summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
* [analyzer] Make CStringChecker correctly calculate return value of mempcpyAnna Zaks2014-10-031-1/+6
| | | | | | | | | | The return value of mempcpy is only correct when the destination type is one byte in size. This patch casts the argument to a char* so the calculation is also correct for structs, ints etc. A patch by Daniel Fahlgren! llvm-svn: 219024
* [C++11] Use 'nullptr'. StaticAnalyzer edition.Craig Topper2014-05-271-36/+41
| | | | llvm-svn: 209642
* [C++11] Replacing DeclStmt iterators decl_begin() and decl_end() with ↵Aaron Ballman2014-03-141-3/+2
| | | | | | iterator_range decls(). Updating all of the usages of the iterators with range-based for loops. llvm-svn: 203947
* Replace OwningPtr with std::unique_ptr.Ahmed Charles2014-03-071-5/+2
| | | | | | This compiles cleanly with lldb/lld/clang-tools-extra/llvm. llvm-svn: 203279
* [C++11] Replace llvm::tie with std::tie.Benjamin Kramer2014-03-021-16/+16
| | | | llvm-svn: 202639
* Expose the name of the checker producing each diagnostic message.Alexander Kornienko2014-02-111-17/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | Summary: In clang-tidy we'd like to know the name of the checker producing each diagnostic message. PathDiagnostic has BugType and Category fields, which are both arbitrary human-readable strings, but we need to know the exact name of the checker in the form that can be used in the CheckersControlList option to enable/disable the specific checker. This patch adds the CheckName field to the CheckerBase class, and sets it in the CheckerManager::registerChecker() method, which gets them from the CheckerRegistry. Checkers that implement multiple checks have to store the names of each check in the respective registerXXXChecker method. Reviewers: jordan_rose, krememek Reviewed By: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D2557 llvm-svn: 201186
* [analyzer] Better modeling of memcpy by the CStringChecker (PR16731).Anton Yartsev2013-11-171-13/+41
| | | | | | | | | | | | | | New rules of invalidation/escape of the source buffer of memcpy: the source buffer contents is invalidated and escape while the source buffer region itself is neither invalidated, nor escape. In the current modeling of memcpy the information about allocation state of regions, accessible through the source buffer, is not copied to the destination buffer and we can not track the allocation state of those regions anymore. So we invalidate/escape the source buffer indirect regions in anticipation of their being invalidated for real later. This eliminates false-positive leaks reported by the unix.Malloc and alpha.cplusplus.NewDeleteLeaks checkers for the cases like char *f() { void *x = malloc(47); char *a; memcpy(&a, &x, sizeof a); return a; } llvm-svn: 194953
* [analyzer] Replace bug category magic strings with shared constants, take 2.Jordan Rose2013-10-041-4/+4
| | | | | | | Re-commit r191910 (reverted in r191936) with layering violation fixed, by moving the bug categories to StaticAnalyzerCore instead of ...Checkers. llvm-svn: 191937
* Temporarily revert r191910 until the layering violation can be fixed.Richard Smith2013-10-031-4/+4
| | | | llvm-svn: 191936
* [analyzer] Replace bug category magic strings with shared constants.Jordan Rose2013-10-031-4/+4
| | | | | | | | | | One small functionality change is to bring the sizeof-pointer checker in line with the other checkers by making its category be "Logic error" instead of just "Logic". There should be no other functionality changes. Patch by Daniel Marjamäki! llvm-svn: 191910
* [analyzer] Assume that strings are no longer than SIZE_MAX/4.Jordan Rose2013-08-191-2/+15
| | | | | | | | | This keeps the analyzer from making silly assumptions, like thinking strlen(foo)+1 could wrap around to 0. This fixes PR16558. Patch by Karthik Bhat! llvm-svn: 188680
* Fix memory corruption in CStringCheckerPavel Labath2013-06-121-4/+1
| | | | | | | | | | | | | | | Summary: "register" functions for the checker were caching the checker objects in a static variable. This caused problems when the function is called with a different CheckerManager. Reviewers: klimek CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D955 llvm-svn: 183823
* [analyzer] Model strsep(), particularly that it returns its input.Jordan Rose2013-04-221-0/+62
| | | | | | | This handles the false positive leak warning in PR15374, and also serves as a basic model for the strsep() function. llvm-svn: 180069
* Replace ProgramPoint llvm::cast support to be well-defined.David Blaikie2013-02-211-1/+1
| | | | | | See r175462 for another example/more details. llvm-svn: 175812
* Include llvm::Optional in clang/Basic/LLVM.hDavid Blaikie2013-02-201-33/+28
| | | | | | Post-commit CR feedback from Jordan Rose regarding r175594. llvm-svn: 175679
* Replace SVal llvm::cast support to be well-defined.David Blaikie2013-02-201-80/+74
| | | | | | See r175462 for another example/more details. llvm-svn: 175594
* Remove some stray uses of <ctype.h> functions.Jordan Rose2013-02-091-1/+2
| | | | | | These are causing assertions on some MSVC builds. llvm-svn: 174805
* [analyzer] Refactor: parameter rename.Anna Zaks2013-01-161-1/+1
| | | | llvm-svn: 172595
* [analyzer] Address Jordan's nitpicks as per code review of r170625.Anna Zaks2012-12-211-1/+1
| | | | llvm-svn: 170832
* [analyzer] Add the pointer escaped callback.Anna Zaks2012-12-201-3/+4
| | | | | | | | | | Instead of using several callbacks to identify the pointer escape event, checkers now can register for the checkPointerEscape. Converted the Malloc checker to use the new callback. SimpleStreamChecker will be converted next. llvm-svn: 170625
* Sort all of Clang's files under 'lib', and fix up the broken headersChandler Carruth2012-12-041-2/+2
| | | | | | | | | | | | | uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. llvm-svn: 169237
* Include pruning and general cleanup.Benjamin Kramer2012-12-011-0/+1
| | | | llvm-svn: 169095
* [analyzer] Use nice macros for the common ProgramStateTraits (map, set, list).Jordan Rose2012-11-021-22/+10
| | | | | | | | | Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h. This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait, but it does get a lot of them. llvm-svn: 167276
* [analyzer] Rename 'EmitReport' to 'emitReport'.Jordan Rose2012-11-021-6/+6
| | | | | | No functionality change. llvm-svn: 167275
* [analyzer] Teach the analyzer about implicit initialization of staticsAnna Zaks2012-09-171-1/+1
| | | | | | | | | | | in ObjCMethods. Extend FunctionTextRegion to represent ObjC methods as well as functions. Note, it is not clear what type ObjCMethod region should return. Since the type of the FunctionText region is not currently used, defer solving this issue. llvm-svn: 164046
* [analyzer] Rename addTrackNullOrUndefValueVisitor to trackNullOrUndefValue.Jordan Rose2012-08-281-1/+1
| | | | | | | | | | | This helper function (in the clang::ento::bugreporter namespace) may add more than one visitor, but conceptually it's tracking a single use of a null or undefined value and should do so as best it can. Also, the BugReport parameter has been made a reference to underscore that it is non-optional. llvm-svn: 162720
* Rename 'unbindLoc()' (in ProgramState) and 'Remove()' toTed Kremenek2012-08-221-1/+1
| | | | | | | | | 'killBinding()'. The name is more specific, and one just forwarded to the other. Add some doxygen comments along the way. llvm-svn: 162350
* Rename 'currentX' to 'currX' throughout analyzer and libAnalysis.Ted Kremenek2012-08-221-16/+10
| | | | | | | | | Also rename 'getCurrentBlockCounter()' to 'blockCount()'. This ripples a bunch of code simplifications; mostly aesthetic, but makes the code a bit tighter. llvm-svn: 162349
* Rename 'getConjuredSymbol*' to 'conjureSymbol*'.Ted Kremenek2012-08-221-7/+6
| | | | | | | | | | No need to have the "get", the word "conjure" is a verb too! Getting a conjured symbol is the same as conjuring one up. This shortening is largely cosmetic, but just this simple changed cleaned up a handful of lines, making them less verbose. llvm-svn: 162348
* [analyzer] When a symbol is null, we should track its constraints.Jordan Rose2012-08-031-2/+1
| | | | | | | | Because of this, we would previously emit NO path notes when a parameter is constrained to null (because there are no stores). Now we show where we made the assumption, which is much more useful. llvm-svn: 161280
* [analyzer] Add a new abstraction over all types of calls: CallEventJordan Rose2012-07-021-2/+2
| | | | | | | | | | This is intended to replace CallOrObjCMessage, and is eventually intended to be used for anything that cares more about /what/ is being called than /how/ it's being called. For example, inlining destructors should be the same as inlining blocks, and checking __attribute__((nonnull)) should apply to the allocator calls generated by operator new. llvm-svn: 159554
* [analyzer] strncpy: Special-case a length of 0 to avoid an incorrect warning.Jordy Rose2012-05-141-0/+18
| | | | | | | | | | We check the address of the last element accessed, but with 0 calculating that address results in element -1. This patch bails out early (and avoids a bunch of other work at that). Fixes PR12807. llvm-svn: 156769
* [analyzer] CString Checker: Do not split the path unless the userAnna Zaks2012-05-031-1/+2
| | | | | | | | | | specifically checks for equality to null. Enforcing this general practice, which keeps the analyzer less noisy, in the CString Checker. This change suppresses "Assigned value is garbage or undefined" warning in the added test case. llvm-svn: 156085
* [analyzer] Don't crash even when the system functions are redefined.Anna Zaks2012-04-101-0/+48
| | | | | | | | | | (Applied changes to CStringAPI, Malloc, and Taint.) This might almost never happen, but we should not crash even if it does. This fixes a crash on the internal analyzer buildbot, where postgresql's configure was redefining memmove (radar://11219852). llvm-svn: 154451
* [analyzer] Implement basic path diagnostic pruning based on "interesting" ↵Ted Kremenek2012-03-091-1/+2
| | | | | | | | | | | | | | | | | symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
* Have conjured symbols depend on LocationContext, to add context sensitivity ↵Ted Kremenek2012-02-171-7/+8
| | | | | | for functions called more than once. llvm-svn: 150849
* [analyzer] Fix another false positive in the Malloc Checker, by makingAnna Zaks2012-02-171-0/+5
| | | | | | | | | | | | it aware of CString APIs that return the input parameter. Malloc Checker needs to know how the 'strcpy' function is evaluated. Introduce the dependency on CStringChecker for that. CStringChecker knows all about these APIs. Addresses radar://10864450 llvm-svn: 150846
* [analyzer] Generalize function name checking in CString checker.Anna Zaks2012-02-171-23/+39
| | | | | | | (Ex: It was not treating __inline_strcpy as strcpy. Will add tests that rely on this later on.) llvm-svn: 150845
* [analyzer] Make Malloc Checker optimistic in presence of inlining.Anna Zaks2012-02-141-2/+4
| | | | | | | | | | | | (In response of Ted's review of r150112.) This moves the logic which checked if a symbol escapes through a parameter to invalidateRegionCallback (instead of post CallExpr visit.) To accommodate the change, added a CallOrObjCMessage parameter to checkRegionChanges callback. llvm-svn: 150513
* [analyzer] Allow each CString check to be enabled/disabledAnna Zaks2012-02-071-9/+62
| | | | | | separately. llvm-svn: 149947
* Basic: import SmallString<> into clang namespaceDylan Noblesmith2012-02-051-4/+4
| | | | | | | (I was going to fix the TODO about DenseMap too, but that would break self-host right now. See PR11922.) llvm-svn: 149799
* Basic: import OwningPtr<> into clang namespaceDylan Noblesmith2012-02-051-1/+1
| | | | llvm-svn: 149798
* Move a method from IdentifierTable.h out of line and remove the SmallString ↵Benjamin Kramer2012-02-041-0/+1
| | | | | | | | include. Fix all the transitive include users. llvm-svn: 149783
* Move various diagnostic operator<< overloads out of line and remove includes ↵Benjamin Kramer2012-02-041-0/+1
| | | | | | | | | of Diagnostic.h. Fix all the files that depended on transitive includes of Diagnostic.h. With this patch in place changing a diagnostic no longer requires a full rebuild of the StaticAnalyzer. llvm-svn: 149781
* Change references to 'const ProgramState *' to typedef 'ProgramStateRef'.Ted Kremenek2012-01-261-72/+72
| | | | | | | | At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
* [analyzer] Make the entries in 'Environment' context-sensitive by making ↵Ted Kremenek2012-01-061-36/+49
| | | | | | | | | | | | | | | | | | entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals. This is needed to support basic IPA via inlining. Without this, we cannot tell if a Stmt* binding is part of the current analysis scope (StackFrameContext) or part of a parent context. This change introduces an uglification of the use of getSVal(), and thus takes two steps forward and one step back. There are also potential performance implications of enlarging the Environment. Both can be addressed going forward by refactoring the APIs and optimizing the internal representation of Environment. This patch mainly introduces the functionality upon when we want to build upon (and clean up). llvm-svn: 147688
* [analyzer] CStringChecker should not rely on the analyzer generating ↵Anna Zaks2011-12-111-4/+5
| | | | | | | | | | | | | | UndefOrUnknown value when it cannot reason about the expression. We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.) This patch also contains 2 small bug fixes: - swap the order of operators inside SValBuilder::makeGenericVal. - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol. llvm-svn: 146343
* [analyzer] Refactor: Move symbol_iterator from SVal to SymExpr, use itAnna Zaks2011-12-061-2/+2
| | | | | | for finding dependent symbols for taint. llvm-svn: 145986
* [analyzer] Refactor checkers to use helper function for getting callee Decl ↵Anna Zaks2011-12-011-13/+2
| | | | | | | | and name. We are getting name of the called function or it's declaration in a few checkers. Refactor them to use the helper function in the CheckerContext. llvm-svn: 145576
* [analyzer] Add getLocationContext to CheckerContextAnna Zaks2011-10-261-1/+1
| | | | | | | CheckerContext::getPredecessor is only used to get to the LocationContext half of the times. llvm-svn: 143061
OpenPOWER on IntegriCloud