summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
...
* [analyzer] Teach the MallocChecker about Glib API for two argumentsLeslie Zhai2017-04-261-28/+74
| | | | | | | | | | | | Reviewers: zaks.anna, NoQ, danielmarjamaki Reviewed By: zaks.anna, NoQ, danielmarjamaki Subscribers: cfe-commits, kalev, pwithnall Differential Revision: https://reviews.llvm.org/D30771 llvm-svn: 301384
* [analyzer] Teach the MallocChecker about about Glib APIAnna Zaks2017-03-091-7/+40
| | | | | | | | A patch by Leslie Zhai! Differential Revision: https://reviews.llvm.org/D28348 llvm-svn: 297323
* [analyzer] Add LocationContext as a parameter to checkRegionChangesAnna Zaks2017-01-131-1/+1
| | | | | | | | | | | This patch adds LocationContext to checkRegionChanges and removes wantsRegionChangeUpdate as it was unused. A patch by Krzysztof Wiśniewski! Differential Revision: https://reviews.llvm.org/D27090 llvm-svn: 291869
* Migrate PathDiagnosticPiece to std::shared_ptrDavid Blaikie2017-01-051-10/+8
| | | | | | | Simplifies and makes explicit the memory ownership model rather than implicitly passing/acquiring ownership. llvm-svn: 291143
* [analyzer] Fix crash in MallocChecker.Devin Coughlin2016-12-161-2/+1
| | | | | | | | | | | | | Fix a crash in the MallocChecker when the extent size for the argument to new[] is not known. A patch by Abramo Bagnara and Dániel Krupp! https://reviews.llvm.org/D27849 Differential Revision: https://reviews.llvm.org/D27849 llvm-svn: 289970
* [analyzer] Add another exception for Qt in MallocCheckerArtem Dergachev2016-12-161-0/+5
| | | | | | | | | | Treat pointers passed to QObject::connectImpl() as escaping. rdar://problem/29550440 Differential Revision: https://reviews.llvm.org/D27717 llvm-svn: 289939
* Revert "Revert "[analyzer] Make MallocChecker more robust against custom ↵Devin Coughlin2016-10-161-0/+4
| | | | | | | | | redeclarations"" This reverts commit r284340 to reapply r284335. The bot breakage was due to an unrelated change in the polybench test suite. llvm-svn: 284351
* Revert "[analyzer] Make MallocChecker more robust against custom redeclarations"Devin Coughlin2016-10-161-4/+0
| | | | | | | | | | This reverts commit r284335. It appears to be causing test-suite compile-time and execution-time performance measurements to take longer than expected on several bots. This is surprising, because r284335 is a static-analyzer-only change. llvm-svn: 284340
* [analyzer] Make MallocChecker more robust against custom redeclarationsDevin Coughlin2016-10-161-0/+4
| | | | | | | | | | | | | Add additional checking to MallocChecker to avoid crashing when memory routines have unexpected numbers of arguments. You wouldn't expect to see much of this in normal code (-Wincompatible-library-redeclaration warns on this), but, for example, CMake tests can generate these. This is PR30616. rdar://problem/28631974 llvm-svn: 284335
* [analyzer] Calculate extent size for memory regions allocated by new expression.Gabor Horvath2016-09-191-0/+52
| | | | | | | | | | | ArrayBoundChecker did not detect out of bounds memory access errors in case an array was allocated by the new expression. This patch resolves this issue. Patch by Daniel Krupp! Differential Revision: https://reviews.llvm.org/D24307 llvm-svn: 281934
* [analyzer] Small cleanups when checkers retrieving statements from explodedGabor Horvath2016-08-181-22/+4
| | | | | | | | nodes. Differential Revision: https://reviews.llvm.org/D23550 llvm-svn: 279037
* [NFC] Header cleanupMehdi Amini2016-07-181-1/+0
| | | | | | | | | | Summary: Removed unused headers, replaced some headers with forward class declarations Patch by: Eugene <claprix@yandex.ru> Differential Revision: https://reviews.llvm.org/D20100 llvm-svn: 275882
* Use more ArrayRefsDavid Majnemer2016-06-241-1/+1
| | | | | | No functional change is intended, just a small refactoring. llvm-svn: 273647
* Apply clang-tidy's misc-move-constructor-init throughout Clang.Benjamin Kramer2016-05-271-1/+2
| | | | | | No functionality change intended, maybe a tiny performance improvement. llvm-svn: 270996
* [analyzer] Fix missed leak from MSVC specific allocation functionsAnna Zaks2016-03-081-13/+23
| | | | | | | | | | | | Add the wide character strdup variants (wcsdup, _wcsdup) and the MSVC version of alloca (_alloca) and other differently named function used by the Malloc checker. A patch by Alexander Riccio! Differential Revision: http://reviews.llvm.org/D17688 llvm-svn: 262894
* [analyzer] Fix SVal/SymExpr/MemRegion class and enum names for consistency.Artem Dergachev2016-01-131-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The purpose of these changes is to simplify introduction of definition files for the three hierarchies. 1. For every sub-class C of these classes, its kind in the relevant enumeration is changed to "CKind" (or C##Kind in preprocessor-ish terms), eg: MemRegionKind -> MemRegionValKind RegionValueKind -> SymbolRegionValueKind CastSymbolKind -> SymbolCastKind SymIntKind -> SymIntExprKind 2. MemSpaceRegion used to be inconsistently used as both an abstract base and a particular region. This region class is now an abstract base and no longer occupies GenericMemSpaceRegionKind. Instead, a new class, CodeSpaceRegion, is introduced for handling the unique use case for MemSpaceRegion as "the generic memory space" (when it represents a memory space that holds all executable code). 3. BEG_ prefixes in memory region kind ranges are renamed to BEGIN_ for consisitency with symbol kind ranges. 4. FunctionTextRegion and BlockTextRegion are renamed to FunctionCodeRegion and BlockCodeRegion, respectively. The term 'code' is less jargony than 'text' and we already refer to BlockTextRegion as a 'code region' in BlockDataRegion. Differential Revision: http://reviews.llvm.org/D16062 llvm-svn: 257598
* [analyzer] Fix false warning about memory leak for QApplication::postEventAnna Zaks2016-01-061-0/+10
| | | | | | | | | | | According to Qt documentation Qt takes care of memory allocated for QEvent: http://doc.qt.io/qt-4.8/qcoreapplication.html#postEvent A patch by Evgeniy Dushistov! Differential Revision: http://reviews.llvm.org/D14170 llvm-svn: 256887
* Refactor: Simplify boolean conditional return statements in ↵Alexander Kornienko2015-12-281-6/+3
| | | | | | | | | | | | | | | | lib/StaticAnalyzer/Checkers Summary: Use clang-tidy to simplify boolean conditional return values Reviewers: dcoughlin, krememek Subscribers: krememek, cfe-commits Patch by Richard Thomson! Differential Revision: http://reviews.llvm.org/D10021 llvm-svn: 256491
* [analyzer] Assume escape is possible through system functions taking void*Anna Zaks2015-10-271-1/+1
| | | | | | | | | | | | | | | | | | The analyzer assumes that system functions will not free memory or modify the arguments in other ways, so we assume that arguments do not escape when those are called. However, this may lead to false positive leak errors. For example, in code like this where the pointers added to the rb_tree are freed later on: struct alarm_event *e = calloc(1, sizeof(*e)); <snip> rb_tree_insert_node(&alarm_tree, e); Add a heuristic to assume that calls to system functions taking void* arguments allow for pointer escape. llvm-svn: 251449
* [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).Devin Coughlin2015-09-221-13/+25
| | | | | | | | | | | | | | | | | | Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr, 0): "7.22.3 Memory management functions calloc, malloc, realloc: If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object." The patch equalizes the processing of malloc(0) and realloc(ptr,0). The patch also enables unix.Malloc checker to detect references to zero-allocated memory returned by realloc(ptr,0) ("Use of zero-allocated memory" warning). A patch by Антон Ярцев! Differential Revision: http://reviews.llvm.org/D9040 llvm-svn: 248336
* [analyzer] Add generateErrorNode() APIs to CheckerContext.Devin Coughlin2015-09-161-11/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
* [analyzer] Apply whitespace cleanups by Honggyu Kim.Ted Kremenek2015-09-081-74/+74
| | | | llvm-svn: 246978
* Wdeprecated: BugReporterVisitors are copied for cloning ↵David Blaikie2015-08-131-3/+2
| | | | | | | | | | (BugReporterVisitorImpl), make sure such copies are safe Make the copy/move ctors defaulted in the base class and make the derived classes final to avoid any intermediate hierarchy slicing if these types were further derived. llvm-svn: 244979
* Wdeprecated: CollectReachableSymbolsCallback are move constructed/returned ↵David Blaikie2015-08-131-1/+1
| | | | | | | | | | | | | | by value, so make sure they're copy/moveable (return by value is in ExprEngine::processPointerEscapedOnBind and any other call to the scanReachableSymbols function template used there) Protect the special members in the base class to avoid slicing, and make derived classes final so these special members don't accidentally become public on an intermediate base which would open up the possibility of slicing again. llvm-svn: 244975
* Clarify pointer ownership semantics by hoisting the std::unique_ptr creation ↵Aaron Ballman2015-06-231-28/+29
| | | | | | to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
* [analyzer] This implements potential undefbehavior.ZeroAllocDereference checker.Anton Yartsev2015-04-141-11/+155
| | | | | TODO: support realloc(). Currently it is not possible due to the present realloc() handling. Currently RegionState is not being attached to realloc() in case of a zero Size argument. llvm-svn: 234889
* Use 'override/final' instead of 'virtual' for overridden methodsAlexander Kornienko2015-04-111-1/+1
| | | | | | | | | | | | | | | | | | | | Summary: The patch is generated using clang-tidy misc-use-override check. This command was used: tools/clang/tools/extra/clang-tidy/tool/run-clang-tidy.py \ -checks='-*,misc-use-override' -header-filter='llvm|clang' -j=32 -fix Reviewers: dblaikie Reviewed By: dblaikie Subscribers: klimek, cfe-commits Differential Revision: http://reviews.llvm.org/D8926 llvm-svn: 234678
* [analyzer] Make getCheckIfTracked() return either leak or regular checker.Anton Yartsev2015-03-101-19/+29
| | | | llvm-svn: 231863
* [analyzer] Remove unused type (addition to r231540: "Revert changes from ↵Anton Yartsev2015-03-071-1/+0
| | | | | | r229593") llvm-svn: 231548
* [analyzer] Revert changes from r229593; an enhancement is under discussionAnton Yartsev2015-03-071-87/+67
| | | | llvm-svn: 231540
* [analyzer] Bug fix: do not report leaks for alloca()Anton Yartsev2015-03-041-0/+5
| | | | llvm-svn: 231314
* [analyzer] Individual configuration options can be specified for checkers.Gabor Horvath2015-03-041-25/+19
| | | | | | | | | | Reviewed by: Anna Zaks Original patch by: Aleksei Sidorin Differential Revision: http://reviews.llvm.org/D7905 llvm-svn: 231266
* [analyzer] unix.Malloc: preserve AllocaRegion bound to __builtin_alloca().Anton Yartsev2015-03-031-13/+17
| | | | | | Binding __builtin_alloca() return value to the symbolic value kills previous binding to a AllocaRegion established by the core.BuiltinFunctions checker. Other checkers may rely upon this information. Rollback handling of __builtin_alloca() to the way prior to r229850. llvm-svn: 231160
* [analyzer] Different handling of alloca().Anton Yartsev2015-02-191-30/+78
| | | | | | | | | | + separate bug report for "Free alloca()" error to be able to customize checkers responsible for this error. + Muted "Free alloca()" error for NewDelete checker that is not responsible for c-allocated memory, turned on for unix.MismatchedDeallocator checker. + RefState for alloca() - to be able to detect usage of zero-allocated memory by upcoming ZeroAllocDereference checker. + AF_Alloca family to handle alloca() consistently - keep proper family in RefState, handle 'alloca' by getCheckIfTracked() facility, etc. + extra tests. llvm-svn: 229850
* [analyzer] Refactoring: clarified the way the proper check kind is chosen.Anton Yartsev2015-02-181-64/+86
| | | | llvm-svn: 229593
* [analyzer] Pass actual state to alloc/dealloc handling functions.Anton Yartsev2015-02-101-43/+78
| | | | | | The state obtained from CheckerContext::getState() may be outdated by the time the alloc/dealloc handling function is called (e.g. the state was modified but the transition was not performed). State argument was added to all alloc/dealloc handling functions in order to get the latest state and to allow sequential calls to those functions. llvm-svn: 228737
* [analyzer] Look for allocation site in the parent frames as well as the ↵Anna Zaks2015-02-051-3/+5
| | | | | | | | | | | | | current one. Instead of handling edge cases (mostly involving blocks), where we have difficulty finding an allocation statement, allow the allocation site to be in a parent node. Previously we assumed that the allocation site can always be found in the same frame as allocation, but there are scenarios in which an element is leaked in a child frame but is allocated in the parent. llvm-svn: 228247
* Remove stray enum keywords. MSVC sees this as a redeclaration at global scope.Benjamin Kramer2014-10-031-2/+2
| | | | llvm-svn: 219031
* [analyzer] Make Malloc Checker track memory allocated by if_nameindexAnna Zaks2014-10-031-37/+81
| | | | | | | | | | | | | | | The MallocChecker does currently not track the memory allocated by if_nameindex. That memory is dynamically allocated and should be freed by calling if_freenameindex. The attached patch teaches the checker about these functions. Memory allocated by if_nameindex is treated as a separate allocation "family". That way the checker can verify it is freed by the correct function. A patch by Daniel Fahlgren! llvm-svn: 219025
* [analyzer] Don't crash if malloc() has an unexpected function prototype.Jordan Rose2014-09-051-4/+4
| | | | | | Patch by Daniel Fahlgren! llvm-svn: 217258
* unique_ptrify BugReporter::visitorsDavid Blaikie2014-09-041-5/+5
| | | | llvm-svn: 217205
* unique_ptr-ify PathDiagnosticPiece ownershipDavid Blaikie2014-08-291-4/+5
| | | | llvm-svn: 216751
* [Analyzer] fix for PR19102Anton Yartsev2014-08-051-0/+41
| | | | | | Newly-created unconsumed instance is now assumed escaped if an invoked constructor has an argument of a pointer-to-record type. llvm-svn: 214909
* [C++11] Use 'nullptr'. StaticAnalyzer edition.Craig Topper2014-05-271-57/+58
| | | | llvm-svn: 209642
* Updated the attribute tablegen emitter for variadic arguments to emit a ↵Aaron Ballman2014-05-021-3/+2
| | | | | | range accessor in addition to the iterators. Updated code using iterators to use range-based for loops. llvm-svn: 207837
* [analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs.Jordan Rose2014-03-261-5/+114
| | | | | | | | | | | | | | | | | | | | | Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels. Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux. Future work involves a better method of checking for named flags without hardcoding values. Patch by Conrad Meyer, with minor modifications by me. llvm-svn: 204832
* [C++11] Add 'override' keyword to virtual methods that override their base ↵Craig Topper2014-03-151-7/+8
| | | | | | class. llvm-svn: 203999
* [C++11] Replacing DeclBase iterators specific_attr_begin() and ↵Aaron Ballman2014-03-101-18/+9
| | | | | | specific_attr_end() with iterator_range specific_attrs(). Updating all of the usages of the iterators with range-based for loops. llvm-svn: 203474
* Replace OwningPtr with std::unique_ptr.Ahmed Charles2014-03-071-7/+7
| | | | | | This compiles cleanly with lldb/lld/clang-tools-extra/llvm. llvm-svn: 203279
* [C++11] Replace llvm::tie with std::tie.Benjamin Kramer2014-03-021-4/+4
| | | | llvm-svn: 202639
OpenPOWER on IntegriCloud