| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
Currently clang static analyzer does warn on:
```
int x;
x+=1;
x-=1;
x=x+1;
x=x-1;
```
But does warn on:
```
int x;
x++;
x--;
--x;
++x;
```
This differential should fix that.
Fixes https://bugs.llvm.org/show_bug.cgi?id=35419
Reviewers: dcoughlin, NoQ
Reviewed By: dcoughlin
Subscribers: NoQ, xazax.hun, szepet, cfe-commits, a.sidorin
Tags: #clang
Differential Revision: https://reviews.llvm.org/D40463
llvm-svn: 319411
|
| |
|
|
|
|
|
|
|
|
| |
Teach the retain-count checker that CoreMedia reference types use
CoreFoundation-style reference counting. This enables the checker
to catch leaks and over releases of those types.
rdar://problem/33599757
llvm-svn: 318979
|
| |
|
|
|
|
|
|
|
|
|
| |
This diff extends StackAddrEscapeChecker
to catch stack addresses leaks via block captures
if the block is executed asynchronously or
returned from a function.
Differential revision: https://reviews.llvm.org/D39438
llvm-svn: 318705
|
| |
|
|
|
|
| |
warnings.
llvm-svn: 318371
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reviewers: rsmith, sfantao, mcrosier
Reviewed By: mcrosier
Subscribers: jholewinski, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D39915
llvm-svn: 318074
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ObjCGenerics checker warns on a cast when there is no subtyping relationship
between the tracked type of the value and the destination type of the cast. It
does this even if the cast was explicitly written. This means the user can't
write an explicit cast to silence the diagnostic.
This commit treats explicit casts involving generic types as an indication from
the programmer that the Objective-C type system is not rich enough to express
the needed invariant. On explicit casts, the checker now removes any existing
information inferred about the type arguments. Further, it no longer assumes
the casted-to specialized type because the invariant the programmer specifies
in the cast may only hold at a particular program point and not later ones. This
prevents a suppressing cast from requiring a cascade of casts down the
line.
rdar://problem/33603303
Differential Revision: https://reviews.llvm.org/D39711
llvm-svn: 318054
|
| |
|
|
|
|
|
|
|
|
|
| |
Do not crash when trying to define and call a non-standard
strcpy(unsigned char *, unsigned char *) during analysis.
At the same time, do not try to actually evaluate the call.
Differential Revision: https://reviews.llvm.org/D39422
llvm-svn: 317565
|
| |
|
|
|
|
|
|
|
|
| |
The analyzer did not return an UndefVal in case a negative value was left
shifted. I also altered the UndefResultChecker to emit a clear warning in this
case.
Differential Revision: https://reviews.llvm.org/D39423
llvm-svn: 316924
|
| |
|
|
|
|
|
|
|
|
| |
Extend ExprInspection checker to make it possible to dump the issue hash of
arbitrary expressions. This change makes it possible to make issue hash related
tests more concise and also makes debugging issue hash related problems easier.
Differential Revision: https://reviews.llvm.org/D38844
llvm-svn: 316899
|
| |
|
|
|
|
|
|
|
|
| |
checker
A patch by zdtorok (Zoltán Dániel Török)!
Differential Revision: https://reviews.llvm.org/D33729
llvm-svn: 316892
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Added new enum in order to differentiate the warning messages on "misusing" into
3 categories: function calls, moving an object, copying an object. (At the
moment the checker gives the same message in case of copying and moving.)
Additional test cases added as well.
Differential Revision: https://reviews.llvm.org/D38674
llvm-svn: 316852
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
handling method calls on base-class sub-objects
An earlier solution from Artem r315301 solves the reset problem, however, the
reports should be handled the same way in case of method calls. We should not
just report the base class of the object where the method was defined but the
whole object.
Fixed false positive which came from not removing the subobjects in case of a
state-resetting function. (Just replaced the State->remove(...) call to
removeFromState(..) which was defined exactly for that purpose.)
Some minor typos fixed in this patch as well which did not worth a whole new
patch in my opinion, so included them here.
Differential Revision: https://reviews.llvm.org/D31538
llvm-svn: 316850
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The checker used to crash when a mempcpy's length argument is symbolic. In this
case the cast from 'void *' to 'char *' failed because the respective
ElementRegion that represents cast is hard to add on top of the existing
ElementRegion that represents the offset to the last copied byte, while
preseving a sane memory region structure.
Additionally, a few test cases are added (to casts.c) which demonstrate problems
caused by existing sloppy work we do with multi-layer ElementRegions. If said
cast would be modeled properly in the future, these tests would need to be
taken into account.
Differential Revision: https://reviews.llvm.org/D38797
llvm-svn: 315742
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It is not uncommon for the users to make their own wrappers around
CoreFoundation's CFRetain and CFRelease functions that are defensive
against null references. In such cases CFRetain is often incorrectly
marked as CF_RETURNS_RETAINED. Ignore said annotation and treat such
wrappers similarly to the regular CFRetain.
rdar://problem/31699502
Differential Revision: https://reviews.llvm.org/D38877
llvm-svn: 315736
|
| |
|
|
|
|
| |
Differential Revision: https://reviews.llvm.org/D38867
llvm-svn: 315655
|
| |
|
|
| |
llvm-svn: 315492
|
| |
|
|
|
|
| |
Differential Revision: https://reviews.llvm.org/D38764
llvm-svn: 315488
|
| |
|
|
|
|
| |
Differential Revision: https://reviews.llvm.org/D30295
llvm-svn: 315462
|
| |
|
|
|
|
|
|
|
|
|
| |
If a method is resetting the state of an object that was moved from, it should
be safe to use this object again. However if the method was defined in a parent
class, but used in a child class, the reset didn't happen from the checker's
perspective.
Differential Revision: https://reviews.llvm.org/D31538
llvm-svn: 315301
|
| |
|
|
|
|
|
|
|
| |
This method injects additional information into program state dumps,
describing which objects have been moved from.
Differential Revision: https://reviews.llvm.org/D31541
llvm-svn: 315300
|
| |
|
|
|
|
|
|
|
| |
This method injects additional information into program state dumps,
describing states of mutexes tracked by the checker.
Differential Revision: https://reviews.llvm.org/D37805
llvm-svn: 315298
|
| |
|
|
|
|
|
|
|
| |
Fixes the test failure: temporary is now bound to std::string, tests
fully pass on Linux.
This reverts commit b36ee0924038e1d95ea74230c62d46e05f80587e.
llvm-svn: 314859
|
| |
|
|
|
|
|
|
| |
The test retain-release.m fails with this patch.
Differential Revision: https://reviews.llvm.org/D38487
llvm-svn: 314831
|
| |
|
|
|
|
|
|
|
| |
Only assume that IOBSDNameMatching and friends increment a reference counter
if their return type is a CFMutableDictionaryRef.
Differential Revision: https://reviews.llvm.org/D38487
llvm-svn: 314820
|
| |
|
|
|
|
|
|
| |
Patch by: Reka Nikolett Kovacs
Differential Revision: https://reviews.llvm.org/D35796
llvm-svn: 313973
|
| |
|
|
|
|
| |
Differential Revision: https://reviews.llvm.org/D37978
llvm-svn: 313866
|
| |
|
|
|
|
| |
https://reviews.llvm.org/D37908
llvm-svn: 313385
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The implementation is in AnalysisDeclContext.cpp and the class is called
AnalysisDeclContext.
Making those match up has numerous benefits, including:
- Easier jump from header to/from implementation.
- Easily identify filename from class.
Differential Revision: https://reviews.llvm.org/D37500
llvm-svn: 312671
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
So far we used a value of 10 which was useful for testing but produces many false-positives in real programs. The usual suspicious clones we find seem to be at around a complexity value of 70 and for normal clone-reporting everything above 50 seems to be a valid normal clone for users, so let's just go with 50 for now and set this as the new default value.
This patch also explicitly sets the complexity value for the regression tests as they serve more of a regression testing/debugging purpose and shouldn't really be reported by default in real programs. I'll add more tests that reflect actual found bugs that then need to pass with the default setting in the future.
Reviewers: NoQ
Subscribers: cfe-commits, javed.absar, xazax.hun, v.g.vassilev
Differential Revision: https://reviews.llvm.org/D34178
llvm-svn: 312468
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
This patch aims at optimizing the CloneChecker for larger programs. Before this
patch we took around 102 seconds to analyze sqlite3 with a complexity value of
50. After this patch we now take 2.1 seconds to analyze sqlite3.
The biggest performance optimization is that we now put the constraint for group
size before the constraint for the complexity. The group size constraint is much
faster in comparison to the complexity constraint as it only does a simple
integer comparison. The complexity constraint on the other hand actually
traverses each Stmt and even checks the macro stack, so it is obviously not able
to handle larger amounts of incoming clones. The new order filters out all the
single-clone groups that the type II constraint generates in a faster way before
passing the fewer remaining clones to the complexity constraint. This reduced
runtime by around 95%.
The other change is that we also delay the verification part of the type II
clones back in the chain of constraints. This required to split up the
constraint into two parts - a verification and a hash constraint (which is also
making it more similar to the original design of the clone detection algorithm).
The reasoning for this is the same as before: The verification constraint has to
traverse many statements and shouldn't be at the start of the constraint chain.
However, as the type II hashing has to be the first step in our algorithm, we
have no other choice but split this constrain into two different ones. Now our
group size and complexity constrains filter out a chunk of the clones before
they reach the slow verification step, which reduces the runtime by around 8%.
I also kept the full type II constraint around - that now just calls it's two
sub-constraints - in case someone doesn't care about the performance benefits
of doing this.
Reviewers: NoQ
Reviewed By: NoQ
Subscribers: klimek, v.g.vassilev, xazax.hun, cfe-commits
Differential Revision: https://reviews.llvm.org/D34182
llvm-svn: 312222
|
| |
|
|
|
|
|
|
|
|
| |
path-sensitive way
Patch by: Xin Wang
Differential Revision: https://reviews.llvm.org/D34275
llvm-svn: 311877
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds the functionality of performing reference counting on the
callee side for Integer Set Library (ISL) to Clang Static Analyzer's
RetainCountChecker.
Reference counting on the callee side can be extensively used to perform
debugging within a function (For example: Finding leaks on error paths).
Patch by Malhar Thakkar!
Differential Revision: https://reviews.llvm.org/D36441
llvm-svn: 311063
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Example:
#define MACRO(C) if (C) { static int x; .. }
void foo() {
MACRO(0);
}
Differential Revision: https://reviews.llvm.org/D36141
llvm-svn: 309799
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This feature allows the analyzer to consider loops to completely unroll.
New requirements/rules (for unrolling) can be added easily via ASTMatchers.
Right now it is hidden behind a flag, the aim is to find the correct heuristic
and create a solution which results higher coverage % and more precise
analysis, thus can be enabled by default.
Right now the blocks which belong to an unrolled loop are marked by the
LoopVisitor which adds them to the ProgramState.
Then whenever we encounter a CFGBlock in the processCFGBlockEntrance which is
marked then we skip its investigating. That means, it won't be considered to
be visited more than the maximal bound for visiting since it won't be checked.
llvm-svn: 309006
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a 'Generalized' object kind to the retain-count checker and suitable
generic diagnostic text for retain-count diagnostics involving those objects.
For now the object kind is introduced in summaries by 'annotate' attributes.
Once we have more experience with these annotations we will propose explicit
attributes.
Patch by Malhar Thakkar!
Differential Revision: https://reviews.llvm.org/D35613
llvm-svn: 308990
|
| |
|
|
|
|
|
|
| |
Bitrig code has been merged back to OpenBSD, thus the OS has been abandoned.
Differential Revision: https://reviews.llvm.org/D35708
llvm-svn: 308797
|
| |
|
|
|
|
|
|
|
|
| |
bound option"
Revert r308561 and r308558.
Clang-ppc64be-linux seems to crash while running the test cases.
llvm-svn: 308592
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
requirements/rules (for unrolling) can be added easily via ASTMatchers.
The current implementation is hidden behind a flag.
Right now the blocks which belong to an unrolled loop are marked by the
LoopVisitor which adds them to the ProgramState. Then whenever we encounter a
CFGBlock in the processCFGBlockEntrance which is marked then we skip its
investigating. That means, it won't be considered to be visited more than the
maximal bound for visiting since it won't be checked.
Differential Revision: https://reviews.llvm.org/D34260
llvm-svn: 308558
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support to the retain-count checker for an annotation indicating that a
function's implementation should be trusted by the retain count checker.
Functions with these attributes will not be inlined and the arguments will
be treating as escaping.
Adding this annotation avoids spurious diagnostics when the implementation of
a reference counting operation is visible but the analyzer can't reason
precisely about the ref count.
Patch by Malhar Thakkar!
Differential Revision: https://reviews.llvm.org/D34937
llvm-svn: 308416
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was already a returns_localized_nsstring annotation to indicate
that the return value could be passed to UIKit methods that would
display them. However, those UIKit methods were hard-coded, and it was
not possible to indicate that other classes/methods in a code-base would
do the same.
The takes_localized_nsstring annotation can be put on function
parameters and selector parameters to indicate that those will also show
the string to the user.
Differential Revision: https://reviews.llvm.org/D35186
llvm-svn: 308012
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a new checker package. It contains checkers that highlight
well-documented implementation-defined behavior. Such checkers are only useful
to developers that intend to write portable code. Code that is only compiled for
a single platform should be allowed to rely on this platform's specific
documented behavior.
rdar://problem/30545046
Differential Revision: https://reviews.llvm.org/D34102
llvm-svn: 306396
|
| |
|
|
|
|
|
|
| |
with builtin assume
Differential Revision: https://reviews.llvm.org/D34502
llvm-svn: 305991
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add support for new methods that were added in macOS High Sierra & iOS 11
and require a localized string.
Patch by Kulpreet Chilana!
rdar://problem/32795210
Differential Revision: https://reviews.llvm.org/D34266
llvm-svn: 305896
|
| |
|
|
|
|
|
|
|
|
|
|
| |
generated files
Reviewers: v.g.vassilev, teemperor
Reviewed By: teemperor
Differential Revision: https://reviews.llvm.org/D34353
llvm-svn: 305774
|
| |
|
|
|
|
|
|
|
|
| |
Reviewers: dcoughlin, zaks.anna, NoQ, danielmarjamaki
Reviewed By: NoQ, danielmarjamaki
Differential Revision: https://reviews.llvm.org/D31868
llvm-svn: 305773
|
| |
|
|
|
|
|
|
|
|
| |
Reviewers: v.g.vassilev, zaks.anna, NoQ, teemperor
Reviewed By: v.g.vassilev, zaks.anna, NoQ, teemperor
Differential Revision: https://reviews.llvm.org/D31320
llvm-svn: 305659
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Nullable-to-nonnull checks used to crash when the custom bug visitor was trying
to add its notes to autosynthesized accessors of Objective-C properties.
Now we avoid this, mostly automatically outside of checker control, by
moving the diagnostic to the parent stack frame where the accessor has been
called.
Differential revision: https://reviews.llvm.org/D32437
llvm-svn: 304710
|
| |
|
|
| |
llvm-svn: 304644
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The analyzer's taint analysis can now reason about structures or arrays
originating from taint sources in which only certain sections are tainted.
In particular, it also benefits modeling functions like read(), which may
read tainted data into a section of a structure, but RegionStore is incapable of
expressing the fact that the rest of the structure remains intact, even if we
try to model read() directly.
Patch by Vlad Tsyrklevich!
Differential revision: https://reviews.llvm.org/D28445
llvm-svn: 304162
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new checker currently contains the very core infrastructure for tracking
the state of iterator-type objects in the analyzer: relating iterators to
their containers, tracking symbolic begin and end iterator values for
containers, and solving simple equality-type constraints over iterators.
A single specific check over this infrastructure is capable of finding usage of
out-of-range iterators in some simple cases.
Patch by Ádám Balogh!
Differential revision: https://reviews.llvm.org/D32592
llvm-svn: 304160
|
