3956106543
implement PR7569, warning about assignment to null, which
...
people seem to write when they want a deterministic trap.
Suggest instead that they use a volatile pointer or
__builtin_trap.
llvm-svn: 107756
2010-07-07 06:14:23 +00:00
49f1e908b2
Fix idempotent operations test command line arguments.
...
llvm-svn: 107735
2010-07-06 23:47:26 +00:00
134a236a14
Add a new path-sensitive checker for functions in <string.h>, for both null-terminated strings and memory blocks. Currently only checks memcpy(), memmove(), and bcopy(), but this is intended to be expanded soon.
...
llvm-svn: 107722
2010-07-06 23:11:01 +00:00
3ff08a8e76
Added a path-sensitive idempotent operation checker (-analyzer-idempotent-operation). Finds idempotent and/or tautological operations in a path sensitive context, flagging operations that have no effect or a predictable effect.
...
Example:
{
int a = 1;
int b = 5;
int c = b / a; // a is 1 on all paths
}
- New IdempotentOperationChecker class
- Moved recursive Stmt functions in r107675 to IdempotentOperationChecker
- Minor refactoring of SVal to allow checking for any integer
- Added command line option for check
- Added basic test cases
llvm-svn: 107706
2010-07-06 21:43:29 +00:00
4c0a919732
Oops, tabs --> spaces in test.
...
llvm-svn: 107634
2010-07-06 02:42:09 +00:00
40c5c24c06
Improve NULL-checking for CFRetain/CFRelease. We now remember that the argument was non-NULL, and we report where the null assumption came from (like AttrNonNullChecker already did).
...
llvm-svn: 107633
2010-07-06 02:34:42 +00:00
0704a7fe43
Support sizeof for VLA expressions (sizeof(someVLA)). sizeof(int[n]) still unimplemented. A VLA region's sizeof value matches its extent.
...
llvm-svn: 107611
2010-07-05 04:42:43 +00:00
e6b999bf9a
Track extents for VLAs.
...
llvm-svn: 107603
2010-07-05 00:50:15 +00:00
674bd55f02
Add a new symbol type, SymbolExtent, to represent the extents of memory regions that may not be known at compile-time (such as those created by malloc). This replaces the old setExtent/getExtent API on Store, which used the GRState's GDM to store SVals.
...
Also adds a getKnownValue() method to SValuator, which gets the integer value of an SVal if it is known to only have one possible value. There are more places in the code that could be using this, but in general we want to be dealing entirely in SVals, so its usefulness is limited.
The only visible functionality change is that extents are now honored for any DeclRegion, such as fields and Objective-C ivars, rather than just variables. This shows up in bounds-checking and cast-size-checking.
llvm-svn: 107577
2010-07-04 00:00:41 +00:00
bd862711fd
Fix PR 7475 by enhancing the static analyzer to also invalidate bindings for non-static global variables
...
when calling a function/method whose impact on global variables we cannot accurately estimate.
This change introduces two new MemSpaceRegions that divide up the memory space of globals, and causes
RegionStore and BasicStore to consult a binding to the NonStaticGlobalsMemSpaceRegion when lazily
determining the value of a global.
llvm-svn: 107423
2010-07-01 20:16:50 +00:00
639ffb0c07
Fix rdar://8139785 "implement warning on dead expression in comma operator"
...
As a bonus, fix the warning for || and && operators; it was emitted even if one of the operands had side effects, e.g:
x || test_logical_foo1();
emitted a bogus "expression result unused" for 'x'.
llvm-svn: 107274
2010-06-30 10:53:14 +00:00
dc48471861
Pointers casted as integers still count as locations to SimpleSValuator, so don't crash if we do a funny thing like ((int)ptr)&1. Fixes PR7527.
...
llvm-svn: 107236
2010-06-30 01:35:20 +00:00
61176897ba
Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL().
...
llvm-svn: 106992
2010-06-28 08:26:15 +00:00
7f8ea4d677
Implicitly compare symbolic expressions to zero when they're being used as constraints. Part of PR7491.
...
llvm-svn: 106972
2010-06-27 01:20:56 +00:00
c3bcc36a0b
When a constant size array is casted to another type, its length should be scaled as well.
...
llvm-svn: 106911
2010-06-25 23:23:04 +00:00
da42d523cf
Add dead stores C++ test case that was previously asserting due to an
...
invalid source range for CXXNewExpr.
llvm-svn: 106904
2010-06-25 22:48:52 +00:00
76abf19ea6
Fix -analyze-display-progress (once again), this time with an additional regression test.
...
llvm-svn: 106883
2010-06-25 20:59:24 +00:00
9aa0d39443
A bug I've introduced in STDIN handling surfaced a few broken tests, fix them.
...
Lexer/hexfloat.cpp is now XFAIL'd, I'd appreciate if someone could look into it.
llvm-svn: 106840
2010-06-25 12:48:07 +00:00
facf8a8e74
Add check for illegal whence argument of fseek.
...
llvm-svn: 106742
2010-06-24 13:36:41 +00:00
322ab26387
Don't depend on system headers in clang -cc1 tests.
...
The constant was copied from clang's limits.h.
llvm-svn: 106732
2010-06-24 11:06:12 +00:00
b016d6c3d8
Revert "Tweak tests to hopefully fix include of limits.h on win32.", tweak fails on linux.
...
llvm-svn: 106661
2010-06-23 18:31:33 +00:00
08748457b9
Tweak tests to hopefully fix include of limits.h on win32.
...
llvm-svn: 106639
2010-06-23 18:06:20 +00:00
2a33a0deef
Correctly construct an ElementRegion for alloca() + pointer arithmetic. Fixes analyzer
...
crash reported in PR 7450.
llvm-svn: 106609
2010-06-22 23:58:31 +00:00
79404afc1c
When folding additive operations, convert the values to the same type. When assuming relationships, convert the integers to the same type as the symbol, at least for now.
...
llvm-svn: 106458
2010-06-21 20:15:15 +00:00
3d85888d4e
If a nonnull argument evaluates to UnknownVal, don't warn (and don't crash).
...
llvm-svn: 106456
2010-06-21 20:08:28 +00:00
895c899142
Adds analyzer support for idempotent and tautological binary operations such as "a*0" and "a+0". This is not very powerful, but does make the analyzer look a little smarter than it actually is.
...
llvm-svn: 106402
2010-06-20 04:56:29 +00:00
2dd9b02cc8
Casting to void* or any other pointer-to-sizeless type (e.g. function pointers) causes a divide-by-zero error. Simple fix: check if the pointee type size is 0 and bail out early if it is.
...
llvm-svn: 106401
2010-06-20 04:30:57 +00:00
c0fe8429f2
Fold additive constants, and support comparsions of the form $sym+const1 <> const2
...
llvm-svn: 106339
2010-06-18 22:49:11 +00:00
e96a9132b8
Add null stream check for more APIs.
...
llvm-svn: 106274
2010-06-18 02:47:46 +00:00
5df037e808
Tweak stack address checker to report multiple cases where globals may reference stack memory.
...
Also refactor the diagnostics so that we print out the kind of stack memory returned.
llvm-svn: 106210
2010-06-17 04:21:37 +00:00
17504bea33
Rework StackAddrLeakChecker to find stores of stack memory addresses to global variables
...
by inspecting the Store bindings instead of iterating over all the global variables
in a translation unit. By looking at the store directly, we avoid cases where we cannot
directly load from the global variable, such as an array (which can result in an assertion failure)
and it also catches cases where we store stack addresses to non-scalar globals.
Also, but not iterating over all the globals in the translation unit, we maintain cache
locality, and the complexity of the checker becomes restricted to the complexity of the
analyzed function, and doesn't scale with the size of the translation unit.
This fixes PR 7383.
llvm-svn: 106184
2010-06-17 00:24:44 +00:00
0fa7cddbab
Add StreamChecker. This checker models and checks stream manipulation functions.
...
This is the start.
llvm-svn: 106082
2010-06-16 05:38:05 +00:00
4c721bf892
Change AnalysisConsumer to analyze functions created by instantiantiating a macro. Fixes PR 7361.
...
llvm-svn: 105984
2010-06-15 00:55:40 +00:00
1225aacacf
Merge StackAddrLeakChecker and ReturnStackAddressChecker.
...
llvm-svn: 105687
2010-06-09 06:08:24 +00:00
4200be5e76
Directly compare the StackFrameContext. This greatly simplifies logic and
...
improves generality. Thanks Ted.
llvm-svn: 105686
2010-06-09 05:50:38 +00:00
87e7fc5dc2
Add a checker check if a global variable holds a local variable's address after
...
the function call is left where the local variable is declared.
llvm-svn: 105602
2010-06-08 10:00:00 +00:00
3597b21f20
Catch free()s on non-regions and regions known to be not from malloc(), by checking the symbol type and memory space.
...
llvm-svn: 105547
2010-06-07 19:32:37 +00:00
2e22268904
Assignments to reference variables shouldn't kill the variable.
...
llvm-svn: 105452
2010-06-04 01:14:56 +00:00
41cdf585c2
CFG: add all LHS of assingments as lvalue. This improves support for C++ reference. Patch by Jordy.
...
llvm-svn: 105383
2010-06-03 06:23:18 +00:00
527ff6d1dc
Add support for calloc() in MallocChecker. Patch by Jordy Rose, with my
...
modification.
llvm-svn: 105264
2010-06-01 03:01:33 +00:00
4708f5a89b
After conversations with Zhongxing Xu and Jordy Rose, refine the logic in
...
RegionStoreManager::RetrieveElement() that handles indexing into a larger scalar
object to only consult the direct binding of a super region if it is a scalar.
This isn't perfect yet, and a big FIXME is attached to the code. This causes
the test case for PR 7218 now to pass.
llvm-svn: 105195
2010-05-31 01:22:04 +00:00
94aec9381d
Revert r105097. Thinking about a better fix.
...
llvm-svn: 105099
2010-05-29 06:49:04 +00:00
928a190a8e
Fix PR7218. Patch by Jordy Rose.
...
llvm-svn: 105097
2010-05-29 06:23:24 +00:00
15a0abd399
Discard qualifiers for ElementRegions so that a 'const' doesn't change the lookup semantics
...
in the symbol store. We may wish to push this down into the StoreManager itself.
llvm-svn: 104788
2010-05-27 00:29:00 +00:00
34ddec630c
Predefine the '__clang_analyzer__' macro when using '-analyze'.
...
llvm-svn: 104742
2010-05-26 21:36:54 +00:00
658dd8b176
CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
...
whether the size of the symbolic region is a multiple of the size of T.
Fixes PR6123 and PR7217.
llvm-svn: 104584
2010-05-25 04:59:19 +00:00
a2448b85be
Update retain-release checker to understand changes to how 'super' is represented
...
in the ASTs. Fixes <rdar://problem/8015556>.
llvm-svn: 104389
2010-05-21 21:57:00 +00:00
304a9537e1
Fix crash in CFG construction for 'break' statements appearing in statement expressions
...
within the increment code of a for loop.
llvm-svn: 104375
2010-05-21 20:30:15 +00:00
ecc31c93c2
Don't add a null successor to a CFGBlock when the contents of an @synchronized statement is empty.
...
Fixes <rdar://problem/7979430>.
llvm-svn: 103717
2010-05-13 16:38:08 +00:00
1a56a488ed
Turn -analyzer-inline-call on for C functions. This also fixed a bug that
...
after inlining post-call checking shouldn't be done.
llvm-svn: 103161
2010-05-06 03:38:27 +00:00
9174b2c2f9
Make -analyzer-inline-call not a separate analysis. Instead it's a boolean
...
flag now, and can be used with other analyses. Only turned it on for C++
methods for now.
llvm-svn: 103160
2010-05-06 02:59:29 +00:00
685a1d818d
Refactor the AnalysisConsumer to analyze functions after the whole
...
translation unit is parsed. This enables us to inline some calls when still
analyzing one function at a time.
Actions are classified into Function, CXXMethod, ObjCMethod,
ObjCImplementation.
This does not hurt performance much. The analysis time for sqlite3.c:
before:
real 17m52.440s
user 17m49.460s
sys 0m2.010s
after:
real 18m0.500s
user 17m56.900s
sys 0m2.330s
DisplayProgress option is broken now. -inine-call action is removed. It
will be reenabled in another form, perhaps as an indenpendant option.
llvm-svn: 102689
2010-04-30 04:14:20 +00:00
989da5eeff
Fix CFG crasher involving statement expressions reported in PR 6938.
...
llvm-svn: 102576
2010-04-29 01:10:26 +00:00
f29231ece0
The second check point in the old test case was invalid.
...
llvm-svn: 101983
2010-04-21 02:22:25 +00:00
52c28fe61a
Add test cases.
...
llvm-svn: 101878
2010-04-20 05:48:57 +00:00
ef55dd17ec
Static analyzer: Don't crash when casting a symbolic region address to a float. Fixes PR 6854.
...
llvm-svn: 101499
2010-04-16 17:54:33 +00:00
8db54ff1de
Fix PR 6844, a regression caused by the introduction of llvm_unreachable for the default
...
case in GRExprEngine::Visit (in r101129). Instead, enumerate all Stmt cases and have
no 'default' case in the switch statement. When we encounter a Stmt we don't handle,
we should explicitly add it to the switch statement.
llvm-svn: 101378
2010-04-15 17:33:31 +00:00
5868ec6e3d
Fix CFG bug where bases of member expressions were not always evaluated in a lvalue context. Fixes <rdar://problem/7813989>.
...
llvm-svn: 100966
2010-04-11 17:02:10 +00:00
c68e140657
Improve diagnostics when we fail to convert from a source type to a
...
destination type for initialization, assignment, parameter-passing,
etc. The main issue fixed here is that we used rather confusing
wording for diagnostics such as
t.c:2:9: warning: initializing 'char const [2]' discards qualifiers,
expected 'char *' [-pedantic]
char *name = __func__;
^ ~~~~~~~~
We're not initializing a 'char const [2]', we're initializing a 'char
*' with an expression of type 'char const [2]'. Similar problems
existed for other diagnostics in this area, so I've normalized them all
with more precise descriptive text to say what we're
initializing/converting/assigning/etc. from and to. The warning for
the code above is now:
t.c:2:9: warning: initializing 'char *' from an expression of type
'char const [2]' discards qualifiers [-pedantic]
char *name = __func__;
^ ~~~~~~~~
Fixes <rdar://problem/7447179>.
llvm-svn: 100832
2010-04-09 00:35:39 +00:00
ea4a5abf61
Add static analyzer check for calls to 'pthread_once()' where the control-flow has
...
automatic storage. This matches the corresponding check for 'dispatch_once()'.
llvm-svn: 100803
2010-04-08 19:53:31 +00:00
198cb4df6e
Instead of counting totally diagnostics, split the count into a count
...
of errors and warnings. This allows us to emit something like this:
2 warnings and 1 error generated.
instead of:
3 diagnostics generated.
This also stops counting 'notes' because they are just follow-on information
about the previous diag, not a diagnostic in themselves.
llvm-svn: 100675
2010-04-07 18:47:42 +00:00
6e95bfc6a5
Fix crash in StoreManager::CastRegion() when the base region is a type with 0 size.
...
llvm-svn: 100594
2010-04-07 00:46:49 +00:00
f969841a1a
Teach MemRegion::getBaseRegion() about ObjCIvarRegions. We want to treat
...
them the same way as fields. This fixes a regression in RegionStore::RemoveDeadbindings()
that emerged from going to the cluster-based analysis.
llvm-svn: 100570
2010-04-06 22:06:03 +00:00
faa4905e0c
Always assume block-level expressions in the caller are alive when analyzing
...
the callee.
llvm-svn: 100429
2010-04-05 13:16:29 +00:00
640aad7667
Use the element type to compute the array size when the base region is a VarRegion.
...
Patch by Jordy Rose.
llvm-svn: 100099
2010-04-01 08:20:27 +00:00
c3e1f2f9ba
Fix a bug (PR 6699) in RegionStore::RemoveDeadBindings() where
...
array values with a non-zero offset would get prematurely pruned from the store.
llvm-svn: 100067
2010-04-01 00:15:55 +00:00
2d107f9d1d
RegionStore: specially handle loads from integer global variables declared 'const'.
...
Fixes a false positive reported in PR 6288.
llvm-svn: 99922
2010-03-30 20:31:04 +00:00
4be6a75884
Change the analyzer to recognize (but ignore) assignments to isa. Fixes PR 6302.
...
llvm-svn: 99904
2010-03-30 18:24:54 +00:00
97752f7c95
Improve diagnostics on incomplete implementation
...
of objc classes; including which methods
need be implemented and where they come from.
WIP.
llvm-svn: 99724
2010-03-27 19:02:17 +00:00
0f250e4c5b
Fix NoReturnFunctionChecker to properly look at a function's type
...
when determining if it returns. Fixes <rdar://problem/7796563>.
llvm-svn: 99663
2010-03-26 22:57:13 +00:00
bb6f5af4a4
Tweak null dereference diagnostics to give clearer diagnostics when
...
a null dereference results from a field access.
llvm-svn: 99236
2010-03-23 01:11:38 +00:00
28ec56d7dd
Improve the diagnostics for the UndefinedAssignmentChecker when an
...
uninitialized value is used in the LHS of a compound assignment.
llvm-svn: 99221
2010-03-22 22:16:26 +00:00
c517974e9e
Add test case for <rdar://problem/7770737>.
...
llvm-svn: 98979
2010-03-19 19:45:03 +00:00
c342c9c001
Refactor argument checking in CallAndMessageChecker to be the same
...
for both CallExprs and ObjCMessageExprs.
llvm-svn: 98800
2010-03-18 03:22:29 +00:00
9c05f4ef69
Detect pass-by-value arguments that are structs that contain
...
uninitialized data.
llvm-svn: 98796
2010-03-18 02:17:27 +00:00
e174fda979
Tweak dead stores checker to not emit a warning when initialization
...
a scalar variable with a scalar parameter. This is a
form of defensive programming. If the variable is unused,
it will be caused by -Wunused-variable.
llvm-svn: 98795
2010-03-18 01:22:39 +00:00
1bb6a1a593
Add use-after-free check to MallocChecker.
...
llvm-svn: 98136
2010-03-10 04:58:55 +00:00
575398e29b
When computing in AnalysisContext the variables referenced
...
by a block, also look at the contained blocks.
llvm-svn: 98111
2010-03-10 00:18:11 +00:00
5cb8d9d40f
When profiling Environment, also profile with AnalysisContext*, bacause
...
we now may have identical states with different analysis context.
Set the right AnalysisContext in state when entering and leaving a callee.
With both of the above changes, we can pass the test case.
llvm-svn: 97724
2010-03-04 09:04:52 +00:00
6b11b4e050
Add comments to test case.
...
llvm-svn: 97619
2010-03-03 01:02:48 +00:00
d497e126cb
Register all parameters even if they didn't occur in the function body.
...
We may query their liveness because they are added to store when passing
argument values.
llvm-svn: 97562
2010-03-02 10:08:30 +00:00
e334bb1a66
Add test case for inlining call analysis.
...
llvm-svn: 97300
2010-02-27 02:44:37 +00:00
d98d22b9af
Enhance the unused ivar checker to not consider an ivar to be accidentally unused
...
when it is explicitly marked as unused via __attribute__((unused)).
llvm-svn: 97104
2010-02-25 03:26:55 +00:00
8cf9eeb519
Remove test case dependancy on platform headers.
...
llvm-svn: 97088
2010-02-25 01:16:07 +00:00
d55522f02e
Add UnixAPIChecker, a meta checker to include various precondition checks for calls
...
to various unix/posix functions, e.g. 'open()'.
As a first check, check that when 'open()' is passed 'O_CREAT' that it has
a third argument.
llvm-svn: 97086
2010-02-25 00:20:35 +00:00
b4331a9908
Dead emit dead store warnings when assigning nil to an ObjC object
...
pointer (for defensive programming). This matches the behavior with
assigning NULL to a regular pointer. Fixes <rdar://problem/7631278>.
llvm-svn: 96985
2010-02-23 21:19:33 +00:00
e3c26d8f7e
Add test case for <rdar://problem/7242010>, which appears to have been fixed
...
in the recent changes to RegionStore::InvalidateRegions(). Note that we
are still not yet modeling 'memcpy()' explicitly.
llvm-svn: 96902
2010-02-23 07:17:57 +00:00
1fcc56c57a
Recognize attributes ns_returns_not_retained and cf_returns_not_retained
...
in the static analyzer.
llvm-svn: 96539
2010-02-18 00:06:12 +00:00
3eac2454dc
Add test case showing that a recursive block that captures a block pointer that
...
isn't marked '__block' is bad.
llvm-svn: 96357
2010-02-16 16:55:10 +00:00
228639746a
Add simpler checker to check if variables captured by a block are uninitialized.
...
llvm-svn: 96341
2010-02-16 08:33:59 +00:00
be36ecbb60
Fix pr6293. If ptr is NULL, no operation is preformed.
...
llvm-svn: 96154
2010-02-14 06:49:48 +00:00
1a6672a3d4
Enhance RegionStore::InvalidateRegions() to correctly invalidate bindings
...
by scanning through the values of LazyCompoundVals.
llvm-svn: 96067
2010-02-13 01:52:33 +00:00
499b4e3387
Fix lookup of fields from lazy bindings to check if the region is
...
NULL, not the store, to determine if a lookup succeeded. The store
can be null if it contained no bindings. This fixes a false positive
reported to me by a user of the analyzer.
llvm-svn: 95679
2010-02-09 19:11:53 +00:00
000a859f05
Add support for binding and retrieving VarRegions in flat store.
...
llvm-svn: 95529
2010-02-08 05:40:07 +00:00
bdfcacbe8f
Also teach RegionStore::RetrieveVar() to handle 'static' pointers that are implicitly initialized to NULL.
...
llvm-svn: 95479
2010-02-06 04:04:46 +00:00
30fe9ecac2
Fix regression in RegionStore (from BasicStore) where static variables were not treated as being implicitly initialized to 0 (and instead were getting symbolicated).
...
llvm-svn: 95478
2010-02-06 03:57:59 +00:00
5abd69d946
Teach RegionStore::InvalidateRegions() to also invalidate static variables referenced by blocks.
...
llvm-svn: 95459
2010-02-06 00:30:00 +00:00
94e6d98cae
Add test case showing the analyzer invalidates '__block' variables when the block is passed as an argument to an ObjC method.
...
llvm-svn: 95366
2010-02-05 06:10:46 +00:00
2f2692f8ca
Rename -cc1 option '-checker-cfref' to '-analyzer-check-objc-mem'.
...
llvm-svn: 95348
2010-02-05 02:06:54 +00:00
b6e400c87c
Rename -cc1 option '-warn-objc-missing-dealloc' to '-analyzer-check-objc-missing-dealloc'.
...
llvm-svn: 95347
2010-02-05 01:59:21 +00:00
Chris Lattner