summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer/Checkers
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix a typo 'iff' => 'if'Sylvestre Ledru2012-09-271-2/+2
| | | | llvm-svn: 164766
* IvarInvalidationChecker.cpp: Remove an unused member, InterfD. ↵NAKAMURA Takumi2012-09-271-2/+1
| | | | | | [-Wunused-private-field] llvm-svn: 164745
* [analyzer] Add experimental ObjC invalidation method checker.Anna Zaks2012-09-263-7/+331
| | | | | | | | | | | This checker is annotation driven. It checks that the annotated invalidation method accesses all ivars of the enclosing objects that are objects of type, which in turn contains an invalidation method. This is driven by __attribute((annotation("objc_instance_variable_invalidator")). llvm-svn: 164716
* [analyzer] Fix a buildbot crash triggered by turning on dynamicAnna Zaks2012-09-251-1/+1
| | | | | | dispatch. llvm-svn: 164579
* Use llvm::getOrdinalSuffix to print ordinal numbers in diagnostics.Jordan Rose2012-09-221-4/+6
| | | | | | Just a refactoring of common infrastructure. No intended functionality change. llvm-svn: 164443
* [analyzer] Check that an ObjCIvarRefExpr's base is non-null even as an lvalue.Jordan Rose2012-09-221-12/+7
| | | | | | | | | | | Like with struct fields, we want to catch cases like this early, so that we can produce better diagnostics and path notes: PointObj *p = nil; int *px = &p->_x; // should warn here *px = 1; llvm-svn: 164442
* [analyzer] MallocChecker should not do post-call checks on inlined functions.Jordan Rose2012-09-201-0/+3
| | | | | | | | | | | If someone provides their own function called 'strdup', or 'reallocf', or even 'malloc', and we inlined it, the inlining should have given us all the malloc-related information we need. If we then try to attach new information to the return value, we could end up with spurious warnings. <rdar://problem/12317671> llvm-svn: 164276
* [analyzer] Teach the analyzer about implicit initialization of staticsAnna Zaks2012-09-172-2/+2
| | | | | | | | | | | in ObjCMethods. Extend FunctionTextRegion to represent ObjC methods as well as functions. Note, it is not clear what type ObjCMethod region should return. Since the type of the FunctionText region is not currently used, defer solving this issue. llvm-svn: 164046
* Fix grammar.Ted Kremenek2012-09-131-4/+4
| | | | llvm-svn: 163828
* When warning about unsafe uses of dispatch_once, specially handle theTed Kremenek2012-09-131-1/+13
| | | | | | | | | | crazy case where dispatch_once gets redefined as a macro that calls _dispatch_once (which calls the real dispatch_once). Users want to see the warning in their own code. Fixes <rdar://problem/11617767> llvm-svn: 163816
* [analyzer] Do not report use of undef on "return foo();" when the return ↵Anna Zaks2012-09-121-0/+14
| | | | | | | | type is void. Fixes a false positive found by analyzing LLVM code base. llvm-svn: 163750
* [analyzer] Fix another false positive in malloc realloc logic.Anna Zaks2012-09-121-13/+32
| | | | llvm-svn: 163749
* Remove redundant semicolons which are null statements.Dmitri Gribenko2012-09-101-1/+1
| | | | llvm-svn: 163546
* Make helper functions static.Benjamin Kramer2012-09-102-5/+5
| | | | llvm-svn: 163505
* [analyzer] ObjCSelfInitChecker should always clean up in postCall checks.Jordan Rose2012-09-081-2/+3
| | | | | | | | | | | | | | | | | | | | ObjCSelfInitChecker stashes information in the GDM to persist it across function calls; it is stored in pre-call checks and retrieved post-call. The post-call check is supposed to clear out the stored state, but was failing to do so in cases where the call did not have a symbolic return value. This was actually causing the inappropriate cache-out from r163361. Per discussion with Anna, we should never actually cache out when assuming the receiver of an Objective-C message is non-nil, because we guarded that node generation by checking that the state has changed. Therefore, the only states that could reach this exact ExplodedNode are ones that should have merged /before/ making this assumption. r163361 has been reverted and the test case removed, since it won't actually test anything interesting now. llvm-svn: 163449
* [analyzer] Add debug output for ObjCSelfInitChecker's state.Jordan Rose2012-09-081-0/+48
| | | | | | No functionality change. llvm-svn: 163448
* [analyzer] Address John's code review for r163407.Anna Zaks2012-09-081-12/+15
| | | | | | | Teach malloc sizeof checker to find type inconsistencies in multi- dimensional arrays. llvm-svn: 163438
* Remove ProgramState::getSymVal(). It was being misused by Checkers,Ted Kremenek2012-09-073-13/+9
| | | | | | | | | | | | | | | | | | | | with at least one subtle bug in MacOSXKeyChainAPIChecker where the calling the method was a substitute for assuming a symbolic value was null (which is not the case). We still keep ConstraintManager::getSymVal(), but we use that as an optimization in SValBuilder and ProgramState::getSVal() to constant-fold SVals. This is only if the ConstraintManager can provide us with that information, which is no longer a requirement. As part of this, introduce a default implementation of ConstraintManager::getSymVal() which returns null. For Checkers, introduce ConstraintManager::isNull(), which queries the state to see if the symbolic value is constrained to be a null value. It does this without assuming it has been implicitly constant folded. llvm-svn: 163428
* [analyzer] Fix a false positive in sizeof malloc checker.Anna Zaks2012-09-071-33/+49
| | | | | | | Don't warn when the sizeof argument is an array with the same element type as the pointee of the return type. llvm-svn: 163407
* Fix off-by-one bug in diagnostic prose of ObjCContainersASTChecker.Ted Kremenek2012-09-071-1/+3
| | | | | | | | | While the check itself should count 0-based for the parameter index, the diagnostic should be 1-based (first, second, third, not start at 0). Fixes <rdar://problem/12249569>. llvm-svn: 163375
* Teach RetainCountChecker that CFPlugInInstanceCreate does notTed Kremenek2012-09-061-0/+2
| | | | | | | | return a CF object at all. Fixes <rdar://problem/9566345> llvm-svn: 163362
* Refine diagnostics for leaks reported when returning an objectTed Kremenek2012-09-061-14/+22
| | | | | | | | via function/method with [CF,NS]_RETURNS_NOT_RETAINED. Fixes <rdar://problem/11379000>. llvm-svn: 163355
* Tweak DeadStoresChecker to not warn about dead stores to variables thatTed Kremenek2012-09-061-3/+55
| | | | | | | | | are used in EH code. Right now the CFG doesn't support exceptions well, so we need this hack to avoid bogus dead store warnings. Fixes <rdar://problem/12147586> llvm-svn: 163353
* [analyzer] Don't attempt to devirtualize calls to base class destructors.Jordan Rose2012-09-061-3/+3
| | | | | | | | | | | | | | | | | | | CXXDestructorCall now has a flag for when it is a base destructor call. Other kinds of destructor calls (locals, fields, temporaries, and 'delete') all behave as "whole-object" destructors and do not behave differently from one another (specifically, in these cases we /should/ try to devirtualize a call to a virtual destructor). This was causing crashes in both our internal buildbot, the crash still being tracked in PR13765, and some of the crashes being tracked in PR13763, due to a assertion failure. (The behavior under -Asserts happened to be correct anyway.) Adding this knowledge also allows our DynamicTypePropagation checker to do a bit less work; the special rules about virtual method calls during a destructor only require extra handling during base destructors. llvm-svn: 163348
* [analyzer] Enhance the member expr tracking to account for references.Anna Zaks2012-09-051-1/+1
| | | | | | As per Jordan's suggestion. (Came out of code review for r163261.) llvm-svn: 163269
* [analyzer] Remove unneeded code.Anna Zaks2012-09-051-18/+8
| | | | | | | This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
* Fix indentation.Ted Kremenek2012-09-041-3/+3
| | | | llvm-svn: 163176
* [analyzer] Future-proofing r163012 (nameless functions and RetainCountChecker)Jordan Rose2012-09-011-4/+4
| | | | | | | | | Any future exceptions need to go INSIDE the test that checks if the IdentifierInfo is non-null! No functionality change. Thanks for the review, Ted. llvm-svn: 163067
* [analyzer] Always derive a CallEvent's return type from its origin expr.Jordan Rose2012-09-013-97/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we preferred to get a result type by looking at the callee's declared result type. This allowed us to handlereferences, which are represented in the AST as lvalues of their pointee type. (That is, a call to a function returning 'int &' has type 'int' and value kind 'lvalue'.) However, this results in us preferring the original type of a function over a casted type. This is a problem when a function pointer is casted to another type, because the conjured result value will have the wrong type. AdjustedReturnValueChecker is supposed to handle this, but still doesn't handle the case where there is no "original function" at all, i.e. where the callee is unknown. Now, we instead look at the call expression's value kind (lvalue, xvalue, or prvalue), and adjust the expr's type accordingly. This will have no effect when the function is inlined, and will conjure the value that will actually be used when it is not. This makes AdjustedReturnValueChecker /nearly/ unnecessary; unfortunately, the cases where it would still be useful are where we need to cast the result of an inlined function or a checker-evaluated function, and in these cases we don't know what we're casting /from/ by the time we can do post- call checks. In light of that, remove AdjustedReturnValueChecker, which was already not checking quite a few calls. llvm-svn: 163065
* [analyzer] RetainCountChecker: don't assume all functions have names.Jordan Rose2012-08-312-5/+10
| | | | | | | | | | | | | | | Fixes a hard-to-reach crash when calling a non-member overloaded operator with arguments that may be callbacks. Future-proofing: don't make the same assumption in MallocSizeofChecker. Aside from possibly respecting attributes in the future, it might be possible to call 'malloc' through a function pointer. I audited all other uses of FunctionDecl::getIdentifier() in the analyzer; they all now correctly test to see if the identifier is present before using it. llvm-svn: 163012
* [analyzer] Remove cast inside dyn_cast.Anna Zaks2012-08-301-1/+1
| | | | llvm-svn: 162951
* [analyzer] Fixup for r162935 as per Jordan's review.Anna Zaks2012-08-301-3/+3
| | | | | | Thanks for catching this! llvm-svn: 162949
* [analyzer] Do not propagate the [super init] could be nil assumptionAnna Zaks2012-08-301-8/+32
| | | | | | | | from callee to caller. radar://12109638 llvm-svn: 162935
* Teach RetainCountChecker about 'pragma clang arc_cf_code_audited'.Ted Kremenek2012-08-301-0/+5
| | | | llvm-svn: 162934
* [analyzer] Stop tracking symbols based on a retain count summary ofAnna Zaks2012-08-291-27/+101
| | | | | | | | | | | | inlined function. This resolves retain count checker false positives that are caused by inlining ObjC and other methods. Essentially, if we are passing an object to a method with "delegate" in the selector or a function pointer as another argument, we should stop tracking the other parameters/return value as far as the retain count checker is concerned. llvm-svn: 162876
* [analyzer] Improved diagnostic pruning for calls initializing values.Anna Zaks2012-08-295-5/+0
| | | | | | | | | | | | | | | | | | | | This heuristic addresses the case when a pointer (or ref) is passed to a function, which initializes the variable (or sets it to something other than '0'). On the branch where the inlined function does not set the value, we report use of undefined value (or NULL pointer dereference). The access happens in the caller and the path through the callee would get pruned away with regular path pruning. To solve this issue, we previously disabled diagnostic pruning completely on undefined and null pointer dereference checks, which entailed very verbose diagnostics in most cases. Furthermore, not all of the undef value checks had the diagnostic pruning disabled. This patch implements the following heuristic: if we pass a pointer (or ref) to the region (on which the error is reported) into a function and it's value is either undef or 'NULL' (and is a pointer), do not prune the function. llvm-svn: 162863
* [analyzer] C++ objects returned on the stack may be wrapped in ExprWithCleanups.Jordan Rose2012-08-291-1/+5
| | | | | | | | | | | | In C++, objects being returned on the stack are actually copy-constructed into the return value. That means that when a temporary is returned, it still has to be destroyed, i.e. the returned expression will be wrapped in an ExprWithCleanups node. Our "returning stack memory" checker needs to look through this node to see if we really are returning an object by value. PR13722 llvm-svn: 162817
* [analyzer] Rename addTrackNullOrUndefValueVisitor to trackNullOrUndefValue.Jordan Rose2012-08-2814-28/+22
| | | | | | | | | | | This helper function (in the clang::ento::bugreporter namespace) may add more than one visitor, but conceptually it's tracking a single use of a null or undefined value and should do so as best it can. Also, the BugReport parameter has been made a reference to underscore that it is non-optional. llvm-svn: 162720
* [analyzer] Inline constructors for any object with a trivial destructor.Jordan Rose2012-08-271-4/+11
| | | | | | | | | | | | This allows us to better reason about status objects, like Clang's own llvm::Optional (when its contents are trivially destructible), which are often intended to be passed around by value. We still don't inline constructors for temporaries in the general case. <rdar://problem/11986434> llvm-svn: 162681
* Rename the "experimental" checker package to "alpha". We will then refineTed Kremenek2012-08-241-18/+18
| | | | | | | this group into "alpha" and "beta" to distinguish between checkers in different levels of premature state. llvm-svn: 162582
* [analyzer] Fix realloc related bug in the malloc checker.Anna Zaks2012-08-241-12/+38
| | | | | | | When reallocation of a non-allocated (not owned) symbol fails do not expect it to be freed. llvm-svn: 162533
* [analyzer] Remove unnecessary code.Anna Zaks2012-08-241-16/+0
| | | | | | | | This code has been added a while ago and removing it does not trigger any test failures. The false positives it was trying to suppress are probably handled by other logic (ex: special handling of delegates). llvm-svn: 162529
* [analyzer] Make analyzer less aggressive when dealing with [self init].Anna Zaks2012-08-241-0/+29
| | | | | | | | | | | | | | With inlining, retain count checker starts tracking 'self' through the init methods. The analyser results were too noisy if the developer did not follow 'self = [super init]' pattern (which is common especially in older code bases) - we reported self init anti-pattern AND possible use-after-free. This patch teaches the retain count checker to assume that [super init] does not fail when it's not consumed by another expression. This silences the retain count warning that warns about possibility of use-after-free when init fails, while preserving all the other checking on 'self'. llvm-svn: 162508
* [analyzer] Fixup to r162399. Initialize the member variable.Anna Zaks2012-08-221-0/+2
| | | | llvm-svn: 162405
* [analyzer] Add osx.cocoa.NonNilReturnValue checker.Anna Zaks2012-08-222-0/+49
| | | | | | | | The checker adds assumptions that the return values from the known APIs are non-nil. Teach the checker about NSArray/NSMutableArray/NSOrderedSet objectAtIndex, objectAtIndexedSubscript. llvm-svn: 162398
* Rename 'unbindLoc()' (in ProgramState) and 'Remove()' toTed Kremenek2012-08-221-1/+1
| | | | | | | | | 'killBinding()'. The name is more specific, and one just forwarded to the other. Add some doxygen comments along the way. llvm-svn: 162350
* Rename 'currentX' to 'currX' throughout analyzer and libAnalysis.Ted Kremenek2012-08-225-24/+16
| | | | | | | | | Also rename 'getCurrentBlockCounter()' to 'blockCount()'. This ripples a bunch of code simplifications; mostly aesthetic, but makes the code a bit tighter. llvm-svn: 162349
* Rename 'getConjuredSymbol*' to 'conjureSymbol*'.Ted Kremenek2012-08-223-9/+8
| | | | | | | | | | No need to have the "get", the word "conjure" is a verb too! Getting a conjured symbol is the same as conjuring one up. This shortening is largely cosmetic, but just this simple changed cleaned up a handful of lines, making them less verbose. llvm-svn: 162348
* Remove stale header file.Ted Kremenek2012-08-221-1/+0
| | | | llvm-svn: 162341
* [analyzer] Replace boolean IsSink parameters with 'generateSink' methods.Jordan Rose2012-08-202-5/+3
| | | | | | | | | | | Generating a sink is significantly different behavior from generating a normal node, and a simple boolean parameter can be rather opaque. Per offline discussion with Anna, adding new generation methods is the clearest way to communicate intent. No functionality change. llvm-svn: 162215
OpenPOWER on IntegriCloud