path: root/clang/lib/StaticAnalyzer/Checkers/Checkers.td
Commit message | Author | Age | Files | Lines
...
* [analyzer] Always derive a CallEvent's return type from its origin expr.
  Previously, we preferred to get a result type by looking at the callee's declared result type. This allowed us to handle references, which are represented in the AST as lvalues of their pointee type. (That is, a call to a function returning 'int &' has type 'int' and value kind 'lvalue'.)
  However, this results in us preferring the original type of a function over a casted type. This is a problem when a function pointer is casted to another type, because the conjured result value will have the wrong type. AdjustedReturnValueChecker is supposed to handle this, but still doesn't handle the case where there is no "original function" at all, i.e. where the callee is unknown.
  Now, we instead look at the call expression's value kind (lvalue, xvalue, or prvalue), and adjust the expr's type accordingly. This will have no effect when the function is inlined, and will conjure the value that will actually be used when it is not.
  This makes AdjustedReturnValueChecker /nearly/ unnecessary; unfortunately, the cases where it would still be useful are where we need to cast the result of an inlined function or a checker-evaluated function, and in these cases we don't know what we're casting /from/ by the time we can do post-call checks. In light of that, remove AdjustedReturnValueChecker, which was already not checking quite a few calls.
  llvm-svn: 163065
  Author: Jordan Rose | Age: 2012-09-01 | Files: 1 | Lines: -4/+0
* Rename the "experimental" checker package to "alpha". We will then refine this group into "alpha" and "beta" to distinguish between checkers in different levels of premature state.
  llvm-svn: 162582
  Author: Ted Kremenek | Age: 2012-08-24 | Files: 1 | Lines: -18/+18
* [analyzer] Add osx.cocoa.NonNilReturnValue checker.
  The checker adds assumptions that the return values from the known APIs are non-nil. Teach the checker about NSArray/NSMutableArray/NSOrderedSet objectAtIndex, objectAtIndexedSubscript.
  llvm-svn: 162398
  Author: Anna Zaks | Age: 2012-08-22 | Files: 1 | Lines: -0/+4
* [analyzer] Add a checker to manage dynamic type propagation.
  Instead of sprinkling dynamic type info propagation throughout ExprEngine, the added checker would add the more precise type information on known APIs (Ex: ObjC alloc, new) and propagate the type info in other cases (ex: ObjC init method, casts (the second is not implemented yet)). Add handling of ObjC alloc, new and init to the checker.
  llvm-svn: 161357
  Author: Anna Zaks | Age: 2012-08-06 | Files: 1 | Lines: -0/+4
* Remove experimental invalid iterators checker from the codebase until we have the time to fix all the issues. Currently the code is essentially unmaintained and buggy, and needs major revision (with coupled enhancements to the analyzer core).
  llvm-svn: 160754
  Author: Ted Kremenek | Age: 2012-07-25 | Files: 1 | Lines: -4/+0
* [analyzer] Add debug.DumpCalls, which prints out any CallEvents it sees.
  This is probably not so useful yet because it is not path-sensitive, though it does try to show inlining with indentation. This also adds a dump() method to CallEvent, which should be useful for debugging.
  llvm-svn: 160030
  Author: Jordan Rose | Age: 2012-07-10 | Files: 1 | Lines: -0/+4
* [analyzer] Add a test that we are, in fact, doing a DFS on the ExplodedGraph.
  Previously:
  ...the comment said DFS...
  ...the WorkList being instantiated said BFS...
  ...and the implementation was actually DFS...
  ...due to an unintentional change in 2010...
  ...and everything kept working anyway.
  This fixes our std::deque implementation of BFS, but switches back to a SmallVector-based implementation of DFS. We should probably still investigate the ramifications of DFS vs. BFS, especially for large functions (and especially when we hit our block path limit), since this might completely change our memory use. It can also mask some bugs and reveal others depending on when we halt analysis. But at least we will not have this kind of little mistake creep in again.
  llvm-svn: 159397
  Author: Jordan Rose | Age: 2012-06-29 | Files: 1 | Lines: -0/+4
* [analyzer] Add ObjCLoopChecker: objects from NSArray et al are non-nil.
  While collections containing nil elements can still be iterated over in an Objective-C for-in loop, the most common Cocoa collections -- NSArray, NSDictionary, and NSSet -- cannot contain nil elements. This checker adds that assumption to the analyzer state. This was the cause of some minor false positives concerning CFRelease calls on objects in an NSArray.
  llvm-svn: 158319
  Author: Jordan Rose | Age: 2012-06-11 | Files: 1 | Lines: -0/+4
* [analyzer] Minor cleanup to checkers' help text.
  llvm-svn: 157402
  Author: Anna Zaks | Age: 2012-05-24 | Files: 1 | Lines: -4/+4
* [analyzer] Introduce clang_analyzer_eval for regression test constraint checks.
  The new debug.ExprInspection checker looks for calls to clang_analyzer_eval, and emits a warning of TRUE, FALSE, or UNKNOWN (or UNDEFINED) based on the constrained value of its (boolean) argument. It does not modify the analysis state though the conditions tested can result in branches (e.g. through the use of short-circuit operators).
  llvm-svn: 156919
  Author: Jordy Rose | Age: 2012-05-16 | Files: 1 | Lines: -0/+4
* [analyzer] Turn on MallocSizeOfChecker by default; shorten the diagnostic
  llvm-svn: 156341
  Author: Anna Zaks | Age: 2012-05-07 | Files: 1 | Lines: -4/+4
* Add a basic CallGraph to Analysis.
  The final graph contains a single root node, which is a parent of all externally available functions (and 'main'). As well as a list of Parentless/Unreachable functions, which are either truly unreachable or are unreachable due to our analyses imprecision. The analyzer checkers debug.DumpCallGraph or debug.ViewGraph can be used to look at the produced graph. Currently, the graph is not very precise, for example, it entirely skips edges resulted from ObjC method calls.
  llvm-svn: 152272
  Author: Anna Zaks | Age: 2012-03-08 | Files: 1 | Lines: -0/+8
* [analyzer] Turn on by default the Malloc Checker and a couple of CString checks:
  - unix.Malloc - Checks for memory leaks, double free, use-after-free.
  - unix.cstring.NullArg - Checks for null pointers passed as arguments to CString functions + evaluates CString functions.
  - unix.cstring.BadSizeArg - Checks for common anti-patterns in strncat size argument.
  llvm-svn: 150988
  Author: Anna Zaks | Age: 2012-02-20 | Files: 1 | Lines: -9/+13
* [analyzer] New checker for assignment of non-0/1 values to Boolean variables.
  llvm-svn: 150306
  Author: Ryan Govostes | Age: 2012-02-11 | Files: 1 | Lines: -0/+4
* [analyzer] Split the MallocChecker into two versions - pessimistic and optimistic.
  TODO: actually implement the pessimistic version of the checker. Ex: it needs to assume that any function that takes a pointer might free it.
  The optimistic version relies on annotations to tell us which functions can free the pointer.
  llvm-svn: 150111
  Author: Anna Zaks | Age: 2012-02-08 | Files: 1 | Lines: -2/+6
* [analyzer] Allow each CString check to be enabled/disabled separately.
  llvm-svn: 149947
  Author: Anna Zaks | Age: 2012-02-07 | Files: 1 | Lines: -3/+15
* [analyzer] Turn on by default two checkers:
  - osx.coreFoundation.containers.IndexOutOfBounds
  - osx.cocoa.SelfInit
  llvm-svn: 149747
  Author: Anna Zaks | Age: 2012-02-04 | Files: 1 | Lines: -11/+12
* [analyzer] Add checks for common anti-patterns in strncat.
  (Since this is syntax only, might be a good candidate for turning into a compiler warning.)
  llvm-svn: 149407
  Author: Anna Zaks | Age: 2012-01-31 | Files: 1 | Lines: -4/+12
* [analyzer] Rename the checker as per Ted's comment. Remove the reference from the driver.
  llvm-svn: 149276
  Author: Anna Zaks | Age: 2012-01-30 | Files: 1 | Lines: -4/+6
* [analyzer] Make osx.cocos.CFContainersSyntax a default checker.
  llvm-svn: 149258
  Author: Anna Zaks | Age: 2012-01-30 | Files: 1 | Lines: -4/+4
* [analyzer] Add index out of bounds check for CFArrayGetArrayAtIndex.
  llvm-svn: 149228
  Author: Anna Zaks | Age: 2012-01-30 | Files: 1 | Lines: -0/+4
* [analyzer] Add an AST checker that checks for a common pitfall when using CFArrayCreate & family.
  Specifically, CFArrayCreate's input should be: 'A C array of the pointer-sized values to be in the new array.' (radar://10717339)
  llvm-svn: 149008
  Author: Anna Zaks | Age: 2012-01-26 | Files: 1 | Lines: -0/+4
* Reenable DeadStoresChecker under --analyze, and move the IdempotentOperationsChecker to the 'experimental' category. Fixes <rdar://problem/10146347>.
  llvm-svn: 148533
  Author: Ted Kremenek | Age: 2012-01-20 | Files: 1 | Lines: -4/+3
* Implement checker that looks for calls to mktemps and friends that have fewer than 6 Xs. Implements <rdar://problem/6336672>.
  llvm-svn: 148531
  Author: Ted Kremenek | Age: 2012-01-20 | Files: 1 | Lines: -0/+6
* Turn 'SecuritySyntaxChecker' into a "meta" security checker for insecure APIs. Now multiple checks are exposed as separate checkers, but CheckerManager only creates one Checker object.
  llvm-svn: 148525
  Author: Ted Kremenek | Age: 2012-01-20 | Files: 1 | Lines: -4/+27
* Add initial version of checker to check if virtual member functions are called transitively from C++ constructors or destructors. Checker by Lei Zhang with a few tweaks by Ted Kremenek.
  llvm-svn: 147494
  Author: Ted Kremenek | Age: 2012-01-03 | Files: 1 | Lines: -0/+4
* Add an experimental MallocSizeofChecker, which reports inconsistencies between the casted type of the return value of a malloc/calloc/realloc call and the operand of any sizeof expressions contained within its argument(s).
  llvm-svn: 146144
  Author: Peter Collingbourne | Age: 2011-12-08 | Files: 1 | Lines: -0/+4
* [analyzer] Add a debug checker to test for tainted data.
  llvm-svn: 145827
  Author: Anna Zaks | Age: 2011-12-05 | Files: 1 | Lines: -0/+4
* [analyzer] Adding generic taint checker.
  The checker is responsible for defining attack surface and adding taint to symbols.
  llvm-svn: 144825
  Author: Anna Zaks | Age: 2011-11-16 | Files: 1 | Lines: -0/+13
* [analyzer] There should be a space between "expect" and "only"
  llvm-svn: 143787
  Author: Anna Zaks | Age: 2011-11-05 | Files: 1 | Lines: -1/+1
* Add source-level dominators analysis. Patch by Guoping Long!
  llvm-svn: 142885
  Author: Ted Kremenek | Age: 2011-10-25 | Files: 1 | Lines: -0/+4
* [analyzer] Move the knowledge of whether or not GC is enabled for the current analysis from CFRefCount to ExprEngine.
  Remove TransferFuncs from ExprEngine and AnalysisConsumer. Demote RetainReleaseChecker to a regular checker, and give it the name osx.cocoa.RetainCount (class name change coming shortly). Update tests accordingly.
  llvm-svn: 138998
  Author: Jordy Rose | Age: 2011-09-02 | Files: 1 | Lines: -0/+4
* MacOSKeychainAPIChecker: Turn it on by default.
  llvm-svn: 137740
  Author: Anna Zaks | Age: 2011-08-16 | Files: 1 | Lines: -7/+3
* [analyzer] Remove 'all-experimental' checker group.
  llvm-svn: 136849
  Author: Ted Kremenek | Age: 2011-08-04 | Files: 1 | Lines: -20/+7
* [analyzer] rename all experimental checker packages to have 'experimental' be the common root package.
  llvm-svn: 136835
  Author: Ted Kremenek | Age: 2011-08-03 | Files: 1 | Lines: -7/+9
* [analyzer] Introduce MallocOverflowSecurityChecker, a simple flow-sensitive checker that may be useful for security auditing. This checker is currently too noisy to be on by default.
  llvm-svn: 136804
  Author: Ted Kremenek | Age: 2011-08-03 | Files: 1 | Lines: -0/+4
* KeychainAPI checker: only check the paths on which the allocator function returned noErr. (+ minor cleanup)
  llvm-svn: 136694
  Author: Anna Zaks | Age: 2011-08-02 | Files: 1 | Lines: -1/+1
* Add a skeleton for the Keychain Services API Checker. Register it as OSX experimental for now. Note, the checker still does not handle tracking of escaped values, taking into account the return value of the allocator functions, nor the actual bug reporting.
  llvm-svn: 136659
  Author: Anna Zaks | Age: 2011-08-01 | Files: 1 | Lines: -0/+11
* [analyzer] CStringChecker checks functions in the C standard library, not C++. Its external name is now unix.experimental.CString.
  llvm-svn: 132958
  Author: Jordy Rose | Age: 2011-06-14 | Files: 1 | Lines: -4/+4
* Move the SelfInit checker to the 'cocoa.experimental' package.
  llvm-svn: 130598
  Author: Ted Kremenek | Age: 2011-04-30 | Files: 1 | Lines: -4/+4
* [analyzer] Checker Packages can now belong to a group. This requires llvm commit r128474.
  llvm-svn: 128475
  Author: Argyrios Kyrtzidis | Age: 2011-03-29 | Files: 1 | Lines: -30/+18
* Tweak grammar in checker description.
  llvm-svn: 128310
  Author: Ted Kremenek | Age: 2011-03-26 | Files: 1 | Lines: -1/+1
* Rework checker "packages" and groups to be more hierarchical.
  llvm-svn: 128187
  Author: Ted Kremenek | Age: 2011-03-24 | Files: 1 | Lines: -191/+263
* Add an Objective-C checker that checks that arguments passed to some variadic Objective-C methods are of Objective-C pointer types.
  Ted or Argiris, I'd appreciate a review!
  llvm-svn: 127572
  Author: Anders Carlsson | Age: 2011-03-13 | Files: 1 | Lines: -0/+5
* Re-enable the IdempotentOperations checker for --analyze, and put it and the DeadStores checker into the "deadcode" group.
  llvm-svn: 127531
  Author: Ted Kremenek | Age: 2011-03-12 | Files: 1 | Lines: -5/+9
* Add initial version of "IteratorsChecker", a checker to find misuses of C++ iterators.
  This checker was created by Jim Goodnow II, and I migrated it to the new Checker interface (recent changes by Argiris).
  llvm-svn: 127525
  Author: Ted Kremenek | Age: 2011-03-12 | Files: 1 | Lines: -0/+5
* [analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2.
  They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null.
  llvm-svn: 126659
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -0/+13
* [analyzer] Migrate CallAndMessageChecker to CheckerV2.
  llvm-svn: 126626
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -0/+4
* [analyzer] Migrate AdjustedReturnValueChecker to CheckerV2.
  llvm-svn: 126624
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -0/+4
* [analyzer] Migrate AttrNonNullChecker to CheckerV2.
  llvm-svn: 126623
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -0/+4