path: root/clang/lib/Analysis/GRExprEngine.cpp
Commit message (Author, Age, Files, Lines)
* Make static analysis support for C++ 'this' expression context-sensitive. Essentially treat 'this' as an implicit parameter to the method call, and associate a region with it. llvm-svn: 92675
  (Ted Kremenek, 2010-01-05, 1 file, -2/+7)
* Remove references to 'Checker' and 'GRTransferFuncs' from GRStateManager. Having these references was an abstraction violation, as they really should only be known about GRExprEngine. This change required adding a new 'ProcessAssume' callback in GRSubEngine. GRExprEngine implements this callback by calling 'EvalAssume' on all registered Checker objects as well as the registered GRTransferFunc object. llvm-svn: 92549
  (Ted Kremenek, 2010-01-05, 1 file, -11/+27)
* Let constraint manager inform checkers that some assumption logic has happened. Add new states for symbolic regions tracked by malloc checker. This enables us to do malloc checking more accurately. See test case. Based on Lei Zhang's patch and discussion. llvm-svn: 92342
  (Zhongxing Xu, 2009-12-31, 1 file, -1/+2)
* Remove some dead variables clang-analyzer found. llvm-svn: 92162
  (Benjamin Kramer, 2009-12-25, 1 file, -2/+0)
* Fix typo spotted by MSVC. GRExprEngine.cpp(1348) : warning C4305: 'argument' : truncation from 'clang::ProgramPoint::Kind' to 'bool' llvm-svn: 92154
  (Benjamin Kramer, 2009-12-25, 1 file, -2/+2)
* Teach GRExprEngine to handle the initialization of the condition variable of a ForStmt. llvm-svn: 92114
  (Ted Kremenek, 2009-12-24, 1 file, -0/+6)
* Teach GRExprEngine to handle the initialization of the condition variable of a WhileStmt. llvm-svn: 92106
  (Ted Kremenek, 2009-12-24, 1 file, -0/+6)
* Teach GRExprEngine to handle the initialization of the condition variable of a SwitchStmt. llvm-svn: 92102
  (Ted Kremenek, 2009-12-24, 1 file, -7/+11)
* Add CFG support for the condition variable that can appear in IfStmts in C++ mode. Add transfer function support in GRExprEngine for IfStmts with initialized condition variables. llvm-svn: 91987
  (Ted Kremenek, 2009-12-23, 1 file, -0/+37)
* Add stack trace pretty printing in GRExprEngine::VisitLValue(). llvm-svn: 91985
  (Ted Kremenek, 2009-12-23, 1 file, -0/+4)
* Teach GRExprEngine::VisitLValue to ignore CXXExprWithTempories (for now). llvm-svn: 91982
  (Ted Kremenek, 2009-12-23, 1 file, -0/+1)
* Teach GRExprEngine::VisitLValue that we don't handle CXXZeroInitValueExprs yet. llvm-svn: 91970
  (Ted Kremenek, 2009-12-23, 1 file, -1/+2)
* Also treat the type of the subexpression as a pointer in GRExprEngine::VisitCast when the expression is handled as an lvalue. llvm-svn: 91969
  (Ted Kremenek, 2009-12-23, 1 file, -0/+1)
* Add basic support for analyzing CastExprs as lvalues. llvm-svn: 91952
  (Ted Kremenek, 2009-12-23, 1 file, -3/+27)
* Add transfer functions support for visiting an Objective-C message expression as an lvalue when the return type is a C++ reference. llvm-svn: 91926
  (Ted Kremenek, 2009-12-22, 1 file, -38/+73)
* Enhance GRExprEngine::VisitCallExpr() to be used in an lvalue context. Uncovered a new failing test case along the way, but we're making progress on handling C++ references in the analyzer. llvm-svn: 91710
  (Ted Kremenek, 2009-12-18, 1 file, -5/+52)
* Tweak formatting and comments. llvm-svn: 91615
  (Ted Kremenek, 2009-12-17, 1 file, -6/+4)
* Convert GRExprEngine::VisitCallExpr() to use a worklist instead of recursion to evaluate the arguments of a CallExpr. This simplifies the logic and makes it easier to read. (it also avoids any issues with blowing out the stack if the CallExpr had a ridiculous number of arguments) llvm-svn: 91613
  (Ted Kremenek, 2009-12-17, 1 file, -45/+64)
* Reduce nesting by using early exits. No functionality change. llvm-svn: 91610
  (Ted Kremenek, 2009-12-17, 1 file, -35/+46)
* Sort switch statement. No functionality change. llvm-svn: 91591
  (Ted Kremenek, 2009-12-17, 1 file, -15/+15)
* Fix check in GRExprEngine for the 'main' function to handle NULL IdentifierInfo*'s. llvm-svn: 91577
  (Ted Kremenek, 2009-12-17, 1 file, -16/+17)
* Add a new kind of region: CXXObjectRegion. Currently it has only one attribute: the object type. Add initial support for visiting CXXThisExpr. Fix a bunch of 80-col violations. llvm-svn: 91535
  (Zhongxing Xu, 2009-12-16, 1 file, -15/+30)
* Add (initial?) static analyzer support for handling C++ references.
  (Ted Kremenek, 2009-12-16, 1 file, -16/+63)
  This change was a lot bigger than I originally anticipated; among other things it requires us storing more information in the CFG to record what block-level expressions need to be evaluated as lvalues.
  The big change is that CFGBlocks no longer contain Stmt*'s but CFGElements. Currently CFGElements just wrap Stmt*, but they also store a bit indicating whether the block-level expression should be evaluated as an lvalue. DeclStmts involving the initialization of a reference require us treating the initialization expression as an lvalue, even though that information isn't recorded in the AST.
  Conceptually this change isn't that complicated, but it required bubbling up the data through the CFGBuilder, to GRCoreEngine, and eventually to GRExprEngine. The addition of CFGElement is also useful for when we want to handle more control-flow constructs or other data we want to keep in the CFG that isn't represented well with just a block of statements.
  In GRExprEngine, this patch introduces logic for evaluating the lvalues of references, which currently retrieves the internal "pointer value" that the reference represents. EvalLoad does a two stage load to catch null dereferences involving an invalid reference (although this could possibly be caught earlier during the initialization of a reference). Symbols are currently symbolicated using the reference type, instead of a pointer type, and special handling is required creating ElementRegions that layer on SymbolicRegions (see the changes to RegionStoreManager).
  Along the way, the DeadStoresChecker also silences warnings involving dead stores to references. This was the original change I introduced (which I wrote test cases for) that I realized caused GRExprEngine to crash. llvm-svn: 91501
* Start the ball rolling on C++ support in the static analyzer. For now, don't construct CFGs that contain C++ try/catch statements, and have GRExprEngine abort a path if it encounters a C++ construct it doesn't understand (which is mostly everything at this point). llvm-svn: 91389
  (Ted Kremenek, 2009-12-15, 1 file, -0/+35)
* Fix: <rdar://problem/7468209> SymbolManager::isLive() should not crash on captured block variables that are passed by reference llvm-svn: 91348
  (Ted Kremenek, 2009-12-14, 1 file, -2/+3)
* Use insert to avoid destroying existing nodes. llvm-svn: 91258
  (Zhongxing Xu, 2009-12-14, 1 file, -1/+1)
* Refactor OSAtomic evaluation logic into OSAtomicChecker. llvm-svn: 90968
  (Zhongxing Xu, 2009-12-09, 1 file, -150/+2)
* Use a temporary destination set such that we can clear fake auto transitions. Otherwise, even when real evaluation occurs, the previous fake auto transitions would still be in the destination set, causing fake state bifurcation. llvm-svn: 90967
  (Zhongxing Xu, 2009-12-09, 1 file, -3/+24)
* OSAtomic simulation: use the original region as the location to load from, instead of the ElementRegion obtained from casts. Test cast: the leak cannot occur because the true branch cannot be taken. llvm-svn: 90964
  (Zhongxing Xu, 2009-12-09, 1 file, -2/+5)
* remove dead code. llvm-svn: 90953
  (Zhongxing Xu, 2009-12-09, 1 file, -41/+0)
* Insert instead of assign to the dest node set, since we use the dest node set repeatedly. llvm-svn: 90952
  (Zhongxing Xu, 2009-12-09, 1 file, -1/+1)
* Fix a horrid bug in GRExprEngine::CheckerVisit() that was identified by the test case in PR 5627. Essentially we shouldn't clear the ExplodedNodeSet where we deposit newly constructed nodes if that set is the 'Dst' set passed in. It is not okay to clear that set because it may already contain nodes. llvm-svn: 90931
  (Ted Kremenek, 2009-12-09, 1 file, -41/+58)
* Refactor builtin function evaluation into a checker. llvm-svn: 90847
  (Zhongxing Xu, 2009-12-08, 1 file, -8/+1)
* Add analysis support for blocks. This includes a few key changes:
  (Ted Kremenek, 2009-12-07, 1 file, -5/+27)
  - Refactor the MemRegion hierarchy to distinguish between different StackSpaceRegions for locals and parameters.
  - VarRegions for "captured" variables now have the BlockDataRegion as their super region (except those passed by reference)
  - Add transfer function support to GRExprEngine for BlockDeclRefExprs.
  This change also supports analyzing blocks as an analysis entry point (top-of-the-stack), which required pushing more context-sensitivity around in the MemRegion hierarchy via the use of LocationContext objects. Functionally almost everything is the same, except we track LocationContexts in a few more areas and StackSpaceRegions now refer to a StackFrameContext object. In the future we will need to modify MemRegionManager to allow multiple StackSpaceRegions in flight at once (for the analysis of multiple stack frames). llvm-svn: 90809
* Add EvalCallExpr interface to checker, and migrate the no-return function handler to this interface. GRExprEngine::CheckerEvalCall() will return true if one of the checkers has processed the node. In the future this might return void when we have some default checker. llvm-svn: 90755
  (Zhongxing Xu, 2009-12-07, 1 file, -59/+53)
* Hard bifurcate the state into nil receiver and non-nil receiver, so that we don't need to use the DoneEvaluation hack when check for ObjCMessageExpr. PreVisitObjCMessageExpr() only checks for undefined receiver or arguments. Add checker interface EvalNilReceiver(). This is a 'once-and-done' interface. llvm-svn: 90296
  (Zhongxing Xu, 2009-12-02, 1 file, -40/+58)
* Eliminate another VISIBILITY_HIDDEN llvm-svn: 90139
  (Douglas Gregor, 2009-11-30, 1 file, -4/+1)
* Adapt to the DOTGraphTraits changes in LLVM. llvm-svn: 90137
  (Tobias Grosser, 2009-11-30, 1 file, -1/+4)
* lib/Analysis: Remove VISIBILITY_HIDDEN from definitions in anonymous namespace llvm-svn: 90028
  (Kovarththanan Rajaratnam, 2009-11-28, 1 file, -2/+4)
* Refine MemRegions for blocks. Add a new region called 'BlockDataRegion' to distinguish between the code associated with a block (which is represented by 'BlockTextRegion') and an instance of a block, which includes both code and data. 'BlockDataRegion' has an associated LocationContext, which can be used to eventually model the lifetime of a block object once LocationContexts can represent scopes (and iterations around a loop, etc.). llvm-svn: 89900
  (Ted Kremenek, 2009-11-25, 1 file, -1/+3)
* Add post-visit Checker support in GRExprEngine for BlockExpr. llvm-svn: 89890
  (Ted Kremenek, 2009-11-25, 1 file, -1/+7)
* Make RegisterInternalChecks() part of GRExprEngine's private implementation by making it a static function within GRExprEngine.cpp. llvm-svn: 89884
  (Ted Kremenek, 2009-11-25, 1 file, -30/+32)
* Register internal checks with GRExprEngine when it is constructed, not manually in AnalysisConsumer.cpp. llvm-svn: 89883
  (Ted Kremenek, 2009-11-25, 1 file, -1/+5)
* When dispatching to Checker objects in GRExprEngine::CheckerVisit(), only stop processing the checkers after all the nodes for a current check have been processed. This (I believe) handles the case where PredSet (the input nodes) contains more than one node due to state bifurcation. Zhongxing: can you review this? llvm-svn: 89882
  (Ted Kremenek, 2009-11-25, 1 file, -4/+12)
* Add transfer function support for BlockExpr. llvm-svn: 89829
  (Ted Kremenek, 2009-11-25, 1 file, -0/+12)
* Cleanups and fixes to the nil-receiver checker, some of it fallout the initial transition of the nil-receiver checker to the Checker interface as done in r89745. Some important changes include:
  (Ted Kremenek, 2009-11-24, 1 file, -7/+20)
  1) We consolidate the BugType object used for nil receiver bug reports, and don't include the type of the returned value in the BugType (which would be wrong if a nil receiver bug was reported more than once)
  2) Added a new (temporary) flag to CheckerContext: DoneEvauating. This is used by GRExprEngine when evaluating message expressions to not continue evaluating the message expression if this flag is set. This flag is currently set by the nil receiver checker. This is an intermediate solution to allow the nil-receiver checker to properly work as a plug-in outside of GRExprEngine. Basically, this flag indicates that the entire message expression has been evaluated, not just a precondition (which is what the nil-receiver checker does). This flag *should not* be repurposed for general use, but just to pull more things out of GRExprEngine that already in there as we devise a better interface in the Checker class.
  3) Cleaned up the logic in the nil-receiver checker, making the control-flow a lot easier to read. llvm-svn: 89804
* Refactor undefined result checker. This is the last one. llvm-svn: 89750
  (Zhongxing Xu, 2009-11-24, 1 file, -14/+34)
* Refactor NilReceiverStructRet and NilReceiverLargerThanVoidPtrRet into CallAndMessageChecker. llvm-svn: 89745
  (Zhongxing Xu, 2009-11-24, 1 file, -86/+9)
* Clean up the Checker API a little more, resolving some hidden bugs along the way. Important changes:
  (Ted Kremenek, 2009-11-23, 1 file, -2/+6)
  1) To generate a sink node, use GenerateSink(); GenerateNode() is for generating regular transitions. This makes the API clearer and also allows us to use the 'bool' option to GenerateNode() for a different purpose.
  2) GenerateNode() now automatically adds the generated node to the destination ExplodedNodeSet (autotransition) unless the client specifies otherwise with a bool flag. Several checkers did not call 'addTransition()' after calling 'GenerateNode()', causing the simulation path to be prematurely culled when a non-fail stop bug was encountered.
  3) Add variants of GenerateNode()/GenerateSink() that take neither a Stmt* or a GRState*; most callers of GenerateNode() just pass in the same Stmt* as provided when the CheckerContext object is created; we can just use that the majority of the time. This cleanup also allows us to potentially coalesce the APIs for evaluating branches and end-of-paths (which currently directly use builders).
  4) addTransition() no longer needs to be called except for a few cases. We now have a variant of addTransition() that takes a GRState*; this allows one to propagate the updated state without caring about generating a new node explicitly. This nicely cleaned up a bunch of cases that called autoTransition() with a bunch of conditional logic surround the call (that common logic has now been swallowed up by addTransition() itself). llvm-svn: 89707
* Initial refactor of UndefBranchChecker. We still use GRBranchNodeBuilder in the checker directly. But I don't have a better approach for now. llvm-svn: 89640
  (Zhongxing Xu, 2009-11-23, 1 file, -40/+34)