summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/MacOSKeychainAPIChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
* [analyzer] Do not run visitors until the fixpoint, run only once.George Karpenkov2018-06-261-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | In the current implementation, we run visitors until the fixed point is reached. That is, if a visitor adds another visitor, the currently processed path is destroyed, all diagnostics is discarded, and it is regenerated again, until it's no longer modified. This pattern has a few negative implications: - This loop does not even guarantee to terminate. E.g. just imagine two visitors bouncing a diagnostics around. - Performance-wise, e.g. for sqlite3 all visitors are being re-run at least 10 times for some bugs. We have already seen a few reports where it leads to timeouts. - If we want to add more computationally intense visitors, this will become worse. - From architectural standpoint, the current layout requires copying visitors, which is conceptually wrong, and can be annoying (e.g. no unique_ptr on visitors allowed). The proposed change is a much simpler architecture: the outer loop processes nodes upwards, and whenever the visitor is added it only processes current nodes and above, thus guaranteeing termination. Differential Revision: https://reviews.llvm.org/D47856 llvm-svn: 335666
* [analyzer] introduce getSVal(Stmt *) helper on ExplodedNode, make sure the ↵George Karpenkov2018-01-171-4/+3
| | | | | | | | | | | | | | | | | | helper is used consistently In most cases using `N->getState()->getSVal(E, N->getLocationContext())` is ugly, verbose, and also opens up more surface area for bugs if an inconsistent location context is used. This patch introduces a helper on an exploded node, and ensures consistent usage of either `ExplodedNode::getSVal` or `CheckContext::getSVal` across the codebase. As a result, a large number of redundant lines is removed. Differential Revision: https://reviews.llvm.org/D42155 llvm-svn: 322753
* [analyzer] Fix false positives in Keychain API checkerAnna Zaks2017-01-131-83/+89
| | | | | | | | | | | | | | The checker has several false positives that this patch addresses: - Do not check if the return status has been compared to error (or no error) at the time when leaks are reported since the status symbol might no longer be alive. Instead, pattern match on the assume and stop tracking allocated symbols on error paths. - The checker used to report error when an unknown symbol was freed. This could lead to false positives, let's not repot those. This leads to loss of coverage in double frees. - Do not enforce that we should only call free if we are sure that error was not returned and the pointer is not null. That warning is too noisy and we received several false positive reports about it. (I removed: "Only call free if a valid (non-NULL) buffer was returned") - Use !isDead instead of isLive in leak reporting. Otherwise, we report leaks for objects we loose track of. This change triggered change #1. This also adds checker specific dump to the state. Differential Revision: https://reviews.llvm.org/D28330 llvm-svn: 291866
* Migrate PathDiagnosticPiece to std::shared_ptrDavid Blaikie2017-01-051-11/+10
| | | | | | | Simplifies and makes explicit the memory ownership model rather than implicitly passing/acquiring ownership. llvm-svn: 291143
* [analyzer] Small cleanups when checkers retrieving statements from explodedGabor Horvath2016-08-181-6/+1
| | | | | | | | nodes. Differential Revision: https://reviews.llvm.org/D23550 llvm-svn: 279037
* Refactor: Simplify boolean conditional return statements in ↵Alexander Kornienko2015-12-281-11/+3
| | | | | | | | | | | | | | | | lib/StaticAnalyzer/Checkers Summary: Use clang-tidy to simplify boolean conditional return values Reviewers: dcoughlin, krememek Subscribers: krememek, cfe-commits Patch by Richard Thomson! Differential Revision: http://reviews.llvm.org/D10021 llvm-svn: 256491
* Drop useless const in for-range loops.Benjamin Kramer2015-09-241-1/+1
| | | | | | | | StringRefs always point to immutable memory so the const doesn't add value here. Also quiets clang's -Wrange-loop-analysis which warns about the implicit copying. llvm-svn: 248496
* [analyzer] Add generateErrorNode() APIs to CheckerContext.Devin Coughlin2015-09-161-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
* [analyzer] Apply whitespace cleanups by Honggyu Kim.Ted Kremenek2015-09-081-2/+2
| | | | llvm-svn: 246978
* Wdeprecated: Make the SecKeychainBugVisitor copyable (for the clone support ↵David Blaikie2015-08-131-1/+0
| | | | | | | | | in the CRTP base) my removing the user-declared dtor The implicit dtor is just as good, and avoid suppressing implicit copy/move ops. llvm-svn: 244981
* Clarify pointer ownership semantics by hoisting the std::unique_ptr creation ↵Aaron Ballman2015-06-231-25/+22
| | | | | | to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
* Revert r240270 ("Fixed/added namespace ending comments using clang-tidy").Alexander Kornienko2015-06-221-1/+1
| | | | llvm-svn: 240353
* Fixed/added namespace ending comments using clang-tidy. NFCAlexander Kornienko2015-06-221-1/+1
| | | | | | | | | | | | The patch is generated using this command: $ tools/extra/clang-tidy/tool/run-clang-tidy.py -fix \ -checks=-*,llvm-namespace-comment -header-filter='llvm/.*|clang/.*' \ work/llvm/tools/clang To reduce churn, not touching namespaces spanning less than 10 lines. llvm-svn: 240270
* Use 'override/final' instead of 'virtual' for overridden methodsAlexander Kornienko2015-04-111-1/+1
| | | | | | | | | | | | | | | | | | | | Summary: The patch is generated using clang-tidy misc-use-override check. This command was used: tools/clang/tools/extra/clang-tidy/tool/run-clang-tidy.py \ -checks='-*,misc-use-override' -header-filter='llvm|clang' -j=32 -fix Reviewers: dblaikie Reviewed By: dblaikie Subscribers: klimek, cfe-commits Differential Revision: http://reviews.llvm.org/D8926 llvm-svn: 234678
* [analyzer] Do not crash in the KeychainAPI checker on user defined 'free()'.Anna Zaks2015-02-051-2/+10
| | | | llvm-svn: 228248
* [analyzer] Look for allocation site in the parent frames as well as the ↵Anna Zaks2015-02-051-3/+5
| | | | | | | | | | | | | current one. Instead of handling edge cases (mostly involving blocks), where we have difficulty finding an allocation statement, allow the allocation site to be in a parent node. Previously we assumed that the allocation site can always be found in the same frame as allocation, but there are scenarios in which an element is leaked in a child frame but is allocated in the parent. llvm-svn: 228247
* unique_ptrify BugReporter::visitorsDavid Blaikie2014-09-041-4/+4
| | | | llvm-svn: 217205
* [C++11] Use 'nullptr'. StaticAnalyzer edition.Craig Topper2014-05-271-6/+6
| | | | llvm-svn: 209642
* [C++11] Add 'override' keyword to virtual methods that override their base ↵Craig Topper2014-03-151-2/+2
| | | | | | class. llvm-svn: 203999
* Replace OwningPtr with std::unique_ptr.Ahmed Charles2014-03-071-1/+1
| | | | | | This compiles cleanly with lldb/lld/clang-tools-extra/llvm. llvm-svn: 203279
* [analyzer] Improved checker naming in CFG dump.Anton Yartsev2014-02-171-1/+1
| | | | | | This implements FIXME from Checker.cpp (FIXME: We want to return the package + name of the checker here.) and replaces hardcoded checker names with the new ones obtained via getCheckName().getName(). llvm-svn: 201525
* Expose the name of the checker producing each diagnostic message.Alexander Kornienko2014-02-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Summary: In clang-tidy we'd like to know the name of the checker producing each diagnostic message. PathDiagnostic has BugType and Category fields, which are both arbitrary human-readable strings, but we need to know the exact name of the checker in the form that can be used in the CheckersControlList option to enable/disable the specific checker. This patch adds the CheckName field to the CheckerBase class, and sets it in the CheckerManager::registerChecker() method, which gets them from the CheckerRegistry. Checkers that implement multiple checks have to store the names of each check in the respective registerXXXChecker method. Reviewers: jordan_rose, krememek Reviewed By: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D2557 llvm-svn: 201186
* [analyzer] Rename “Mac OS X API”, “Mac OS API” -> “API Misuse ↵Anna Zaks2013-04-031-1/+2
| | | | | | | | (Apple)” As they are relevant on both Mac and iOS. llvm-svn: 178687
* Replace ProgramPoint llvm::cast support to be well-defined.David Blaikie2013-02-211-4/+4
| | | | | | See r175462 for another example/more details. llvm-svn: 175812
* Include llvm::Optional in clang/Basic/LLVM.hDavid Blaikie2013-02-201-1/+1
| | | | | | Post-commit CR feedback from Jordan Rose regarding r175594. llvm-svn: 175679
* Replace SVal llvm::cast support to be well-defined.David Blaikie2013-02-201-2/+2
| | | | | | See r175462 for another example/more details. llvm-svn: 175594
* Remove useless 'llvm::' qualifier from names like StringRef and others that areDmitri Gribenko2013-01-121-1/+1
| | | | | | brought into 'clang' namespace by clang/Basic/LLVM.h llvm-svn: 172323
* [analyzer] Include the bug uniqueing location in the issue_hash.Anna Zaks2013-01-081-13/+19
| | | | | | | | | | | | | | | The issue here is that if we have 2 leaks reported at the same line for which we cannot print the corresponding region info, they will get treated as the same by issue_hash+description. We need to AUGMENT the issue_hash with the allocation info to differentiate the two issues. Add the "hash" (offset from the beginning of a function) representing allocation site to solve the issue. We might want to generalize solution in the future when we decide to track more than just the 2 locations from the diagnostics. llvm-svn: 171825
* [analyzer] Fix a false positive in Secure Keychain API checker.Anna Zaks2013-01-071-7/+9
| | | | | | | | | Better handle the blacklisting of known bad deallocators when symbol escapes through a call to CFStringCreateWithBytesNoCopy. Addresses radar://12702952. llvm-svn: 171770
* Sort all of Clang's files under 'lib', and fix up the broken headersChandler Carruth2012-12-041-1/+1
| | | | | | | | | | | | | uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. llvm-svn: 169237
* Include pruning and general cleanup.Benjamin Kramer2012-12-011-0/+1
| | | | llvm-svn: 169095
* [analyzer] MacOSKeychainAPIChecker: Remove now-unnecessary check::EndPath.Jordan Rose2012-11-151-75/+0
| | | | | | | Also, don't bother to stop tracking symbols in the return value, either. They are now properly considered live during checkDeadSymbols. llvm-svn: 168068
* [analyzer] Use nice macros for the common ProgramStateTraits (map, set, list).Jordan Rose2012-11-021-14/+7
| | | | | | | | | Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h. This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait, but it does get a lot of them. llvm-svn: 167276
* [analyzer] Rename 'EmitReport' to 'emitReport'.Jordan Rose2012-11-021-6/+6
| | | | | | No functionality change. llvm-svn: 167275
* [analyzer] Rename ConditionTruthVal::isTrue to isConstrainedTrue.Jordan Rose2012-11-011-2/+6
| | | | | | | | (and the same for isFalse) No functionality change. llvm-svn: 167186
* Revert 'Fix a typo 'iff' => 'if''. iff is an abreviation of if and only if. ↵Sylvestre Ledru2012-09-271-2/+2
| | | | | | See: http://en.wikipedia.org/wiki/If_and_only_if Commit 164766 llvm-svn: 164769
* Fix a typo 'iff' => 'if'Sylvestre Ledru2012-09-271-2/+2
| | | | llvm-svn: 164766
* Remove ProgramState::getSymVal(). It was being misused by Checkers,Ted Kremenek2012-09-071-2/+2
| | | | | | | | | | | | | | | | | | | | with at least one subtle bug in MacOSXKeyChainAPIChecker where the calling the method was a substitute for assuming a symbolic value was null (which is not the case). We still keep ConstraintManager::getSymVal(), but we use that as an optimization in SValBuilder and ProgramState::getSVal() to constant-fold SVals. This is only if the ConstraintManager can provide us with that information, which is no longer a requirement. As part of this, introduce a default implementation of ConstraintManager::getSymVal() which returns null. For Checkers, introduce ConstraintManager::isNull(), which queries the state to see if the symbolic value is constrained to be a null value. It does this without assuming it has been implicitly constant folded. llvm-svn: 163428
* [analyzer] Guard against C++ member functions that look like system functions.Jordan Rose2012-07-101-2/+10
| | | | | | | | | C++ method calls and C function calls both appear as CallExprs in the AST. This was causing crashes for an object that had a 'free' method. <rdar://problem/11822244> llvm-svn: 160029
* [analyzer] Make CallEnter, CallExitBegin, and CallExitEnd not be StmtPointsJordan Rose2012-07-101-3/+5
| | | | | | | These ProgramPoints are used in inlining calls, and not all calls have associated statements anymore. llvm-svn: 160021
* [analyzer] Add a clone() method to BugReporterVisitor, so that we'll be able ↵Jordy Rose2012-03-241-1/+2
| | | | | | to reset diagnostic generation. llvm-svn: 153368
* [analyzer] Replace a static helper with existing logic. No functionality change.Jordy Rose2012-03-111-26/+18
| | | | llvm-svn: 152521
* [analyzer] Implement basic path diagnostic pruning based on "interesting" ↵Ted Kremenek2012-03-091-0/+12
| | | | | | | | | | | | | | | | | symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
* [analyzer] Leaks should be uniqued by the allocation point in theAnna Zaks2012-02-281-5/+12
| | | | | | closest function context (Keychain API). llvm-svn: 151613
* [analyzer] KeyChainAPI: unique the leaks by allocation site.Anna Zaks2012-02-231-21/+60
| | | | | | (Very similar to the previous change in malloc.) llvm-svn: 151297
* [analyzer] Make KeyChainAPI checker inlining-aware.Anna Zaks2012-02-211-1/+11
| | | | llvm-svn: 151007
* Basic: import SmallString<> into clang namespaceDylan Noblesmith2012-02-051-3/+3
| | | | | | | (I was going to fix the TODO about DenseMap too, but that would break self-host right now. See PR11922.) llvm-svn: 149799
* Basic: import OwningPtr<> into clang namespaceDylan Noblesmith2012-02-051-1/+1
| | | | llvm-svn: 149798
* Move a method from IdentifierTable.h out of line and remove the SmallString ↵Benjamin Kramer2012-02-041-0/+1
| | | | | | | | include. Fix all the transitive include users. llvm-svn: 149783
* Change references to 'const ProgramState *' to typedef 'ProgramStateRef'.Ted Kremenek2012-01-261-11/+11
| | | | | | | | At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
OpenPOWER on IntegriCloud