1097b4c61f
Added line number diagnostics to indicate the allocation site of the leaked object.
...
llvm-svn: 50553
2008-05-01 23:13:35 +00:00
fabfb4677d
Do not highlight bogus ranges for leaks.
...
llvm-svn: 50549
2008-05-01 22:50:36 +00:00
8a56b06b5c
Correctly invalidate reference count state when passing objects by reference in message expressions we don't understand.
...
llvm-svn: 50541
2008-05-01 21:31:50 +00:00
7f824734e0
Added temporary fix for Obj-C exception handling in the static analyzer: treat these as panic functions.
...
llvm-svn: 50535
2008-05-01 18:33:28 +00:00
f0b0f2edfe
Renamed static method.
...
llvm-svn: 50533
2008-05-01 18:31:44 +00:00
b99d01269a
Added __assert_rtn to list of panic functions.
...
llvm-svn: 50530
2008-05-01 17:52:49 +00:00
ed36e4b9a4
Added ziperr as a panic function. Eventually inter-procedural analysis
...
should catch this one easily.
llvm-svn: 50526
2008-05-01 15:55:59 +00:00
9f696852c4
When processing "release", "retain", and "autorelease" messages return the
...
lval passed as an argument.
Fix: Inverted diagnostic messages.
llvm-svn: 50513
2008-05-01 04:02:04 +00:00
4828aa3152
Added support for "autorelease" message in CF ref. count checker.
...
llvm-svn: 50512
2008-05-01 02:18:37 +00:00
b0f87c48cb
added preliminary diagnostics in scan-build results to denote whether
...
a CF memory leak occurred with GC enabled, etc.
llvm-svn: 50507
2008-04-30 23:47:44 +00:00
f20e2285c9
More cleanups with ObjCQualifiedIdType in the static analyzer.
...
llvm-svn: 50503
2008-04-30 22:48:21 +00:00
a16dacb6aa
Add placeholder code in the static analyzer for MemberExprs involving struct temporaries.
...
llvm-svn: 50502
2008-04-30 22:17:15 +00:00
ca67cab1e8
Add workaround for __builtin_offsetof in the static analyzer.
...
llvm-svn: 50500
2008-04-30 21:45:55 +00:00
99057462aa
Provide SizeOfAlignTypeExpr workaround in the static analyzer for taking the sizeof of a ObjCInterfaceType.
...
llvm-svn: 50499
2008-04-30 21:31:12 +00:00
e0e8b535cf
Support implicit casts from pointers to references.
...
llvm-svn: 50498
2008-04-30 21:10:19 +00:00
84dea154fc
When creating LVals for array entries, canonicalize entries with a 0 index.
...
llvm-svn: 50497
2008-04-30 21:05:35 +00:00
20d8006e93
Teach more of the static analyzer about ObjCQualifiedIdType.
...
llvm-svn: 50494
2008-04-30 20:17:27 +00:00
0940b99e3b
Teach the static analysis engine about ObjCQualifiedIdType.
...
llvm-svn: 50493
2008-04-30 20:01:29 +00:00
5ce35cc514
Add conjured symbols for decl initializations.
...
Add db_error as panic function.
llvm-svn: 50489
2008-04-30 17:54:04 +00:00
39a736f723
Handle lval::ArrayOffset and lval::FieldOffset in EvalNE and EvalEQ.
...
llvm-svn: 50486
2008-04-30 16:07:22 +00:00
5cc9e60a5f
Invalidate old subexpression bindings when binding UnknownVal.
...
llvm-svn: 50466
2008-04-30 04:23:07 +00:00
9700bd42f0
Simplify RemoveDeadBindings.
...
llvm-svn: 50458
2008-04-29 23:58:03 +00:00
10246e8bfa
Add lval::ArrayOffset, which represent the locations of entries in an array.
...
llvm-svn: 50453
2008-04-29 23:24:44 +00:00
0d2ccffa83
Added lval::FieldOffset, which represents symbolic lvalues for field offsets from other Lvalues.
...
This removes the failure in null-deref-ps.c (test suite).
llvm-svn: 50449
2008-04-29 22:17:41 +00:00
fa5a3d0fe7
Major rewrite/refactoring of static analysis engine. We now use
...
EvalStore/EvalLoad to handle all loads/stores from symbolic memory, allowing us
to do checks for null dereferences, etc., at any arbitrary load/store (these
were missed checks before). This also resulted in some major cleanups, some
conceptual, and others just in the structure of the code.
This temporarily introduces a regression in the test suite (null-deref-ps.c)
before I add a new LVal type for structure fields.
llvm-svn: 50443
2008-04-29 21:04:26 +00:00
a374ea9a35
Update typestate logic to support GC-mode.
...
llvm-svn: 50396
2008-04-29 05:44:10 +00:00
4b7ca776cf
Implement semantics of CFMakeCollectable for the CF-reference count checker.
...
llvm-svn: 50395
2008-04-29 05:33:51 +00:00
4d1f422c6f
Provide the option to run the CF-retain checker in GC enabled mode.
...
The transfer functions for the checker don't do anything special yet in GC mode.
llvm-svn: 50394
2008-04-29 05:13:59 +00:00
fa2d2f2886
Make assertions for all addresses passed to ProgramPoint that they have at least an 8-byte alignment.
...
llvm-svn: 50310
2008-04-26 15:19:51 +00:00
dd38e0bd0d
Fix bug in BugReporter where we didn't handle emitting diagnostics for
...
empty CFGBlocks that only contained a terminator.
Added improved diagnostics for break and continue statements and default branches in switch statements.
This fixes <rdar://problem/5889244>.
llvm-svn: 50286
2008-04-25 19:01:27 +00:00
99131c9f5a
Handle dereferences of function pointers (which return a handle to the function).
...
llvm-svn: 50246
2008-04-25 01:56:50 +00:00
2e5092320e
Don't abort on GetRVal when the LVal is a StringLiteralVal.
...
llvm-svn: 50245
2008-04-25 01:45:38 +00:00
4dd412e022
Don't emit empty strings for path diagnostics when taking the default branch of a switch statement that has no label.
...
llvm-svn: 50242
2008-04-25 01:29:56 +00:00
ecbdf75049
Do a better job at computing dead symbols.
...
Implemented support for better localized leaks in the CF reference count checker.
Now leaks should be flagged close to where they occur.
This should implement the desired functionality in <rdar://problem/5879592>, although the diagnostics still need to be improved.
llvm-svn: 50241
2008-04-25 01:25:15 +00:00
b0daf2f6f5
Add preliminary support for flagging leaks around when they happen (doesn't work yet).
...
llvm-svn: 50237
2008-04-24 23:57:27 +00:00
ae8014cb7e
More boilerplate for handling specialized-transfer function logic for dead symbols.
...
llvm-svn: 50233
2008-04-24 23:35:58 +00:00
3812b7676c
Added initial boilerplate in GRExprEngine to allow checker-specific transfer
...
function logic to act when symbols become dead.
llvm-svn: 50221
2008-04-24 18:31:42 +00:00
f7141597e8
CF reference count checker: handle variadic functions that allocate CF objects.
...
This fixes <rdar://problem/5886141>.
Part of this change resulted in creating sparser summaries. I also added
some more comments and did some minor code cleanups.
llvm-svn: 50214
2008-04-24 17:22:33 +00:00
21bf6006b0
For case statements involving enums, BugReporter now generates PathDiagnostics
...
that say that we are jumping to "case a" instead of "case 0".
This is a feature implementation for <rdar://problem/5880430>.
llvm-svn: 50197
2008-04-23 23:35:07 +00:00
05e6267466
Fix minor regression in bug report generation.
...
llvm-svn: 50195
2008-04-23 23:04:32 +00:00
f26bc55b9a
When building PathDiagnostics for bug reports, generate a trimmed ExplodedGraph with a single path that BugReport objects can safely walk and introspect.
...
llvm-svn: 50194
2008-04-23 23:02:12 +00:00
dd43aeee54
Fixed: <rdar://problem/5881148>
...
Problem:
In the recently refactored VisitDeref (which processes dereferences), we
were incorrectly skipping the node just generated for the subexpression
of the dereference. This was a horrible regression.
llvm-svn: 50176
2008-04-23 20:12:28 +00:00
d2419a0730
Remove false path where the default branch in a switch statement would
...
always be taken even if it was not feasible.
llvm-svn: 50132
2008-04-23 05:03:18 +00:00
ef9af73887
Added panic function "assfail".
...
llvm-svn: 50119
2008-04-23 00:41:25 +00:00
0224ac57e0
For default branches in switch statements with no default label, print out
...
the line we are going to.
llvm-svn: 50113
2008-04-22 22:29:46 +00:00
3b42715930
Rewrote VisitDeclStmt to properly handle initializers that can do anything.
...
llvm-svn: 50112
2008-04-22 22:25:27 +00:00
c79c0591d6
Added lval type (and tracking) for StringLiterals.
...
llvm-svn: 50109
2008-04-22 21:39:21 +00:00
eccf3e5821
Added "nonlval::LValAsInteger" to represent abstract LVals casted to integers, allowing us to track lvals when they are casted back to pointers.
...
llvm-svn: 50108
2008-04-22 21:10:18 +00:00
9718c9e8ee
PathDiagnosticClients now retain ownership of passed PathDiagnostics, requiring
...
them to not be stack-allocated.
HTMLDiagnostics now batches PathDiagnostics before emitting HTML in its dtor.
This is a workaround for a problem when we trampled the Preprocessor state
when highlighting macros (sometimes resulting in an assertion failure).
llvm-svn: 50102
2008-04-22 16:15:03 +00:00
901a4e406b
Use back() instead of end()-1
...
llvm-svn: 50098
2008-04-22 07:37:18 +00:00
80f2c111bd
Added panic function "dtrace_assfail".
...
llvm-svn: 50091
2008-04-22 06:09:33 +00:00
a2cca7dbdf
Hardcode "Assert" as a no-return function (panic).
...
llvm-svn: 50089
2008-04-22 05:37:33 +00:00
da5cdda248
Added null-dereference check for ArraySubscriptExpr.
...
llvm-svn: 50083
2008-04-22 04:56:29 +00:00
38213f9573
Added support for detected bad dereferences involving MemberExprs, e.g. x->f where "x" is NULL.
...
llvm-svn: 50071
2008-04-21 23:43:38 +00:00
5fa90e49a9
Fix improper dereference of end() iterator. Patch by Argiris Kirtzidis!
...
llvm-svn: 50012
2008-04-20 23:54:24 +00:00
575f24ef73
Gracefully handle when the receiver of a message expression is not a pointer type.
...
llvm-svn: 49959
2008-04-19 19:12:50 +00:00
423edc2384
Another bug fix in emitting warnings without a path: construct a unit PathDiagnostic as we did
...
before. This allows the HTMLDiagnostic object to retrieve the bug type, bug description, etc.
llvm-svn: 49939
2008-04-18 22:56:53 +00:00
bf27dc9659
Reenable using the PathDiagnosticClient for BugReports without paths.
...
llvm-svn: 49934
2008-04-18 22:11:59 +00:00
31484b2477
Generalize caching mechanism for bugs reports. Now individual BugTypes
...
can decide the policy on how to cache related bugs. This allows us to
properly to handle warning about multiple leaks in the same location in the
ref count checker (not yet done).
llvm-svn: 49918
2008-04-18 20:54:29 +00:00
c072b820cf
Fixed more caching bugs related to the one fixed in r49914. Silence
...
compiler warning introduced by a recent patch of mine.
llvm-svn: 49917
2008-04-18 20:35:30 +00:00
acefba896c
Fixed elusive caching bug that led to false positives.
...
llvm-svn: 49914
2008-04-18 19:34:16 +00:00
4d83728a57
Added "GetErrorNodes()" to BugType so that -trim-egraph can recognize errors
...
from registered BugTypes. This helps with debugging.
Add detection of NULL values in ref count checker; this suppresses false positives.
llvm-svn: 49912
2008-04-18 19:23:43 +00:00
3388381993
Added "EvalAssume" virtual method to GRTransferFuncs; this is for evaluating
...
the checker-specific logic of symbolic assumptions.
llvm-svn: 49910
2008-04-18 17:20:23 +00:00
d004c418b6
Fixed bug in GREndPathNodeBuilder: only return a node if it wasn't in the node cache.
...
llvm-svn: 49907
2008-04-18 16:30:14 +00:00
f03e07c34d
More grammar fixes.
...
llvm-svn: 49895
2008-04-18 05:32:44 +00:00
ca8892b456
Fix plurality debacle.
...
llvm-svn: 49894
2008-04-18 05:13:26 +00:00
40d601f958
Added path diagnostics for reference counts.
...
llvm-svn: 49892
2008-04-18 04:55:01 +00:00
396f43620f
BugReport::VisitNode now takes BugReporter& instead of ASTContext&.
...
Shuffled around code in CFRefCount to better pair classes with implementation,
and started adding subclasses of RangedBugReport to handle better diagnostics
for reference count bugs.
llvm-svn: 49889
2008-04-18 03:39:05 +00:00
89e6a9b98c
Added null check.
...
llvm-svn: 49887
2008-04-18 02:24:50 +00:00
cffe635699
Simplified internal logic of BugReporter, consolidating EmitWarning and
...
EmitPathWarning into one method. We now properly handle emitting warnings
without a PathDiagnosticClient when the warning does not involve a particular
statement.
llvm-svn: 49884
2008-04-18 01:56:37 +00:00
69049c272f
Modified BugReport::getEndPath() to handle the case where end path is at
...
the exit block of the CFG.
llvm-svn: 49880
2008-04-17 23:44:37 +00:00
cc0951bde1
Hook up reporting reference count memory leaks to the BugReporter mechanism.
...
llvm-svn: 49879
2008-04-17 23:43:50 +00:00
a506fec90a
Added transfer function support for ReturnStmt to support detecting leaks
...
involving objects that are returned but have an excessive reference count.
llvm-svn: 49861
2008-04-17 18:12:53 +00:00
fc2f058230
Fix MSVC compiler error: "initialization of 'VD' is skipped by 'case' label"
...
llvm-svn: 49853
2008-04-17 13:52:22 +00:00
9c375158a0
Handle ReturnStmts by dispatching to "EvalReturn" in the transfer function object.
...
llvm-svn: 49826
2008-04-16 23:05:51 +00:00
cbf4c6134e
CF ref. count checker: Register memory leaks at the end of a path.
...
llvm-svn: 49824
2008-04-16 22:32:20 +00:00
86051690ea
Bug fix in GREndPathNodeBuilderImpl: Use the specified state to construct
...
a node, not the state of the predecessor.
llvm-svn: 49823
2008-04-16 22:30:40 +00:00
c1f9a28e4d
Added CFGBlock::getTerminatorCondition() to get the Expr* of the condition a block's terminator.
...
Refactored LiveVariables to use getTerminatorCondition() in VisitTerminator().
Bug fix: CFG now computes Block-level expression numbers using information
from block terminators. This fixes <rdar://problem/5868189>.
llvm-svn: 49818
2008-04-16 21:10:48 +00:00
7145489c37
Small tweaks to EvalStore: pass an "RVal" instead of "LVal" for the TargetLV to
...
represent possible stores to "Unknown."
llvm-svn: 49811
2008-04-16 20:40:59 +00:00
673b5c1e42
Add missing file.
...
llvm-svn: 49805
2008-04-16 18:39:25 +00:00
90c7cb6810
Hook up "EvalStore" from GRTransferFuncs to GRExprEngine.
...
llvm-svn: 49804
2008-04-16 18:39:06 +00:00
2044a5183d
Take first step to migrating handling of "stores" to values from GRExprEngine
...
to the plug-in GRTransferFuncs object.
llvm-svn: 49801
2008-04-16 18:21:25 +00:00
ed30e8da56
LiveVariables now updates the liveness state of block-level expressions that
...
are referenced by CFGBlock terminators.
llvm-svn: 49798
2008-04-16 17:07:59 +00:00
08e562d3c8
In ExplodedGraphImpl::Trim, prioritize for paths that don't span loops by using
...
two worklists: for nodes whose locations are block edges with loop terminators
and another for nodes with all other locations. We only dequeue from the loop
worklist when the other is empty. Exploration of the graph is still in
reverse-BFS.
llvm-svn: 49791
2008-04-16 15:51:26 +00:00
8cb96e92a1
Implemented toll-free bridging support for CF Reference count checker.
...
llvm-svn: 49771
2008-04-16 04:28:53 +00:00
e556f9e39c
Simplify some code.
...
llvm-svn: 49763
2008-04-16 02:59:55 +00:00
748c7ce4ba
Added initial boilerplate to support toll-free bridging in the ref-count checker.
...
llvm-svn: 49756
2008-04-15 23:44:31 +00:00
667cacb2ff
Added some comments to GRExprEngine. Reorder some of the method definitions
...
to start logically organizing them.
Added initial plug-in transfer function support for Objective-C message expressions.
llvm-svn: 49752
2008-04-15 23:06:53 +00:00
6204498aad
Change "VisitBlockVarDecl" to "VisitVarDecl". UninitializedValues now works
...
as before r49748 (where BlockVarDecl was removed).
llvm-svn: 49749
2008-04-15 23:02:18 +00:00
08899ff85d
Remove FileVarDecl and BlockVarDecl. They are replaced by VarDecl::isBlockVarDecl() and VarDecl::isFileVarDecl().
...
This is a fairly mechanical/large change. As a result, I avoided making any changes/simplifications that weren't directly related. I did break two Analysis tests. I also have a couple FIXME's in UninitializedValues.cpp. Ted, can you take a look? If the bug isn't obvious, I am happy to dig in and fix it (since I broke it).
llvm-svn: 49748
2008-04-15 22:42:06 +00:00
82ff6d65bc
Fix bug in terminator processing for uninitialized-values: simply ignore the terminator, don't reprocess it.
...
LiveVariables analysis now does a flow-insensitive analysis to determine what variables have their address taken; these variables are now always treated as being live.
The DataflowSolver now uses "SetTopValue()" when getting the initial value for the entry/exit block.
llvm-svn: 49734
2008-04-15 18:35:30 +00:00
45887902b6
Fix a compiler error on MSVC (variable name 'E' clash).
...
llvm-svn: 49727
2008-04-15 16:30:10 +00:00
6d41b82ea4
Improve dead store diagnostic.
...
llvm-svn: 49711
2008-04-15 05:31:00 +00:00
8adeebb274
Added initial support into the flow-sensitive dataflow solver to visit the Block-level expression
...
in a block's terminator. This expression is visited within a block, but it is accessed by the
terminator. This is important to observe because for live-variables analysis the block-level
expression is live between the terminator and where the expression occurs in the block. So far
this hasn't been an issue to not observe this because the block-level expression used in the
terminator is always the last one in the block, and we have never queried the liveness information
about this point (but before the terminator).
llvm-svn: 49709
2008-04-15 04:39:08 +00:00
66279073f7
Bug fix in dead stores: don't always check the liveness of the first decl
...
in a DeclStmt.
llvm-svn: 49708
2008-04-15 04:11:48 +00:00
cd76f95dd0
++/-- makes a variable live since it is used; thus the liveness state is
...
"Alive" as opposed to staying the same.
llvm-svn: 49707
2008-04-15 04:08:54 +00:00
f4212bdbc3
Bug fix in LiveVariables: Operators ++/-- may kill a value, but the variable
...
is still live.
llvm-svn: 49705
2008-04-15 03:47:30 +00:00
87bfc03f4a
Don't flag dead stores that occur in macros.
...
llvm-svn: 49672
2008-04-14 18:28:25 +00:00
bae225d57a
Have BugReporter::EmitWarning use the PathDiagnosticClient if it is available.
...
llvm-svn: 49668
2008-04-14 18:06:42 +00:00
75ff623e2e
Bug fix in dead-store checker when walking the Decls in a DeclStmt: don't
...
assume that DeclStmts only have VarDecls; they can have TypedefDecls.
llvm-svn: 49662
2008-04-14 17:52:13 +00:00
Ted Kremenek