Commit Graph

2204 Commits

Author SHA1 Message Date
Jordan Rose 1a866cd54b [analyzer] Model getters of known-@synthesized Objective-C properties.
...by synthesizing their body to be "return self->_prop;", with an extra
nudge to RetainCountChecker to still treat the value as +0 if we have no
other information.

This doesn't handle weak properties, but that's mostly correct anyway,
since they can go to nil at any time. This also doesn't apply to properties
whose implementations we can't see, since they may not be backed by an
ivar at all. And finally, this doesn't handle properties of C++ class type,
because we can't invoke the copy constructor. (Sema has actually done this
work already, but the AST it synthesizes is one the analyzer doesn't quite
handle -- it has an rvalue DeclRefExpr.)

Modeling setters is likely to be more difficult (since it requires
handling strong/copy), but not impossible.

<rdar://problem/11956898>

llvm-svn: 198953
2014-01-10 20:06:06 +00:00
Alp Toker 099d4ee125 Add a test for Static Analyzer checker plugins
llvm-svn: 198820
2014-01-09 00:47:40 +00:00
Jordan Rose 656fdd55dd [analyzer] Warn about double-delete in C++ at the second delete...
...rather somewhere in the destructor when we try to access something and
realize the object has already been deleted. This is necessary because
the destructor is processed before the 'delete' itself.

Patch by Karthik Bhat!

llvm-svn: 198779
2014-01-08 18:46:55 +00:00
Jordan Rose 514f935411 [analyzer] Pointers escape into +[NSValue valueWithPointer:]...
...even though the argument is declared "const void *", because this is
just a way to pass pointers around as objects. (Though NSData is often
a better one.)

PR18262

llvm-svn: 198710
2014-01-07 21:39:48 +00:00
Ted Kremenek 776409286b [analyzer] Remove IdempotentOperations checker.
This checker has not been updated to work with interprocedural analysis,
and actually contains both logical correctness issues but also
memory bugs.  We can resuscitate it from version control once there
is focused interest in making it a real viable checker again.

llvm-svn: 198476
2014-01-04 05:52:11 +00:00
Ted Kremenek 9b12e72376 [analyzer] Don't track return value of NSNull +null for retain/release tracking.
Fixes <rdar://problem/12858915>.

llvm-svn: 198388
2014-01-03 01:19:28 +00:00
Jordan Rose 821f102985 [analyzer] Fix test in previous commit to account for compiler warning.
--analyze passes -w, but -cc1 -analyze doesn't. Oops!

llvm-svn: 197741
2013-12-19 23:05:40 +00:00
Jordan Rose 7ae3362458 [analyzer] Always use 'bool' as the SValBuilder condition type in C++.
We have assertions for this, but a few edge cases had snuck through where
we were still unconditionally using 'int'.

<rdar://problem/15703011>

llvm-svn: 197733
2013-12-19 22:32:39 +00:00
Ted Kremenek b79ee57080 Implemented delayed processing of 'unavailable' checking, just like with 'deprecated'.
Fixes <rdar://problem/15584219> and <rdar://problem/12241361>.

This change looks large, but all it does is reuse and consolidate
the delayed diagnostic logic for deprecation warnings with unavailability
warnings.  By doing so, it showed various inconsistencies between the
diagnostics, which were close, but not consistent.  It also revealed
some missing "note:"'s in the deprecated diagnostics that were showing
up in the unavailable diagnostics, etc.

This change also changes the wording of the core deprecation diagnostics.
Instead of saying "function has been explicitly marked deprecated"
we now saw "'X' has been been explicitly marked deprecated".  It
turns out providing a bit more context is useful, and often we
got the actual term wrong or it was not very precise
 (e.g., "function" instead of "destructor").  By just saying the name
of the thing that is deprecated/deleted/unavailable we define
this issue away.  This diagnostic can likely be further wordsmithed
to be shorter.

llvm-svn: 197627
2013-12-18 23:30:06 +00:00
Fariborz Jahanian 283bf89506 Objective-C. After providing a fix-it for a
cstring, converted to NSString, produce the
matching AST for it. This also required some
refactoring of the previous code. // rdar://14106083

llvm-svn: 197605
2013-12-18 21:04:43 +00:00
Alp Toker 6ed7251683 Revert "Don't require -re suffix on -verify directives with regexes."
This patch was submitted to the list for review and didn't receive a LGTM.

(In fact one explicit objection and one query were raised.)

This reverts commit r197295.

llvm-svn: 197299
2013-12-14 01:07:05 +00:00
Hans Wennborg 9b395ef284 Don't require -re suffix on -verify directives with regexes.
Differential Revision: http://llvm-reviews.chandlerc.com/D2392

llvm-svn: 197295
2013-12-14 00:46:53 +00:00
Ted Kremenek 2ccf19e1ab Change 'method X in protocol not implemented' warning to include the name of the protocol.
This removes an extra "note:", which wasn't really all that more useful
and overall reduces the diagnostic spew for this case.

llvm-svn: 197207
2013-12-13 05:58:51 +00:00
Ted Kremenek 5d0fb1ea1c Add CFG tests for switch's involving "extended" enum.
llvm-svn: 197094
2013-12-11 23:44:05 +00:00
Hans Wennborg cda4b6dd00 Change semantics of regex expectations in the diagnostic verifier
Previously, a line like

  // expected-error-re {{foo}}

treats the entirety of foo as a regex. This is inconvenient when matching type
names containing regex characters. For example, to match
"void *(class test8::A::*)(void)" inside such a regex, one would have to type
"void \*\(class test8::A::\*\)\(void\)".

This patch changes the semantics of expected-error-re to only treat the parts
of the directive wrapped in double curly braces as regexes. This avoids the
escaping problem and leads to nicer patterns for those cases; see e.g. the
change to test/Sema/format-strings-scanf.c.

(The balanced search for closing }} of a directive also makes us handle the
full directive in test\SemaCXX\constexpr-printing.cpp:41 and :53.)

Differential Revision: http://llvm-reviews.chandlerc.com/D2388

llvm-svn: 197092
2013-12-11 23:40:50 +00:00
Jordan Rose 60bd88d341 [analyzer] Extend IdenticalExprChecker to check ternary operator results.
Warn if both result expressions of a ternary operator (? :) are the same.
Because only one of them will be executed, this warning will fire even if
the expressions have side effects.

Patch by Anders Rönnholm and Per Viberg!

llvm-svn: 196937
2013-12-10 18:18:06 +00:00
Alp Toker 544bd43624 Remove duplicated -cc1 in tests
llvm-svn: 196728
2013-12-08 18:06:52 +00:00
Anna Zaks f5308fac1e Fixup to r196593.
This is another regression fixed by reverting r189090.

In this case, the problem is not live variables but the approach that was taken in r189090. This regression was caused by explicitly binding "true" to the condition when we take the true branch. Normally that's okay, but in this case we're planning to reuse that condition as the value of the expression.

llvm-svn: 196599
2013-12-06 19:28:16 +00:00
Anna Zaks cf8d2165ff Revert "[analyzer] Refactor conditional expression evaluating code"
This reverts commit r189090.

The original patch introduced regressions (see the added live-variables.* tests). The patch depends on the correctness of live variable analyses, which are not computed correctly. I've opened PR18159 to track the proper resolution to this problem.

The patch was a stepping block to r189746. This is why part of the patch reverts temporary destructor tests that started crashing. The temporary destructors feature is disabled by default.

llvm-svn: 196593
2013-12-06 18:56:29 +00:00
Alp Toker f6a24ce40f Fix a tranche of comment, test and doc typos
llvm-svn: 196510
2013-12-05 16:25:25 +00:00
Alp Toker d473363876 Correct hyphenations in comments and assert messages
This patch tries to avoid unrelated changes other than fixing a few
hyphen-related ambiguities in nearby lines.

llvm-svn: 196466
2013-12-05 04:47:09 +00:00
Anna Zaks d2a807d831 [analyzer] Fix an infinite recursion in region invalidation by adding block count to the BlockDataRegion.
llvm-svn: 195174
2013-11-20 00:11:42 +00:00
Anton Yartsev 968c60a554 [analyzer] Better modeling of memcpy by the CStringChecker (PR16731).
New rules of invalidation/escape of the source buffer of memcpy: the source buffer contents is invalidated and escape while the source buffer region itself is neither invalidated, nor escape.
In the current modeling of memcpy the information about allocation state of regions, accessible through the source buffer, is not copied to the destination buffer and we can not track the allocation state of those regions anymore. So we invalidate/escape the source buffer indirect regions in anticipation of their being invalidated for real later. This eliminates false-positive leaks reported by the unix.Malloc and alpha.cplusplus.NewDeleteLeaks checkers for the cases like

char *f() {
  void *x = malloc(47);
  char *a;
  memcpy(&a, &x, sizeof a);
  return a;
}

llvm-svn: 194953
2013-11-17 09:18:48 +00:00
Jordan Rose 4c56c22634 [analyzer] Silence warnings coming from allocators used by std::basic_string.
This is similar to r194004: because we can't reason about the data structure
invariants of std::basic_string, the analyzer decides it's possible for an
allocator to be used to deallocate the string's inline storage. Just ignore
this by walking up the stack, skipping past methods in classes with
"allocator" in the name, and seeing if we reach std::basic_string that way.

PR17866

llvm-svn: 194764
2013-11-15 02:11:19 +00:00
Jordan Rose dba2692865 [analyzer] Treat MSVC's _wassert as noreturn.
This makes sure the analyzer actually honors assert() in an MSVC project.

Patch by Anders Montonen!

llvm-svn: 194716
2013-11-14 17:55:00 +00:00
Jordan Rose 51327f9237 [analyzer] Add IdenticalExprChecker, to find copy-pasted code.
This syntactic checker looks for expressions on both sides of comparison
operators that are structurally the same. As a special case, the
floating-point idiom "x != x" for "isnan(x)" is left alone.

Currently this only checks comparison operators, but in the future we could
extend this to include logical operators or chained if-conditionals.

Checker by Per Viberg!

llvm-svn: 194236
2013-11-08 01:15:39 +00:00
Jordan Rose 1a4ae202c7 [analyzer] Track whether an ObjC for-in loop had zero iterations.
An Objective-C for-in loop will have zero iterations if the collection is
empty. Previously, we could only detect this case if the program asked for
the collection's -count /before/ the for-in loop. Now, the analyzer
distinguishes for-in loops that had zero iterations from those with at
least one, and can use this information to constrain the result of calling
-count after the loop.

In order to make this actually useful, teach the checker that methods on
NSArray, NSDictionary, and the other immutable collection classes don't
change the count.

<rdar://problem/14992886>

llvm-svn: 194235
2013-11-08 01:15:35 +00:00
Jordan Rose 236dbd25e7 [analyzer] Specialize "loop executed 0 times" for for-in and for-range loops.
The path note that says "Loop body executed 0 times" has been changed to
"Loop body skipped when range is empty" for C++11 for-range loops, and to
"Loop body skipped when collection is empty" for Objective-C for-in loops.

Part of <rdar://problem/14992886>

llvm-svn: 194234
2013-11-08 01:15:30 +00:00
Alp Toker 52ca4a4e47 Fix test that wasn't testing anything
llvm-svn: 194069
2013-11-05 12:45:37 +00:00
Anna Zaks 3d46ac66d8 [analyzer] Track the count of NSOrderedSet similarly to other fast enumerations.
llvm-svn: 194005
2013-11-04 19:13:08 +00:00
Anna Zaks 830d2f7701 [analyzer] Suppress warnings coming out of std::basic_string.
The analyzer cannot reason about the internal invariances of the data structure (radar://15194597).

llvm-svn: 194004
2013-11-04 19:13:03 +00:00
Jordan Rose 1417a7b174 [analyzer] Don't crash when a path goes through a 'delete' destructor call.
This was just left unimplemnted from r191381; the fix is to report this call
location as the location of the 'delete' expr.

PR17746

llvm-svn: 193783
2013-10-31 18:41:15 +00:00
Alp Toker 93c33c1be6 Switch %clang -cc1 tests to %clang_cc1
llvm-svn: 193561
2013-10-28 23:47:09 +00:00
Jordan Rose e692cfa330 [analyzer] Don't emit an "Assuming x is <OP> y" if it's not a comparison op.
We could certainly be more precise in many of our diagnostics, but before we
were printing "Assuming x is && y", which is just ridiculous.

<rdar://problem/15167979>

llvm-svn: 193455
2013-10-26 01:16:26 +00:00
Jordan Rose bb61c8cc73 [analyzer] Generate a LazyCompoundVal when loading from a union-typed region.
This ensures that variables accessible through a union are invalidated when
the union value is passed to a function. We still don't fully handle union
values, but this should at least quiet some false positives.

PR16596

llvm-svn: 193265
2013-10-23 20:08:55 +00:00
Jordan Rose 69d0aed6f1 CFG: Properly print delegating initializer CFG elements.
...rather than segfaulting.

Patch by Enrico P!

llvm-svn: 193208
2013-10-22 23:19:47 +00:00
Chandler Carruth b3b8ea8007 Revert r193073 and the attempt to fix it in r193170.
This patch wasn't reviewed, and isn't correctly preserving the behaviors
relied upon by QT. I don't have a direct example of fallout, but it
should go through the standard code review process. For example, it
should never have removed the QT test case that was added when fixing
those users.

llvm-svn: 193174
2013-10-22 18:07:04 +00:00
Serge Pavlov 6652921d5a Fix to PR8880 (clang dies processing a for loop).
Due to statement expressions supported as GCC extension, it is possible
to put 'break' or 'continue' into a loop/switch statement but outside its
body, for example:

    for ( ; ({ if (first) { first = 0; continue; } 0; }); )

Such usage must be diagnosed as an error, GCC rejects it. To recognize
this and similar patterns the flags BreakScope and ContinueScope are
temporarily turned off while parsing condition expression.

Differential Revision: http://llvm-reviews.chandlerc.com/D1762

llvm-svn: 193073
2013-10-21 09:34:44 +00:00
Jordan Rose ac07c8dae7 [analyzer] Don't draw edges to C++11 in-class member initializers.
Since these aren't lexically in the constructor, drawing arrows would
be a horrible jump across the body of the class. We could still do
better here by skipping over unimportant initializers, but this at least
keeps everything within the body of the constructor.

<rdar://problem/14960554>

llvm-svn: 192818
2013-10-16 17:45:35 +00:00
Jordan Rose 7741132f47 [analyzer] RetainCountChecker: add support for CFAutorelease.
<rdar://problems/13710586&13710643>

llvm-svn: 192113
2013-10-07 17:16:52 +00:00
Jordan Rose 9db2d9adef [analyzer] Add new debug helper clang_analyzer_warnIfReached.
This will emit a warning if a call to clang_analyzer_warnIfReached is
executed, printing REACHABLE. This is a more explicit way to declare
expected reachability than using clang_analyzer_eval or triggering
a bug (divide-by-zero or null dereference), and unlike the former will
work the same in inlined functions and top-level functions. Like the
other debug helpers, it is part of the debug.ExprInspection checker.

Patch by Jared Grubb!

llvm-svn: 191909
2013-10-03 16:57:03 +00:00
Jordan Rose 44e066c72a [analyzer] Add missing return after function pointer null check.
Also add some tests that there is actually a message and that the bug is
actually a hard error. This actually behaved correctly before, because:

- addTransition() doesn't actually add a transition if the new state is null;
  it assumes you want to propagate the predecessor forward and does nothing.
- generateSink() is called in order to emit a bug report.
- If at least one new node has been generated, the predecessor node is /not/
  propagated forward.

But now it's spelled out explicitly.

Found by Richard Mazorodze, who's working on a patch that may require this.

llvm-svn: 191805
2013-10-02 01:20:28 +00:00
Richard Smith bb13c9a49d Per latest drafting, switch to implementing init-captures as if by declaring
and capturing a variable declaration, and complete the implementation of them.

llvm-svn: 191605
2013-09-28 04:02:39 +00:00
Jordan Rose 3553bb384b [analyzer] Make inlining decisions based on the callee being variadic.
...rather than trying to figure it out from the call site, and having
people complain that we guessed wrong and that a prototype-less call is
the same as a variadic call on their system. More importantly, fix a
crash when there's no decl at the call site (though we could have just
returned a default value).

<rdar://problem/15037033>

llvm-svn: 191599
2013-09-28 02:04:19 +00:00
Rafael Espindola ea1ba0adfc Replace -fobjc-default-synthesize-properties with disable-objc-default-synthesize-properties.
We want the modern behavior most of the time, so inverting the option simplifies
the driver and the tests.

llvm-svn: 191551
2013-09-27 20:21:48 +00:00
Jordan Rose 1ccc43d50e [analyzer] Handle destructors for the argument to C++ 'delete'.
Now that the CFG includes nodes for the destructors in a delete-expression,
process them in the analyzer using the same common destructor interface
currently used for local, member, and base destructors. Also, check for when
the value is known to be null, in which case no destructor is actually run.

This does not yet handle destructors for deleted /arrays/, which may need
more CFG work. It also causes a slight regression in the location of
double delete warnings; the double delete is detected at the destructor
call, which is implicit, and so is reported on the first access within the
destructor instead of at the 'delete' statement. This will be fixed soon.

Patch by Karthik Bhat!

llvm-svn: 191381
2013-09-25 16:06:17 +00:00
Jordan Rose 36bc6b4559 [analyzer] Don't even try to convert floats to booleans for now.
We now have symbols with floating-point type to make sure that
(double)x == (double)x comes out true, but we still can't do much with
these. For now, don't even bother trying to create a floating-point zero
value; just give up on conversion to bool.

PR14634, C++ edition.

llvm-svn: 190953
2013-09-18 18:58:58 +00:00
Anna Zaks fb05094b52 [analyzer] Stop tracking the objects with attribute cleanup in the RetainCountChecker.
This suppresses false positive leaks. We stop tracking a value if it is assigned to a variable declared with a cleanup attribute.

llvm-svn: 190835
2013-09-17 00:53:28 +00:00
Amara Emerson 8c3de546d6 Add error checking to reject neon_vector_type attribute on targets without NEON.
Patch by Artyom Skrobov.

llvm-svn: 190801
2013-09-16 18:07:35 +00:00
Anton Yartsev f5bcccee76 New message for cases when ownership is taken:
"+method_name: cannot take ownership of memory allocated by 'new'."
instead of the old
"Memory allocated by 'new' should be deallocated by 'delete', not +method_name"

llvm-svn: 190800
2013-09-16 17:51:25 +00:00