summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
* [analyzer] pr34779: CStringChecker: Accept non-standard headers.Artem Dergachev2017-11-071-2/+4
| | | | | | | | | | | Do not crash when trying to define and call a non-standard strcpy(unsigned char *, unsigned char *) during analysis. At the same time, do not try to actually evaluate the call. Differential Revision: https://reviews.llvm.org/D39422 llvm-svn: 317565
* [analyzer] CStringChecker: pr34460: Avoid a crash when a cast is not modeled.Artem Dergachev2017-10-131-23/+14
| | | | | | | | | | | | | | | | | The checker used to crash when a mempcpy's length argument is symbolic. In this case the cast from 'void *' to 'char *' failed because the respective ElementRegion that represents cast is hard to add on top of the existing ElementRegion that represents the offset to the last copied byte, while preseving a sane memory region structure. Additionally, a few test cases are added (to casts.c) which demonstrate problems caused by existing sloppy work we do with multi-layer ElementRegions. If said cast would be modeled properly in the future, these tests would need to be taken into account. Differential Revision: https://reviews.llvm.org/D38797 llvm-svn: 315742
* [analyzer] Check NULL pointer dereference issue for memset functionLeslie Zhai2017-06-201-0/+51
| | | | | | | | | | Reviewers: dcoughlin, zaks.anna, NoQ, danielmarjamaki Reviewed By: NoQ, danielmarjamaki Differential Revision: https://reviews.llvm.org/D31868 llvm-svn: 305773
* [analyzer] Add LocationContext as a parameter to checkRegionChangesAnna Zaks2017-01-131-2/+8
| | | | | | | | | | | This patch adds LocationContext to checkRegionChanges and removes wantsRegionChangeUpdate as it was unused. A patch by Krzysztof Wiśniewski! Differential Revision: https://reviews.llvm.org/D27090 llvm-svn: 291869
* [analyzer] Remove unused check::RegionChanges::wantsRegionChangeUpdate callbackAnna Zaks2016-11-161-6/+0
| | | | | | | | | | | Remove the check::RegionChanges::wantsRegionChangeUpdate callback as it is no longer used (since checkPointerEscape has been added). A patch by Krzysztof Wiśniewski! Differential Revision: https://reviews.llvm.org/D26759 llvm-svn: 287175
* [analyzer] Add LocationContext information to SymbolMetadata.Artem Dergachev2016-08-171-0/+1
| | | | | | | | | | | | | | | | | | | | | Like SymbolConjured, SymbolMetadata also needs to be uniquely identified by the moment of its birth. Such moments are coded by the (Statement, LocationContext, Block count) triples. Each such triple represents the moment of analyzing a statement with a certain call backtrace, with corresponding CFG block having been entered a given amount of times during analysis of the current code body. The LocationContext information was accidentally omitted for SymbolMetadata, which leads to reincarnation of SymbolMetadata upon re-entering a code body with a different backtrace; the new symbol is incorrectly unified with the old symbol, which leads to unsound assumptions. Patch by Alexey Sidorin! Differential Revision: https://reviews.llvm.org/D21978 llvm-svn: 278937
* [NFC] Header cleanupMehdi Amini2016-07-181-1/+0
| | | | | | | | | | Summary: Removed unused headers, replaced some headers with forward class declarations Patch by: Eugene <claprix@yandex.ru> Differential Revision: https://reviews.llvm.org/D20100 llvm-svn: 275882
* [analyzer] Fix for PR23790 : constrain return value of strcmp() rather than ↵Anton Yartsev2016-05-191-17/+20
| | | | | | | | | | returning a concrete value. The function strcmp() can return any value, not just {-1,0,1} : "The strcmp(const char *s1, const char *s2) function returns an integer greater than, equal to, or less than zero, accordingly as the string pointed to by s1 is greater than, equal to, or less than the string pointed to by s2." [C11 7.24.4.2p3] https://llvm.org/bugs/show_bug.cgi?id=23790 http://reviews.llvm.org/D16317 llvm-svn: 270154
* [analyzer] Let TK_PreserveContents span across the whole base region.Artem Dergachev2016-04-251-1/+1
| | | | | | | | | | | | If an address of a field is passed through a const pointer, the whole structure's base region should receive the TK_PreserveContents trait and avoid invalidation. Additionally, include a few FIXME tests shown up during testing. Differential Revision: http://reviews.llvm.org/D19057 llvm-svn: 267413
* [analyzer] Invalidate destination of std::copy() and std::copy_backward().Devin Coughlin2016-02-071-0/+58
| | | | | | | | | Now that the libcpp implementations of these methods has a branch that doesn't call memmove(), the analyzer needs to invalidate the destination for these methods explicitly. rdar://problem/23575656 llvm-svn: 260043
* [analyzer] Fix SVal/SymExpr/MemRegion class and enum names for consistency.Artem Dergachev2016-01-131-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The purpose of these changes is to simplify introduction of definition files for the three hierarchies. 1. For every sub-class C of these classes, its kind in the relevant enumeration is changed to "CKind" (or C##Kind in preprocessor-ish terms), eg: MemRegionKind -> MemRegionValKind RegionValueKind -> SymbolRegionValueKind CastSymbolKind -> SymbolCastKind SymIntKind -> SymIntExprKind 2. MemSpaceRegion used to be inconsistently used as both an abstract base and a particular region. This region class is now an abstract base and no longer occupies GenericMemSpaceRegionKind. Instead, a new class, CodeSpaceRegion, is introduced for handling the unique use case for MemSpaceRegion as "the generic memory space" (when it represents a memory space that holds all executable code). 3. BEG_ prefixes in memory region kind ranges are renamed to BEGIN_ for consisitency with symbol kind ranges. 4. FunctionTextRegion and BlockTextRegion are renamed to FunctionCodeRegion and BlockCodeRegion, respectively. The term 'code' is less jargony than 'text' and we already refer to BlockTextRegion as a 'code region' in BlockDataRegion. Differential Revision: http://reviews.llvm.org/D16062 llvm-svn: 257598
* Refactor: Simplify boolean conditional return statements in ↵Alexander Kornienko2015-12-281-4/+1
| | | | | | | | | | | | | | | | lib/StaticAnalyzer/Checkers Summary: Use clang-tidy to simplify boolean conditional return values Reviewers: dcoughlin, krememek Subscribers: krememek, cfe-commits Patch by Richard Thomson! Differential Revision: http://reviews.llvm.org/D10021 llvm-svn: 256491
* [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire ↵Devin Coughlin2015-09-241-7/+91
| | | | | | | | | | | | | | | | | | | | region. Change the analyzer's modeling of memcpy to be more precise when copying into fixed-size array fields. With this change, instead of invalidating the entire containing region the analyzer now invalidates only offsets for the array itself when it can show that the memcpy stays within the bounds of the array. This addresses false positive memory leak warnings of the kind reported by krzysztof in https://llvm.org/bugs/show_bug.cgi?id=22954 (This is the second attempt, now with assertion failures resolved.) A patch by Pierre Gousseau! Differential Revision: http://reviews.llvm.org/D12571 llvm-svn: 248516
* [analyzer] Add generateErrorNode() APIs to CheckerContext.Devin Coughlin2015-09-161-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
* [analyzer] Apply whitespace cleanups by Honggyu Kim.Ted Kremenek2015-09-081-42/+42
| | | | llvm-svn: 246978
* Revert r246345 until an assertion is fixed.Gabor Horvath2015-08-311-85/+7
| | | | llvm-svn: 246479
* [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire ↵Devin Coughlin2015-08-281-7/+85
| | | | | | | | | | | | | | | | | | region. Change the analyzer's modeling of memcpy to be more precise when copying into fixed-size array fields. With this change, instead of invalidating the entire containing region the analyzer now invalidates only offsets for the array itself when it can show that the memcpy stays within the bounds of the array. This addresses false positive memory leak warnings of the kind reported by krzysztof in https://llvm.org/bugs/show_bug.cgi?id=22954 A patch by Pierre Gousseau! Differential Revision: http://reviews.llvm.org/D11832 llvm-svn: 246345
* Clarify pointer ownership semantics by hoisting the std::unique_ptr creation ↵Aaron Ballman2015-06-231-17/+15
| | | | | | to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
* Remove the assertion as it was useless and broken.Sylvestre Ledru2015-04-171-4/+0
| | | | | | | | | | | | | Enforcing the assert caused the following tests to fail: Clang :: Analysis__bstring.c Clang :: Analysis__comparison-implicit-casts.cpp Clang :: Analysis__malloc-interprocedural.c Clang :: Analysis__malloc.c Clang :: Analysis__redefined_system.c Clang :: Analysis__string.c Clang :: Analysis__weak-functions.c llvm-svn: 235190
* Fix a bad assert. Found by coverity. CID 1101110Sylvestre Ledru2015-04-171-1/+1
| | | | llvm-svn: 235188
* [analyzer] Make CStringChecker correctly calculate return value of mempcpyAnna Zaks2014-10-031-1/+6
| | | | | | | | | | The return value of mempcpy is only correct when the destination type is one byte in size. This patch casts the argument to a char* so the calculation is also correct for structs, ints etc. A patch by Daniel Fahlgren! llvm-svn: 219024
* [C++11] Use 'nullptr'. StaticAnalyzer edition.Craig Topper2014-05-271-36/+41
| | | | llvm-svn: 209642
* [C++11] Replacing DeclStmt iterators decl_begin() and decl_end() with ↵Aaron Ballman2014-03-141-3/+2
| | | | | | iterator_range decls(). Updating all of the usages of the iterators with range-based for loops. llvm-svn: 203947
* Replace OwningPtr with std::unique_ptr.Ahmed Charles2014-03-071-5/+2
| | | | | | This compiles cleanly with lldb/lld/clang-tools-extra/llvm. llvm-svn: 203279
* [C++11] Replace llvm::tie with std::tie.Benjamin Kramer2014-03-021-16/+16
| | | | llvm-svn: 202639
* Expose the name of the checker producing each diagnostic message.Alexander Kornienko2014-02-111-17/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | Summary: In clang-tidy we'd like to know the name of the checker producing each diagnostic message. PathDiagnostic has BugType and Category fields, which are both arbitrary human-readable strings, but we need to know the exact name of the checker in the form that can be used in the CheckersControlList option to enable/disable the specific checker. This patch adds the CheckName field to the CheckerBase class, and sets it in the CheckerManager::registerChecker() method, which gets them from the CheckerRegistry. Checkers that implement multiple checks have to store the names of each check in the respective registerXXXChecker method. Reviewers: jordan_rose, krememek Reviewed By: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D2557 llvm-svn: 201186
* [analyzer] Better modeling of memcpy by the CStringChecker (PR16731).Anton Yartsev2013-11-171-13/+41
| | | | | | | | | | | | | | New rules of invalidation/escape of the source buffer of memcpy: the source buffer contents is invalidated and escape while the source buffer region itself is neither invalidated, nor escape. In the current modeling of memcpy the information about allocation state of regions, accessible through the source buffer, is not copied to the destination buffer and we can not track the allocation state of those regions anymore. So we invalidate/escape the source buffer indirect regions in anticipation of their being invalidated for real later. This eliminates false-positive leaks reported by the unix.Malloc and alpha.cplusplus.NewDeleteLeaks checkers for the cases like char *f() { void *x = malloc(47); char *a; memcpy(&a, &x, sizeof a); return a; } llvm-svn: 194953
* [analyzer] Replace bug category magic strings with shared constants, take 2.Jordan Rose2013-10-041-4/+4
| | | | | | | Re-commit r191910 (reverted in r191936) with layering violation fixed, by moving the bug categories to StaticAnalyzerCore instead of ...Checkers. llvm-svn: 191937
* Temporarily revert r191910 until the layering violation can be fixed.Richard Smith2013-10-031-4/+4
| | | | llvm-svn: 191936
* [analyzer] Replace bug category magic strings with shared constants.Jordan Rose2013-10-031-4/+4
| | | | | | | | | | One small functionality change is to bring the sizeof-pointer checker in line with the other checkers by making its category be "Logic error" instead of just "Logic". There should be no other functionality changes. Patch by Daniel Marjamäki! llvm-svn: 191910
* [analyzer] Assume that strings are no longer than SIZE_MAX/4.Jordan Rose2013-08-191-2/+15
| | | | | | | | | This keeps the analyzer from making silly assumptions, like thinking strlen(foo)+1 could wrap around to 0. This fixes PR16558. Patch by Karthik Bhat! llvm-svn: 188680
* Fix memory corruption in CStringCheckerPavel Labath2013-06-121-4/+1
| | | | | | | | | | | | | | | Summary: "register" functions for the checker were caching the checker objects in a static variable. This caused problems when the function is called with a different CheckerManager. Reviewers: klimek CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D955 llvm-svn: 183823
* [analyzer] Model strsep(), particularly that it returns its input.Jordan Rose2013-04-221-0/+62
| | | | | | | This handles the false positive leak warning in PR15374, and also serves as a basic model for the strsep() function. llvm-svn: 180069
* Replace ProgramPoint llvm::cast support to be well-defined.David Blaikie2013-02-211-1/+1
| | | | | | See r175462 for another example/more details. llvm-svn: 175812
* Include llvm::Optional in clang/Basic/LLVM.hDavid Blaikie2013-02-201-33/+28
| | | | | | Post-commit CR feedback from Jordan Rose regarding r175594. llvm-svn: 175679
* Replace SVal llvm::cast support to be well-defined.David Blaikie2013-02-201-80/+74
| | | | | | See r175462 for another example/more details. llvm-svn: 175594
* Remove some stray uses of <ctype.h> functions.Jordan Rose2013-02-091-1/+2
| | | | | | These are causing assertions on some MSVC builds. llvm-svn: 174805
* [analyzer] Refactor: parameter rename.Anna Zaks2013-01-161-1/+1
| | | | llvm-svn: 172595
* [analyzer] Address Jordan's nitpicks as per code review of r170625.Anna Zaks2012-12-211-1/+1
| | | | llvm-svn: 170832
* [analyzer] Add the pointer escaped callback.Anna Zaks2012-12-201-3/+4
| | | | | | | | | | Instead of using several callbacks to identify the pointer escape event, checkers now can register for the checkPointerEscape. Converted the Malloc checker to use the new callback. SimpleStreamChecker will be converted next. llvm-svn: 170625
* Sort all of Clang's files under 'lib', and fix up the broken headersChandler Carruth2012-12-041-2/+2
| | | | | | | | | | | | | uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. llvm-svn: 169237
* Include pruning and general cleanup.Benjamin Kramer2012-12-011-0/+1
| | | | llvm-svn: 169095
* [analyzer] Use nice macros for the common ProgramStateTraits (map, set, list).Jordan Rose2012-11-021-22/+10
| | | | | | | | | Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h. This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait, but it does get a lot of them. llvm-svn: 167276
* [analyzer] Rename 'EmitReport' to 'emitReport'.Jordan Rose2012-11-021-6/+6
| | | | | | No functionality change. llvm-svn: 167275
* [analyzer] Teach the analyzer about implicit initialization of staticsAnna Zaks2012-09-171-1/+1
| | | | | | | | | | | in ObjCMethods. Extend FunctionTextRegion to represent ObjC methods as well as functions. Note, it is not clear what type ObjCMethod region should return. Since the type of the FunctionText region is not currently used, defer solving this issue. llvm-svn: 164046
* [analyzer] Rename addTrackNullOrUndefValueVisitor to trackNullOrUndefValue.Jordan Rose2012-08-281-1/+1
| | | | | | | | | | | This helper function (in the clang::ento::bugreporter namespace) may add more than one visitor, but conceptually it's tracking a single use of a null or undefined value and should do so as best it can. Also, the BugReport parameter has been made a reference to underscore that it is non-optional. llvm-svn: 162720
* Rename 'unbindLoc()' (in ProgramState) and 'Remove()' toTed Kremenek2012-08-221-1/+1
| | | | | | | | | 'killBinding()'. The name is more specific, and one just forwarded to the other. Add some doxygen comments along the way. llvm-svn: 162350
* Rename 'currentX' to 'currX' throughout analyzer and libAnalysis.Ted Kremenek2012-08-221-16/+10
| | | | | | | | | Also rename 'getCurrentBlockCounter()' to 'blockCount()'. This ripples a bunch of code simplifications; mostly aesthetic, but makes the code a bit tighter. llvm-svn: 162349
* Rename 'getConjuredSymbol*' to 'conjureSymbol*'.Ted Kremenek2012-08-221-7/+6
| | | | | | | | | | No need to have the "get", the word "conjure" is a verb too! Getting a conjured symbol is the same as conjuring one up. This shortening is largely cosmetic, but just this simple changed cleaned up a handful of lines, making them less verbose. llvm-svn: 162348
* [analyzer] When a symbol is null, we should track its constraints.Jordan Rose2012-08-031-2/+1
| | | | | | | | Because of this, we would previously emit NO path notes when a parameter is constrained to null (because there are no stores). Now we show where we made the assumption, which is much more useful. llvm-svn: 161280
OpenPOWER on IntegriCloud