| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
- Find the correct region to represent the first array element when
constructing a CXXConstructorCall.
- If the array is trivial, model the copy with a primitive load/store.
- Don't warn about the "uninitialized" subscript in the AST -- we don't use
the helper variable that Sema provides.
<rdar://problem/13091608>
llvm-svn: 178602
|
| |
|
|
| |
llvm-svn: 178529
|
| |
|
|
| |
llvm-svn: 178311
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
“newed” pointers to escape
Add a new callback that notifies checkers when a const pointer escapes. Currently, this only works
for const pointers passed as a top level parameter into a function. We need to differentiate the const
pointers escape from regular escape since the content pointed by const pointer will not change;
if it’s a file handle, a file cannot be closed; but delete is allowed on const pointers.
This should suppress several false positives reported by the NewDelete checker on llvm codebase.
llvm-svn: 178310
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
participates in the computation of the nil we warn about.
We should only suppress a bug report if the IDCed or null returned nil value is directly related to the value we are warning about. This was
not the case for nil receivers - we would suppress a bug report that had an IDCed nil receiver on the path regardless of how it’s
related to the warning.
1) Thread EnableNullFPSuppression parameter through the visitors to differentiate between tracking the value which
is directly responsible for the bug and other values that visitors are tracking (ex: general tracking of nil receivers).
2) in trackNullOrUndef specifically address the case when a value of the message send is nil due to the receiver being nil.
llvm-svn: 178309
|
| |
|
|
| |
llvm-svn: 178264
|
| |
|
|
| |
llvm-svn: 178255
|
| |
|
|
|
|
|
|
| |
+ Improved display names for allocators and deallocators
The checker checks if a deallocation function matches allocation one. ('free' for 'malloc', 'delete' for 'new' etc.)
llvm-svn: 178250
|
| |
|
|
|
|
|
|
| |
allocate memory in heap.
+ Improved test coverage for cplusplus.NewDelete checker.
llvm-svn: 178244
|
| |
|
|
|
|
|
|
|
| |
reclaimed
The visitor should look for the PreStmt node as the receiver is nil in the PreStmt and this is the node. Also, tag the nil
receiver nodes with a special tag for consistency.
llvm-svn: 178152
|
| |
|
|
|
|
|
|
|
| |
Register the nil tracking visitors with the region and refactor trackNullOrUndefValue a bit.
Also adds the cast and paren stripping before checking if the value is an OpaqueValueExpr
or ExprWithCleanups.
llvm-svn: 178093
|
| |
|
|
|
|
| |
double free, and use-after-free problems of memory managed by new/delete.
llvm-svn: 177849
|
| |
|
|
|
|
| |
and ensure it works with subscripting.
llvm-svn: 177789
|
| |
|
|
|
|
| |
Debug utility only, no functionality change.
llvm-svn: 177649
|
| |
|
|
| |
llvm-svn: 177318
|
| |
|
|
|
|
| |
non-deterministic.
llvm-svn: 177207
|
| |
|
|
| |
llvm-svn: 176956
|
| |
|
|
|
|
|
|
|
| |
+ Individual Report* method for each bug type
+ Comment improved: missing non-trivial alloca() case annotated
+ 'range' parameter of ReportBadFree() capitalized
+ 'SymbolRef Sym = State->getSVal(A, C.getLocationContext()).getAsSymbol();' shorten to 'SymbolRef Sym = C.getSVal(A).getAsSymbol();'
llvm-svn: 176949
|
| |
|
|
| |
llvm-svn: 176755
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, MallocChecker's pointer escape check and its post-call state
update for Objective-C method calls had a fair amount duplicated logic
and not-entirely-consistent checks. This commit restructures all this to
be more consistent and possibly allow us to be more aggressive in warning
about double-frees.
New policy (applies to system header methods only):
(1) If this is a method we know about, model it as taking/holding ownership
of the passed-in buffer.
(1a) ...unless there's a "freeWhenDone:" parameter with a zero (NO) value.
(2) If there's a "freeWhenDone:" parameter (but it's not a method we know
about), treat the buffer as escaping if the value is non-zero (YES) and
non-escaping if it's zero (NO).
(3) If the first selector piece ends with "NoCopy" (but it's not a method we
know about and there's no "freeWhenDone:" parameter), treat the buffer
as escaping.
The reason that (2) and (3) don't explicitly model the ownership transfer is
because we can't be sure that they will actually free the memory using free(),
and we wouldn't want to emit a spurious "mismatched allocator" warning
(coming in Anton's upcoming patch). In the future, we may have an idea of a
"generic deallocation", i.e. we assume that the deallocator is correct but
still continue tracking the region so that we can warn about double-frees.
Patch by Anton Yartsev, with modifications from me.
llvm-svn: 176744
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Warn about null pointer dereference earlier when a reference to a null pointer is
passed in a call. The idea is that even though the standard might allow this, reporting
the issue earlier is better for diagnostics (the error is reported closer to the place where
the pointer was set to NULL). This also simplifies analyzer’s diagnostic logic, which has
to track “where the null came from”. As a consequence, some of our null pointer
warning suppression mechanisms started triggering more often.
TODO: Change the name of the file and class to reflect the new check.
llvm-svn: 176612
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Officially in the C++ standard, a null reference cannot exist. However,
it's still very easy to create one:
int &getNullRef() {
int *p = 0;
return *p;
}
We already check that binds to reference regions don't create null references.
This patch checks that we don't create null references by returning, either.
<rdar://problem/13364378>
llvm-svn: 176601
|
| |
|
|
|
|
|
|
| |
with CompoundLiteralExpr
This allows us to trigger the IDC visitor in the added test case.
llvm-svn: 176577
|
| |
|
|
|
|
|
|
|
|
| |
We weren't treating a cf_audited_transfer CFRetain as returning +1 because
its name doesn't contain "Create" or "Copy". Oops! Fortunately, the
standard definitions of these functions are not marked audited.
<rdar://problem/13339601>
llvm-svn: 176463
|
| |
|
|
|
|
|
|
|
|
|
|
| |
With the new support for trivial copy constructors, we are not always
consistent about whether a CXXTempObjectRegion gets reused or created
from scratch, which affects whether qualifiers are preserved. However,
we probably don't care anyway.
This also switches to using the current PrintingPolicy for the type,
which means C++ types don't get a spurious 'struct' prefix anymore.
llvm-svn: 176068
|
| |
|
|
|
|
|
|
|
|
|
|
| |
type.
This addresses a case when we inline a wrong method due to incorrect
dynamic type inference. Specifically, when user code contains a method from init
family, which creates an instance of another class.
Use hasRelatedResultType() to find out if our inference rules should be triggered.
llvm-svn: 176054
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fields.
This required more changes than I originally expected:
- ObjCIvarRegion implements "canPrintPretty" et al
- DereferenceChecker indicates the null pointer source is an ivar
- bugreporter::trackNullOrUndefValue() uses an alternate algorithm
to compute the location region to track by scouring the ExplodedGraph.
This allows us to get the actual MemRegion for variables, ivars,
fields, etc. We only hand construct a VarRegion for C++ references.
- ExplodedGraph no longer drops nodes for expressions that are marked
'lvalue'. This is to facilitate the logic in the previous bullet.
This may lead to a slight increase in size in the ExplodedGraph,
which I have not measured, but it is likely not to be a big deal.
I have validated each of the changed plist output.
Fixes <rdar://problem/12114812>
llvm-svn: 175988
|
| |
|
|
|
|
|
| |
This provides a few sundry cleanups, and allows us to provide
a compile-time check for a case that was a runtime assertion.
llvm-svn: 175987
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use Optional<CFG*> where invalid states were needed previously. In the one case
where that's not possible (beginAutomaticObjDtorsInsert) just use a dummy
CFGAutomaticObjDtor.
Thanks for the help from Jordan Rose & discussion/feedback from Ted Kremenek
and Doug Gregor.
Post commit code review feedback on r175796 by Ted Kremenek.
llvm-svn: 175938
|
| |
|
|
|
|
|
| |
(found due to incoming improvements to llvm::cast machinery that will error on
this sort of mistake)
llvm-svn: 175817
|
| |
|
|
|
|
| |
See r175462 for another example/more details.
llvm-svn: 175812
|
| |
|
|
|
|
| |
See r175462 for another example/more details.
llvm-svn: 175796
|
| |
|
|
|
|
|
| |
This is a precursor to making Optional<T>'s operator bool 'explicit' when
building Clang & LLVM as C++11.
llvm-svn: 175722
|
| |
|
|
| |
llvm-svn: 175705
|
| |
|
|
|
|
| |
Post-commit CR feedback from Jordan Rose regarding r175594.
llvm-svn: 175679
|
| |
|
|
| |
llvm-svn: 175678
|
| |
|
|
|
|
| |
See r175462 for another example/more details.
llvm-svn: 175594
|
| |
|
|
|
|
| |
<rdar://problem/13213575>.
llvm-svn: 175425
|
| |
|
|
|
|
|
|
| |
declarations to synthesize their ivars in similar
determinstic order so they are laid out in
a determinstic order. // rdar://13192366
llvm-svn: 175214
|
| |
|
|
|
|
| |
These are causing assertions on some MSVC builds.
llvm-svn: 174805
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The missing definition check should be in the same category as the
missing ivar validation - in this case, the intent is to invalidate in
the given class, as described in the declaration, but the implementation
does not perform the invalidation. Whereas the MissingInvalidationMethod
checker checks the cases where the method intention is not to
invalidate. The second checker has potential to have a much higher false
positive rate.
llvm-svn: 174787
|
| |
|
|
| |
llvm-svn: 174782
|
| |
|
|
|
|
|
| |
Separate the checking for the missing invalidation methods into a
separate checker so that it can be turned on/off independently.
llvm-svn: 174781
|
| |
|
|
| |
llvm-svn: 174780
|
| |
|
|
|
|
|
|
|
|
|
| |
The new annotation allows having methods that only partially invalidate
IVars and might not be called from the invalidation methods directly
(instead, are guaranteed to be called before the invalidation occurs).
The checker is going to trust the programmer to call the partial
invalidation method before the invalidator.This is common in cases when
partial object tear down happens before the death of the object.
llvm-svn: 174779
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The malloc checker will now catch the case when a previously malloc'ed
region is freed, but the pointer passed to free does not point to the
start of the allocated memory. For example:
int *p1 = malloc(sizeof(int));
p1++;
free(p1); // warn
From the "memory.LeakPtrValChanged enhancement to unix.Malloc" entry
in the list of potential checkers.
A patch by Branden Archer!
llvm-svn: 174678
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The checkPointerEscape callback previously did not specify how a
pointer escaped. This change includes an enum which describes the
different ways a pointer may escape. This enum is passed to the
checkPointerEscape callback when a pointer escapes. If the escape
is due to a function call, the call is passed. This changes
previous behavior where the call is passed as NULL if the escape
was due to indirectly invalidating the region the pointer referenced.
A patch by Branden Archer!
llvm-svn: 174677
|
| |
|
|
|
|
|
| |
The Cnt variable is adjusted (incremented) for simplification of
checking logic. The increment should not be stored in the state.
llvm-svn: 174104
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This matches our behavior for autorelease pools created by +alloc. Some
people like to create autorelease pools in one method and release them
somewhere else.
If you want safe autorelease pool semantics, use the new ARC-compatible
syntax: @autoreleasepool { ... }
<rdar://problem/13121353>
llvm-svn: 174096
|
| |
|
|
|
|
|
|
|
|
| |
The expression 'a->b.c()' contains a call to the 'c' method of 'a->b'.
We emit an error if 'a' is NULL, but previously didn't actually track
the null value back through the 'a->b' expression, which caused us to
miss important false-positive-suppression cases, including
<rdar://problem/12676053>.
llvm-svn: 173547
|
