path: root/clang/lib/StaticAnalyzer/Checkers
Commit message | Author | Age | Files | Lines
* Use pop_back_val() instead of both back() and pop_back(). | Robert Wilhelm | 2013-08-23 | 1 | -3/+2
  No functionality change intended.
  llvm-svn: 189112
* [analyzer] Don't run unreachable code checker on inlined functions. | Jordan Rose | 2013-08-19 | 1 | -0/+3
  This is still an alpha checker, but we use it in certain tests to make sure something is not being executed. This should fix the buildbots.
  llvm-svn: 188682
* [analyzer] Assume that strings are no longer than SIZE_MAX/4. | Jordan Rose | 2013-08-19 | 1 | -2/+15
  This keeps the analyzer from making silly assumptions, like thinking strlen(foo)+1 could wrap around to 0. This fixes PR16558. Patch by Karthik Bhat!
  llvm-svn: 188680
* Omit arguments of __builtin_object_size from the CFG. | Jordan Rose | 2013-08-19 | 1 | -6/+19
  This builtin does not actually evaluate its arguments for side effects, so we shouldn't include them in the CFG. In the analyzer, rely on the constant expression evaluator to get the proper semantics, at least for now. (In the future, we could get ambitious and try to provide path-sensitive size values.)

  In theory, this does pose a problem for liveness analysis: a variable can be used within the __builtin_object_size argument expression but not show up as live. However, it is very unlikely that such a value would be used to compute the object size and not used to access the object in some way.

  <rdar://problem/14760817>
  llvm-svn: 188679
* Use the number of parameters in the actual method or function to determine the CallEffects size. | Ted Kremenek | 2013-08-16 | 1 | -7/+1
  llvm-svn: 188587
* RetainCountChecker: Replace some loops with std:: algorithms. | Benjamin Kramer | 2013-08-16 | 1 | -17/+5
  llvm-svn: 188581
* Revert r188574. Turns out it isn't needed. | Ted Kremenek | 2013-08-16 | 1 | -1/+0
  llvm-svn: 188578
* Need summary info. about arguments to | Fariborz Jahanian | 2013-08-16 | 1 | -0/+1
  CF functions coming from static analyzer API.
  llvm-svn: 188574
* [analyzer] If realloc fails on an escaped region, that region doesn't leak. | Jordan Rose | 2013-08-15 | 1 | -1/+1
  When a region is realloc()ed, MallocChecker records whether it was known to be allocated or not. If it is, and the reallocation fails, the original region has to be freed. Previously, when an allocated region escaped, MallocChecker completely stopped tracking it, so a failed reallocation still (correctly) wouldn't require freeing the original region.

  Recently, however, MallocChecker started tracking escaped symbols, so that if it were freed we could check that the deallocator matched the allocator. This broke the reallocation model for whether or not a symbol was allocated. Now, MallocChecker will actually check if a symbol is owned, and only require freeing after a failed reallocation if it was owned before.

  PR16730
  llvm-svn: 188468
* [static analyzer] add a simple "CallEffects" API to query the retain count semantics of a method. | Ted Kremenek | 2013-08-14 | 1 | -0/+44
  This is intended to be a simplified API, whose internals are deliberately less efficient for the purpose of a simplified interface, for use with clients that want to query the analyzer's heuristics for determining retain count semantics.

  There are no immediate clients, but it is intended to be used by the ObjC modernizer.
  llvm-svn: 188433
* [static analyzer] Factor out ArgEffect and RetEffect into public header file. | Ted Kremenek | 2013-08-14 | 1 | -93/+14
  This is a WIP change to allow other clients to query the retain count heuristics of the static analyzer.
  llvm-svn: 188432
* DirectIvarAssignment: Replace vtable'd objects with simple functions. | Benjamin Kramer | 2013-08-09 | 1 | -31/+19
  Avoids unnecessary static constructors.
  llvm-svn: 188083
* [analyzer] Warn when using 'delete' on an uninitialized variable. | Jordan Rose | 2013-08-09 | 1 | -1/+29
  Patch by Karthik Bhat, modified slightly by me.
  llvm-svn: 188043
* Eliminate CXXConstructorDecl::IsImplicitlyDefined. | Jordan Rose | 2013-08-07 | 1 | -1/+1
  This field is just IsDefaulted && !IsDeleted; in all places it's used, a simple check for isDefaulted() is superior anyway, and we were forgetting to set it in a few cases.

  Also eliminate CXXDestructorDecl::IsImplicitlyDefined, for the same reasons.

  No intended functionality change.
  llvm-svn: 187891
* [analyzer] Don't process autorelease counts in synthesized function bodies. | Jordan Rose | 2013-08-01 | 1 | -1/+8
  We process autorelease counts when we exit functions, but if there's an issue in a synthesized body the report will get dropped. Just skip the processing for now and let it get handled when the caller gets around to processing autoreleases.

  (This is still suboptimal: objects autoreleased in the caller context should never be warned about when exiting a callee context, synthesized or not.)

  Second half of <rdar://problem/14611722>
  llvm-svn: 187625
* Make IgnoreParens() look through ChooseExprs. | Eli Friedman | 2013-07-20 | 1 | -13/+2
  This is the same way GenericSelectionExpr works, and it's generally a more consistent approach.

  A large part of this patch is devoted to caching the value of the condition of a ChooseExpr; it's needed to avoid threading an ASTContext into IgnoreParens().

  Fixes <rdar://problem/14438917>.
  llvm-svn: 186738
* [analyzer] Include analysis stack in crash traces. | Jordan Rose | 2013-07-19 | 1 | -0/+7
  Sample output:

    0. Program arguments: ...
    1. <eof> parser at end of file
    2. While analyzing stack:
       #0 void inlined()
       #1 void test()
    3. crash-trace.c:6:3: Error evaluating statement

  llvm-svn: 186639
* Add 'static' and 'const' qualifiers to some arrays of strings. | Craig Topper | 2013-07-15 | 1 | -1/+1
  llvm-svn: 186314
* [analyzer] Add support for __builtin_addressof. | Jordan Rose | 2013-07-12 | 1 | -1/+4
  ...so we don't regress on std::addressof.
  llvm-svn: 186140
* Use SmallVectorImpl instead of SmallVector for iterators and references to avoid specifying the vector size unnecessarily. | Craig Topper | 2013-07-04 | 2 | -4/+4
  llvm-svn: 185610
* [analyzer] Improve handling of noreturn destructors | Pavel Labath | 2013-07-03 | 1 | -13/+11
  Summary: The analyzer incorrectly handled noreturn destructors which were hidden inside function calls. This happened because NoReturnFunctionChecker only listened for PostStmt events, which are not executed for destructor calls. I've changed it to listen to PostCall events, which should catch both cases.

  Reviewers: jordan_rose
  CC: cfe-commits
  Differential Revision: http://llvm-reviews.chandlerc.com/D1056
  llvm-svn: 185522
* Use getAs<> where appropriate on QualTypes instead of using dyn_cast. | Eli Friedman | 2013-06-24 | 1 | -14/+7
  llvm-svn: 184775
* [analyzer] Add a debug checker that prints Exploded Graph | Anna Zaks | 2013-06-24 | 2 | -0/+25
  Add a debug checker that is useful to understand how the ExplodedGraph is built; it can be triggered using the following command:

    clang -cc1 -analyze -analyzer-checker=debug.ViewExplodedGraph my_program.c

  A patch by Béatrice Creusillet!
  llvm-svn: 184768
* Check the canonical parameter type with getAs<>() in a static checker | Reid Kleckner | 2013-06-24 | 1 | -5/+5
  This will prevent breakage when I introduce the DecayedType sugar node.
  llvm-svn: 184755
* [analyzer] Use output from collections’ count to decide if ObjC for loop should be entered | Anna Zaks | 2013-06-22 | 1 | -8/+175
  This fixes false positives by allowing us to know that a loop is always entered if the collection count method returns a positive value and vice versa.

  Addresses radar://14169391.
  llvm-svn: 184618
* Fix a crash in the static analyzer (bug #16307) | Pavel Labath | 2013-06-19 | 1 | -1/+24
  Summary: When processing a call to a function, which got passed fewer arguments than it expects, the analyzer would crash. I've also added a test for that and an analyzer warning which detects these cases.

  CC: cfe-commits
  Differential Revision: http://llvm-reviews.chandlerc.com/D994
  llvm-svn: 184288
* [analyzer] Do not report uninitialized value warnings inside swap functions. | Anna Zaks | 2013-06-18 | 2 | -0/+17
  This silences warnings that could occur when one is swapping partially initialized structs. We suppress not only the assignments of uninitialized members, but any values inside swap because swap could potentially be used as a subroutine to swap class members.

  This silences a warning from std::try::function::swap() on partially initialized objects.
  llvm-svn: 184256
* [AST] Don't include RecursiveASTVisitor.h in ASTContext.h | Reid Kleckner | 2013-06-17 | 1 | -0/+1
  The untemplated implementation of getParents() doesn't need to be in a header file.

  RecursiveASTVisitor.h is full of repeated macro expansion. Moving this include to ASTContext.cpp speeds up compilation of LambdaMangleContext.cpp, a small C++ file with few includes, from 3.7s to 2.8s for me locally. I haven't measured a full build, but it can't hurt.

  I had to fix a few static analyzer files that were depending on transitive includes of C++ AST headers.

  Reviewers: rsmith, klimek
  Differential Revision: http://llvm-reviews.chandlerc.com/D982
  llvm-svn: 184075
* Fix memory corruption in CStringChecker | Pavel Labath | 2013-06-12 | 1 | -4/+1
  Summary: "register" functions for the checker were caching the checker objects in a static variable. This caused problems when the function is called with a different CheckerManager.

  Reviewers: klimek
  CC: cfe-commits
  Differential Revision: http://llvm-reviews.chandlerc.com/D955
  llvm-svn: 183823
* [analyzer] Minor fixups to r183062 | Anna Zaks | 2013-06-08 | 1 | -7/+8
  Based on feedback from Jordan.
  llvm-svn: 183600
* [analyzer] Malloc checker should only escape the receiver when “[O init..]” is called. | Anna Zaks | 2013-05-31 | 1 | -29/+45
  Jordan has pointed out that it is valuable to warn in cases when the arguments to init escape. For example, NSData initWithBytes is not going to free the memory.
  llvm-svn: 183062
* [analyzer] Fix a false positive reported on rare strange code, which happens to be in JSONKit | Anna Zaks | 2013-05-31 | 1 | -0/+6
  llvm-svn: 183055
* Fix comment typo pointed out by Kim Gräsman. | Duncan Sands | 2013-05-25 | 1 | -1/+1
  llvm-svn: 182702
* Fix comment typo pointed out by maslen on IRC. | Duncan Sands | 2013-05-24 | 1 | -1/+1
  llvm-svn: 182642
* Remove unused, awkward CFGStmtVisitor and subclasses. | Jordan Rose | 2013-05-15 | 1 | -20/+17
  This class is a StmtVisitor that distinguishes between block-level and non-block-level statements in a CFG. However, it does so using a hard-coded idea of which statements might be block-level, which probably isn't accurate anymore. The only implementer of the CFGStmtVisitor hierarchy was the analyzer's DeadStoresChecker, and the analyzer creates a linearized CFG anyway (every non-trivial statement is a block-level statement).

  This also allows us to remove the block-expr map ("BlkExprMap"), which mapped statements to positions in the CFG. Apart from having a helper type that really should have just been Optional<unsigned>, it was only being used to ask /if/ a particular expression was block-level, for traversal purposes in CFGStmtVisitor.
  llvm-svn: 181945
* [analyzer] Refactor: address Jordan’s code review of r181738. | Anna Zaks | 2013-05-13 | 1 | -14/+12
  (Modifying the checker to record that the values are no longer nil will be done separately.)
  llvm-svn: 181744
* [analyzer] Warn about nil elements/keys/values in array and dictionary literals. | Anna Zaks | 2013-05-13 | 1 | -19/+76
  llvm-svn: 181738
* [analyzer] Assume [NSNull null] does not return nil. | Anna Zaks | 2013-05-10 | 1 | -1/+14
  llvm-svn: 181616
* [analyzer] Indirect invalidation counts as an escape for leak checkers. | Jordan Rose | 2013-05-10 | 2 | -5/+2
  Consider this example:

    char *p = malloc(sizeof(char));
    systemFunction(&p);
    free(p);

  In this case, when we call systemFunction, we know (because it's a system function) that it won't free 'p'. However, we /don't/ know whether or not it will /change/ 'p', so the analyzer is forced to invalidate 'p', wiping out any bindings it contains. But now the malloc'd region looks like a leak, since there are no more bindings pointing to it, and we'll get a spurious leak warning.

  The fix for this is to notice when something is becoming inaccessible due to invalidation (i.e. an imperfect model, as opposed to being explicitly overwritten) and stop tracking it at that point. Currently, the best way to determine this for a call is the "indirect escape" pointer-escape kind.

  In practice, all the patch does is take the "system functions don't free memory" special case and limit it to direct parameters, i.e. just the arguments to a call and not other regions accessible to them. This is a conservative change that should only cause us to escape regions more eagerly, which means fewer leak warnings.

  This isn't perfect for several reasons, the main one being that this example is treated the same as the one above:

    char **p = malloc(sizeof(char *));
    systemFunction(p + 1);
    // leak

  Currently, "addresses accessible by offsets of the starting region" and "addresses accessible through bindings of the starting region" are both considered "indirect" regions, hence this uniform treatment.

  Another issue is our longstanding problem of not distinguishing const and non-const bindings; if in the first example systemFunction's parameter were a char * const *, we should know that the function will not overwrite 'p', and thus we can safely report the leak.

  <rdar://problem/13758386>
  llvm-svn: 181607
* [analyzer] RetainCountChecker: don't track through xpc_connection_set_context. | Jordan Rose | 2013-05-02 | 1 | -2/+4
  It is unfortunate that we have to mark these exceptions in multiple places. This was already in CallEvent. I suppose it does let us be more precise about saying /which/ arguments have their retain counts invalidated -- the connection's is still valid even though the context object's isn't -- but we're not tracking the retain count of XPC objects anyway.

  <rdar://problem/13783514>
  llvm-svn: 180904
* [analyzer] An ObjC for-in loop runs 0 times if the collection is nil. | Jordan Rose | 2013-04-26 | 1 | -22/+65
  In an Objective-C for-in loop "for (id element in collection) {}", the loop will run 0 times if the collection is nil. This is because the for-in loop is implemented using a protocol method that returns 0 when there are no elements to iterate, and messages to nil will result in a 0 return value.

  At some point we may want to actually model this message send, but for now we may as well get the nil case correct, and avoid the false positives that would come with this case.

  <rdar://problem/13744632>
  llvm-svn: 180639
* [analyzer] Teach DeadStoreChecker to look through BO_Comma and disregard the LHS. | Anna Zaks | 2013-04-25 | 1 | -4/+10
  llvm-svn: 180579
* [analyzer] Fix a crash in RetainCountChecker - we should not rely on CallEnter::getCallExpr to return non-NULL | Anna Zaks | 2013-04-25 | 1 | -1/+1
  We get a CallEnter with a null expression, when processing a destructor. All other users of CallEnter::getCallExpr work fine with null as return value.

  (Addresses PR15832, Thanks to Jordan for reducing the test case!)
  llvm-svn: 180234
* [analyzer] IvarInvalidation: correctly handle cases where only partial invalidators exist | Anna Zaks | 2013-04-24 | 1 | -13/+34
  - If only partial invalidators exist and there are no full invalidators in @implementation, report every ivar that has not been invalidated. (Previously, we reported the first Ivar in the list, which could actually have been invalidated by a partial invalidator. The code assumed you cannot have only partial invalidators.)
  - Do not report missing invalidation method declaration if a partial invalidation method declaration exists.
  llvm-svn: 180170
* [analyzer] Set the allocation site to be the uniqueing location for retain count checker leaks. | Anna Zaks | 2013-04-23 | 1 | -2/+11
  The uniqueing location is the location which is part of the hash used to determine if two reports are the same. This is used by the CmpRuns.py script to compare two analyzer runs and determine which warnings are new.
  llvm-svn: 180166
* [analyzer] RetainCountChecker: Clean up path notes for autorelease. | Jordan Rose | 2013-04-23 | 1 | -7/+9
  No functionality change.

  <rdar://problem/13710586>
  llvm-svn: 180075
* [analyzer] Model strsep(), particularly that it returns its input. | Jordan Rose | 2013-04-22 | 1 | -0/+62
  This handles the false positive leak warning in PR15374, and also serves as a basic model for the strsep() function.
  llvm-svn: 180069
* [analyzer] Type information from C++ new expressions is perfect. | Jordan Rose | 2013-04-22 | 1 | -1/+17
  This improves our handling of dynamic_cast and devirtualization for objects allocated by 'new'.
  llvm-svn: 180051
* [analyzer] Don't warn for returning void expressions in void blocks. | Jordan Rose | 2013-04-17 | 1 | -2/+11
  This was slightly tricky because BlockDecls don't currently store an inferred return type. However, we can rely on the fact that blocks with inferred return types will have return statements that match the inferred type.

  <rdar://problem/13665798>
  llvm-svn: 179699
* [analyzer] Add experimental option "leak-diagnostics-reference-allocation". | Ted Kremenek | 2013-04-16 | 4 | -10/+81
  This is an opt-in tweak for leak diagnostics to reference the allocation site if the diagnostic consumer only wants a pithy amount of information, and not the entire path.

  This is a strawman enhancement that I expect to see some experimentation with over the next week, and can go away if we don't want it.

  Currently it is only used by RetainCountChecker, but could be used by MallocChecker if and when we decide this should stay in.
  llvm-svn: 179634