Ted Kremenek
bc15d8539d
Add PostStore, a new ProgramPoint to distinguish between 'stores' and other PostStmts.
GRExprEngine:
Use PostStore in EvalStore.
Use a second version of EvalStore in EvalBinaryOperator to associate the store with the expression on the LHS.
llvm-svn: 56383
2008-09-20 01:50:34 +00:00
Ted Kremenek
31a15f8ba2
Bug fix: for the base transfer function logic for casts, handle const casts as just propagating the value.
llvm-svn: 56368
2008-09-19 20:51:22 +00:00
Ted Kremenek
a417c0e80a
Add panic function "__assert_fail".
llvm-svn: 56327
2008-09-19 02:30:47 +00:00
Ted Kremenek
b42f482c91
Implement second part of PR 2600: NSError** parameter may be null, and should be checked before being dereferenced.
llvm-svn: 56318
2008-09-18 23:09:54 +00:00
Ted Kremenek
0ecb53a421
ProgramPoint now takes the space of two pointers instead of one. This change was
motivated because it became clear that the number of subclasses of ProgramPoint
would expand and we ran out of bits to represent a pointer variant. As a plus of
this change, BlockEdge program points can now be represented explicitly without
using a cache of CFGBlock* pairs in CFG.
llvm-svn: 56245
2008-09-16 18:44:52 +00:00
Ted Kremenek
2d470fc0ba
Patch by Csaba Hruska!
"Here is a patch that replaces std::ostream with llvm::raw_ostream. This patch
covers the AST library, but ignores Analysis lib."
llvm-svn: 56185
2008-09-13 05:16:45 +00:00
Ted Kremenek
5909059524
Remove BasicStore.h (migrated function prototype for CreateBasicStore() to Store.h)
llvm-svn: 55519
2008-08-28 23:39:42 +00:00
Ted Kremenek
e91874f71f
Make store "Regions" and "Bindings" more abstract instead of concrete variants.
Their precise semantics will be implemented by a specific StoreManager.
Use function pointer to create the StoreManager in GRStateManager. This matches how we create ConstraintsManager.
llvm-svn: 55514
2008-08-28 23:31:31 +00:00
Ted Kremenek
f1b9209a34
Fixed analyzer caching bug involving the transfer function for loads.
llvm-svn: 55494
2008-08-28 18:43:46 +00:00
Ted Kremenek
b45e6b91c6
Fixed analyzer caching bug in DeclStmt.
llvm-svn: 55487
2008-08-28 18:34:26 +00:00
Zhongxing Xu
f71b5f39bb
Refactor Assume logic into a separate class ConstraintManager.
llvm-svn: 55412
2008-08-27 14:03:33 +00:00
Ted Kremenek
2a2c875b9c
Added 'extents' for Regions.
Added 'getExtent()' to StoreManager.
Implemented 'getExtent()' for BasicStoreManager.
llvm-svn: 55321
2008-08-25 19:33:03 +00:00
Zhongxing Xu
d95495f601
Move the handling of DeclStmt from GRExprEngine to BasicStoreManager.
llvm-svn: 55144
2008-08-21 22:34:01 +00:00
Ted Kremenek
67102b281e
Patch by Zhongxing Xu!
This patch extends BasicStoreManager::getInitialStore() to include code that symbolicates input variables.
It also removes redundant handling of ImplicitParamDecl, since it is a subclass of VarDecl.
llvm-svn: 54993
2008-08-19 16:51:45 +00:00
Argyrios Kyrtzidis
3bab3d21f9
Add ExplicitCastExpr to replace the current CastExpr, and have ImplicitCastExpr and ExplicitCastExpr derive from a common base class (CastExpr):
Expr
  -> CastExpr
     -> ExplicitCastExpr
     -> ImplicitCastExpr
llvm-svn: 54955
2008-08-18 23:01:59 +00:00
Ted Kremenek
ceba6ead45
GRState:
- Remove ConstNotEq from GRState/GRStateManager (!= tracking uses GDM instead).
- GRStateManager now can book-keep "contexts" (e.g., factory objects) for uses
with data elements stored into the GDM.
- Refactor pretty-printing of states to use GRState::Printer objects
exclusively. This removed a huge amount of pretty-printing logic from
GRExprEngine.
CFRefCount
- Simplified some API calls based on refinements to the GDM api.
llvm-svn: 54835
2008-08-16 00:49:49 +00:00
Ted Kremenek
c7138bb0a7
Default initialize only pointers and integer types (for now).
llvm-svn: 54798
2008-08-14 22:11:13 +00:00
Ted Kremenek
16306107cf
Renamed GRState::CheckerStatePrinter to GRState::Printer.
Updated checker state printer interface to allow transfer functions to return an arbitrary number of GRState::Printers.
llvm-svn: 54762
2008-08-13 21:24:49 +00:00
Ted Kremenek
5ab5a1b578
Rename ValueState -> GRState.
Rename ValueStateManager -> GRStateManager.
llvm-svn: 54721
2008-08-13 04:27:00 +00:00
Ted Kremenek
dccd9883c4
Initialize tracked local variables to undefined.
llvm-svn: 54716
2008-08-13 03:28:04 +00:00
Ted Kremenek
98f6e582f2
Added path-sensitive checking for null pointer values passed to function arguments marked nonnull.
This implements <rdar://problem/6069935>
llvm-svn: 53891
2008-07-22 00:46:16 +00:00
Ted Kremenek
d785465167
Add panic function.
llvm-svn: 53755
2008-07-18 16:28:33 +00:00
Ted Kremenek
8d6b42e096
Created ValueStateSet class to manage the creation of multiple states by a method.
Modified the new EvalBinOpNN to generate states instead of nodes. This is a much simpler interface and is what clients will want to do.
llvm-svn: 53750
2008-07-18 05:53:58 +00:00
Ted Kremenek
9c32a1ecf5
Move GRTransferFunc* into ValueStateManager, and move the assumption logic there as well.
llvm-svn: 53743
2008-07-17 23:15:45 +00:00
Ted Kremenek
a79d9a9c79
Remove redundant logic.
llvm-svn: 53740
2008-07-17 21:36:43 +00:00
Ted Kremenek
bc9118b165
Begin major changes to EvalXXX methods in GRTransferFuncs. Currently some of the methods only return an RVal; we want them to be able to create an arbitrary number of states.
llvm-svn: 53739
2008-07-17 21:27:31 +00:00
Ted Kremenek
c50e1a196e
Refactored auditor interface within GRExprEngine and GRCoreEngine to use a "batch auditor" to dispatch to specialized auditors instead of having a separate vector for each audited Expr*. This not only provides a much cleaner implementation, but also allows us to install auditors for any expression.
llvm-svn: 53464
2008-07-11 18:37:32 +00:00
Ted Kremenek
a7b8ffb05b
Refactored most of the "Store" piece of ValueState into a Store type. The
current store implementation is now encapsulated by BasicStore.
These changes prompted some long due constification of ValueState. Much of the
diffs in this patch include adding "const" qualifiers.
llvm-svn: 53423
2008-07-10 22:03:41 +00:00
Ted Kremenek
5f996d5a06
Remove getParentMap() from GRExprEngine.
llvm-svn: 53343
2008-07-09 19:46:42 +00:00
Ted Kremenek
b1d0118a1a
Refactored some of the BugReporter interface so that data such as the ASTContext&, PathDiagnosticClient*, can be provided by an external source.
Split BugReporter into BugReporter and GRBugReporter so checkers not based on GRExprEngine can still use the BugReporter mechanism.
llvm-svn: 53048
2008-07-02 21:24:01 +00:00
Ted Kremenek
125d4a3b2d
GRExprEngine now expects the LiveVariables information to be provided by its creator.
This allows an optimization in AnalysisConsumer where the same LiveVariables information is used between multiple analyses.
llvm-svn: 53046
2008-07-02 20:13:38 +00:00
Ted Kremenek
34a691734e
Modified the dead stores checker to...
1) Check if a dead store appears as a subexpression. For such cases, we emit
a verbose diagnostic so that users aren't confused. This addresses:
<rdar://problem/5968508> checker gives misleading report for dead store in loop
2) Don't emit a dead store warning when assigning a null value to a pointer.
This is a common form of defensive programming. We may wish to make
this an option to the checker one day.
This addresses the feature request in the following email:
http://lists.cs.uiuc.edu/pipermail/cfe-dev/2008-June/001978.html
llvm-svn: 52555
2008-06-20 21:45:25 +00:00
Ted Kremenek
46c82ab994
Introduce initial transfer function support for __imag__ and __real__. We don't
have complex RValues yet, so this logic is only fully implemented when __imag__
and __real__ are used on non-complex types.
llvm-svn: 52501
2008-06-19 17:55:38 +00:00
Ted Kremenek
9a935fbdeb
Added a new ProgramPoint: PostPurgeDeadSymbols. This new program point distinguishes between the cases when we just evaluated the transfer function of a Stmt* (PostStmt) or performed a load (PostLoad). This solves a caching bug observed in a recent bug report.
llvm-svn: 52443
2008-06-18 05:34:07 +00:00
Chris Lattner
5696e7badf
Change self/_cmd to be instances of ImplicitParamDecl instead of ParmVarDecl.
Patch by David Chisnall!
llvm-svn: 52422
2008-06-17 18:05:57 +00:00
Ted Kremenek
b120ff1b95
Fixed bug in the transfer function for dereferences: the loaded value from EvalLoad should bind to the UnaryOperator*, not its subexpression.
Added test case to exercise this fix when checking for uses of uninitialized values.
Patch by Zhongxing Xu!
llvm-svn: 51377
2008-05-21 15:48:33 +00:00
Ted Kremenek
d727220d1a
Micro-optimization when checking for panic functions.
llvm-svn: 51214
2008-05-17 00:42:01 +00:00
Ted Kremenek
c8081b4e16
Fix 80 col violation.
llvm-svn: 51213
2008-05-17 00:40:45 +00:00
Ted Kremenek
0e76583574
Added panic function _XCAssertionFailureHandler.
llvm-svn: 51212
2008-05-17 00:33:23 +00:00
Ted Kremenek
acdde6f099
Rename IsPointerType to LVal::IsLValType, and update CFRefCount::EvalSummary to use IsLValType when conjuring symbols for return values (this fixes a bug with an assertion firing in the analyzer when two qualified objective-c types were compared).
llvm-svn: 50924
2008-05-09 23:45:33 +00:00
Ted Kremenek
bb7386aff5
Really noreturn on exceptions.
llvm-svn: 50579
2008-05-02 17:12:56 +00:00
Ted Kremenek
7f824734e0
Added temporary fix for Obj-C exception handling in the static analyzer: treat these as panic functions.
llvm-svn: 50535
2008-05-01 18:33:28 +00:00
Ted Kremenek
b99d01269a
Added __assert_rtn to list of panic functions.
llvm-svn: 50530
2008-05-01 17:52:49 +00:00
Ted Kremenek
ed36e4b9a4
Added ziperr as a panic function. Eventually inter-procedural analysis
should catch this one easily.
llvm-svn: 50526
2008-05-01 15:55:59 +00:00
Ted Kremenek
a16dacb6aa
Add placeholder code in the static analyzer for MemberExprs involving struct temporaries.
llvm-svn: 50502
2008-04-30 22:17:15 +00:00
Ted Kremenek
ca67cab1e8
Add workaround for __builtin_offsetof in the static analyzer.
llvm-svn: 50500
2008-04-30 21:45:55 +00:00
Ted Kremenek
99057462aa
Provide SizeOfAlignTypeExpr workaround in the static analyzer for taking the sizeof of an ObjCInterfaceType.
llvm-svn: 50499
2008-04-30 21:31:12 +00:00
Ted Kremenek
84dea154fc
When creating LVals for array entries, canonicalize entries with a 0 index.
llvm-svn: 50497
2008-04-30 21:05:35 +00:00
Ted Kremenek
20d8006e93
Teach more of the static analyzer about ObjCQualifiedIdType.
llvm-svn: 50494
2008-04-30 20:17:27 +00:00
Ted Kremenek
0940b99e3b
Teach the static analysis engine about ObjCQualifiedIdType.
llvm-svn: 50493
2008-04-30 20:01:29 +00:00
Ted Kremenek
5ce35cc514
Add conjured symbols for decl initializations.
Add db_error as panic function.
llvm-svn: 50489
2008-04-30 17:54:04 +00:00
Ted Kremenek
5cc9e60a5f
Invalidate old subexpression bindings when binding UnknownVal.
llvm-svn: 50466
2008-04-30 04:23:07 +00:00
Ted Kremenek
10246e8bfa
Add lval::ArrayOffset, which represents the locations of entries in an array.
llvm-svn: 50453
2008-04-29 23:24:44 +00:00
Ted Kremenek
0d2ccffa83
Added lval::FieldOffset, which represents symbolic lvalues for field offsets from other Lvalues.
This removes the failure in null-deref-ps.c (test suite).
llvm-svn: 50449
2008-04-29 22:17:41 +00:00
Ted Kremenek
fa5a3d0fe7
Major rewrite/refactoring of static analysis engine. We now use
EvalStore/EvalLoad to handle all loads/stores from symbolic memory, allowing us
to do checks for null dereferences, etc., at any arbitrary load/store (these
were missed checks before). This also resulted in some major cleanups, some
conceptual, and others just in the structure of the code.
This temporarily introduces a regression in the test suite (null-deref-ps.c)
before I add a new LVal type for structure fields.
llvm-svn: 50443
2008-04-29 21:04:26 +00:00
Ted Kremenek
ecbdf75049
Do a better job at computing dead symbols.
Implemented support for better localized leaks in the CF reference count checker.
Now leaks should be flagged close to where they occur.
This should implement the desired functionality in <rdar://problem/5879592>, although the diagnostics still need to be improved.
llvm-svn: 50241
2008-04-25 01:25:15 +00:00
Ted Kremenek
ae8014cb7e
More boilerplate for handling specialized-transfer function logic for dead symbols.
llvm-svn: 50233
2008-04-24 23:35:58 +00:00
Ted Kremenek
3812b7676c
Added initial boilerplate in GRExprEngine to allow checker-specific transfer
function logic to act when symbols become dead.
llvm-svn: 50221
2008-04-24 18:31:42 +00:00
Ted Kremenek
dd43aeee54
Fixed: <rdar://problem/5881148>
Problem:
In the recently refactored VisitDeref (which processes dereferences), we
were incorrectly skipping the node just generated for the subexpression
of the dereference. This was a horrible regression.
llvm-svn: 50176
2008-04-23 20:12:28 +00:00
Ted Kremenek
d2419a0730
Remove false path where the default branch in a switch statement would
always be taken even if it was not feasible.
llvm-svn: 50132
2008-04-23 05:03:18 +00:00
Ted Kremenek
ef9af73887
Added panic function "assfail".
llvm-svn: 50119
2008-04-23 00:41:25 +00:00
Ted Kremenek
3b42715930
Rewrote VisitDeclStmt to properly handle initializers that can do anything.
llvm-svn: 50112
2008-04-22 22:25:27 +00:00
Ted Kremenek
c79c0591d6
Added lval type (and tracking) for StringLiterals.
llvm-svn: 50109
2008-04-22 21:39:21 +00:00
Ted Kremenek
eccf3e5821
Added "nonlval::LValAsInteger" to represent abstract LVals casted to integers, allowing us to track lvals when they are casted back to pointers.
llvm-svn: 50108
2008-04-22 21:10:18 +00:00
Ted Kremenek
80f2c111bd
Added panic function "dtrace_assfail".
llvm-svn: 50091
2008-04-22 06:09:33 +00:00
Ted Kremenek
a2cca7dbdf
Hardcode "Assert" as a no-return function (panic).
llvm-svn: 50089
2008-04-22 05:37:33 +00:00
Ted Kremenek
da5cdda248
Added null-dereference check for ArraySubscriptExpr.
llvm-svn: 50083
2008-04-22 04:56:29 +00:00
Ted Kremenek
38213f9573
Added support for detecting bad dereferences involving MemberExprs, e.g. x->f where "x" is NULL.
llvm-svn: 50071
2008-04-21 23:43:38 +00:00
Ted Kremenek
c072b820cf
Fixed more caching bugs related to the one fixed in r49914. Silence
compiler warning introduced by a recent patch of mine.
llvm-svn: 49917
2008-04-18 20:35:30 +00:00
Ted Kremenek
acefba896c
Fixed elusive caching bug that led to false positives.
llvm-svn: 49914
2008-04-18 19:34:16 +00:00
Ted Kremenek
4d83728a57
Added "GetErrorNodes()" to BugType so that -trim-egraph can recognize errors
from registered BugTypes. This helps with debugging.
Add detection of NULL values in ref count checker; this suppresses false positives.
llvm-svn: 49912
2008-04-18 19:23:43 +00:00
Ted Kremenek
3388381993
Added "EvalAssume" virtual method to GRTransferFuncs; this is for evaluating
the checker-specific logic of symbolic assumptions.
llvm-svn: 49910
2008-04-18 17:20:23 +00:00
Ted Kremenek
9c375158a0
Handle ReturnStmts by dispatching to "EvalReturn" in the transfer function object.
llvm-svn: 49826
2008-04-16 23:05:51 +00:00
Ted Kremenek
7145489c37
Small tweaks to EvalStore: pass an "RVal" instead of "LVal" for the TargetLV to
represent possible stores to "Unknown."
llvm-svn: 49811
2008-04-16 20:40:59 +00:00
Ted Kremenek
90c7cb6810
Hook up "EvalStore" from GRTransferFuncs to GRExprEngine.
llvm-svn: 49804
2008-04-16 18:39:06 +00:00
Ted Kremenek
2044a5183d
Take first step to migrating handling of "stores" to values from GRExprEngine
to the plug-in GRTransferFuncs object.
llvm-svn: 49801
2008-04-16 18:21:25 +00:00
Ted Kremenek
667cacb2ff
Added some comments to GRExprEngine. Reorder some of the method definitions
to start logically organizing them.
Added initial plug-in transfer function support for Objective-C message expressions.
llvm-svn: 49752
2008-04-15 23:06:53 +00:00
Steve Naroff
08899ff85d
Remove FileVarDecl and BlockVarDecl. They are replaced by VarDecl::isBlockVarDecl() and VarDecl::isFileVarDecl().
This is a fairly mechanical/large change. As a result, I avoided making any changes/simplifications that weren't directly related. I did break two Analysis tests. I also have a couple FIXME's in UninitializedValues.cpp. Ted, can you take a look? If the bug isn't obvious, I am happy to dig in and fix it (since I broke it).
llvm-svn: 49748
2008-04-15 22:42:06 +00:00
Ted Kremenek
4b77209694
Fixed some logic errors in the CF ref count checker; we now can detect simple
use-after-release errors. Added test case.
llvm-svn: 49509
2008-04-10 23:44:06 +00:00
Ted Kremenek
7acc3a36ef
Major refactoring/cleanup of GRExprEngine, ExplodedGraph, and BugReporter.
Bugs are now reported using a combination of "BugType" (previously
BugDescription) and Bug "BugReport" objects, which are fed to BugReporter (which
generates PathDiagnostics). This provides a far more modular way of registering
bug types and plugging in diagnostics.
GRExprEngine now owns its copy of GRCoreEngine, and is not owned by the
ExplodedGraph.
ExplodedGraph is no longer templated on the "checker", but instead on the state
contained in the nodes.
llvm-svn: 49453
2008-04-09 21:41:14 +00:00
Chris Lattner
182f660d8d
simplify some code by using PointerLikeType.
llvm-svn: 49101
2008-04-02 17:45:06 +00:00
Ted Kremenek
f646774f32
Added path-sensitive check for return statements that return the address
of a stack variable. This is the path-sensitive version of a check that
is already done during semantic analysis.
llvm-svn: 48980
2008-03-31 15:02:58 +00:00
Ted Kremenek
27156c8c9f
Hooked up initial NSString interface checking to GRSimpleVals.
llvm-svn: 48895
2008-03-27 21:15:17 +00:00
Ted Kremenek
c04149299c
Added "GRAuditor" and "GRSimpleAPICheck" interface to allow simple stateless checkers to be injected into the analyzer.
Added "AnnotatedPath" class to record an annotated path that will be useful for inspecting paths.
Added some boilerplate code for simple checks of Apple's Foundation API.
llvm-svn: 48867
2008-03-27 07:25:52 +00:00
Ted Kremenek
ea128437b3
Bug fix: use GetRVal instead of GetLVal (were getting the value of a DeclRefExpr, not its address).
llvm-svn: 48846
2008-03-26 22:21:58 +00:00
Ted Kremenek
cb047289a8
Bug fix in transfer function for ObjCMessageExpr: Visit the receiver expression as an ordinary expression, not using VisitLVal.
llvm-svn: 48842
2008-03-26 21:36:08 +00:00
Ted Kremenek
3335120f69
Tweak to transfer function for ObjCMessageExpr: handle both instance methods
and message expressions with a specified receiver.
llvm-svn: 48773
2008-03-25 16:07:41 +00:00
Ted Kremenek
945a246ad8
Added logic to check for uninitialized values as the receivers for message expressions
and uninitialized values passed-by-value as arguments to message expressions.
llvm-svn: 48760
2008-03-25 02:10:28 +00:00
Ted Kremenek
64100da427
Added initial transfer function support for ObjCMessageExpr.
llvm-svn: 48757
2008-03-25 00:34:37 +00:00
Ted Kremenek
181f72369f
Rename "Nodify" to "MakeNode"
llvm-svn: 48659
2008-03-21 21:30:14 +00:00
Ted Kremenek
a9b30c0651
Fix assertion.
llvm-svn: 48470
2008-03-17 22:18:22 +00:00
Ted Kremenek
9eae403cde
Fix integer overflow bug when processing switch statements.
llvm-svn: 48469
2008-03-17 22:17:56 +00:00
Ted Kremenek
58021a617b
Properly hook up inline asm transfer function logic to the main GRExprEngine logic.
llvm-svn: 48468
2008-03-17 21:31:48 +00:00
Ted Kremenek
7c7a331f74
Added initial transfer function support for inline asm.
llvm-svn: 48466
2008-03-17 21:11:24 +00:00
Chris Lattner
7a51313d8a
Make a major restructuring of the clang tree: introduce a top-level
lib dir and move all the libraries into it. This follows the main
llvm tree, and allows the libraries to be built in parallel. The
top level now enforces that all the libs are built before Driver,
but we don't care what order the libs are built in. This speeds
up parallel builds, particularly incremental ones.
llvm-svn: 48402
2008-03-15 23:59:48 +00:00