Commit Graph

1051 Commits

Author SHA1 Message Date
Jordan Rose 89b917e399 [analyzer] RetainCountChecker: remove unused SelfOwn ArgEffect kind.
llvm-svn: 159245
2012-06-27 00:51:18 +00:00
Jordan Rose 88be136cff [analyzer] Remove unneeded helper function (it's in ASTContext.h)
llvm-svn: 159244
2012-06-27 00:51:16 +00:00
Jordan Rose 4688e60861 [analyzer] Be careful about implicitly-declared operator new/delete. (PR13090)
The implicit global allocation functions do not have valid source locations,
but we still want to treat them as being "system header" functions for the
purposes of how they affect program state.

llvm-svn: 159160
2012-06-25 20:48:28 +00:00
Ted Kremenek 72b3452c2b Implement initial static analysis inlining support for C++ methods.
llvm-svn: 159047
2012-06-22 23:55:50 +00:00
Anna Zaks 26712c845e [analyzer] Teach malloc checker that initWith[Bytes|Characters}NoCopy
relinquish memory.

llvm-svn: 159043
2012-06-22 22:42:30 +00:00
Anna Zaks 301e0d6074 [analyzer] Remove a statistic - it's too expensive.
(Committed in r159038 by mistake.)

llvm-svn: 159040
2012-06-22 22:24:45 +00:00
Anna Zaks 7aa3687bb6 [analyzer]scan-build: report the total number of steps analyzer performs
This would be useful to investigate performance issues.

llvm-svn: 159038
2012-06-22 22:08:12 +00:00
Anna Zaks e4b6d5e1c1 [analyzer] Fixup to r158958.
llvm-svn: 159037
2012-06-22 22:08:09 +00:00
Anna Zaks ce519153fd [analyzer] Report the cumulative number of steps the analyzer performs.
llvm-svn: 159036
2012-06-22 22:08:06 +00:00
Jordan Rose ef1c7ae323 [analyzer] Check for +raise:format: on subclasses of NSException as well.
We don't handle exceptions yet, so we treat them as sinks. ExprEngine
hardcodes messages that are known to raise Objective-C exceptions like -raise,
but it was only checking for +raise:format: and +raise:format:arguments: on
NSException itself, not subclasses.

<rdar://problem/11724201>

llvm-svn: 159010
2012-06-22 17:15:58 +00:00
Anna Zaks 0d6989bd10 [analyzer] Malloc: Warn about use-after-free when memory ownership was
transfered with dataWithBytesNoCopy.

llvm-svn: 158958
2012-06-22 02:04:31 +00:00
Chandler Carruth 28969b4139 Remove a goofy CMake hack and use the standard CMake facilities to
express library-level dependencies within Clang.

This is no more verbose really, and plays nicer with the rest of the
CMake facilities. It should also have no change in functionality.

llvm-svn: 158888
2012-06-21 01:30:21 +00:00
Anna Zaks 886dfb8cfa [analyzer] Malloc leak false positive: Allow xpc context to escape.
llvm-svn: 158875
2012-06-20 23:35:57 +00:00
Anna Zaks 9050ffd57c [analyzer] Malloc: cleanup, disallow free on relinquished memory.
This commits sets the grounds for more aggressive use after free
checking. We will use the Relinquished sate to denote that someone
else is now responsible for releasing the memory.

llvm-svn: 158850
2012-06-20 20:57:46 +00:00
Jordan Rose 44320367ac [analyzer] Invalidate placement args; return the pointer given to placement new
The default global placement new just returns the pointer it is given.
Note that other custom 'new' implementations with placement args are not
guaranteed to do this.

In addition, we need to invalidate placement args, since they may be updated by
the allocator function. (Also, right now we don't properly handle the
constructor inside a CXXNewExpr, so we need to invalidate the placement args
just so that callers know something changed!)

This invalidation is not perfect because CallOrObjCMessage doesn't support
CXXNewExpr, and all of our invalidation callbacks expect that if there's no
CallOrObjCMessage, the invalidation is happening manually (e.g. by a direct
assignment) and shouldn't affect checker-specific metadata (like malloc state);
hence the malloc test case in new-fail.cpp. But region values are now
properly invalidated, at least.

The long-term solution to this problem is to rework CallOrObjCMessage into
something more general, rather than the morass of branches it is today.

<rdar://problem/11679031>

llvm-svn: 158784
2012-06-20 01:32:01 +00:00
Anna Zaks 42908c7ac9 [analyzer] Allow pointers to escape into NSPointerArray.
(Fixes radar://11691035 PR13140)

llvm-svn: 158703
2012-06-19 05:10:32 +00:00
Jordan Rose 832c2134a9 [analyzer] Add a comment: why we treat array compound literals as lvalues.
llvm-svn: 158681
2012-06-18 21:31:27 +00:00
Jordan Rose b4712d142a [analyzer] Array CompoundLiteralExprs need to be treated like lvalues.
llvm-svn: 158588
2012-06-16 01:28:03 +00:00
Jordan Rose e42412be39 [analyzer] Return an UnknownVal when we try to get the binding for a VLA.
This happens in C++ mode right at the declaration of a struct VLA;
MallocChecker sees a bind and tries to get see if it's an escaping bind.
It's likely that our handling of this is still incomplete, but it fixes a
crash on valid without disturbing anything else for now.

llvm-svn: 158587
2012-06-16 01:28:00 +00:00
Jordan Rose de409b6d5f [analyzer] Buffers passed to CGBitmapContextCreate can escape.
Specifically, although the bitmap context does not take ownership of the
buffer (unlike CGBitmapContextCreateWithData), the data buffer can be extracted
out of the created CGContextRef. Thus the buffer is not leaked even if its
original pointer goes out of scope, as long as
- the context escapes, or
- it is retrieved via CGBitmapContextGetData and freed.

Actually implementing that logic is beyond the current scope of MallocChecker,
so for now CGBitmapContextCreate goes on our system function exception list.

llvm-svn: 158579
2012-06-16 00:09:20 +00:00
James Dennett 1bc5f0c7ef Documentation cleanup: fix a type, LocatioinE -> LocationE
llvm-svn: 158566
2012-06-15 22:32:14 +00:00
Jordan Rose 95dfae824e [analyzer] RetainCount: don't track objects init'd with a delegate
We already didn't track objects that have delegates or callbacks or
objects that are passed through void * "context pointers". It's a
not-uncommon pattern to release the object in its callback, and so
the leak message we give is not very helpful.

llvm-svn: 158532
2012-06-15 18:19:52 +00:00
James Dennett 845619a285 Documentation cleanup:
* Add \brief to produce a summary in the Doxygen output;
* Add missing parameter names to \param commands;
* Fix mismatched parameter names for \param commands;
* Add a parameter name so that the \param has a target.

llvm-svn: 158503
2012-06-15 07:41:35 +00:00
Jordan Rose 2fdc07ee89 Revert "[analyzer] Treat LValueBitCasts like regular pointer bit casts."
This does not actually give us the right behavior for reinterpret_cast
of references. Reverting so I can think about it some more.

This reverts commit 50a75a6e26a49011150067adac556ef978639fe6.

llvm-svn: 158341
2012-06-12 00:20:22 +00:00
Jordan Rose ca00b28a47 [analyzer] Treat LValueBitCasts like regular pointer bit casts.
These casts only appear in very well-defined circumstances, in which the
target of a reinterpret_cast or a function formal parameter is an lvalue
reference. According to the C++ standard, the following are equivalent:

 reinterpret_cast<T&>( x)
*reinterpret_cast<T*>(&x)

[expr.reinterpret.cast]p11

llvm-svn: 158338
2012-06-11 23:20:52 +00:00
Chad Rosier 32503020a4 Etch out the code path for MS-style inline assembly.
llvm-svn: 158325
2012-06-11 20:47:18 +00:00
Jordan Rose efef760214 [analyzer] Add ObjCLoopChecker: objects from NSArray et al are non-nil.
While collections containing nil elements can still be iterated over in an
Objective-C for-in loop, the most common Cocoa collections -- NSArray,
NSDictionary, and NSSet -- cannot contain nil elements. This checker adds
that assumption to the analyzer state.

This was the cause of some minor false positives concerning CFRelease calls
on objects in an NSArray.

llvm-svn: 158319
2012-06-11 16:40:41 +00:00
Jordan Rose 3ba8ae3fd9 [analyzer] When looking for a known class, only traverse the hierarchy once.
This has a small hit in the case where only one class is interesting
(NilArgChecker) but is a big improvement when looking for one of several
interesting classes (VariadicMethodTypeChecker), in which the most common
case is that there is no match.

llvm-svn: 158318
2012-06-11 16:40:37 +00:00
Anna Zaks 528b14c5d9 [analyzer] MallocSizeofChecker false positive: when sizeof is argument
to addition.

We should not to warn in case the malloc size argument is an
addition containing 'sizeof' operator - it is common to use the pattern
to pack values of different sizes into a buffer. 

Ex:

uint8_t *buffer = (uint8_t*)malloc(dataSize + sizeof(length));

llvm-svn: 158219
2012-06-08 18:44:43 +00:00
Anna Zaks b60908db3a [analyzer] Add experimental "issue hash" to the plist diagnostic.
CmpRuns.py can be used to compare issues from different analyzer runs.
Since it uses the issue line number to unique 2 issues, adding a new
line to the beginning of a file makes all issues in the file reported as
new. 

The hash will be an opaque value which could be used (along with the
function name) by CmpRuns to identify the same issues. This way, we only
fail to identify the same issue from two runs if the function it appears
in changes (not perfect, but much better than nothing).

llvm-svn: 158180
2012-06-08 00:04:43 +00:00
Anna Zaks a7dcc996a9 [analyzer] Fixit for r158136.
I falsely assumed that the memory spaces are equal when we reach this
point, they might not be when memory space of one or more is stack or
Unknown. We don't want a region from Heap space alias something with
another memory space.

llvm-svn: 158165
2012-06-07 20:18:08 +00:00
Anna Zaks 3563fde6a0 [analyzer] Anti-aliasing: different heap allocations do not alias
Add a concept of symbolic memory region belonging to heap memory space.
When comparing symbolic regions allocated on the heap, assume that they
do not alias. 

Use symbolic heap region to suppress a common false positive pattern in
the malloc checker, in code that relies on malloc not returning the
memory aliased to other malloc allocations, stack.

llvm-svn: 158136
2012-06-07 03:57:32 +00:00
Jordan Rose 0da4e77880 [analyzer] Provide debug descriptions for all memory space regions.
Patch by Guillem Marpons!

llvm-svn: 158106
2012-06-06 20:47:00 +00:00
David Blaikie 40ed29730b Revert Decl's iterators back to pointer value_type rather than reference value_type
In addition, I've made the pointer and reference typedef 'void' rather than T*
just so they can't get misused. I would've omitted them entirely but
std::distance likes them to be there even if it doesn't use them.

This rolls back r155808 and r155869.

Review by Doug Gregor incorporating feedback from Chandler Carruth.

llvm-svn: 158104
2012-06-06 20:45:41 +00:00
Benjamin Kramer d1d76b2da7 Remove unused private member variables found by clang's new -Wunused-private-field.
llvm-svn: 158086
2012-06-06 17:32:50 +00:00
Ted Kremenek f470a4c2ca Disable path pruning for UndefResultChecker. It turns out we usually want to see more of the path
to discover how a value was used uninitialized.

llvm-svn: 158048
2012-06-06 06:25:37 +00:00
Ted Kremenek 54baf2e57d PlistDiagnostics: force the ranges for control-flow edges to be single locations, forcing
adjacent edges to have compatible ranges.  This simplifies the layout logic for some clients.

llvm-svn: 158028
2012-06-05 22:00:52 +00:00
Anna Zaks 4ff9097fcc [analyzer] Fix a diagnostics bug which lead to a crash on the buildbot.
This bug was triggered by r157851. It only happens in the case where we
don't perform optimal diagnostic pruning.

llvm-svn: 157950
2012-06-04 21:03:31 +00:00
Benjamin Kramer 474261af7b Fix typos found by http://github.com/lyda/misspell-check
llvm-svn: 157886
2012-06-02 10:20:41 +00:00
Anna Zaks 7ba2615047 [analyzer] Rely on canBeInlined utility instead of checking CallExpr
explicitly.

This will make it easier to add inlining support to more expressions.

llvm-svn: 157870
2012-06-02 00:40:52 +00:00
Anna Zaks bec49efdf2 [analyzer] Fix a spurious undef value warning.
When we timeout or exceed a max number of blocks within an inlined
function, we retry with no inlining starting from a node right before
the CallEnter node. We assume the state of that node is the state of the
program before we start evaluating the call. However, the node pruning
removes this node as unimportant. 

Teach the node pruning to keep the predecessors of the call enter nodes.

llvm-svn: 157860
2012-06-01 23:48:44 +00:00
Anna Zaks 1b37ea0a5f [analyzer] Fix lack of coverage after empty inlined function.
We should not stop exploring the path after we return from an empty
function.

llvm-svn: 157859
2012-06-01 23:48:40 +00:00
Ted Kremenek 5d6e7c3351 Disable diagnosic path pruning for ReturnUndefChecker.
llvm-svn: 157851
2012-06-01 23:04:04 +00:00
Ted Kremenek c3da376fbc static analyzer: add inlining support for directly called blocks.
llvm-svn: 157833
2012-06-01 20:04:04 +00:00
Tom Care 698daefb58 [analyzer] Fix BugType memory leak in IdempotentOperationChecker.
llvm-svn: 157772
2012-05-31 21:24:58 +00:00
Anna Zaks 2774f99913 [analyzer] Cleanup for r157721.
We should lock the number of elements after the initial parsing is
complete. Recursive AST visitors in AnalyzesConsumer and CallGarph can
trigger lazy pch deserialization resulting in more calls to
HandleTopLevelDecl and appending to the LocalTUDecls list. We should
ignore those.

llvm-svn: 157762
2012-05-31 18:07:55 +00:00
Ted Kremenek 16704bb15b Allow some BugReports to opt-out of PathDiagnostic callstack pruning until we have significantly
improved the pruning heuristics.  The current heuristics are pretty good, but they make diagnostics
for uninitialized variables warnings particularly useless in some cases.

llvm-svn: 157734
2012-05-31 06:03:17 +00:00
Anna Zaks 34d89b7ddc [analyzer]Fix another occurrence of iterator invalidation (LocalTUDecls)
Follow up in r155693, r155680.

Prevents a hard to reproduce crash with the following stack trace:
3  libsystem_c.dylib 0x00007ff55a835050 _sigtramp + 18446744029881443184
4  clang             0x0000000106218e97 (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
+ 519
5  clang             0x0000000105cf3002 clang::ParseAST(clang::Sema&,
bool, bool) + 690
6  clang             0x00000001059a41d8
clang::ASTFrontendAction::ExecuteAction() + 312
7  clang             0x00000001059a3df7 clang::FrontendAction::Execute()
+ 231
8  clang             0x00000001059b0ecc
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 860
9  clang             0x000000010595e451
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 961
10 clang             0x0000000105947f29 cc1_main(char const**, char
const**, char const*, void*) + 969
11 clang             0x0000000105958259 main + 473
12 clang             0x0000000105947b34 start + 52

llvm-svn: 157721
2012-05-30 23:14:48 +00:00
Benjamin Kramer 69b5a60d96 Replace some custom hash combines with the standard stuff from DenseMapInfo.
llvm-svn: 157531
2012-05-27 13:28:44 +00:00
Anna Zaks 6a65819ba3 [analyzer] Don't crash on LValBitCast
llvm-svn: 157478
2012-05-25 16:02:16 +00:00