path: root/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
* [analyzer] Apply whitespace cleanups by Honggyu Kim.
  Ted Kremenek, 2015-09-08, 1 file changed, -74/+74
  llvm-svn: 246978

* Wdeprecated: BugReporterVisitors are copied for cloning (BugReporterVisitorImpl), make sure such copies are safe
  David Blaikie, 2015-08-13, 1 file changed, -3/+2
  Make the copy/move ctors defaulted in the base class and make the derived classes final to avoid any intermediate hierarchy slicing if these types were further derived.
  llvm-svn: 244979

* Wdeprecated: CollectReachableSymbolsCallback are move constructed/returned by value, so make sure they're copy/moveable (return by value is in ExprEngine::processPointerEscapedOnBind and any other call to the scanReachableSymbols function template used there)
  David Blaikie, 2015-08-13, 1 file changed, -1/+1
  Protect the special members in the base class to avoid slicing, and make derived classes final so these special members don't accidentally become public on an intermediate base which would open up the possibility of slicing again.
  llvm-svn: 244975

* Clarify pointer ownership semantics by hoisting the std::unique_ptr creation to the caller instead of hiding it in emitReport. NFC.
  Aaron Ballman, 2015-06-23, 1 file changed, -28/+29
  llvm-svn: 240400

* [analyzer] This implements potential undefbehavior.ZeroAllocDereference checker.
  Anton Yartsev, 2015-04-14, 1 file changed, -11/+155
  TODO: support realloc(). Currently it is not possible due to the present realloc() handling. Currently RegionState is not being attached to realloc() in case of a zero Size argument.
  llvm-svn: 234889

* Use 'override/final' instead of 'virtual' for overridden methods
  Alexander Kornienko, 2015-04-11, 1 file changed, -1/+1
  Summary: The patch is generated using clang-tidy misc-use-override check. This command was used:
      tools/clang/tools/extra/clang-tidy/tool/run-clang-tidy.py \
        -checks='-*,misc-use-override' -header-filter='llvm|clang' -j=32 -fix
  Reviewers: dblaikie
  Reviewed By: dblaikie
  Subscribers: klimek, cfe-commits
  Differential Revision: http://reviews.llvm.org/D8926
  llvm-svn: 234678

* [analyzer] Make getCheckIfTracked() return either leak or regular checker.
  Anton Yartsev, 2015-03-10, 1 file changed, -19/+29
  llvm-svn: 231863

* [analyzer] Remove unused type (addition to r231540: "Revert changes from r229593")
  Anton Yartsev, 2015-03-07, 1 file changed, -1/+0
  llvm-svn: 231548

* [analyzer] Revert changes from r229593; an enhancement is under discussion
  Anton Yartsev, 2015-03-07, 1 file changed, -87/+67
  llvm-svn: 231540

* [analyzer] Bug fix: do not report leaks for alloca()
  Anton Yartsev, 2015-03-04, 1 file changed, -0/+5
  llvm-svn: 231314

* [analyzer] Individual configuration options can be specified for checkers.
  Gabor Horvath, 2015-03-04, 1 file changed, -25/+19
  Reviewed by: Anna Zaks
  Original patch by: Aleksei Sidorin
  Differential Revision: http://reviews.llvm.org/D7905
  llvm-svn: 231266

* [analyzer] unix.Malloc: preserve AllocaRegion bound to __builtin_alloca().
  Anton Yartsev, 2015-03-03, 1 file changed, -13/+17
  Binding __builtin_alloca() return value to the symbolic value kills previous binding to a AllocaRegion established by the core.BuiltinFunctions checker. Other checkers may rely upon this information. Rollback handling of __builtin_alloca() to the way prior to r229850.
  llvm-svn: 231160

* [analyzer] Different handling of alloca().
  Anton Yartsev, 2015-02-19, 1 file changed, -30/+78
  + separate bug report for "Free alloca()" error to be able to customize checkers responsible for this error.
  + Muted "Free alloca()" error for NewDelete checker that is not responsible for c-allocated memory, turned on for unix.MismatchedDeallocator checker.
  + RefState for alloca() - to be able to detect usage of zero-allocated memory by upcoming ZeroAllocDereference checker.
  + AF_Alloca family to handle alloca() consistently - keep proper family in RefState, handle 'alloca' by getCheckIfTracked() facility, etc.
  + extra tests.
  llvm-svn: 229850

* [analyzer] Refactoring: clarified the way the proper check kind is chosen.
  Anton Yartsev, 2015-02-18, 1 file changed, -64/+86
  llvm-svn: 229593

* [analyzer] Pass actual state to alloc/dealloc handling functions.
  Anton Yartsev, 2015-02-10, 1 file changed, -43/+78
  The state obtained from CheckerContext::getState() may be outdated by the time the alloc/dealloc handling function is called (e.g. the state was modified but the transition was not performed). State argument was added to all alloc/dealloc handling functions in order to get the latest state and to allow sequential calls to those functions.
  llvm-svn: 228737

* [analyzer] Look for allocation site in the parent frames as well as the current one.
  Anna Zaks, 2015-02-05, 1 file changed, -3/+5
  Instead of handling edge cases (mostly involving blocks), where we have difficulty finding an allocation statement, allow the allocation site to be in a parent node. Previously we assumed that the allocation site can always be found in the same frame as allocation, but there are scenarios in which an element is leaked in a child frame but is allocated in the parent.
  llvm-svn: 228247

* Remove stray enum keywords. MSVC sees this as a redeclaration at global scope.
  Benjamin Kramer, 2014-10-03, 1 file changed, -2/+2
  llvm-svn: 219031

* [analyzer] Make Malloc Checker track memory allocated by if_nameindex
  Anna Zaks, 2014-10-03, 1 file changed, -37/+81
  The MallocChecker does currently not track the memory allocated by if_nameindex. That memory is dynamically allocated and should be freed by calling if_freenameindex. The attached patch teaches the checker about these functions. Memory allocated by if_nameindex is treated as a separate allocation "family". That way the checker can verify it is freed by the correct function.
  A patch by Daniel Fahlgren!
  llvm-svn: 219025

* [analyzer] Don't crash if malloc() has an unexpected function prototype.
  Jordan Rose, 2014-09-05, 1 file changed, -4/+4
  Patch by Daniel Fahlgren!
  llvm-svn: 217258

* unique_ptrify BugReporter::visitors
  David Blaikie, 2014-09-04, 1 file changed, -5/+5
  llvm-svn: 217205

* unique_ptr-ify PathDiagnosticPiece ownership
  David Blaikie, 2014-08-29, 1 file changed, -4/+5
  llvm-svn: 216751

* [Analyzer] fix for PR19102
  Anton Yartsev, 2014-08-05, 1 file changed, -0/+41
  Newly-created unconsumed instance is now assumed escaped if an invoked constructor has an argument of a pointer-to-record type.
  llvm-svn: 214909

* [C++11] Use 'nullptr'. StaticAnalyzer edition.
  Craig Topper, 2014-05-27, 1 file changed, -57/+58
  llvm-svn: 209642

* Updated the attribute tablegen emitter for variadic arguments to emit a range accessor in addition to the iterators. Updated code using iterators to use range-based for loops.
  Aaron Ballman, 2014-05-02, 1 file changed, -3/+2
  llvm-svn: 207837

* [analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs.
  Jordan Rose, 2014-03-26, 1 file changed, -5/+114
  Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels.
  Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux.
  Future work involves a better method of checking for named flags without hardcoding values.
  Patch by Conrad Meyer, with minor modifications by me.
  llvm-svn: 204832

* [C++11] Add 'override' keyword to virtual methods that override their base class.
  Craig Topper, 2014-03-15, 1 file changed, -7/+8
  llvm-svn: 203999

* [C++11] Replacing DeclBase iterators specific_attr_begin() and specific_attr_end() with iterator_range specific_attrs(). Updating all of the usages of the iterators with range-based for loops.
  Aaron Ballman, 2014-03-10, 1 file changed, -18/+9
  llvm-svn: 203474

* Replace OwningPtr with std::unique_ptr.
  Ahmed Charles, 2014-03-07, 1 file changed, -7/+7
  This compiles cleanly with lldb/lld/clang-tools-extra/llvm.
  llvm-svn: 203279

* [C++11] Replace llvm::tie with std::tie.
  Benjamin Kramer, 2014-03-02, 1 file changed, -4/+4
  llvm-svn: 202639

* [analyzer] Improved checker naming in CFG dump.
  Anton Yartsev, 2014-02-17, 1 file changed, -6/+9
  This implements FIXME from Checker.cpp (FIXME: We want to return the package + name of the checker here.) and replaces hardcoded checker names with the new ones obtained via getCheckName().getName().
  llvm-svn: 201525

* Expose the name of the checker producing each diagnostic message.
  Alexander Kornienko, 2014-02-11, 1 file changed, -94/+136
  Summary: In clang-tidy we'd like to know the name of the checker producing each diagnostic message. PathDiagnostic has BugType and Category fields, which are both arbitrary human-readable strings, but we need to know the exact name of the checker in the form that can be used in the CheckersControlList option to enable/disable the specific checker.
  This patch adds the CheckName field to the CheckerBase class, and sets it in the CheckerManager::registerChecker() method, which gets them from the CheckerRegistry. Checkers that implement multiple checks have to store the names of each check in the respective registerXXXChecker method.
  Reviewers: jordan_rose, krememek
  Reviewed By: jordan_rose
  CC: cfe-commits
  Differential Revision: http://llvm-reviews.chandlerc.com/D2557
  llvm-svn: 201186

* [analyzer] Future-proof MallocChecker CFG dumping.
  Jordan Rose, 2014-01-23, 1 file changed, -7/+7
  Now we'll get a warning if we miss a case. Refinement of r199800.
  llvm-svn: 199868

* [analyzer] The patch prevents the analyzer from crashing during CFG dump.
  Anton Yartsev, 2014-01-22, 1 file changed, -1/+2
  llvm-svn: 199800

* [analyzer] BlockCall shouldn't really be an AnyFunctionCall.
  Jordan Rose, 2014-01-15, 1 file changed, -3/+3
  Per discussion with Anna a /long/ time ago, it was way too easy to misuse BlockCall: because it inherited from AnyFunctionCall (through SimpleCall), getDecl() was constrained to return a FunctionDecl, and you had to call getBlockDecl() instead. This goes against the whole point of CallEvent (to abstract over different ways to invoke bodies of code).
  Now, BlockCall just inherits directly from CallEvent. There's a bit of duplication in getting things out of the origin expression (which is still known to be a CallExpr), but nothing significant.
  llvm-svn: 199321
* [analyzer] Warn about double-delete in C++ at the second delete...
  Jordan Rose, 2014-01-08, 1 file changed, -2/+42
  ...rather than somewhere in the destructor when we try to access something and realize the object has already been deleted. This is necessary because the destructor is processed before the 'delete' itself.
  Patch by Karthik Bhat!
  llvm-svn: 198779
* [analyzer] Pointers escape into +[NSValue valueWithPointer:]...
  Jordan Rose, 2014-01-07, 1 file changed, -1/+2
  ...even though the argument is declared "const void *", because this is just a way to pass pointers around as objects. (Though NSData is often a better one.)
  PR18262
  llvm-svn: 198710

* Only mark dump() function definitions 'used' in debug builds
  Alp Toker, 2014-01-04, 1 file changed, -3/+1
  This has the dual effect of (1) enabling more dead-stripping in release builds and (2) ensuring that debug helper functions aren't stripped away in debug builds, as they're intended to be called from the debugger.
  Note that the attribute is applied to definitions rather than declarations in headers going forward because it's now conditional on NDEBUG:
      /// \brief Mark debug helper function definitions like dump() that should not be
      /// stripped from debug builds.
  Requires corresponding macro added in LLVM r198456.
  llvm-svn: 198489

* Fixed a FIXME; created a print method for Selectors that accepts a raw_ostream, and started using it in places it made sense. No functional changes intended, just API cleanliness.
  Aaron Ballman, 2014-01-03, 1 file changed, -1/+1
  llvm-svn: 198428

* Correct a user-visible static analyzer message typo
  Alp Toker, 2013-12-02, 1 file changed, -2/+2
  llvm-svn: 196062

* Remove 'DistinctSpellings' support from Attr.td and change its only user to look at the attribute spelling instead.
  Richard Smith, 2013-11-27, 1 file changed, -9/+9
  The 'ownership_*' attributes should probably be split into separate *Attr classes, but that's more than I wanted to do here.
  llvm-svn: 195805

* [analyzer] Handle destructors for the argument to C++ 'delete'.
  Jordan Rose, 2013-09-25, 1 file changed, -1/+2
  Now that the CFG includes nodes for the destructors in a delete-expression, process them in the analyzer using the same common destructor interface currently used for local, member, and base destructors. Also, check for when the value is known to be null, in which case no destructor is actually run.
  This does not yet handle destructors for deleted /arrays/, which may need more CFG work. It also causes a slight regression in the location of double delete warnings; the double delete is detected at the destructor call, which is implicit, and so is reported on the first access within the destructor instead of at the 'delete' statement. This will be fixed soon.
  Patch by Karthik Bhat!
  llvm-svn: 191381

* New message for cases when ownership is taken:
  Anton Yartsev, 2013-09-16, 1 file changed, -10/+23
  "+method_name: cannot take ownership of memory allocated by 'new'." instead of the old "Memory allocated by 'new' should be deallocated by 'delete', not +method_name"
  llvm-svn: 190800

* [analyzer] If realloc fails on an escaped region, that region doesn't leak.
  Jordan Rose, 2013-08-15, 1 file changed, -1/+1
  When a region is realloc()ed, MallocChecker records whether it was known to be allocated or not. If it is, and the reallocation fails, the original region has to be freed. Previously, when an allocated region escaped, MallocChecker completely stopped tracking it, so a failed reallocation still (correctly) wouldn't require freeing the original region.
  Recently, however, MallocChecker started tracking escaped symbols, so that if it were freed we could check that the deallocator matched the allocator. This broke the reallocation model for whether or not a symbol was allocated. Now, MallocChecker will actually check if a symbol is owned, and only require freeing after a failed reallocation if it was owned before.
  PR16730
  llvm-svn: 188468

* Add 'static' and 'const' qualifiers to some arrays of strings.
  Craig Topper, 2013-07-15, 1 file changed, -1/+1
  llvm-svn: 186314

* Use SmallVectorImpl instead of SmallVector for iterators and references to avoid specifying the vector size unnecessarily.
  Craig Topper, 2013-07-04, 1 file changed, -2/+2
  llvm-svn: 185610

* [analyzer] Minor fixups to r183062
  Anna Zaks, 2013-06-08, 1 file changed, -7/+8
  Based on feedback from Jordan.
  llvm-svn: 183600
* [analyzer] Malloc checker should only escape the receiver when "[O init..]" is called.
  Anna Zaks, 2013-05-31, 1 file changed, -29/+45
  Jordan has pointed out that it is valuable to warn in cases when the arguments to init escape. For example, NSData initWithBytes is not going to free the memory.
  llvm-svn: 183062
* [analyzer] Fix a false positive reported on rare strange code, which happens to be in JSONKit
  Anna Zaks, 2013-05-31, 1 file changed, -0/+6
  llvm-svn: 183055

* [analyzer] Indirect invalidation counts as an escape for leak checkers.
  Jordan Rose, 2013-05-10, 1 file changed, -2/+1
  Consider this example:
      char *p = malloc(sizeof(char));
      systemFunction(&p);
      free(p);
  In this case, when we call systemFunction, we know (because it's a system function) that it won't free 'p'. However, we /don't/ know whether or not it will /change/ 'p', so the analyzer is forced to invalidate 'p', wiping out any bindings it contains. But now the malloc'd region looks like a leak, since there are no more bindings pointing to it, and we'll get a spurious leak warning.
  The fix for this is to notice when something is becoming inaccessible due to invalidation (i.e. an imperfect model, as opposed to being explicitly overwritten) and stop tracking it at that point. Currently, the best way to determine this for a call is the "indirect escape" pointer-escape kind. In practice, all the patch does is take the "system functions don't free memory" special case and limit it to direct parameters, i.e. just the arguments to a call and not other regions accessible to them. This is a conservative change that should only cause us to escape regions more eagerly, which means fewer leak warnings.
  This isn't perfect for several reasons, the main one being that this example is treated the same as the one above:
      char **p = malloc(sizeof(char *));
      systemFunction(p + 1); // leak
  Currently, "addresses accessible by offsets of the starting region" and "addresses accessible through bindings of the starting region" are both considered "indirect" regions, hence this uniform treatment.
  Another issue is our longstanding problem of not distinguishing const and non-const bindings; if in the first example systemFunction's parameter were a char * const *, we should know that the function will not overwrite 'p', and thus we can safely report the leak.
  <rdar://problem/13758386>
  llvm-svn: 181607

* [analyzer] Improve the malloc checker stack hint message
  Anna Zaks, 2013-04-16, 1 file changed, -8/+8
  llvm-svn: 179580