path: root/clang/lib/Analysis/GRExprEngine.cpp
Commit message | Author | Age | Files | Lines
* Static Analyzer: Replace LiveSymbols/DeadSymbols sets with a new object called "SymbolReaper". Right now it just consolidates the two and cleans up some client code, but shortly it will be used to enable "lazy computation" of live symbols for use with RegionStore.
  Author: Ted Kremenek | Age: 2009-01-21 | Files: 1 | Lines: -9/+8
  llvm-svn: 62722
* Remove ScopedDecl, collapsing all of its functionality into Decl, so that every declaration lives inside a DeclContext.
  Author: Douglas Gregor | Age: 2009-01-20 | Files: 1 | Lines: -1/+1
  Moved several things that don't have names but were ScopedDecls (and, therefore, NamedDecls) to inherit from Decl rather than NamedDecl, including ObjCImplementationDecl and LinkageSpecDecl. Now, we don't store empty DeclarationNames for these things, nor do we try to insert them into DeclContext's lookup structure.
  The serialization tests are temporarily disabled. We'll re-enable them once we've sorted out the remaining ownership/serialization issues between DeclContexts and TranslationUnion, DeclGroups, etc.
  llvm-svn: 62562
* Fix analyzer crash found when scanning Wine sources where the analyzer used old logic to determine the value of a switch 'case' label.
  Author: Ted Kremenek | Age: 2009-01-17 | Files: 1 | Lines: -35/+25
  llvm-svn: 62395
* static analyzer: Handle casts from arrays to integers. This fixes PR 3297.
  Author: Ted Kremenek | Age: 2009-01-13 | Files: 1 | Lines: -11/+33
  llvm-svn: 62130
* Add QualifiedDeclRefExpr, which retains additional source-location information for declarations that were referenced via a qualified-id, e.g., N::C::value. We keep track of the location of the start of the nested-name-specifier.
  Author: Douglas Gregor | Age: 2009-01-06 | Files: 1 | Lines: -0/+2
  Note that the difference between QualifiedDeclRefExpr and DeclRefExpr does have an effect on the semantics of function calls in two ways:
    1) The use of a qualified-id instead of an unqualified-id suppresses argument-dependent lookup
    2) If the name refers to a virtual function, the qualified-id version will call the function determined statically while the unqualified-id version will call the function determined dynamically (by looking up the appropriate function in the vtable).
  Neither of these features is implemented yet, but we do print out qualified names for QualifiedDeclRefExprs as part of the AST printing.
  llvm-svn: 61789
* Fix initialization order.
  Author: Zhongxing Xu | Age: 2008-12-22 | Files: 1 | Lines: -3/+3
  llvm-svn: 61333
* Add an option to make 'RemoveDeadBindings' a configurable behavior. This enables us to measure the effect of this optimization.
  Author: Zhongxing Xu | Age: 2008-12-22 | Files: 1 | Lines: -3/+8
  llvm-svn: 61319
* Add support for member references (E1.E2, E1->E2) with C++ semantics, which can refer to static data members, enumerators, and member functions as well as to non-static data members.
  Author: Douglas Gregor | Age: 2008-12-20 | Files: 1 | Lines: -2/+6
  Implement correct lvalue computation for member references in C++. Compute the result type of non-static data members of reference type properly.
  llvm-svn: 61294
* Lazy binding for region-store manager.
  Author: Zhongxing Xu | Age: 2008-12-20 | Files: 1 | Lines: -6/+5
    * Now Bind() methods take and return GRState* because binding could also alter GDM.
    * No variables are initialized except those declared with initial values.
    * failed C test cases are due to bugs in RemoveDeadBindings(), which removes constraints that are still alive. This will be fixed in later patch.
    * default value of array and struct regions will be implemented in later patch.
  llvm-svn: 61274
* ProgramPoint:
  Author: Ted Kremenek | Age: 2008-12-16 | Files: 1 | Lines: -80/+88
    - Added four new ProgramPoint types that subclass PostStmt for use in GRExprEngine::EvalLocation:
      - PostOutOfBoundsCheckFailed
      - PostUndefLocationCheckFailed
      - PostNullCheckFailed
      - PostLocationChecksSucceed
      These were created because of a horribly subtle caching bug in EvalLocation where a node representing a "bug condition" in EvalLocation (e.g. a null dereference) could be re-used as the "non-bug condition" because the Store did not contain any information to differentiate between the two. The extra program points just disable any accidental caching between EvalLocation and its callers.
  GRExprEngine:
    - EvalLocation now returns a NodeTy* instead of GRState*. This should be used as the "vetted" predecessor for EvalLoad/EvalStore.
  llvm-svn: 61105
* Fix regression in handling sizeof(void) in the static analyzer.
  Author: Ted Kremenek | Age: 2008-12-15 | Files: 1 | Lines: -13/+15
  llvm-svn: 61039
* MemRegion:
  Author: Ted Kremenek | Age: 2008-12-13 | Files: 1 | Lines: -8/+17
    - Overhauled the notion of "types" for TypedRegions. We now distinguish between the "lvalue" of a region (via getLValueRegion()) and the "rvalue" of a region (via getRValueRegion()). Since a region represents a chunk of memory it has both, but we were conflating these concepts in some cases, leading to some insidious bugs.
    - Removed AnonPointeeType, partially because it is unused and because it doesn't have a clear notion of lvalue vs rvalue type. We can add it back once there is a need for it and we can resolve its role with these concepts.
  StoreManager:
    - Overhauled StoreManager::CastRegion. It expects an *lvalue* type for a region. This is actually what motivated the overhaul to the MemRegion type mechanism. It also no longer returns an SVal; we can just return a MemRegion*.
    - BasicStoreManager::CastRegion now overlays an "AnonTypedRegion" for pointer-pointer casts. This matches with the MemRegion changes.
    - Similar changes to RegionStore, except I've added a bunch of FIXMEs where it wasn't 100% clear where we should use TypedRegion::getRValueRegion() or TypedRegion::getLValueRegion().
  AuditCFNumberCreate check:
    - Now blasts through AnonTypedRegions that may layer the original memory region, thus checking if the actual memory block is of the appropriate type. This change was needed to work with the changes to StoreManager::CastRegion.
  GRExprEngine::VisitCast:
    - Conform to the new interface of StoreManager::CastRegion.
  Tests:
    - None of the analysis tests fail now for using the "basic store".
    - Disabled the tests 'array-struct.c' and 'rdar-6442306-1.m' pending further testing and bug fixing.
  llvm-svn: 60995
* A series of cleanups/fixes motivated by <rdar://problem/6442306>:
  Author: Ted Kremenek | Age: 2008-12-13 | Files: 1 | Lines: -9/+3
  GRExprEngine (VisitCast):
    - When using StoreManager::CastRegion, always use the state and value it returns to generate the next node. Failure to do so means that region values returned that don't require the state to be modified will get ignored.
  MemRegion:
    - Tighten the interface for ElementRegion. Now ElementRegion can only be created with a super region that is a 'TypedRegion' instead of any MemRegion. Code in BasicStoreManager/RegionStoreManager already assumed this, but it would result in a dynamic assertion check (and crash) rather than just having the compiler forbid the construction of such regions.
    - Added ElementRegion::getArrayRegion() to return the 'typed version' of an ElementRegion's super region.
    - Removed bogus assertion in ElementRegion::getType() that assumed that the super region was an AnonTypedRegion. All that matters is that it is a TypedRegion, which is now true all the time by design.
  BasicStore:
    - Modified getLValueElement() to check if the 'array' region is a TypedRegion before creating an ElementRegion. This conforms to the updated interface for ElementRegion.
  RegionStore:
    - In ArrayToPointer() gracefully handle things we don't reason about, and only create an ElementRegion if the array region is indeed a TypedRegion.
  llvm-svn: 60990
* In GRExprEngine treat @throw as an 'abort' that ends the current path. This is a temporary solution.
  Author: Ted Kremenek | Age: 2008-12-09 | Files: 1 | Lines: -0/+9
  llvm-svn: 60789
* [static analyzer] Extend VLA size checking to look for undefined sizes.
  Author: Ted Kremenek | Age: 2008-12-09 | Files: 1 | Lines: -2/+10
  llvm-svn: 60734
* Add checking for zero-sized VLAs.
  Author: Ted Kremenek | Age: 2008-12-08 | Files: 1 | Lines: -2/+28
  llvm-svn: 60726
* Add bandaid transfer function support for assignments involving ObjCKVCRefExpr.
  Author: Ted Kremenek | Age: 2008-12-06 | Files: 1 | Lines: -0/+7
  llvm-svn: 60622
* Rename SymbolID to SymbolRef. This is a precursor to some overhauling of the representation of symbolic values.
  Author: Ted Kremenek | Age: 2008-12-05 | Files: 1 | Lines: -4/+4
  llvm-svn: 60575
* Add support for initializing array with string literal.
  Author: Zhongxing Xu | Age: 2008-11-30 | Files: 1 | Lines: -0/+4
  This fixes PR3127
  http://llvm.org/bugs/show_bug.cgi?id=3127
  llvm-svn: 60280
* Code cleanup. No functional change.
  Author: Zhongxing Xu | Age: 2008-11-28 | Files: 1 | Lines: -3/+5
  llvm-svn: 60206
* Add support for pluggable components of static analyzer.
  Author: Zhongxing Xu | Age: 2008-11-27 | Files: 1 | Lines: -3/+3
    - Creator function pointers are saved in ManagerRegistry.
    - The Register* class is used to notify ManagerRegistry that a new module is available.
    - AnalysisManager queries ManagerRegistry for configurable module. Then it passes them to GRExprEngine, in turn to GRStateManager.
  llvm-svn: 60143
* Remove FIXME comment.
  Author: Ted Kremenek | Age: 2008-11-24 | Files: 1 | Lines: -1/+0
  llvm-svn: 59973
* Add support for AllocaRegion extent with GDM.
  Author: Zhongxing Xu | Age: 2008-11-24 | Files: 1 | Lines: -0/+7
  One design problem that is emerging is the signed-ness problem during static analysis. Many unsigned values have to be converted into signed values because they participate in operations with signed values. On the other hand, we cannot blindly make all values occurring in static analysis signed, because we do have cases where unsignedness is required, for example, integer overflow detection.
  llvm-svn: 59957
* Cleanup code with utility method.
  Author: Zhongxing Xu | Age: 2008-11-24 | Files: 1 | Lines: -2/+2
  llvm-svn: 59951
* Add out-of-bound memory access warning report code.
  Author: Zhongxing Xu | Age: 2008-11-23 | Files: 1 | Lines: -4/+17
  llvm-svn: 59903
* Initial support for checking out of bound memory access. Only support ConcreteInt index for now.
  Author: Zhongxing Xu | Age: 2008-11-22 | Files: 1 | Lines: -2/+7
  llvm-svn: 59869
* - Clean up transfer function logic for 'return' statements.
  Author: Ted Kremenek | Age: 2008-11-21 | Files: 1 | Lines: -36/+26
  - Add check for returning an undefined value to a caller.
  llvm-svn: 59764
* Enhance modularization: return a <state,loc> pair to let GRExprEngine modify the environment.
  Author: Zhongxing Xu | Age: 2008-11-16 | Files: 1 | Lines: -2/+6
  llvm-svn: 59407
* Enhances SCA to process untyped region to typed region conversion.
  Author: Zhongxing Xu | Age: 2008-11-16 | Files: 1 | Lines: -0/+15
    - RegionView and RegionViewMap are introduced to assist back-mapping from super region to subregions.
    - GDM is used to carry RegionView information.
    - AnonTypedRegion is added to represent a typed region introduced by pointer casting. Later AnonTypedRegion can be used in other similar cases, e.g., malloc()'ed region.
    - The specific conversion is delegated to store manager.
  llvm-svn: 59382
* Reduce permissiveness of assertion.
  Author: Ted Kremenek | Age: 2008-11-15 | Files: 1 | Lines: -2/+1
  llvm-svn: 59354
* Reverted part of r59335: http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20081110/009243.html
  Author: Ted Kremenek | Age: 2008-11-15 | Files: 1 | Lines: -23/+37
  In that patch I added a bogus type promotion for unary '!'. The real bug was more fallout from edge cases with compound assignments and conjured symbolic values. Now the conjured value has the type of the LHS expression, and we do a promotion to the computation type. We also now correctly do a conversion from the computation type back to the LHS type.
  llvm-svn: 59349
* Re-enable an assertion that I mistakenly removed.
  Author: Ted Kremenek | Age: 2008-11-15 | Files: 1 | Lines: -7/+1
  llvm-svn: 59348
* Use the correct QualType when creating the '0' constant.
  Author: Ted Kremenek | Age: 2008-11-15 | Files: 1 | Lines: -1/+1
  llvm-svn: 59343
* Implement FIXME in GRExprEngine::VisitUnaryOperator() to handle implicit conversions caused by the '!' operator. This required adding some logic to GRSimpleVals to reason about nonloc::LocAsInteger SVals. This code appears to work fine, but it should eventually be cleaned up.
  Author: Ted Kremenek | Age: 2008-11-15 | Files: 1 | Lines: -5/+11
  llvm-svn: 59335
* Second attempt at implementing transfer function support for ObjCForCollectionStmt. We now assume that the 'element' expression can be any lvalue.
  Author: Ted Kremenek | Age: 2008-11-14 | Files: 1 | Lines: -35/+52
  llvm-svn: 59313
* Add a new expression node, CXXOperatorCallExpr, which expresses a function call created in response to the use of operator syntax that resolves to an overloaded operator in C++, e.g., "str1 + str2" that resolves to "std::operator+(str1, str2)". We now build a CXXOperatorCallExpr in C++ when we pick an overloaded operator. (But only for binary operators, where we actually implement overloading)
  Author: Douglas Gregor | Age: 2008-11-14 | Files: 1 | Lines: -1/+2
  I decided *not* to refactor the current CallExpr to make it abstract (with FunctionCallExpr and CXXOperatorCallExpr as derived classes). Doing so would allow us to make CXXOperatorCallExpr a little bit smaller, at the cost of making the argument and callee accessors virtual. We won't know if this is going to be a win until we can parse lots of C++ code to determine how much memory we'll save by making this change vs. the performance penalty due to the extra virtual calls.
  llvm-svn: 59306
* Improve comments.
  Author: Zhongxing Xu | Age: 2008-11-14 | Files: 1 | Lines: -1/+1
  llvm-svn: 59294
* - Revert r59229 and r59232: AllocRegion should be immutable.
  Author: Ted Kremenek | Age: 2008-11-13 | Files: 1 | Lines: -20/+0
  - Temporarily disabled test Analysis/array-struct.c for region store.
  llvm-svn: 59245
* Lift the pointer to alloca'ed region to the pointer to its first element.
  Author: Zhongxing Xu | Age: 2008-11-13 | Files: 1 | Lines: -1/+21
  This is required by some operations, e.g., *p = 1; p[0] = 1;. Also set the AllocaRegion's type during the cast.
  llvm-svn: 59232
* GRExprEngine/CFRefCount/GRSimpleVals: We don't do any special handling (yet) of vector types. Add explicit checks that when we process integers that they really are scalars.
  Author: Ted Kremenek | Age: 2008-11-13 | Files: 1 | Lines: -12/+18
  llvm-svn: 59225
* GRExprEngine::VisitInitListExpr:
  Author: Ted Kremenek | Age: 2008-11-13 | Files: 1 | Lines: -2/+2
    - Don't crash on vector types.
    - Handle typedefs.
  llvm-svn: 59220
* Shore up transfer function for ObjCForCollectionStmt.
  Author: Ted Kremenek | Age: 2008-11-12 | Files: 1 | Lines: -9/+17
  llvm-svn: 59162
* Add (preliminary) transfer function support for ObjCForCollectionStmt. Still need to flesh out some logic. When processing DeclStmt, use the new interface to StateManager::BindDecl. Conjuring of symbols is now done in VisitDeclStmt.
  Author: Ted Kremenek | Age: 2008-11-12 | Files: 1 | Lines: -5/+105
  llvm-svn: 59155
* Introduce a single AST node SizeOfAlignOfExpr for all sizeof and alignof expressions, both of values and types.
  Author: Sebastian Redl | Age: 2008-11-11 | Files: 1 | Lines: -41/+7
  llvm-svn: 59057
* silence a warning from gcc.
  Author: Chris Lattner | Age: 2008-11-10 | Files: 1 | Lines: -0/+1
  llvm-svn: 58956
* Add a boilerplate for out-of-bound array checking. This has no real function currently.
  Author: Zhongxing Xu | Age: 2008-11-08 | Files: 1 | Lines: -0/+22
  llvm-svn: 58886
* Finish the implementation of VisitCompoundLiteralExpr. As VisitInitListExpr is available, things get much simplified. One addition is that CompoundLiteralExpr can appear both in rvalue and lvalue context.
  Author: Zhongxing Xu | Age: 2008-11-07 | Files: 1 | Lines: -20/+14
  llvm-svn: 58837
* Add transfer function logic for alloca().
  Author: Ted Kremenek | Age: 2008-11-02 | Files: 1 | Lines: -0/+10
  llvm-svn: 58552
* Comment out invalid assertion. I'm leaving it in the code for now as a reminder to produce a test case.
  Author: Ted Kremenek | Age: 2008-10-31 | Files: 1 | Lines: -1/+3
  llvm-svn: 58510
* Fix 80-col violations.
  Author: Zhongxing Xu | Age: 2008-10-31 | Files: 1 | Lines: -5/+5
  llvm-svn: 58495