summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Replace ProgramPoint llvm::cast support to be well-defined.David Blaikie2013-02-211-5/+5
| | | | | | See r175462 for another example/more details. llvm-svn: 175812
* Include llvm::Optional in clang/Basic/LLVM.hDavid Blaikie2013-02-201-6/+4
| | | | | | Post-commit CR feedback from Jordan Rose regarding r175594. llvm-svn: 175679
* Replace SVal llvm::cast support to be well-defined.David Blaikie2013-02-201-17/+19
| | | | | | See r175462 for another example/more details. llvm-svn: 175594
* [analyzer] Report bugs when freeing memory with offset pointerAnna Zaks2013-02-071-20/+71
| | | | | | | | | | | | | | | | | The malloc checker will now catch the case when a previously malloc'ed region is freed, but the pointer passed to free does not point to the start of the allocated memory. For example: int *p1 = malloc(sizeof(int)); p1++; free(p1); // warn From the "memory.LeakPtrValChanged enhancement to unix.Malloc" entry in the list of potential checkers. A patch by Branden Archer! llvm-svn: 174678
* [analyzer] Add pointer escape type param to checkPointerEscape callbackAnna Zaks2013-02-071-3/+8
| | | | | | | | | | | | | | The checkPointerEscape callback previously did not specify how a pointer escaped. This change includes an enum which describes the different ways a pointer may escape. This enum is passed to the checkPointerEscape callback when a pointer escapes. If the escape is due to a function call, the call is passed. This changes previous behavior where the call is passed as NULL if the escape was due to indirectly invalidating the region the pointer referenced. A patch by Branden Archer! llvm-svn: 174677
* Remove useless 'llvm::' qualifier from names like StringRef and others that areDmitri Gribenko2013-01-121-3/+3
| | | | | | brought into 'clang' namespace by clang/Basic/LLVM.h llvm-svn: 172323
* [analyzer] Include the bug uniqueing location in the issue_hash.Anna Zaks2013-01-081-15/+18
| | | | | | | | | | | | | | | The issue here is that if we have 2 leaks reported at the same line for which we cannot print the corresponding region info, they will get treated as the same by issue_hash+description. We need to AUGMENT the issue_hash with the allocation info to differentiate the two issues. Add the "hash" (offset from the beginning of a function) representing allocation site to solve the issue. We might want to generalize solution in the future when we decide to track more than just the 2 locations from the diagnostics. llvm-svn: 171825
* Tighten code. No functionality change.Ted Kremenek2013-01-041-7/+7
| | | | llvm-svn: 171501
* Make MallocChecker debug output useful.Ted Kremenek2013-01-031-2/+22
| | | | llvm-svn: 171439
* [analyzer] Add the pointer escaped callback.Anna Zaks2012-12-201-89/+16
| | | | | | | | | | Instead of using several callbacks to identify the pointer escape event, checkers now can register for the checkPointerEscape. Converted the Malloc checker to use the new callback. SimpleStreamChecker will be converted next. llvm-svn: 170625
* [analyzer] Don't generate a summary for "freeWhenDone" if method isAnna Zaks2012-12-111-0/+3
| | | | | | | | | inlined. Fixes a false positive that occurs if a user writes their own initWithBytesNoCopy:freeWhenDone wrapper. llvm-svn: 169795
* Only provide explicit getCapturedRegion() and getOriginalRegion() from ↵Ted Kremenek2012-12-061-1/+1
| | | | | | | | referenced_vars_iterator. This is a nice conceptual cleanup. llvm-svn: 169480
* Sort all of Clang's files under 'lib', and fix up the broken headersChandler Carruth2012-12-041-4/+4
| | | | | | | | | | | | | uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. llvm-svn: 169237
* Pull the Attr iteration parts out of Attr.h, so including DeclBase.h doesn't ↵Benjamin Kramer2012-12-011-1/+2
| | | | | | | | | pull in all the generated Attr code. Required to pull some functions out of line, but this shouldn't have a perf impact. No functionality change. llvm-svn: 169092
* Make helpers static/anonymous.Benjamin Kramer2012-11-221-2/+2
| | | | llvm-svn: 168500
* [analyzer] MallocChecker: Remove now-unnecessary check::EndPath callback.Jordan Rose2012-11-151-29/+1
| | | | | | | Also, don't bother to stop tracking symbols in the return value, either. They are now properly considered live during checkDeadSymbols. llvm-svn: 168067
* [analyzer] Address Jordan's code review for r167813.Anna Zaks2012-11-131-20/+15
| | | | | | | This simplifies logic, fixes a bug, and adds a test case. Thanks Jordan! llvm-svn: 167868
* Fix a Malloc Checker FP by tracking return values from initWithCharacterAnna Zaks2012-11-131-20/+81
| | | | | | | | | | and other functions. When these functions return null, the pointer is not freed by them/ownership is not transfered. So we should allow the user to free the pointer by calling another function when the return value is NULL. llvm-svn: 167813
* [analyzer] Use nice macros for the common ProgramStateTraits (map, set, list).Jordan Rose2012-11-021-26/+9
| | | | | | | | | Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h. This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait, but it does get a lot of them. llvm-svn: 167276
* [analyzer] Rename 'EmitReport' to 'emitReport'.Jordan Rose2012-11-021-4/+4
| | | | | | No functionality change. llvm-svn: 167275
* [analyzer] Fix typo in r167186.Jordan Rose2012-11-011-1/+1
| | | | llvm-svn: 167189
* [analyzer] Rename ConditionTruthVal::isTrue to isConstrainedTrue.Jordan Rose2012-11-011-2/+7
| | | | | | | | (and the same for isFalse) No functionality change. llvm-svn: 167186
* [analyzer] Malloc checker cleanup/refactorAnna Zaks2012-10-291-9/+7
| | | | | | | No need for the auxiliary flag. No need to generate a leak node when there is no error. llvm-svn: 166977
* Use llvm::getOrdinalSuffix to print ordinal numbers in diagnostics.Jordan Rose2012-09-221-4/+6
| | | | | | Just a refactoring of common infrastructure. No intended functionality change. llvm-svn: 164443
* [analyzer] MallocChecker should not do post-call checks on inlined functions.Jordan Rose2012-09-201-0/+3
| | | | | | | | | | | If someone provides their own function called 'strdup', or 'reallocf', or even 'malloc', and we inlined it, the inlining should have given us all the malloc-related information we need. If we then try to attach new information to the return value, we could end up with spurious warnings. <rdar://problem/12317671> llvm-svn: 164276
* [analyzer] Teach the analyzer about implicit initialization of staticsAnna Zaks2012-09-171-1/+1
| | | | | | | | | | | in ObjCMethods. Extend FunctionTextRegion to represent ObjC methods as well as functions. Note, it is not clear what type ObjCMethod region should return. Since the type of the FunctionText region is not currently used, defer solving this issue. llvm-svn: 164046
* [analyzer] Fix another false positive in malloc realloc logic.Anna Zaks2012-09-121-13/+32
| | | | llvm-svn: 163749
* Remove ProgramState::getSymVal(). It was being misused by Checkers,Ted Kremenek2012-09-071-8/+5
| | | | | | | | | | | | | | | | | | | | with at least one subtle bug in MacOSXKeyChainAPIChecker where the calling the method was a substitute for assuming a symbolic value was null (which is not the case). We still keep ConstraintManager::getSymVal(), but we use that as an optimization in SValBuilder and ProgramState::getSVal() to constant-fold SVals. This is only if the ConstraintManager can provide us with that information, which is no longer a requirement. As part of this, introduce a default implementation of ConstraintManager::getSymVal() which returns null. For Checkers, introduce ConstraintManager::isNull(), which queries the state to see if the symbolic value is constrained to be a null value. It does this without assuming it has been implicitly constant folded. llvm-svn: 163428
* [analyzer] Fix realloc related bug in the malloc checker.Anna Zaks2012-08-241-12/+38
| | | | | | | When reallocation of a non-allocated (not owned) symbol fails do not expect it to be freed. llvm-svn: 162533
* Rename 'currentX' to 'currX' throughout analyzer and libAnalysis.Ted Kremenek2012-08-221-1/+1
| | | | | | | | | Also rename 'getCurrentBlockCounter()' to 'blockCount()'. This ripples a bunch of code simplifications; mostly aesthetic, but makes the code a bit tighter. llvm-svn: 162349
* [analyzer] Cleanup of malloc checker.Anna Zaks2012-08-091-22/+1
| | | | | | | Remove Escaped state, which is not really necessary. We can just stop tracking the symbol instead of keeping it around and marking escaped. llvm-svn: 161557
* [analyzer] Clean up the printing of FieldRegions for leaks.Jordan Rose2012-08-081-3/+2
| | | | | | | | | | | | | | Unfortunately, generalized region printing is very difficult: - ElementRegions are used both for casting and as actual elements. - Accessing values through a pointer means going through an intermediate SymbolRegionValue; symbolic regions are untyped. - Referring to implicitly-defined variables like 'this' and 'self' could be very confusing if they come from another stack frame. We fall back to simply not printing the region name if we can't be sure it will print well. This will allow us to improve in the future. llvm-svn: 161512
* [analyzer] Track malloc'd regions stored in structs.Jordan Rose2012-08-081-16/+14
| | | | | | | | | | | The main blocker on this (besides the previous commit) was that ScanReachableSymbols was not looking through LazyCompoundVals. Once that was fixed, it's easy enough to clear out malloc data on return, just like we do when we bind to a global region. <rdar://problem/10872635> llvm-svn: 161511
* [analyzer] Malloc: remove assert since is not valid as of r161248Anna Zaks2012-08-041-5/+0
| | | | | | | We can be in the situation where we did not track the symbol before realloc was called on it. llvm-svn: 161294
* [analyzer] Malloc: track non-allocated but freed memoryAnna Zaks2012-08-031-12/+4
| | | | | | | | | | There is no reason why we should not track the memory which was not allocated in the current function, but was freed there. This would allow to catch more use-after-free and double free with no/limited IPA. Also fix a realloc issue which surfaced as the result of this patch. llvm-svn: 161248
* [analyzer] Rename Calls.{h,cpp} to CallEvent.{h,cpp}. No functionality change.Jordan Rose2012-07-261-1/+1
| | | | llvm-svn: 160815
* [analyzer] Guard against C++ member functions that look like system functions.Jordan Rose2012-07-101-38/+39
| | | | | | | | | C++ method calls and C function calls both appear as CallExprs in the AST. This was causing crashes for an object that had a 'free' method. <rdar://problem/11822244> llvm-svn: 160029
* [analyzer] Make CallEnter, CallExitBegin, and CallExitEnd not be StmtPointsJordan Rose2012-07-101-6/+10
| | | | | | | These ProgramPoints are used in inlining calls, and not all calls have associated statements anymore. llvm-svn: 160021
* [analyzer] Add new PreImplicitCall and PostImplicitCall ProgramPoints.Jordan Rose2012-07-101-0/+3
| | | | | | | | | | | | | | | | | These are currently unused, but are intended to be used in lieu of PreStmt and PostStmt when the call is implicit (e.g. an automatic object destructor). This also modifies the Data1 field of ProgramPoints to allow storing any pointer-sized value, as opposed to only aligned pointers. This is necessary to store SourceLocations. There is currently no BugReporter support for these; they should be skipped over in any diagnostic output. This commit also tags checkers that currently rely on function calls only occurring at StmtPoints. llvm-svn: 160019
* [analyzer] Finish replacing ObjCMessage with ObjCMethodDecl and friends.Jordan Rose2012-07-021-12/+4
| | | | | | | | The preObjCMessage and postObjCMessage callbacks now take an ObjCMethodCall argument, which can represent an explicit message send (ObjCMessageSend) or an implicit message generated by a property access (ObjCPropertyAccess). llvm-svn: 159559
* [analyzer] Begin replacing ObjCMessage with ObjCMethodCall and friends.Jordan Rose2012-07-021-6/+8
| | | | | | | | | | | | Previously, the CallEvent subclass ObjCMessageInvocation was just a wrapper around the existing ObjCMessage abstraction (over message sends and property accesses). Now, we have abstract CallEvent ObjCMethodCall with subclasses ObjCMessageSend and ObjCPropertyAccess. In addition to removing yet another wrapper object, this should make it easy to add a ObjCSubscriptAccess call event soon. llvm-svn: 159558
* [analyzer] Move the last bits of CallOrObjCMessage over to CallEvent.Jordan Rose2012-07-021-27/+14
| | | | | | | | | | | | | This involved refactoring some common pointer-escapes code onto CallEvent, then having MallocChecker use those callbacks for whether or not to consider a pointer's /ownership/ as escaping. This still needs to be pinned down, and probably we want to make the new argumentsMayEscape() function a little more discerning (content invalidation vs. ownership/metadata invalidation), but this is a good improvement. As a bonus, also remove CallOrObjCMessage from the source completely. llvm-svn: 159557
* [analyzer] Add a new abstraction over all types of calls: CallEventJordan Rose2012-07-021-129/+119
| | | | | | | | | | This is intended to replace CallOrObjCMessage, and is eventually intended to be used for anything that cares more about /what/ is being called than /how/ it's being called. For example, inlining destructors should be the same as inlining blocks, and checking __attribute__((nonnull)) should apply to the allocator calls generated by operator new. llvm-svn: 159554
* [analyzer] Be careful about implicitly-declared operator new/delete. (PR13090)Jordan Rose2012-06-251-2/+1
| | | | | | | | The implicit global allocation functions do not have valid source locations, but we still want to treat them as being "system header" functions for the purposes of how they affect program state. llvm-svn: 159160
* [analyzer] Teach malloc checker that initWith[Bytes|Characters}NoCopy Anna Zaks2012-06-221-1/+3
| | | | | | relinquish memory. llvm-svn: 159043
* [analyzer] Fixup to r158958.Anna Zaks2012-06-221-2/+2
| | | | llvm-svn: 159037
* [analyzer] Malloc: Warn about use-after-free when memory ownership wasAnna Zaks2012-06-221-11/+73
| | | | | | transfered with dataWithBytesNoCopy. llvm-svn: 158958
* [analyzer] Malloc leak false positive: Allow xpc context to escape.Anna Zaks2012-06-201-0/+6
| | | | llvm-svn: 158875
* [analyzer] Malloc: cleanup, disallow free on relinquished memory.Anna Zaks2012-06-201-10/+17
| | | | | | | | This commits sets the grounds for more aggressive use after free checking. We will use the Relinquished sate to denote that someone else is now responsible for releasing the memory. llvm-svn: 158850
* [analyzer] Allow pointers to escape into NSPointerArray.Anna Zaks2012-06-191-0/+10
| | | | | | (Fixes radar://11691035 PR13140) llvm-svn: 158703
OpenPOWER on IntegriCloud