path: root/clang/lib/Analysis/RegionStore.cpp
Commit message | Author | Age | Files | Lines
* Split libAnalysis into two libraries: libAnalysis and libChecker. | Ted Kremenek | 2010-01-25 | 1 | -2015/+0
  (1) libAnalysis is a generic analysis library that can be used by Sema. It defines the CFG, basic dataflow analysis primitives, and inexpensive flow-sensitive analyses (e.g. LiveVariables).
  (2) libChecker contains the guts of the static analyzer, including the path-sensitive analysis engine and domain-specific checks.
  Now any clients that want to use the frontend to build their own tools don't need to link in the entire static analyzer.
  This change exposes various obvious cleanups that can be made to the layout of files and headers in libChecker. More changes pending. :)
  This change also exposed a layering violation between AnalysisContext and MemRegion. BlockInvocationContext shouldn't explicitly know about BlockDataRegions. For now I've removed the BlockDataRegion* from BlockInvocationContext (removing context-sensitivity; although this wasn't used yet). We need to have a better way to extend BlockInvocationContext (and any LocationContext) to add context-sensitivity.
  llvm-svn: 94406
* Add support for computing size in elements for symbolic regions obtained from malloc(). | Zhongxing Xu | 2010-01-18 | 1 | -4/+21
  llvm-svn: 93722
* Switch RegionStore over to using <BaseRegion+raw offset> to store value bindings. | Ted Kremenek | 2010-01-11 | 1 | -22/+58
  Along with a small change to OSAtomicChecker, this resolves <rdar://problem/7527292> and resolves some long-standing issues with how values can be bound to the same physical address but not have the same "key".
  This change is only a beginning; logically RegionStore needs to better handle loads from addresses where the stored value is larger/smaller/different type than the loaded value. We handle these cases in an approximate fashion now (via CastRetrievedVal and help in SimpleSValuator), but it could be made much smarter.
  llvm-svn: 93137
* Preliminary reworking of value-binding logic in RegionStore: | Ted Kremenek | 2010-01-11 | 1 | -31/+110
  (1) Introduce a new 'BindingKey' class to match 'BindingValue'. This gives us the flexibility to change the current key value from 'const MemRegion*' to something more interesting.
  (2) Rework additions/removals/lookups from the store to use new 'Remove', 'Add', 'Lookup' utility methods.
  No "real" functionality change; just prep work and abstraction.
  llvm-svn: 93136
* Make static analysis support for C++ 'this' expression context-sensitive. Essentially treat 'this' as an implicit parameter to the method call, and associate a region with it. | Ted Kremenek | 2010-01-05 | 1 | -9/+7
  llvm-svn: 92675
* Add comments. | Zhongxing Xu | 2009-12-21 | 1 | -0/+1
  llvm-svn: 91818
* Completely remove ObjCObjectRegion (tests pass this time). | Ted Kremenek | 2009-12-16 | 1 | -4/+1
  llvm-svn: 91572
* Add a new kind of region: CXXObjectRegion. Currently it has only one attribute: the object type. | Zhongxing Xu | 2009-12-16 | 1 | -0/+2
  Add initial support for visiting CXXThisExpr. Fix a bunch of 80-col violations.
  llvm-svn: 91535
* Add (initial?) static analyzer support for handling C++ references. | Ted Kremenek | 2009-12-16 | 1 | -1/+7
  This change was a lot bigger than I originally anticipated; among other things it requires us storing more information in the CFG to record what block-level expressions need to be evaluated as lvalues.
  The big change is that CFGBlocks no longer contain Stmt*'s but CFGElements. Currently CFGElements just wrap Stmt*, but they also store a bit indicating whether the block-level expression should be evaluated as an lvalue. DeclStmts involving the initialization of a reference require us treating the initialization expression as an lvalue, even though that information isn't recorded in the AST. Conceptually this change isn't that complicated, but it required bubbling up the data through the CFGBuilder, to GRCoreEngine, and eventually to GRExprEngine.
  The addition of CFGElement is also useful for when we want to handle more control-flow constructs or other data we want to keep in the CFG that isn't represented well with just a block of statements.
  In GRExprEngine, this patch introduces logic for evaluating the lvalues of references, which currently retrieves the internal "pointer value" that the reference represents. EvalLoad does a two stage load to catch null dereferences involving an invalid reference (although this could possibly be caught earlier during the initialization of a reference).
  Symbols are currently symbolicated using the reference type, instead of a pointer type, and special handling is required creating ElementRegions that layer on SymbolicRegions (see the changes to RegionStoreManager).
  Along the way, the DeadStoresChecker also silences warnings involving dead stores to references. This was the original change I introduced (which I wrote test cases for) that I realized caused GRExprEngine to crash.
  llvm-svn: 91501
* Remove ValueManager::getRegionValueSymbolValOrUnknown(). It was just extra veneer on top of getRegionValueSymbolVal(). | Ted Kremenek | 2009-12-15 | 1 | -7/+6
  llvm-svn: 91471
* Enhance understanding of VarRegions referenced by a block whose declarations are outside the current stack frame. Fixes <rdar://problem/7462324>. | Ted Kremenek | 2009-12-11 | 1 | -1/+4
  llvm-svn: 91107
* Add analysis support for blocks. This includes a few key changes: | Ted Kremenek | 2009-12-07 | 1 | -28/+17
  - Refactor the MemRegion hierarchy to distinguish between different StackSpaceRegions for locals and parameters.
  - VarRegions for "captured" variables now have the BlockDataRegion as their super region (except those passed by reference)
  - Add transfer function support to GRExprEngine for BlockDeclRefExprs.
  This change also supports analyzing blocks as an analysis entry point (top-of-the-stack), which required pushing more context-sensitivity around in the MemRegion hierarchy via the use of LocationContext objects. Functionally almost everything is the same, except we track LocationContexts in a few more areas and StackSpaceRegions now refer to a StackFrameContext object. In the future we will need to modify MemRegionManager to allow multiple StackSpaceRegions in flight at once (for the analysis of multiple stack frames).
  llvm-svn: 90809
* Replace SymbolReaper::isLive(VarDecl) with SymbolReaper::isLive(VarRegion). | Ted Kremenek | 2009-12-04 | 1 | -1/+1
  llvm-svn: 90582
* constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. | Ted Kremenek | 2009-12-04 | 1 | -11/+7
  llvm-svn: 90503
* Tweak handling of BlockDataRegions in RegionStoreManager::RemoveDeadBindings(): only the VarRegions for variables marked with the '__block' annotation should have their lifetime extended by a BlockDataRegion. | Ted Kremenek | 2009-12-03 | 1 | -4/+6
  llvm-svn: 90462
* Add value invalidation logic for block-captured variables. Conceptually invoking a block (without specific reasoning of what the block does) can invalidate any value to it by reference when the block was created. | Ted Kremenek | 2009-12-03 | 1 | -0/+13
  llvm-svn: 90431
* Add batch version of 'StoreManager::InvalidateRegion()' for invalidating multiple regions at once. | Ted Kremenek | 2009-12-03 | 1 | -11/+21
  After adopting this in the CFRefCount::EvalCall(), we see a reduction in analysis time of 1.5% when analyzing all of SQLite3.
  llvm-svn: 90405
* lib/Analysis: Remove VISIBILITY_HIDDEN from definitions in anonymous namespace | Kovarththanan Rajaratnam | 2009-11-28 | 1 | -7/+6
  llvm-svn: 90028
* Teach RegionStoreManager::RemoveDeadBindings() about BlockDataRegions. Any VarRegion for a "captured" variable should also be considered live. | Ted Kremenek | 2009-11-26 | 1 | -4/+17
  llvm-svn: 89928
* Refine MemRegions for blocks. Add a new region called 'BlockDataRegion' to distinguish between the code associated with a block (which is represented by 'BlockTextRegion') and an instance of a block, which includes both code and data. | Ted Kremenek | 2009-11-25 | 1 | -0/+2
  'BlockDataRegion' has an associated LocationContext, which can be used to eventually model the lifetime of a block object once LocationContexts can represent scopes (and iterations around a loop, etc.).
  llvm-svn: 89900
* Remove recently added FIXME. The appropriate FIXME is already in MemRegionManager::getVarRegion(). | Ted Kremenek | 2009-11-25 | 1 | -2/+0
  llvm-svn: 89897
* Add FIXME. | Ted Kremenek | 2009-11-25 | 1 | -0/+2
  llvm-svn: 89892
* Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This is a precursor to having basic static analysis support for blocks. | Ted Kremenek | 2009-11-25 | 1 | -2/+4
  llvm-svn: 89828
* Fix crash when using --analyzer-store=region when handling initializers with nested arrays/structs whose values are not explicitly specified. Fixes <rdar://problem/7403269>. | Ted Kremenek | 2009-11-19 | 1 | -11/+39
  llvm-svn: 89384
* * Do the same thing to the basicstore as in r84163. | Zhongxing Xu | 2009-11-16 | 1 | -4/+8
  * Add a load type to GRExprEngine::EvalLoad().
  * When retrieve from 'theValue' of OSAtomic functions, use the type of the region instead of the argument expression as the load type.
  * Then we can convert CastRetrievedSVal to a pure assertion. In the future we can let all Retrieve() methods simply return SVal.
  llvm-svn: 88888
* Make StoreManager::getSizeInElements() always return DefinedOrUnknownSVal. | Zhongxing Xu | 2009-11-12 | 1 | -3/+4
  llvm-svn: 86932
* Rename: StripCasts describes what it does better. | Zhongxing Xu | 2009-11-10 | 1 | -1/+1
  getBaseRegion will be used in another method.
  llvm-svn: 86649
* Fix clang's use of DenseMap iterators after r86636 fixed their constness. | Jeffrey Yasskin | 2009-11-10 | 1 | -1/+1
  Patch by Victor Zverovich!
  llvm-svn: 86638
* Make sure that Type::getAs<ArrayType>() (or Type::getAs<subclass of ArrayType>()) does not instantiate. | Douglas Gregor | 2009-11-09 | 1 | -1/+1
  Update all callers that used this unsafe feature to use the appropriate ASTContext::getAs*ArrayType method.
  llvm-svn: 86596
* Refactor StoreManager::BindDecl() to take a VarRegion* instead of a VarDecl*, and modify GRExprEngine::EvalBind() to handle decl initialization as well. | Ted Kremenek | 2009-11-04 | 1 | -8/+6
  This paves the way for adding "checker" visitation in EvalBind().
  llvm-svn: 85983
* Fix an insidious bug in RegionStore::RemoveDeadBindings() pointed out by Zhongxing Xu. | Ted Kremenek | 2009-10-29 | 1 | -2/+23
  RemoveDeadBindings() would falsely prune SymbolicRegions from the store that wrapped derived symbols whose liveness could only be determined after scanning the store.
  llvm-svn: 85484
* RegionStore: Use the *default* binding (instead of the *direct* binding) of an Objective-C object region when doing lazy value retrieval of an ivar. | Ted Kremenek | 2009-10-20 | 1 | -3/+3
  This fixes: <rdar://problem/7312221>
  llvm-svn: 84584
* use DenseSet instead of SmallSet. | Zhongxing Xu | 2009-10-18 | 1 | -2/+2
  llvm-svn: 84398
* Minor cleanup: move typedef out of anonymous namespace (which now contains nothing) and into RemoveDeadBindings. No functionality change. | Ted Kremenek | 2009-10-17 | 1 | -4/+2
  llvm-svn: 84335
* Per discussion with Ted, the 'FromSuper'/'FromSub' logic is invalid. Simplify the code to standard worklist algorithm. | Zhongxing Xu | 2009-10-17 | 1 | -72/+33
  Always add both sub and super regions of live regions.
  llvm-svn: 84323
* Actually all regions whose super region is not MemSpaceRegion are of these 3 kinds. | Zhongxing Xu | 2009-10-17 | 1 | -5/+4
  This means we are visiting all regions 'from super region'.
  llvm-svn: 84319
* retain/release checker: Stop tracking reference counts for any symbols touched by StoreManager::InvalidateRegion(). | Ted Kremenek | 2009-10-16 | 1 | -4/+18
  This fixes <rdar://problem/7257223> and <rdar://problem/7283470>.
  llvm-svn: 84223
* Per an astute observation from Zhongxing Xu, remove a "special case" logic in RegionStoreManager::Retrieve() that was intended to handle conflated uses of pointers as integers. | Ted Kremenek | 2009-10-15 | 1 | -22/+0
  It turns out this isn't needed, and resulted in inconsistent behavior when creating symbolic values on the following test case in 'tests/Analysis/misc-ps.m':

    typedef struct _BStruct { void *grue; } BStruct;
    void testB_aux(void *ptr);
    void testB(BStruct *b) {
      {
        int *__gruep__ = ((int *)&((b)->grue));
        int __gruev__ = *__gruep__;
        testB_aux(__gruep__);
      }
      {
        int *__gruep__ = ((int *)&((b)->grue));
        int __gruev__ = *__gruep__;
        if (~0 != __gruev__) {}
      }
    }

  When the code was analyzed with '-arch x86_64', the value assigned to '__gruev__' would be a symbolic integer, but for '-arch i386' the value assigned to '__gruev__' would be a symbolic region (a blob of memory). With this change the value created is always a symbolic integer.
  Since the code being removed was added to support analysis of code calling OSAtomicCompareAndSwapXXX(), I also modified 'test/Analysis/NSString.m' to analyze the code in both '-arch i386' and '-arch x86_64', and also added some complementary test cases to test the presence of leaks when using OSAtomicCompareAndSwap32Barrier()/OSAtomicCompareAndSwap64Barrier() instead of just their absence.
  This code change reveals that previously both RegionStore and BasicStore were handling these cases wrong, and would never cause the analyzer to emit a leak in these cases (false negatives). Now RegionStore gets it right, but BasicStore still gets it wrong (and hence it has been disabled temporarily for this test case).
  llvm-svn: 84163
* * Remove unused GRState* parameter | Zhongxing Xu | 2009-10-14 | 1 | -25/+18
  * Make all Base value the last argument.
  llvm-svn: 84071
* Add an initial implementation of EnterStackFrame() to the StoreManager. | Zhongxing Xu | 2009-10-13 | 1 | -0/+22
  llvm-svn: 83934
* Introduces a new BindingVal which combines direct and default binding for regions. | Zhongxing Xu | 2009-10-11 | 1 | -190/+165
  This allows us to simplify a lot of code. A further simplification could be done is that many methods of regionstore can only work on Store instead of GRState.
  llvm-svn: 83762
* Make the behavior explicit by not using the method call. | Zhongxing Xu | 2009-10-09 | 1 | -2/+2
  llvm-svn: 83611
* Remove unused code. | Zhongxing Xu | 2009-10-09 | 1 | -7/+0
  llvm-svn: 83610
* Fix: <rdar://problem/7275774> Static analyzer warns about NULL pointer when adding assert | Ted Kremenek | 2009-10-06 | 1 | -10/+23
  This fix required a few changes:
  SimpleSValuator:
  - Eagerly replace a symbolic value with its constant value in EvalBinOpNN when it is constrained to a constant. This allows us to better constant fold values along a path.
  - Handle trivial case of '<', '>' comparison of pointers when the two pointers are exactly the same.
  RegionStoreManager:
  llvm-svn: 83358
* Desugaring optimizations. Add single-step desugaring methods to all concrete types. | John McCall | 2009-09-29 | 1 | -1/+1
  Use unqualified desugaring for getAs<> and sundry. Fix a few users to either not desugar or use qualified desugar, as seemed appropriate. Removed Type's qualified desugar method, as it was easy to accidentally use instead of QualType's.
  llvm-svn: 83116
* Fix: <rdar://problem/7261075> [RegionStore] crash when handling load: '*((unsigned int *)"????")' | Ted Kremenek | 2009-09-29 | 1 | -1/+8
  This issue was originally reported via personal email by Thomas Clement!
  llvm-svn: 83069
* Fix really insidious bug in RegionStoreManager::RemoveDeadBindings() identified with a false positive reported by Thomas Clement. | Ted Kremenek | 2009-09-29 | 1 | -155/+161
  This involved doing another rewrite of RegionStoreManager::RemoveDeadBindings(), which phrases the entire problem of scanning for dead regions as a graph exploration problem. It is more methodic than the previous implementation.
  llvm-svn: 83053
* Reapply most of r82939, but add a guard that FieldRegions and friends are only specially treated by RegionStore::InvalidateRegion() when their super region is also invalidated. | Ted Kremenek | 2009-09-29 | 1 | -4/+9
  When this isn't the case, conjure a new symbol for a FieldRegion. Thanks to Zhongxing Xu and Daniel Dunbar for pointing out this issue.
  llvm-svn: 83043
* Revert r82939. We can only not special case FieldRegions when the super region has also been invalidated. | Ted Kremenek | 2009-09-29 | 1 | -9/+5
  llvm-svn: 83040
* Specially handle fields, elements, and ivars in RegionStoreManager::InvalidateRegion() by only removing their old binding, not conjuring a new symbol. | Ted Kremenek | 2009-09-27 | 1 | -5/+9
  llvm-svn: 82939