path: root/clang/lib/Analysis/GRExprEngine.cpp
Commit log (each entry: commit message; author, date, files changed, lines removed/added; svn revision)
* Create "TypedViewRegions" that layer on top of SymbolicRegions when handling pointer-to-pointer casts involving symbolic locations.
  Author: Ted Kremenek | Date: 2009-03-04 | Files: 1 | Lines: -5/+23
  llvm-svn: 65984
* Revert 65707 (causes stack memory to be referenced after it is released).
  Author: Ted Kremenek | Date: 2009-02-28 | Files: 1 | Lines: -3/+3
  llvm-svn: 65717
* remove static ctor.
  Author: Chris Lattner | Date: 2009-02-28 | Files: 1 | Lines: -3/+3
  llvm-svn: 65707
* improve compatibility with the VC++'08 C++ compiler. Patch by Niklas Larsson!
  Author: Chris Lattner | Date: 2009-02-28 | Files: 1 | Lines: -1/+2
  llvm-svn: 65706
* Create a new TypeNodes.def file that enumerates all of the types, giving them rough classifications (normal types, never-canonical types, always-dependent types, abstract type representations) and making it far easier to make sure that we've hit all of the cases when decoding types. Switched some switch() statements on the type class over to using this mechanism, and filtering out those things we don't care about. For example, CodeGen should never see always-dependent or non-canonical types, while debug info generation should never see always-dependent types. More switch() statements on the type class need to be moved over to using this approach, so that we'll get warnings when we add a new type then fail to account for it somewhere in the compiler.
  As part of this, some types have been renamed:
    TypeOfExpr -> TypeOfExprType
    FunctionTypeProto -> FunctionProtoType
    FunctionTypeNoProto -> FunctionNoProtoType
  There shouldn't be any functionality change...
  Author: Douglas Gregor | Date: 2009-02-26 | Files: 1 | Lines: -3/+3
  llvm-svn: 65591
* Fix subtle bug in EvalEagerlyAssume: Check if the previous node was at the same statement.
  Author: Ted Kremenek | Date: 2009-02-25 | Files: 1 | Lines: -10/+17
  llvm-svn: 65486
* Add experimental logic in GRExprEngine::EvalEagerlyAssume() to handle expressions of the form: 'short x = (y != 10);' While we handle 'int x = (y != 10)' lazily, the cast to another integer type currently loses the symbolic constraint. Eager evaluation of the constraint causes the paths to bifurcate and eagerly evaluate 'y != 10' to a constant of 1 or 0. This should address <rdar://problem/6619921> until we have a better (more lazy approach) for handling promotions/truncations of symbolic integer values.
  Author: Ted Kremenek | Date: 2009-02-25 | Files: 1 | Lines: -3/+49
  llvm-svn: 65480
* Fix <rdar://problem/6611677>: Add basic transfer function support in the static analyzer for array subscript expressions involving bases that are vectors. This solution is probably a hack: it gets the lvalue of the vector instead of an rvalue like all other types. This should be reviewed (big FIXME in GRExprEngine).
  Author: Ted Kremenek | Date: 2009-02-24 | Files: 1 | Lines: -1/+10
  llvm-svn: 65366
* Implemented simple check in <rdar://problem/6600344>: When the receiver of a message expression is nil and the return type is struct, then the returned value is undefined or potentially garbage.
  Author: Ted Kremenek | Date: 2009-02-19 | Files: 1 | Lines: -2/+28
  llvm-svn: 65003
* Add panic function.
  Author: Ted Kremenek | Date: 2009-02-17 | Files: 1 | Lines: -1/+2
  llvm-svn: 64852
* Add '_assert' to list of known panic functions.
  Author: Ted Kremenek | Date: 2009-02-17 | Files: 1 | Lines: -2/+4
  llvm-svn: 64772
* Add hook to add attributes to function declarations that we know about, whether they are builtins or not. Use this to add the appropriate "format" attribute to NSLog, NSLogv, asprintf, and vasprintf, and to translate builtin attributes (from Builtins.def) into actual attributes on the function declaration. Use the "printf" format attribute on function declarations to determine whether we should do format string checking, rather than looking at an ad hoc list of builtins and "known" function names. Be a bit more careful about when we consider a function a "builtin" in C++.
  Author: Douglas Gregor | Date: 2009-02-14 | Files: 1 | Lines: -1/+2
  llvm-svn: 64561
* GRExprEngine: Handle empty statement expressions.
  Author: Ted Kremenek | Date: 2009-02-14 | Files: 1 | Lines: -8/+12
  llvm-svn: 64541
* Use GRTransferFuncs::EvalBind when processing variable initializations.
  Author: Ted Kremenek | Date: 2009-02-14 | Files: 1 | Lines: -26/+34
  llvm-svn: 64527
* Static analyzer:
  - Added a new 'node builder' class called GRStmtNodeBuilderRef (name may change). This is essentially a smart reference to a GRStmtNodeBuilder object that keeps track of the current context (predecessor node, GRExprEngine object, etc.) The idea is to gradually simplify the interface between GRExprEngine and GRTransferFuncs using this new builder (i.e., passing 1 argument instead of 5). It also handles some of the "auto-transition" for node creation, simplifying some of the logic in GRExprEngine itself.
  - Used GRStmtBuilderRef to replace GRTransferFuncs::EvalStore with GRTransferFuncs::EvalBind. The new EvalBind method will be used at any arbitrary places where a binding between a location and value takes place. Moreover, GRTransferFuncs no longer has the responsibility to request StoreManager to do the binding; this is now in GRExprEngine::EvalBind. All GRTransferFuncs::EvalBind does is checker-specific logic (which can be a no-op).
  Author: Ted Kremenek | Date: 2009-02-14 | Files: 1 | Lines: -32/+22
  llvm-svn: 64525
* Implicitly declare certain C library functions (malloc, strcpy, memmove, etc.) when we perform name lookup on them. This ensures that we produce the correct signature for these functions, which has two practical impacts:
  1) When we're supporting the "implicit function declaration" feature of C99, these functions will be implicitly declared with the right signature rather than as a function returning "int" with no prototype. See PR3541 for the reason why this is important (hint: GCC always predeclares these functions).
  2) If users attempt to redeclare one of these library functions with an incompatible signature, we produce a hard error.
  This patch does a little bit of work to give reasonable error messages. For example, when we hit case #1 we complain that we're implicitly declaring this function with a specific signature, and then we give a note that asks the user to include the appropriate header (e.g., "please include <stdlib.h> or explicitly declare 'malloc'"). In case #2, we show the type of the implicit builtin that was incorrectly declared, so the user can see the problem. We could do better here: for example, when displaying this latter error message we say something like:
    'strcpy' was implicitly declared here with type 'char *(char *, char const *)'
  but we should really print out a fake code line showing the declaration, like this:
    'strcpy' was implicitly declared here as:
      char *strcpy(char *, char const *)
  This would also be good for printing built-in candidates with C++ operator overloading.
  The set of C library functions supported by this patch includes all functions from the C99 specification's <stdlib.h> and <string.h> that (a) are predefined by GCC and (b) have signatures that could cause codegen issues if they are treated as functions with no prototype returning an int. Future work could extend this set of functions to other C library functions that we know about.
  Author: Douglas Gregor | Date: 2009-02-13 | Files: 1 | Lines: -3/+1
  llvm-svn: 64504
* GRExprEngine:
  - Add 'EvalBind', which will be used by 'EvalStore' to pull much of the value binding logic out of GRTransferFuncs.
  - Rename many cases of 'St' to 'state'.
  Author: Ted Kremenek | Date: 2009-02-13 | Files: 1 | Lines: -194/+209
  llvm-svn: 64426
* GRExprEngine: When processing compound assignments, do a switch table lookup to get the non-compound opcode from the compound opcode instead of relying on the order of BinaryOperator::opcode values. This unbreaks the misc-ps.c test.
  Author: Ted Kremenek | Date: 2009-02-07 | Files: 1 | Lines: -6/+13
  llvm-svn: 63991
* Overhaul BugReporter interface and implementation. The new interface cleans up the ownership of BugTypes and BugReports. Now BugReports are owned by BugTypes, and BugTypes are owned by the BugReporter object. The major functionality change in this patch is that reports are not immediately emitted by a call to BugReporter::EmitWarning (now called EmitReport), but instead are queued up in report "equivalence classes". When BugReporter::FlushReports() is called, it emits one diagnostic per report equivalence class. This provides a nice cleanup with the caching of reports as well as enables the BugReporter engine to select the "best" path for reporting a path-sensitive bug based on all the locations in the ExplodedGraph that the same bug could occur. Along with this patch, Leaks are now coalesced into a common equivalence class by their allocation site, and the "summary" diagnostic for leaks now reports the allocation site as the location of the bug (this may later be augmented to also provide an example location where the leak occurs).
  Author: Ted Kremenek | Date: 2009-02-04 | Files: 1 | Lines: -46/+13
  llvm-svn: 63796
* Remove dead code.
  Author: Zhongxing Xu | Date: 2009-02-04 | Files: 1 | Lines: -11/+1
  llvm-svn: 63715
* make SM::getColumnNumber take a predecomposed FileID/offset, which makes it clear to clients that they have to pick an instantiation or spelling location before calling it and allows optimization based on that.
  Author: Chris Lattner | Date: 2009-02-04 | Files: 1 | Lines: -4/+7
  llvm-svn: 63698
* Move method out-of-line.
  Author: Ted Kremenek | Date: 2009-01-30 | Files: 1 | Lines: -0/+30
  llvm-svn: 63412
* Switch Type::isAggregateType to use the C++ definition of "aggregate type" rather than the C definition. We do this because both C99 and Clang always use "aggregate type" as "aggregate or union type", and the C++ definition includes union types.
  Author: Douglas Gregor | Date: 2009-01-30 | Files: 1 | Lines: -2/+1
  llvm-svn: 63395
* Static Analyzer: Replace LiveSymbols/DeadSymbols sets with a new object called "SymbolReaper". Right now it just consolidates the two and cleans up some client code, but shortly it will be used to enable "lazy computation" of live symbols for use with RegionStore.
  Author: Ted Kremenek | Date: 2009-01-21 | Files: 1 | Lines: -9/+8
  llvm-svn: 62722
* Remove ScopedDecl, collapsing all of its functionality into Decl, so that every declaration lives inside a DeclContext. Moved several things that don't have names but were ScopedDecls (and, therefore, NamedDecls) to inherit from Decl rather than NamedDecl, including ObjCImplementationDecl and LinkageSpecDecl. Now, we don't store empty DeclarationNames for these things, nor do we try to insert them into DeclContext's lookup structure. The serialization tests are temporarily disabled. We'll re-enable them once we've sorted out the remaining ownership/serialization issues between DeclContexts and TranslationUnit, DeclGroups, etc.
  Author: Douglas Gregor | Date: 2009-01-20 | Files: 1 | Lines: -1/+1
  llvm-svn: 62562
* Fix analyzer crash found when scanning Wine sources where the analyzer used old logic to determine the value of a switch 'case' label.
  Author: Ted Kremenek | Date: 2009-01-17 | Files: 1 | Lines: -35/+25
  llvm-svn: 62395
* static analyzer: Handle casts from arrays to integers. This fixes PR 3297.
  Author: Ted Kremenek | Date: 2009-01-13 | Files: 1 | Lines: -11/+33
  llvm-svn: 62130
* Add QualifiedDeclRefExpr, which retains additional source-location information for declarations that were referenced via a qualified-id, e.g., N::C::value. We keep track of the location of the start of the nested-name-specifier. Note that the difference between QualifiedDeclRefExpr and DeclRefExpr does have an effect on the semantics of function calls in two ways:
  1) The use of a qualified-id instead of an unqualified-id suppresses argument-dependent lookup
  2) If the name refers to a virtual function, the qualified-id version will call the function determined statically while the unqualified-id version will call the function determined dynamically (by looking up the appropriate function in the vtable).
  Neither of these features is implemented yet, but we do print out qualified names for QualifiedDeclRefExprs as part of the AST printing.
  Author: Douglas Gregor | Date: 2009-01-06 | Files: 1 | Lines: -0/+2
  llvm-svn: 61789
* Fix initialization order.
  Author: Zhongxing Xu | Date: 2008-12-22 | Files: 1 | Lines: -3/+3
  llvm-svn: 61333
* Add an option to make 'RemoveDeadBindings' a configurable behavior. This enables us to measure the effect of this optimization.
  Author: Zhongxing Xu | Date: 2008-12-22 | Files: 1 | Lines: -3/+8
  llvm-svn: 61319
* Add support for member references (E1.E2, E1->E2) with C++ semantics, which can refer to static data members, enumerators, and member functions as well as to non-static data members. Implement correct lvalue computation for member references in C++. Compute the result type of non-static data members of reference type properly.
  Author: Douglas Gregor | Date: 2008-12-20 | Files: 1 | Lines: -2/+6
  llvm-svn: 61294
* Lazy binding for region-store manager.
  * Now Bind() methods take and return GRState* because binding could also alter GDM.
  * No variables are initialized except those declared with initial values.
  * failed C test cases are due to bugs in RemoveDeadBindings(), which removes constraints that are still alive. This will be fixed in a later patch.
  * default value of array and struct regions will be implemented in a later patch.
  Author: Zhongxing Xu | Date: 2008-12-20 | Files: 1 | Lines: -6/+5
  llvm-svn: 61274
* ProgramPoint:
  - Added four new ProgramPoint types that subclass PostStmt for use in GRExprEngine::EvalLocation:
    - PostOutOfBoundsCheckFailed
    - PostUndefLocationCheckFailed
    - PostNullCheckFailed
    - PostLocationChecksSucceed
    These were created because of a horribly subtle caching bug in EvalLocation where a node representing a "bug condition" in EvalLocation (e.g. a null dereference) could be re-used as the "non-bug condition" because the Store did not contain any information to differentiate between the two. The extra program points just disable any accidental caching between EvalLocation and its callers.
  GRExprEngine:
  - EvalLocation now returns a NodeTy* instead of GRState*. This should be used as the "vetted" predecessor for EvalLoad/EvalStore.
  Author: Ted Kremenek | Date: 2008-12-16 | Files: 1 | Lines: -80/+88
  llvm-svn: 61105
* Fix regression in handling sizeof(void) in the static analyzer.
  Author: Ted Kremenek | Date: 2008-12-15 | Files: 1 | Lines: -13/+15
  llvm-svn: 61039
* MemRegion:
  - Overhauled the notion of "types" for TypedRegions. We now distinguish between the "lvalue" of a region (via getLValueRegion()) and the "rvalue" of a region (via getRValueRegion()). Since a region represents a chunk of memory it has both, but we were conflating these concepts in some cases, leading to some insidious bugs.
  - Removed AnonPointeeType, partially because it is unused and because it doesn't have a clear notion of lvalue vs rvalue type. We can add it back once there is a need for it and we can resolve its role with these concepts.
  StoreManager:
  - Overhauled StoreManager::CastRegion. It expects an *lvalue* type for a region. This is actually what motivated the overhaul to the MemRegion type mechanism. It also no longer returns an SVal; we can just return a MemRegion*.
  - BasicStoreManager::CastRegion now overlays an "AnonTypedRegion" for pointer-pointer casts. This matches with the MemRegion changes.
  - Similar changes to RegionStore, except I've added a bunch of FIXMEs where it wasn't 100% clear where we should use TypedRegion::getRValueRegion() or TypedRegion::getLValueRegion().
  AuditCFNumberCreate check:
  - Now blasts through AnonTypedRegions that may layer the original memory region, thus checking if the actual memory block is of the appropriate type. This change was needed to work with the changes to StoreManager::CastRegion.
  GRExprEngine::VisitCast:
  - Conform to the new interface of StoreManager::CastRegion.
  Tests:
  - None of the analysis tests fail now for using the "basic store".
  - Disabled the tests 'array-struct.c' and 'rdar-6442306-1.m' pending further testing and bug fixing.
  Author: Ted Kremenek | Date: 2008-12-13 | Files: 1 | Lines: -8/+17
  llvm-svn: 60995
* A series of cleanups/fixes motivated by <rdar://problem/6442306>:
  GRExprEngine (VisitCast):
  - When using StoreManager::CastRegion, always use the state and value it returns to generate the next node. Failure to do so means that region values returned that don't require the state to be modified will get ignored.
  MemRegion:
  - Tighten the interface for ElementRegion. Now ElementRegion can only be created with a super region that is a 'TypedRegion' instead of any MemRegion. Code in BasicStoreManager/RegionStoreManager already assumed this, but it would result in a dynamic assertion check (and crash) rather than just having the compiler forbid the construction of such regions.
  - Added ElementRegion::getArrayRegion() to return the 'typed version' of an ElementRegion's super region.
  - Removed bogus assertion in ElementRegion::getType() that assumed that the super region was an AnonTypedRegion. All that matters is that it is a TypedRegion, which is now true all the time by design.
  BasicStore:
  - Modified getLValueElement() to check if the 'array' region is a TypedRegion before creating an ElementRegion. This conforms to the updated interface for ElementRegion.
  RegionStore:
  - In ArrayToPointer() gracefully handle things we don't reason about, and only create an ElementRegion if the array region is indeed a TypedRegion.
  Author: Ted Kremenek | Date: 2008-12-13 | Files: 1 | Lines: -9/+3
  llvm-svn: 60990
* In GRExprEngine treat @throw as an 'abort' that ends the current path. This is a temporary solution.
  Author: Ted Kremenek | Date: 2008-12-09 | Files: 1 | Lines: -0/+9
  llvm-svn: 60789
* [static analyzer] Extend VLA size checking to look for undefined sizes.
  Author: Ted Kremenek | Date: 2008-12-09 | Files: 1 | Lines: -2/+10
  llvm-svn: 60734
* Add checking for zero-sized VLAs.
  Author: Ted Kremenek | Date: 2008-12-08 | Files: 1 | Lines: -2/+28
  llvm-svn: 60726
* Add bandaid transfer function support for assignments involving ObjCKVCRefExpr.
  Author: Ted Kremenek | Date: 2008-12-06 | Files: 1 | Lines: -0/+7
  llvm-svn: 60622
* Rename SymbolID to SymbolRef. This is a precursor to some overhauling of the representation of symbolic values.
  Author: Ted Kremenek | Date: 2008-12-05 | Files: 1 | Lines: -4/+4
  llvm-svn: 60575
* Add support for initializing array with string literal.
  This fixes PR3127 http://llvm.org/bugs/show_bug.cgi?id=3127
  Author: Zhongxing Xu | Date: 2008-11-30 | Files: 1 | Lines: -0/+4
  llvm-svn: 60280
* Code cleanup. No functional change.
  Author: Zhongxing Xu | Date: 2008-11-28 | Files: 1 | Lines: -3/+5
  llvm-svn: 60206
* Add support for pluggable components of static analyzer.
  - Creator function pointers are saved in ManagerRegistry.
  - The Register* class is used to notify ManagerRegistry new module is available.
  - AnalysisManager queries ManagerRegistry for configurable module. Then it passes them to GRExprEngine, in turn to GRStateManager.
  Author: Zhongxing Xu | Date: 2008-11-27 | Files: 1 | Lines: -3/+3
  llvm-svn: 60143
* Remove FIXME comment.
  Author: Ted Kremenek | Date: 2008-11-24 | Files: 1 | Lines: -1/+0
  llvm-svn: 59973
* Add support for AllocaRegion extent with GDM.
  One design problem that is emerging is the signed-ness problem during static analysis. Many unsigned values have to be converted into signed values because they participate in operations with signed values. On the other hand, we cannot blindly make all values occurring in static analysis signed, because we do have cases where unsignedness is required, for example, integer overflow detection.
  Author: Zhongxing Xu | Date: 2008-11-24 | Files: 1 | Lines: -0/+7
  llvm-svn: 59957
* Cleanup code with utility method.
  Author: Zhongxing Xu | Date: 2008-11-24 | Files: 1 | Lines: -2/+2
  llvm-svn: 59951
* Add out-of-bound memory access warning report code.
  Author: Zhongxing Xu | Date: 2008-11-23 | Files: 1 | Lines: -4/+17
  llvm-svn: 59903
* Initial support for checking out of bound memory access. Only support ConcreteInt index for now.
  Author: Zhongxing Xu | Date: 2008-11-22 | Files: 1 | Lines: -2/+7
  llvm-svn: 59869
* - Clean up transfer function logic for 'return' statements.
  - Add check for returning an undefined value to a caller.
  Author: Ted Kremenek | Date: 2008-11-21 | Files: 1 | Lines: -36/+26
  llvm-svn: 59764