summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Remove ProgramState::getSymVal(). It was being misused by Checkers,Ted Kremenek2012-09-071-8/+5
| | | | | | | | | | | | | | | | | | | | with at least one subtle bug in MacOSXKeyChainAPIChecker where the calling the method was a substitute for assuming a symbolic value was null (which is not the case). We still keep ConstraintManager::getSymVal(), but we use that as an optimization in SValBuilder and ProgramState::getSVal() to constant-fold SVals. This is only if the ConstraintManager can provide us with that information, which is no longer a requirement. As part of this, introduce a default implementation of ConstraintManager::getSymVal() which returns null. For Checkers, introduce ConstraintManager::isNull(), which queries the state to see if the symbolic value is constrained to be a null value. It does this without assuming it has been implicitly constant folded. llvm-svn: 163428
* [analyzer] Fix realloc related bug in the malloc checker.Anna Zaks2012-08-241-12/+38
| | | | | | | When reallocation of a non-allocated (not owned) symbol fails do not expect it to be freed. llvm-svn: 162533
* Rename 'currentX' to 'currX' throughout analyzer and libAnalysis.Ted Kremenek2012-08-221-1/+1
| | | | | | | | | Also rename 'getCurrentBlockCounter()' to 'blockCount()'. This ripples a bunch of code simplifications; mostly aesthetic, but makes the code a bit tighter. llvm-svn: 162349
* [analyzer] Cleanup of malloc checker.Anna Zaks2012-08-091-22/+1
| | | | | | | Remove Escaped state, which is not really necessary. We can just stop tracking the symbol instead of keeping it around and marking escaped. llvm-svn: 161557
* [analyzer] Clean up the printing of FieldRegions for leaks.Jordan Rose2012-08-081-3/+2
| | | | | | | | | | | | | | Unfortunately, generalized region printing is very difficult: - ElementRegions are used both for casting and as actual elements. - Accessing values through a pointer means going through an intermediate SymbolRegionValue; symbolic regions are untyped. - Referring to implicitly-defined variables like 'this' and 'self' could be very confusing if they come from another stack frame. We fall back to simply not printing the region name if we can't be sure it will print well. This will allow us to improve in the future. llvm-svn: 161512
* [analyzer] Track malloc'd regions stored in structs.Jordan Rose2012-08-081-16/+14
| | | | | | | | | | | The main blocker on this (besides the previous commit) was that ScanReachableSymbols was not looking through LazyCompoundVals. Once that was fixed, it's easy enough to clear out malloc data on return, just like we do when we bind to a global region. <rdar://problem/10872635> llvm-svn: 161511
* [analyzer] Malloc: remove assert since is not valid as of r161248Anna Zaks2012-08-041-5/+0
| | | | | | | We can be in the situation where we did not track the symbol before realloc was called on it. llvm-svn: 161294
* [analyzer] Malloc: track non-allocated but freed memoryAnna Zaks2012-08-031-12/+4
| | | | | | | | | | There is no reason why we should not track the memory which was not allocated in the current function, but was freed there. This would allow to catch more use-after-free and double free with no/limited IPA. Also fix a realloc issue which surfaced as the result of this patch. llvm-svn: 161248
* [analyzer] Rename Calls.{h,cpp} to CallEvent.{h,cpp}. No functionality change.Jordan Rose2012-07-261-1/+1
| | | | llvm-svn: 160815
* [analyzer] Guard against C++ member functions that look like system functions.Jordan Rose2012-07-101-38/+39
| | | | | | | | | C++ method calls and C function calls both appear as CallExprs in the AST. This was causing crashes for an object that had a 'free' method. <rdar://problem/11822244> llvm-svn: 160029
* [analyzer] Make CallEnter, CallExitBegin, and CallExitEnd not be StmtPointsJordan Rose2012-07-101-6/+10
| | | | | | | These ProgramPoints are used in inlining calls, and not all calls have associated statements anymore. llvm-svn: 160021
* [analyzer] Add new PreImplicitCall and PostImplicitCall ProgramPoints.Jordan Rose2012-07-101-0/+3
| | | | | | | | | | | | | | | | | These are currently unused, but are intended to be used in lieu of PreStmt and PostStmt when the call is implicit (e.g. an automatic object destructor). This also modifies the Data1 field of ProgramPoints to allow storing any pointer-sized value, as opposed to only aligned pointers. This is necessary to store SourceLocations. There is currently no BugReporter support for these; they should be skipped over in any diagnostic output. This commit also tags checkers that currently rely on function calls only occurring at StmtPoints. llvm-svn: 160019
* [analyzer] Finish replacing ObjCMessage with ObjCMethodDecl and friends.Jordan Rose2012-07-021-12/+4
| | | | | | | | The preObjCMessage and postObjCMessage callbacks now take an ObjCMethodCall argument, which can represent an explicit message send (ObjCMessageSend) or an implicit message generated by a property access (ObjCPropertyAccess). llvm-svn: 159559
* [analyzer] Begin replacing ObjCMessage with ObjCMethodCall and friends.Jordan Rose2012-07-021-6/+8
| | | | | | | | | | | | Previously, the CallEvent subclass ObjCMessageInvocation was just a wrapper around the existing ObjCMessage abstraction (over message sends and property accesses). Now, we have abstract CallEvent ObjCMethodCall with subclasses ObjCMessageSend and ObjCPropertyAccess. In addition to removing yet another wrapper object, this should make it easy to add a ObjCSubscriptAccess call event soon. llvm-svn: 159558
* [analyzer] Move the last bits of CallOrObjCMessage over to CallEvent.Jordan Rose2012-07-021-27/+14
| | | | | | | | | | | | | This involved refactoring some common pointer-escapes code onto CallEvent, then having MallocChecker use those callbacks for whether or not to consider a pointer's /ownership/ as escaping. This still needs to be pinned down, and probably we want to make the new argumentsMayEscape() function a little more discerning (content invalidation vs. ownership/metadata invalidation), but this is a good improvement. As a bonus, also remove CallOrObjCMessage from the source completely. llvm-svn: 159557
* [analyzer] Add a new abstraction over all types of calls: CallEventJordan Rose2012-07-021-129/+119
| | | | | | | | | | This is intended to replace CallOrObjCMessage, and is eventually intended to be used for anything that cares more about /what/ is being called than /how/ it's being called. For example, inlining destructors should be the same as inlining blocks, and checking __attribute__((nonnull)) should apply to the allocator calls generated by operator new. llvm-svn: 159554
* [analyzer] Be careful about implicitly-declared operator new/delete. (PR13090)Jordan Rose2012-06-251-2/+1
| | | | | | | | The implicit global allocation functions do not have valid source locations, but we still want to treat them as being "system header" functions for the purposes of how they affect program state. llvm-svn: 159160
* [analyzer] Teach malloc checker that initWith[Bytes|Characters}NoCopy Anna Zaks2012-06-221-1/+3
| | | | | | relinquish memory. llvm-svn: 159043
* [analyzer] Fixup to r158958.Anna Zaks2012-06-221-2/+2
| | | | llvm-svn: 159037
* [analyzer] Malloc: Warn about use-after-free when memory ownership wasAnna Zaks2012-06-221-11/+73
| | | | | | transfered with dataWithBytesNoCopy. llvm-svn: 158958
* [analyzer] Malloc leak false positive: Allow xpc context to escape.Anna Zaks2012-06-201-0/+6
| | | | llvm-svn: 158875
* [analyzer] Malloc: cleanup, disallow free on relinquished memory.Anna Zaks2012-06-201-10/+17
| | | | | | | | This commits sets the grounds for more aggressive use after free checking. We will use the Relinquished sate to denote that someone else is now responsible for releasing the memory. llvm-svn: 158850
* [analyzer] Allow pointers to escape into NSPointerArray.Anna Zaks2012-06-191-0/+10
| | | | | | (Fixes radar://11691035 PR13140) llvm-svn: 158703
* [analyzer] Buffers passed to CGBitmapContextCreate can escape.Jordan Rose2012-06-161-5/+7
| | | | | | | | | | | | | | Specifically, although the bitmap context does not take ownership of the buffer (unlike CGBitmapContextCreateWithData), the data buffer can be extracted out of the created CGContextRef. Thus the buffer is not leaked even if its original pointer goes out of scope, as long as - the context escapes, or - it is retrieved via CGBitmapContextGetData and freed. Actually implementing that logic is beyond the current scope of MallocChecker, so for now CGBitmapContextCreate goes on our system function exception list. llvm-svn: 158579
* [analyzer] Anti-aliasing: different heap allocations do not aliasAnna Zaks2012-06-071-5/+13
| | | | | | | | | | | | Add a concept of symbolic memory region belonging to heap memory space. When comparing symbolic regions allocated on the heap, assume that they do not alias. Use symbolic heap region to suppress a common false positive pattern in the malloc checker, in code that relies on malloc not returning the memory aliased to other malloc allocations, stack. llvm-svn: 158136
* Fix typos found by http://github.com/lyda/misspell-checkBenjamin Kramer2012-06-021-2/+2
| | | | llvm-svn: 157886
* [analyzer] Malloc checker: remove unnecessary comparisons.Anna Zaks2012-05-181-16/+10
| | | | llvm-svn: 157081
* [analyzer]Malloc: refactor and report use after free by memoryAnna Zaks2012-05-181-10/+57
| | | | | | allocating functions. llvm-svn: 157037
* [analyzer] Do not highlight the range of the statement in case of leak.Anna Zaks2012-05-101-8/+24
| | | | | | | | | | We report a leak at a point a leaked variable is no longer accessible. The statement that happens to be at that point is not relevant to the leak diagnostic and, thus, should not be highlighted. radar://11178519 llvm-svn: 156530
* [analyzer] Allow pointers escape through calls containing callback args.Anna Zaks2012-05-031-0/+10
| | | | | | | (Since we don't have a generic pointer escape callback, modify ExprEngineCallAndReturn as well as the malloc checker.) llvm-svn: 156134
* [analyzer] Fix the 'ptr = ptr' false negative in the Malloc checker.Anna Zaks2012-05-021-1/+16
| | | | llvm-svn: 155963
* [analyzer] Don't crash even when the system functions are redefined.Anna Zaks2012-04-101-0/+11
| | | | | | | | | | (Applied changes to CStringAPI, Malloc, and Taint.) This might almost never happen, but we should not crash even if it does. This fixes a crash on the internal analyzer buildbot, where postgresql's configure was redefining memmove (radar://11219852). llvm-svn: 154451
* [analyzer]Malloc,RetainRelease: Allow pointer to escape via NSMapInsert.Anna Zaks2012-03-301-0/+5
| | | | | | | | Fixes a false positive (radar://11152419). The current solution of adding the info into 3 places is quite ugly. Pending a generic pointer escapes callback. llvm-svn: 153731
* [analyzer] Malloc: Allow a pointer to escape through OSAtomicEnqueue.Anna Zaks2012-03-261-1/+2
| | | | llvm-svn: 153453
* [analyzer] Tighten up the realloc() failure path note generation...make sure ↵Jordy Rose2012-03-241-22/+31
| | | | | | we get the right realloc()! llvm-svn: 153370
* [analyzer] Restart path diagnostic generation if any of the visitors change ↵Jordy Rose2012-03-241-4/+0
| | | | | | | | | | the report configuration while walking the path. This required adding a change count token to BugReport, but also allowed us to ditch ImmutableList as the BugReporterVisitor data type. Also, remove the hack from MallocChecker, now that visitors appear in the opposite order. This is not exactly a fix, but the common case -- custom diagnostics after generic ones -- is now the default behavior. llvm-svn: 153369
* [analyzer] Add a clone() method to BugReporterVisitor, so that we'll be able ↵Jordy Rose2012-03-241-1/+1
| | | | | | to reset diagnostic generation. llvm-svn: 153368
* [analyzer] Malloc: drop symbols captured by blocks.Anna Zaks2012-03-221-0/+42
| | | | llvm-svn: 153232
* Remove unused variable, fix indentation.Benjamin Kramer2012-03-211-7/+5
| | | | llvm-svn: 153220
* [analyzer] Malloc: Utter the name of the leaked variable.Anna Zaks2012-03-211-10/+39
| | | | | | | | | | | | | | | Specifically, we use the last store of the leaked symbol in the leak diagnostic. (No support for struct fields since the malloc checker doesn't track those yet.) + Infrastructure to track the regions used in store evaluations. This approach is more precise than iterating the store to obtain the region bound to the symbol, which is used in RetainCount checker. The region corresponds to what is uttered in the code in the last store and we do not rely on the store implementation to support this functionality. llvm-svn: 153212
* [analyzer] Mark a failed-realloc's result as an interesting symbol between ↵Jordy Rose2012-03-181-3/+27
| | | | | | | | | | the realloc call and the null check, so we get nicer path notes. Fixes a regression introduced by the diagnostic pruning added in r152361. This is accomplished by calling markInteresting /during/ path diagnostic generation, and as such relies on deterministic ordering of BugReporterVisitors -- namely, that BugReporterVisitors are run in /reverse/ order from how they are added. (Right now that's a consequence of storing visitors in an ImmutableList, where new items are added to the front.) It's a little hacky, but it works for now. I think this is the best we can do without storing the relation between the old and new symbols, and that would be a hit whether or not there ends up being an error. llvm-svn: 153010
* [analyzer] Shorten the stack hint diagnostic.Anna Zaks2012-03-161-6/+9
| | | | | | | Do not display the standard "Returning from 'foo'", when a stack hint is available. llvm-svn: 152964
* [analyzer] Create symbol-aware stack hints (building upon r152837).Anna Zaks2012-03-161-7/+31
| | | | | | | | | | | | | | | | | | The symbol-aware stack hint combines the checker-provided message with the information about how the symbol was passed to the callee: as a parameter or a return value. For malloc, the generated messages look like this : "Returning from 'foo'; released memory via 1st parameter" "Returning from 'foo'; allocated memory via 1st parameter" "Returning from 'foo'; allocated memory returned" "Returning from 'foo'; reallocation of 1st parameter failed" (We are yet to handle cases when the symbol is a field in a struct or an array element.) llvm-svn: 152962
* [analyzer] Allow checkers to supply call stack diagnostic hints for theAnna Zaks2012-03-151-4/+11
| | | | | | | | | | | | | | | | | | | | | | | | | BugVisitor DiagnosticPieces. When checkers create a DiagnosticPieceEvent, they can supply an extra string, which will be concatenated with the call exit message for every call on the stack between the diagnostic event and the final bug report. (This is a simple version, which could be/will be further enhanced.) For example, this is used in Malloc checker to produce the ", which allocated memory" in the following example: static char *malloc_wrapper() { // 2. Entered call from 'use' return malloc(12); // 3. Memory is allocated } void use() { char *v; v = malloc_wrapper(); // 1. Calling 'malloc_wrappers' // 4. Returning from 'malloc_wrapper', which allocated memory } // 5. Memory is never released; potential memory leak llvm-svn: 152837
* [analyzer] Implement basic path diagnostic pruning based on "interesting" ↵Ted Kremenek2012-03-091-0/+4
| | | | | | | | | | | | | | | | | symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
* [analyzer] Remove now-unused constant. No functionality change.Jordy Rose2012-03-061-2/+0
| | | | llvm-svn: 152080
* [analyzer] Fix unnecessary dyn_cast_or_null. No functionality change.Jordy Rose2012-03-061-2/+2
| | | | llvm-svn: 152078
* [analyzer] Malloc should assume that ownership is transfered whenAnna Zaks2012-03-051-1/+10
| | | | | | calling an ObjC method ending with 'NoCopy'. llvm-svn: 152037
* [analyzer] Fix a regression introduced in malloc withAnna Zaks2012-03-011-3/+7
| | | | | | | | | | attributes, introduced in r151188. + the test to catch it. Thanks to Ahmed Charles for pointing this out. llvm-svn: 151840
* [analyzer] Malloc: A pointer might escape through CFContainers APIs,Anna Zaks2012-02-291-3/+38
| | | | | | | | | | | | funopen, setvbuf. Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it. llvm-svn: 151737
OpenPOWER on IntegriCloud