| Commit message (Collapse) | Author | Age | Files | Lines |
| |
GRTransferFuncs had the conflated role of both constructing SVals (symbolic
expressions) as well as handling checker-specific logic. Now SValuator has the
role of constructing SVals from expressions and GRTransferFuncs just handles
checker-specific logic. The motivation is that by separating these two concepts we
will be able to much more easily create richer constraint-generating logic
without coupling it to the main checker transfer function logic.
We now have one implementation of SValuator: SimpleSValuator.
SimpleSValuator is essentially the SVal-related logic that was in GRSimpleVals
(which is removed in this patch). This includes the logic for EvalBinOp,
EvalCast, etc. Because SValuator has a narrower role than the old
GRTransferFuncs, the interfaces are much simpler, and so is the implementation
of SimpleSValuator compared to GRSimpleVals. I also did a line-by-line review of
SVal-related logic in GRSimpleVals and cleaned it up while moving it over to
SimpleSValuator.
As a consequence of removing GRSimpleVals, there is no longer a
'-checker-simple' option. The '-checker-cfref' did everything that option did
but also ran the retain/release checker. Of course a user may not always wish to
run the retain/release checker, nor do we wish core analysis logic buried in the
checker-specific logic. The next step is to refactor the logic in CFRefCount.cpp
to separate out these pieces into the core analysis engine.
llvm-svn: 74229
| |
llvm-svn: 73996
| |
llvm-svn: 73954
| |
- Embed a reference to MemRegionManager objects in MemSpaceRegion objects
- Use this embedded reference for MemRegion objects to access ASTContext objects without external help
- Use this access to ASTContext to simplify 'isBoundable' (no ASTContext& argument required)
llvm-svn: 73935
| |
GRState->bindXXX and friends (and constify some arguments along the way).
llvm-svn: 73740
| |
llvm-svn: 73474
| |
RegionStore needs to know the type of alloca region.
* RegionStoreManager::EvalBinOp() now converts the alloca region to its first
element region, as what is done to symbolic region.
llvm-svn: 72164
| |
implicitly be changed to unsigned values in GRSimpleVals.cpp. This can happen
when the comparison involves logic in specialized transfer functions (e.g.,
OSAtomicCompareAndSwap).
llvm-svn: 71200
| |
'==' and '!=' (some code in the '!=' was not replicated in the '==' code,
causing some constraints to get lost).
llvm-svn: 70885
| |
reasoning about OSCompareAndSwap32Barrier/OSCompareAndSwap64Barrier. Essentially
the address of reference to a region (pointer-to-pointer) can be cast to
(int32_t*), and we need to handle the logic to convert the involved locations
back and forth from nonloc::LocAsInteger, nonloc::ConcreteInt, to Loc and
loc::ConcreteInt respectively. This adds some potentially suspect logic to
BasicStoreManager that allows the analyzer to reason about abuses of the C type
system. This should probably be refined, be ported over to RegionStoreManager,
and extended with "path-sensitive type checking" to flag bugs in clearly
incoherent code.
llvm-svn: 70382
| |
llvm-svn: 69577
| |
llvm-svn: 68800
| |
llvm-svn: 68771
| |
- Pull SVal::GetConjuredSymbol() and friends into ValueManager. This greatly
simplifies the calling interface to clients.
llvm-svn: 68731
| |
llvm-svn: 68703
| |
llvm-svn: 68701
| |
<rdar://problem/6732151>.
llvm-svn: 67954
| |
llvm-svn: 67748
| |
Zhongxing and I discussed by email.
Main changes:
- Removed SymIntConstraintVal and SymIntConstraint
- Added SymExpr as a parent class to SymbolData, SymSymExpr, SymIntExpr
- Added nonloc::SymExprVal to wrap SymExpr
- SymbolRef is now just a typedef of 'const SymbolData*'
- Bunch of minor code cleanups in how some methods were invoked (no functionality change)
These changes are part of a long-term plan to have full symbolic expression
trees. This will be useful for lazily evaluating complicated expressions.
llvm-svn: 67731
| |
representing symbolic expressions like 'x'+3 and 'x'+'y'. The design is
subject to change later when we fix the class hierarchy of symbolic
expressions.
llvm-svn: 67678
| |
SymbolicRegions. This fixes a serious regression when checking symbolic pointers
against null.
llvm-svn: 66444
| |
offsets for now.
llvm-svn: 65814
| |
llvm-svn: 64200
| |
the representation of symbolic values.
llvm-svn: 60575
| |
conversions caused by the '!' operator. This required adding some logic to GRSimpleVals to reason about nonloc::LocAsInteger SVals. This code appears to work fine, but it should eventually be cleaned up.
llvm-svn: 59335
| |
of vector types. Add explicit checks that when we process integers they really are scalars.
llvm-svn: 59225
| |
- SetSVal(GRState*, Loc, SVal) => BindLoc
- SetSVal(GRState*, Expr*, SVal) => BindExpr
llvm-svn: 58421
| |
when a function pointer is used as an argument.
llvm-svn: 58233
| |
the Store.
llvm-svn: 58182
| |
that represent an entire struct. We need to implement struct temporaries as an actual "region", and then bind symbols to the FieldRegion of those temporaries.
llvm-svn: 57739
| |
RVal => SVal
LVal => Loc
NonLVal => NonLoc
lval => loc
nonlval => nonloc
llvm-svn: 57671
| |
regions.
Remove GRExprEngine::getLVal and RValues::MakeVal.
Enhance StoreManager "GetLValue" methods to dispatch for specific kinds of lvalue queries, as opposed to interrogating the expression tree (GRExprEngine already does this).
Added FIXMEs. In particular, we no longer "assume" that a base pointer in a field/array access is null (this logic was removed). Perhaps we should do this when fetching the lvalue for fields and array elements?
llvm-svn: 57657
| |
the patch consists of deltas due to API changes.
This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. These classes serve to define an abstract representation of memory, with regions being layered on other regions to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on.
The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables.
There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both of which were on hold until the memory abstraction got generalized.
The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow some now-redundant logic to be removed from the retain/release checker.
llvm-svn: 57042
| |
'symbol operator-reverse int'. This patch is a combination of code from
Zhongxing Xu and myself (Zhongxing noticed this bug for the cases of
relational operators).
llvm-svn: 56351
| |
Rename ValueStateManager -> GRStateManager.
llvm-svn: 54721
| |
GRExprEngineInternalChecks.cpp.
llvm-svn: 53909
| |
arguments marked nonnull.
This implements <rdar://problem/6069935>
llvm-svn: 53891
| |
llvm-svn: 53753
| |
llvm-svn: 53752
| |
unfortunately needed because virtual methods with the same name can be hidden by subclasses.
llvm-svn: 53751
| |
method.
Modified the new EvalBinOpNN to generate states instead of nodes. This is a much simpler interface and is what clients will want to do.
llvm-svn: 53750
| |
http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20080714/006514.html.
The regression was the casts from integers to pointers were not being handled: they would just return UnknownVal. This would greatly decrease path-sensitivity.
llvm-svn: 53659
| |
casts from integers to integers.
This fixes a crash reported by Anders Carlsson!
llvm-svn: 53649
| |
"batch auditor" to dispatch to specialized auditors instead of having a separate vector for each audited Expr*. This not only provides a much cleaner implementation, but also allows us to install auditors for any expression.
llvm-svn: 53464
| |
current store implementation is now encapsulated by BasicStore.
These changes prompted some long due constification of ValueState. Much of the
diffs in this patch include adding "const" qualifiers.
llvm-svn: 53423
| |
BugReporter interface.
llvm-svn: 53054
| |
ASTContext&, PathDiagnosticClient*, can be provided by an external source.
Split BugReporter into BugReporter and GRBugReporter so checkers not based on GRExprEngine can still use the BugReporter mechanism.
llvm-svn: 53048
| |
CFCreateNumber.
llvm-svn: 52799
| |
llvm-svn: 50979
| |
to use IsLValType when conjuring symbols for return values (this fixes a bug with an assertion firing in the analyzer when two qualified objective-c types were compared).
llvm-svn: 50924