handling pseudo-path sensitivity, and instead
use those assertion conditions as dynamic checks.
These assertions would be violated when analyzing
a CFG where some branches where optimized away
during CFG construction because their branch
conditions could be trivially determined.
llvm-svn: 123943
analysis for short-circuited operations. For branch written like "if (x && y)",
we maintain two sets of dataflow values for the outgoing
branches. This suppresses some common false positives
for -Wuninitialized-experimental.
This change introduces some assertion failures
when running on the LLVM codebase. WIP.
llvm-svn: 123923
references by monitoring whether an access to
a variable is solely to compute it's lvalue or
to do an lvalue-to-rvalue conversion (i.e., a load).
llvm-svn: 123777
the prefix should be ignored.
E.g. if ignorePrefix is true, "_init" and "init" selectors will both be result in InitRule, but if
ignorePrefix is false, only "init" will return InitRule.
llvm-svn: 123262
temporaries with no-return destructors. The CFG now properly supports
temporaries and implicit destructors which both makes this kludge no
longer work, and conveniently removes the need for it.
Turn on CFG handling of implicit destructors and initializers. Several
ad-hoc benchmarks don't indicate any measurable performance impact from
growing the CFG, and it fixes real correctness problems with warnings.
As a result of turning on these CFG elements, we started to tickle an
inf-loop in the unreachable code logic used for warnings. The fix is
trivial.
llvm-svn: 123056
16-bits in size. Implement this by splitting WChar into two enums, like we have
for char. This fixes a miscompmilation of XULRunner, PR8856.
llvm-svn: 122558
to libAnalysis. Similar to Format (format string checking),
CocoaConventions has the
potential to serve clients other than the
static analyzer.
llvm-svn: 122040
implicit lvalue-to-rvalue casts that John McCall
recently introduced. This causes a whole bunch
of logic in the analyzer for handling lvalues
to vanish. It does, however, raise a few issues
in the analyzer w.r.t to modeling various constructs
(e.g., field accesses to compound literals).
The .c/.m analysis test cases that fail are
due to a missing lvalue-to-rvalue cast that
will get introduced into the AST. The .cpp
failures were more than I could investigate in
one go, and the patch was already getting huge.
I have XFAILED some of these tests, and they
should obviously be further investigated.
Some highlights of this patch include:
- CFG no longer requires an lvalue bit for
CFGElements
- StackFrameContext doesn't need an 'asLValue'
flag
- The "VisitLValue" path from GRExprEngine has
been eliminated.
Besides the test case failures (XFAILed), there
are surely other bugs that are fallout from
this change.
llvm-svn: 121960
struct X {
X() : au_i1(123) {}
union {
int au_i1;
float au_f1;
};
};
clang will now deal with au_i1 explicitly as an IndirectFieldDecl.
llvm-svn: 120900
not actually frequently used, because ImpCastExprToType only creates a node
if the types differ. So explicitly create an ICE in the lvalue-to-rvalue
conversion code in DefaultFunctionArrayLvalueConversion() as well as several
other new places, and consistently deal with the consequences throughout the
compiler.
In addition, introduce a new cast kind for loading an ObjCProperty l-value,
and make sure we emit those nodes whenever an ObjCProperty l-value appears
that's not on the LHS of an assignment operator.
This breaks a couple of rewriter tests, which I've x-failed until future
development occurs on the rewriter.
Ted Kremenek kindly contributed the analyzer workarounds in this patch.
llvm-svn: 120890
1. "no 'else' after 'return'" -- this is for conformance with the
coding standards.
2. move 'else' to the line of the previous '}' -- this is for consistency.
Reviewed by kremenek.
llvm-svn: 119983
it is possible for the confluence block to only have a single predecessor due to calls to 'noreturn'
functions. Fixes assertion failure reported in PR 8619.
llvm-svn: 119284
Elidable CXXConstructExpr should inhibit calling destructor for temporary
that is copied, not the one created. This is because eliding copy constructor
means that the object that was to be copied will be constructed directly in
memory the copy would be constructed in.
llvm-svn: 119044
1. For statement: const C& c = C(0) ?: C(1) destructors generated for condition will not differ from those generated for case without prolonged lifetime of temporary,
2. There will be no destructor for constant reference member bound to temporary at the exit from constructor.
llvm-svn: 118158
containing a DoStmt, and the LHS doesn't create a new block, then we should
return RBlock. Otherwise we'll incorrectly return NULL.
Also relax an assertion in VisitWhileStmt(). Reset 'Block' when it is finished.
llvm-svn: 117436
- Adding LocalScope for CompoundStmt,
- Adding CFGAutomaticObjDtors for end of scope, return, goto, break, continue,
- Regression tests for above cases.
llvm-svn: 115252
- post-increament, distance and bool conversion methods to LocalScope::const_iterator,
- adding VarDecl to LocalScope.
Fixed some misspells in comments.
llvm-svn: 115227
-cfg-add-implicit-dtors - sets CFG::BuildOptions::AddImplicitDtors for AnalysisCosumer to true,
-cfg-add-initializers - sets CFG::BuildOptions::AddInitializers for AnalysisCosumer to true.
llvm-svn: 115142
- LocalScope class with iterator used to pointing into it,
- fat doxygen comment for LocalScope indended usage,
- BlockScopePosPair class used for storing jump targets/sources (for: goto, break, continue), that replaces raw CFGBlock pointer used earlier for this purpose.
llvm-svn: 114790
- definitions of interfaces for CFGInitializer and CFGAutomaticObjDtor,
- support for above classes to print_elem function (renamed print_stmt),
- support for VarDecls in StmtPrinterHelper.
llvm-svn: 114403
to selectively walk successors/predecessors based on commonly used filters. For starters, add
a filter to ignore 'default:' cases for SwitchStmts when all enum values are covered by CaseStmts.
llvm-svn: 113449
- Removed the assumption that __block vars are all non-constant
- Simplified some repetitive code in RunAnalysis
- Added block walking support
- Code/comments cleanup
- Separated out test for block pseudoconstants
llvm-svn: 112098
- Added wasReferenced function to PseudoConstantAnalysis to determine if a variable was ever referenced in a function (outside of a self-assignment)
- BlockDeclRefExpr referenced variables are now explicitly added to the non-constant list
- Remove unnecessary ignore of implicit casts
- Generalized parameter self-assign detection to detect deliberate self-assigns of variables to avoid unused variable warnings
- Updated test cases with deliberate self-assignments
- Fixed bug with C++ references and pseudoconstants
- Added test case for C++ references and pseudoconstants
llvm-svn: 111965
- Psuedo -> Pseudo (doh...)
- C++ reference support
- Added pseudoconstant test case for __block vars
- Separated out static local checking from pseudoconstant analysis and generalized to non-local checking
- Added missing test cases for storage false positives
llvm-svn: 111832
- Renamed IdempotentOperationChecker::isConstant to isConstantOrPseudoConstant to better reflect the function
- Changed IdempotentOperationChecker::PreVisitBinaryOperator to only run 'CanVary' once on undefined assumptions
- Created new PsuedoConstantAnalysis class and added it to AnalysisContext
- Changed IdempotentOperationChecker to exploit the new analysis
- Updated tests with psuedo-constants
- Added check to IdempotentOperationChecker to see if a Decl is const qualified
llvm-svn: 111426
handling the parsing of scanf format strings and hooking the checking into Sema.
Most of this checking logic piggybacks on what was already there for checking printf format
strings, but the checking logic has been refactored to support both.
What is left to be done is to support argument type checking in format strings and of course
fix the usual tail of bugs that will follow.
llvm-svn: 108500
types, updating callers of both isFloatingType() and
isRealFloatingType() accordingly. Caught at least one issue where we
allowed one to declare a vector of vectors (!), along with cleaning up
the standard-conversion logic for C++.
llvm-svn: 106595
- Precision toStrings shouldn't print a dot when they have no value.
- Length of char length modifier is now returned correctly.
- Added several fixit tests.
Note: fixit tests are currently broken due to a bug in HighlightRange. Marking as XFAIL for now.
M test/Sema/format-strings-fixit.c
M include/clang/Analysis/Analyses/PrintfFormatString.h
M lib/Analysis/PrintfFormatString.cpp
llvm-svn: 106275
- Added warning for undefined behavior when using field specifier
- Added warning for undefined behavior when using length modifier
- Fixed warnings for invalid flags
- Added warning for ignored flags
- Added fixits for the above warnings
- Fixed accuracy of detecting several undefined behavior conditions
- Receive normal warnings in addition to security warnings when using %n
- Fix bug where '+' flag would remain on unsigned conversion suggestions
Summary of changes:
- Added expanded tests
- Added/expanded warnings
- Added position info to OptionalAmounts for fixits
- Extracted optional flags to a wrapper class with position info for fixits
- Added several methods to validate a FormatSpecifier by component, each checking for undefined behavior
- Fixed conversion specifier checking to conform to C99 standard
- Added hooks to detect the invalid states in CheckPrintfHandler::HandleFormatSpecifier
Note: warnings involving the ' ' (space) flag are temporarily disabled until whitespace highlighting no longer triggers assertions. I will make a post about this on cfe-dev shortly.
M test/Sema/format-strings.c
M include/clang/Basic/DiagnosticSemaKinds.td
M include/clang/Analysis/Analyses/PrintfFormatString.h
M lib/Analysis/PrintfFormatString.cpp
M lib/Sema/SemaChecking.cpp
llvm-svn: 106233
- Added some handling of flags that become invalid when changing the conversion specifier.
- Changed fixit behavior to remove unnecessary length modifiers.
- Separated some tests out and added some comments.
modified:
lib/Analysis/PrintfFormatString.cpp
test/Sema/format-strings-fixit.c
llvm-svn: 105807
- Refactored LengthModifier to be a class.
- Added toString methods in all member classes of FormatSpecifier.
- FixIt suggestions keep user specified flags unless incorrect.
Limitations:
- The suggestions are not conversion specifier sensitive. For example, if we have a 'pad with zeroes' flag, and the correction is a string conversion specifier, we do not remove the flag. Clang will warn us on the next compilation.
A test/Sema/format-strings-fixit.c
M include/clang/Analysis/Analyses/PrintfFormatString.h
M lib/Analysis/PrintfFormatString.cpp
M lib/Sema/SemaChecking.cpp
llvm-svn: 105680
The macros required for DeclNodes use have changed to match the use of
StmtNodes. The FooFirst enumerator constants have been named firstFoo
to match usage elsewhere.
llvm-svn: 105165
This introduces FunctionType::ExtInfo to hold the calling convention and the
noreturn attribute. The next patch will extend it to include the regparm
attribute and fix the bug.
llvm-svn: 99920
After discussion with Zhongxing, don't force the initializer of DeclStmts to be
block-level expressions.
This led to some interesting fallout:
[UninitializedValues]
Always visit the initializer of DeclStmts (do not assume they are block-level expressions).
[BasicStore]
With initializers of DeclStmts no longer block-level expressions, this causes self-referencing initializers (e.g. 'int x = x') to no longer cause the initialized variable to be live before the DeclStmt. While this is correct, it caused BasicStore::RemoveDeadBindings() to prune off the values of these variables from the initial store (where they are set to uninitialized). The fix is to back-port some (and only some) of the lazy-binding logic from RegionStore to
BasicStore. Now the default values of local variables are determined lazily as opposed
to explicitly initialized.
llvm-svn: 97591
Sema and into analyze_printf::ParseFormatString(). Also use a bitvector to determine
what arguments have been covered (instead of just checking to see if the last argument consumed is the max argument). This is prep. for support positional arguments (an IEEE extension).
llvm-svn: 97248
- Add ConversionSpecifier::consumesDataArgument() as a helper method
to determine if a conversion specifier requires a matching argument.
- Add support for glibc-specific '%m' conversion
- Add an extra callback to HandleNull() for locations within the
format specifier that have a null character
llvm-svn: 94834
In addition, move ParseFormatString() and FormatStringHandler() from
the clang::analyze_printf to the clang namespace. Hopefully this will
resolve some link errors on Linux.
llvm-svn: 94794
strings than what we currently have in Sema. This is both an
experiment and a WIP.
The idea is simple: parse the format string incrementally,
constructing a well-structure representation of each format specifier.
Each format specifier is then handed back one-by-one to a client via a
callback. Malformed format strings are also handled with callbacks.
The idea is to separate the parsing of the format string from the
emission of diagnostics. Currently what we have in Sema for handling
format strings is a mongrel of both that is hard to follow and
difficult to modify (I can apply this label since I'm the original
author of that code).
This is in libAnalysis as it is reasonable generic and can potentially
be used both by libSema and libChecker.
Comments welcome.
llvm-svn: 94702
(1) libAnalysis is a generic analysis library that can be used by
Sema. It defines the CFG, basic dataflow analysis primitives, and
inexpensive flow-sensitive analyses (e.g. LiveVariables).
(2) libChecker contains the guts of the static analyzer, incuding the
path-sensitive analysis engine and domain-specific checks.
Now any clients that want to use the frontend to build their own tools
don't need to link in the entire static analyzer.
This change exposes various obvious cleanups that can be made to the
layout of files and headers in libChecker. More changes pending. :)
This change also exposed a layering violation between AnalysisContext
and MemRegion. BlockInvocationContext shouldn't explicitly know about
BlockDataRegions. For now I've removed the BlockDataRegion* from
BlockInvocationContext (removing context-sensitivity; although this
wasn't used yet). We need to have a better way to extend
BlockInvocationContext (and any LocationContext) to add
context-sensitivty.
llvm-svn: 94406
CallExprs as those edges help cause a n^2 explosion in the number of
destructor calls. Other consumers, such as static analysis, that
would like to have more a more complete CFG can select the inclusion
of those edges as CFG build time.
This also fixes up the two compilation users of CFGs to be tolerant of
having or not having those edges. All catch code is assumed be to
live if we didn't generate the exceptional edges for CallExprs.
llvm-svn: 94074
"ASTContext::getTypeSize() / 8". Replace [u]int64_t variables with CharUnits
ones as appropriate.
Also rename RawType, fromRaw(), and getRaw() in CharUnits to QuantityType,
fromQuantity(), and getQuantity() for clarity.
llvm-svn: 93153
value bindings. Along with a small change to OSAtomicChecker, this
resolves <rdar://problem/7527292> and resolves some long-standing
issues with how values can be bound to the same physical address by
not have the same "key". This change is only a beginning; logically
RegionStore needs to better handle loads from addresses where the
stored value is larger/smaller/different type than the loaded value.
We handle these cases in an approximate fashion now (via
CastRetrievedVal and help in SimpleSValuator), but it could be made
much smarter.
llvm-svn: 93137
(1) Introduce a new 'BindingKey' class to match 'BindingValue'. This
gives us the flexibility to change the current key value from 'const
MemRegion*' to something more interesting.
(2) Rework additions/removals/lookups from the store to use new
'Remove', 'Add', 'Lookup' utility methods.
No "real" functionality change; just prep work and abstraction.
llvm-svn: 93136
CallExpr/ObjCMessageExpr can be visited in an "lvalue" context if it
returns a struct temporary. Currently the analyzer doesn't reason
about struct temporary returned by function calls, but we shouldn't
crash here either.
llvm-svn: 93081
when the default case is winnowed down to be infeasible. When all
cases were ruled out (and the analysis state for the default case
would be infeasible) we would still consider the default case
possible. This fixes PR 5969.
llvm-svn: 93017
GRStateManager. Having these references was an abstraction violation,
as they really should only be known about GRExprEngine.
This change required adding a new 'ProcessAssume' callback in
GRSubEngine. GRExprEngine implements this callback by calling
'EvalAssume' on all registered Checker objects as well as the
registered GRTransferFunc object.
llvm-svn: 92549
Add new states for symbolic regions tracked by malloc checker. This enables us
to do malloc checking more accurately. See test case.
Based on Lei Zhang's patch and discussion.
llvm-svn: 92342