Commit Graph

2927 Commits

Author SHA1 Message Date
Kristof Umann 3ea7442bd6 [analyzer] Added template argument lists to the Pathdiagnostic output
Because template parameter lists were not displayed
in the plist output, it was difficult to decide in
some cases whether a given checker found a true or a
false positive. This patch aims to correct this.

Differential Revision: https://reviews.llvm.org/D46933

llvm-svn: 333275
2018-05-25 13:18:38 +00:00
David Carlier 3c90fcebd4 [analyzer] CStringChecker fix for strlcpy when no bytes are copied to the dest buffer
Again, strlc* does not return a pointer so the zero size case doest not fit.

Reviewers: NoQ, george.karpenkov

Reviewed by: NoQ

Differential Revision: https://reviews.llvm.org/D47007

llvm-svn: 333060
2018-05-23 04:38:25 +00:00
George Karpenkov 04951d4fc3 [analyzer] Extend ObjCAutoreleaseWriteChecker to catch block declarations with autoreleasing variables
Differential Revision: https://reviews.llvm.org/D46984

llvm-svn: 332546
2018-05-16 22:47:05 +00:00
George Karpenkov 47bb3f7033 [analyzer] Change the warning message for GCD antipattern checker
llvm-svn: 332544
2018-05-16 22:46:47 +00:00
Henry Wong afe62cdc4e [analyzer] Improve the modeling of memset().
Since there is no perfect way bind the non-zero value with the default binding, this patch only considers the case where buffer's offset is zero and the char value is 0. And according to the value for overwriting, decide how to update the string length.

Reviewers: dcoughlin, NoQ, xazax.hun, a.sidorin, george.karpenkov

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D44934

llvm-svn: 332463
2018-05-16 12:37:53 +00:00
George Karpenkov faa03f4aca [analyzer] Do not crash on callback for call_once passed by value
https://bugs.llvm.org/show_bug.cgi?id=37312
rdar://40270582

Differential Revision: https://reviews.llvm.org/D46913

llvm-svn: 332422
2018-05-16 00:29:13 +00:00
Artem Dergachev 21948346b3 [analyzer] Make plist-html diagnostic consumer produce multi-file reports.
Previously plist-html output produced multi-file HTML reports
but only single-file Plist reports.

Change plist-html output to produce multi-file Plist reports as well.

Differential Revision: https://reviews.llvm.org/D46902

llvm-svn: 332417
2018-05-16 00:11:24 +00:00
Artem Dergachev c19843714c [analyzer] Re-apply r331096 "CStringChecker: Add support for BSD strlcpy()...".
Fixed after revert in r331401.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D45177

llvm-svn: 332303
2018-05-14 22:32:24 +00:00
George Karpenkov 434019a617 [analyzer] Extend the ObjCAutoreleaseWriteChecker to warn on captures as well
A common pattern is that the code in the block does not write into the
variable explicitly, but instead passes it to a helper function which
performs the write.

Differential Revision: https://reviews.llvm.org/D46772

llvm-svn: 332300
2018-05-14 21:39:54 +00:00
George Karpenkov 3ee2a6bd5c [analyzer] Ignore the nullability quantifiers for autoreleasewritechecker
llvm-svn: 332136
2018-05-11 20:39:19 +00:00
George Karpenkov c41c5b2747 [analyzer] Fix the filename for the exploration_order test.
Ensures that the test is being run.

llvm-svn: 332135
2018-05-11 20:38:39 +00:00
Alexander Kornienko 48fcfc3274 Fixes issue introduced by r331556.
Closes bug: https://bugs.llvm.org/show_bug.cgi?id=37357

Patch by Rafael Stahl!

Differential revision: https://reviews.llvm.org/D46633

llvm-svn: 331870
2018-05-09 12:27:21 +00:00
Artem Dergachev 394588a1a6 [analyzer] Invalidate union regions properly. Don't hesitate to load later.
We weren't invalidating our unions correctly. The previous behavior in
invalidateRegionsWorker::VisitCluster() was to direct-bind an UnknownVal
to the union (at offset 0).

For that reason we were never actually loading default bindings from our unions,
because there never was any default binding to load, and the value
that is presumed when there's no default binding to load
is usually completely incorrect (eg. UndefinedVal for stack unions).

The new behavior is to default-bind a conjured symbol (of irrelevant type)
to the union that's being invalidated, similarly to what we do for structures
and classes. Then it becomes safe to load the value properly.

Differential Revision: https://reviews.llvm.org/D45241

llvm-svn: 331563
2018-05-04 22:19:32 +00:00
Artem Dergachev e603e076f5 [analyzer] pr36458: Fix retrieved value cast for symbolic void pointers.
C allows us to write any bytes into any memory region. When loading weird bytes
from memory regions of known types, the analyzer is required to make sure that
the loaded value makes sense by casting it to an appropriate type.

Fix such cast for loading values that represent void pointers from non-void
pointer type places.

Differential Revision: https://reviews.llvm.org/D46415

llvm-svn: 331562
2018-05-04 22:11:12 +00:00
Artem Dergachev 806486c781 [analyzer] pr18953: Split C++ zero-initialization from default initialization.
The bindDefault() API of the ProgramState allows setting a default value
for reads from memory regions that were not preceded by writes.

It was used for implementing C++ zeroing constructors (i.e. default constructors
that boil down to setting all fields of the object to 0).

Because differences between zeroing consturctors and other forms of default
initialization have been piling up (in particular, zeroing constructors can be
called multiple times over the same object, probably even at the same offset,
requiring a careful and potentially slow cleanup of previous bindings in the
RegionStore), we split the API in two: bindDefaultInitial() for modeling
initial values and bindDefaultZero() for modeling zeroing constructors.

This fixes a few assertion failures from which the investigation originated.

The imperfect protection from both inability of the RegionStore to support
binding extents and lack of information in ASTRecordLayout has been loosened
because it's, well, imperfect, and it is unclear if it fixing more than it
was breaking.

Differential Revision: https://reviews.llvm.org/D46368

llvm-svn: 331561
2018-05-04 21:56:51 +00:00
Artem Dergachev 2fd6aa7d56 [analyzer] pr37209: Fix casts of glvalues to references.
Many glvalue expressions aren't of their respective reference type -
they are simply glvalues of their value type.

This was causing problems when we were trying to obtain type of the original
expression while evaluating certain glvalue bit-casts.

Fixed by artificially forging a reference type to provide to the casting
procedure.

Differential Revision: https://reviews.llvm.org/D46224

llvm-svn: 331558
2018-05-04 21:39:25 +00:00
Artem Dergachev a2e053638b [analyzer] Treat more const variables and fields as known contants.
When loading from a variable or a field that is declared as constant,
the analyzer will try to inspect its initializer and constant-fold it.
Upon success, the analyzer would skip normal load and return the respective
constant.

The new behavior also applies to fields/elements of brace-initialized structures
and arrays.

Patch by Rafael Stahl!

Differential Revision: https://reviews.llvm.org/D45774

llvm-svn: 331556
2018-05-04 20:52:39 +00:00
Alexander Kornienko a61d4c959a Remove explicit cfg-temporary-dtors=true
Summary:
Remove explicit -analyzer-config cfg-temporary-dtors=true in analyzer tests,
since this option defaults to true since r326461.

Reviewers: NoQ

Reviewed By: NoQ

Subscribers: cfe-commits

Differential Revision: https://reviews.llvm.org/D46393

llvm-svn: 331520
2018-05-04 14:13:14 +00:00
Henry Wong e14e591c93 [analyzer] Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero and VLASize.
Summary: Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero, VLASize to be able to indicate where the taint information originated from.

Reviewers: NoQ, george.karpenkov, xazax.hun, a.sidorin

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D46007

llvm-svn: 331345
2018-05-02 12:11:22 +00:00
Artem Dergachev befce13328 [analyzer] ObjCAutoreleaseWrite: Support a few more APIs and fix warning text.
API list and improved warning text composed by Devin Coughlin.

llvm-svn: 331089
2018-04-27 22:00:51 +00:00
Artem Dergachev 4fbd97e183 [analyzer] Fix operator delete[] array-type-sub-expression handling.
Avoid crash when the sub-expression of operator delete[] is of array type.

This is not the same as simply using a delete[] syntax.

We're still not properly calling destructors in this case in the analyzer.

Differential Revision: https://reviews.llvm.org/D46146

llvm-svn: 331014
2018-04-27 02:16:03 +00:00
Artem Dergachev 310bca0178 [analyzer] Fix a crash on lifetime extension through aggregate initialization.
If 'A' is a C++ aggregate with a reference field of type 'C', in code like
  A a = { C() };
C() is lifetime-extended by 'a'. The analyzer wasn't expecting this pattern and
crashing. Additionally, destructors aren't added in the CFG for this case,
so for now we shouldn't be inlining the constructor for C().

Differential Revision: https://reviews.llvm.org/D46037

llvm-svn: 330882
2018-04-25 23:02:06 +00:00
Artem Dergachev 516837f2a1 [analyzer] Enable analysis of WebKit "unified sources".
Normally the analyzer begins path-sensitive analysis from functions within
the main file, even though the path is allowed to go through any functions
within the translation unit.

When a recent version of WebKit is compiled, the "unified sources" technique
is used, that assumes #including multiple code files into a single main file.
Such file would have no functions defined in it, so the analyzer wouldn't be
able to find any entry points for path-sensitive analysis.

This patch pattern-matches unified file names that are similar to those
used by WebKit and allows the analyzer to find entry points in the included
code files. A more aggressive/generic approach is being planned as well.

Differential Revision: https://reviews.llvm.org/D45839

llvm-svn: 330876
2018-04-25 21:51:26 +00:00
Artem Dergachev a4e557f908 [analyzer] Add support for the note diagnostic pieces to plist output format.
Note diagnostic pieces are an additional way of highlighting code sections to
the user. They aren't part of the normal path diagnostic sequence. They can
also be attached to path-insensitive reports.

Notes are already supported by the text output and scan-build.

Expanding our machine-readable plist output format to be able to represent notes
opens up the possibility for various analyzer GUIs to pick them up.

Patch by Umann Kristóf!

Differential Revision: https://reviews.llvm.org/D45407

llvm-svn: 330766
2018-04-24 20:45:48 +00:00
Aleksei Sidorin 04fbffcc52 [ASTImporter] Allow testing of import sequences; fix import of typedefs for anonymous decls
This patch introduces the ability to test an arbitrary sequence of imports
between a given set of virtual source files. This should finally allow
us to write simple tests and fix annoying issues inside ASTImporter
that cause failures in CSA CTU. This is done by refactoring
ASTImporterTest functions and introducing `testImportSequence` facility.
As a side effect, `testImport` facility was generalized a bit more. It
should now allow import of non-decl AST nodes; however, there is still no
test using this ability.

As a "test for test", there is also a fix for import anonymous TagDecls
referred by typedef. Before this patch, the setting of typedef for anonymous
structure was delayed; however, this approach misses the corner case if
an enum constant is imported directly. In this patch, typedefs for
anonymous declarations are imported right after the anonymous declaration
is imported, without any delay.

Thanks to Adam Balogh for suggestions included into this patch.

Differential Revision: https://reviews.llvm.org/D44079

llvm-svn: 330704
2018-04-24 10:11:53 +00:00
Aleksei Sidorin 787fce4f78 Quick fix for rC330605: specify a target arch for test
llvm-svn: 330613
2018-04-23 16:38:29 +00:00
Aleksei Sidorin b659dd3a45 [analyzer] Don't crash on printing ConcreteInt of size >64 bits
Printing of ConcreteInts with size >64 bits resulted in assertion failure
in get[Z|S]ExtValue() because these methods are only allowed to be used
with integers of 64 max bit width. This patch fixes the issue.

llvm-svn: 330605
2018-04-23 15:41:44 +00:00
Artem Dergachev ab9b78b200 [CFG] [analyzer] Add construction contexts for loop condition variables.
Loop condition variables, eg.

  while (shared_ptr<int> P = getIntPtr()) { ... })

weren't handled in r324794 because they don't go through the common
CFGBuilder::VisitDeclStmt method. Which means that they regressed
after r324800.

Fix the regression by duplicating the necessary construction context scan in
the loop visiting code.

Differential Revision: https://reviews.llvm.org/D45706

llvm-svn: 330382
2018-04-19 23:30:15 +00:00
Artem Dergachev 468bc0d8b9 [analyzer] When we fail to evaluate a pointer cast, escape the pointer.
If a pointer cast fails (evaluates to an UnknownVal, i.e. not implemented in the
analyzer) and such cast is in fact the last use of the pointer, the pointer
symbol is no longer referenced by the program state and a leak is
(mis-)diagnosed.

"Escape" the pointer upon a failed cast, i.e. inform the checker that we can no
longer reliably track it.

Differential Revision: https://reviews.llvm.org/D45698

llvm-svn: 330380
2018-04-19 23:24:32 +00:00
Artem Dergachev 72da02fc30 [CFG] [analyzer] Don't treat argument constructors as temporary constructors.
Function argument constructors (that are used for passing objects into functions
by value) are completely unlike temporary object constructors, but we were
treating them as such because they are also wrapped into a CXXBindTemporaryExpr.

This patch adds a partial construction context layer for call argument values,
but doesn't proceed to transform it into an actual construction context yet.
This is tells the clients that we aren't supporting these constructors yet.

Differential Revision: https://reviews.llvm.org/D45650

llvm-svn: 330377
2018-04-19 23:09:22 +00:00
Artem Dergachev f7281b4752 [analyzer] RetainCount: Accept more "safe" CFRetain wrappers.
r315736 added support for the misplaced CF_RETURNS_RETAINED annotation on
CFRetain() wrappers. It works by trusting the function's name (seeing if it
confirms to the CoreFoundation naming convention) rather than the annotation.

There are more false positives caused by users using a different naming
convention, namely starting the function name with "retain" or "release"
rather than suffixing it with "retain" or "release" respectively.

Because this isn't according to the naming convention, these functions
are usually inlined and the annotation is therefore ignored, which is correct.
But sometimes we run out of inlining stack depth and the function is
evaluated conservatively and then the annotation is trusted.

Add support for the "alternative" naming convention and test the situation when
we're running out of inlining stack depth.

rdar://problem/18270122

Differential Revision: https://reviews.llvm.org/D45117

llvm-svn: 330375
2018-04-19 23:00:22 +00:00
Henry Wong 525d4122c9 [analyzer] Do not invalidate the `this` pointer.
Summary:
`this` pointer is not an l-value, although we have modeled `CXXThisRegion` for `this` pointer, we can only bind it once, which is when we start to inline method. And this patch fixes https://bugs.llvm.org/show_bug.cgi?id=35506.

In addition, I didn't find any other cases other than loop-widen that could invalidate `this` pointer.

Reviewers: NoQ, george.karpenkov, a.sidorin, seaneveson, szepet

Reviewed By: NoQ

Subscribers: xazax.hun, rnkovacs, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D45491

llvm-svn: 330095
2018-04-15 10:34:06 +00:00
Adam Balogh 13e186c088 [Analyzer] Fix for SValBuilder expressions rearrangement
Expression rearrangement in SValBuilder (see rL329780) crashes with an assert if the type of the integer is different from the type of the symbol. This fix adds a check that prevents rearrangement in such cases.

Differential Revision: https://reviews.llvm.org/D45557

llvm-svn: 330064
2018-04-13 20:23:02 +00:00
Gabor Horvath ca7923ab00 [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
Patch by: Rafael Stahl!

Differential Revision: https://reviews.llvm.org/D45564

llvm-svn: 330009
2018-04-13 12:36:08 +00:00
Adam Balogh 2bbccca9f7 [Analyzer] SValBuilder Comparison Rearrangement (with Restrictions and Analyzer Option)
Since the range-based constraint manager (default) is weak in handling comparisons where symbols are on both sides it is wise to rearrange them to have symbols only on the left side. Thus e.g. A + n >= B + m becomes A - B >= m - n which enables the constraint manager to store a range m - n .. MAX_VALUE for the symbolic expression A - B. This can be used later to check whether e.g. A + k == B + l can be true, which is also rearranged to A - B == l - k so the constraint manager can check whether l - k is in the range (thus greater than or equal to m - n).

The restriction in this version is the the rearrangement happens only if both the symbols and the concrete integers are within the range [min/4 .. max/4] where min and max are the minimal and maximal values of their type.

The rearrangement is not enabled by default. It has to be enabled by using -analyzer-config aggressive-relational-comparison-simplification=true.

Co-author of this patch is Artem Dergachev (NoQ).

Differential Revision: https://reviews.llvm.org/D41938

llvm-svn: 329780
2018-04-11 06:21:12 +00:00
Alexander Kornienko 2a8c18d991 Fix typos in clang
Found via codespell -q 3 -I ../clang-whitelist.txt
Where whitelist consists of:

  archtype
  cas
  classs
  checkk
  compres
  definit
  frome
  iff
  inteval
  ith
  lod
  methode
  nd
  optin
  ot
  pres
  statics
  te
  thru

Patch by luzpaz! (This is a subset of D44188 that applies cleanly with a few
files that have dubious fixes reverted.)

Differential revision: https://reviews.llvm.org/D44188

llvm-svn: 329399
2018-04-06 15:14:32 +00:00
Jan Korous 604f036394 [analyzer][test] Set C++14 as language standard for test depending on new
features

llvm-svn: 329225
2018-04-04 19:58:48 +00:00
Artem Dergachev c8b1d5f329 [analyzer] Fix diagnostics in callees of interesting callees.
removeUnneededCalls() is responsible for removing path diagnostic pieces within
functions that don't contain "interesting" events. It makes bug reports
much tidier.

When a stack frame is known to be interesting, the function doesn't descend
into it to prune anything within it, even other callees that are totally boring.

Fix the function to prune boring callees in interesting stack frames.

Differential Revision: https://reviews.llvm.org/D45117

llvm-svn: 329102
2018-04-03 18:52:30 +00:00
Henry Wong f717d4795a [analyzer] Unroll the loop when it has a unsigned counter.
Summary:
The original implementation in the `LoopUnrolling.cpp` didn't consider the case where the counter is unsigned. This case is only handled in `simpleCondition()`, but this is not enough, we also need to deal with the unsinged counter with the counter initialization.

Since `IntegerLiteral` is `signed`, there is a `ImplicitCastExpr<IntegralCast>` in `unsigned counter = IntergerLiteral`. This patch add the `ignoringParenImpCasts()` in the `IntegerLiteral` matcher.

Reviewers: szepet, a.sidorin, NoQ, george.karpenkov

Reviewed By: szepet, george.karpenkov

Subscribers: xazax.hun, rnkovacs, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D45086

llvm-svn: 328919
2018-03-31 12:46:46 +00:00
George Karpenkov 96871864d2 [analyzer] Hopefully fix the ARM buildbot.
llvm-svn: 328913
2018-03-31 02:17:15 +00:00
George Karpenkov 6fe0f035bd [analyzer] Fix assertion crash in CStringChecker
An offset might be unknown.

rdar://39054939

Differential Revision: https://reviews.llvm.org/D45115

llvm-svn: 328912
2018-03-31 01:20:08 +00:00
George Karpenkov 137ca91f52 [analyzer] Fix liveness calculation for C++17 structured bindings
C++ structured bindings for non-tuple-types are defined in a peculiar
way, where the resulting declaration is not a VarDecl, but a
BindingDecl.
That means a lot of existing machinery stops working.

rdar://36912381

Differential Revision: https://reviews.llvm.org/D44956

llvm-svn: 328910
2018-03-31 01:20:06 +00:00
Artem Dergachev d1fe360b06 [analyzer] Fix test triple in missing-bind-temporary.cpp.
Otherwise the default triple for x86-windows-msvc2015 auto-inserts
__attribute__((thiscall)) to some calls.

Fixes the respective buildbot.

llvm-svn: 328903
2018-03-30 21:22:35 +00:00
Artem Dergachev 95f9a68b1f [analyzer] Track null or undef values through pointer arithmetic.
Pointer arithmetic on null or undefined pointers results in null or undefined
pointers. This is obvious for undefined pointers; for null pointers it follows
from our incorrect-but-somehow-working approach that declares that 0 (Loc)
doesn't necessarily represent a pointer of numeric address value 0, but instead
it represents any pointer that will cause a valid "null pointer dereference"
issue when dereferenced.

For now we've been seeing through pointer arithmetic at the original dereference
expression, i.e. in bugreporter::getDerefExpr(), but not during further
investigation of the value's origins in bugreporter::trackNullOrUndefValue().
The patch fixes it.

Differential Revision: https://reviews.llvm.org/D45071

llvm-svn: 328896
2018-03-30 19:27:42 +00:00
Artem Dergachev 6a5cd5e1ca [CFG] [analyzer] Work around a disappearing CXXBindTemporaryExpr.
Sometimes template instantiation causes CXXBindTemporaryExpr to be missing in
its usual spot. In CFG, temporary destructors work by relying on
CXXBindTemporaryExprs, so they won't work in this case.

Avoid the crash and notify the clients that we've encountered an unsupported AST
by failing to provide the ill-formed construction context for the temporary.

Differential Revision: https://reviews.llvm.org/D44955

llvm-svn: 328895
2018-03-30 19:25:39 +00:00
Artem Dergachev 9d3a7d8b2b [CFG] [analyzer] Avoid modeling C++17 constructors that aren't fully supported.
Not enough work has been done so far to ensure correctness of construction
contexts in the CFG when C++17 copy elision is in effect, so for now we
should drop construction contexts in the CFG and in the analyzer when
they seem different from what we support anyway.

This includes initializations with conditional operators and return values
across multiple stack frames.

Differential Revision: https://reviews.llvm.org/D44854

llvm-svn: 328893
2018-03-30 19:21:18 +00:00
Douglas Yung 0934c19982 Adding UNSUPPORTED: system-windows at George's request until the problem can be debugged.
llvm-svn: 328853
2018-03-30 01:29:07 +00:00
George Karpenkov f05d495669 [analyzer] Fix target triple for autorelease-write-checker test
llvm-svn: 328837
2018-03-29 22:28:04 +00:00
George Karpenkov d676ba0f28 [analyzer] Path-insensitive checker for writes into an auto-releasing pointer
from the wrong auto-releasing pool, as such writes may crash.

rdar://25301111

Differential Revision: https://reviews.llvm.org/D44722

llvm-svn: 328827
2018-03-29 20:55:34 +00:00
Peter Szecsi 4c87d233b0 [analyzer] LoopUnrolling: update the matched assignment operators
Extended the matched assignment operators when checking for bound changes in a body of the loop by using the freshly added isAssignmentOperator matcher.
This covers all the (current) possible assignments, tests added as well.

Differential Revision: https://reviews.llvm.org/D38921

llvm-svn: 328619
2018-03-27 12:16:56 +00:00