path: root/clang/lib/StaticAnalyzer/Checkers
Commit message | Author | Age | Files | Lines
...
* [analyzer]Turn on MallocSizeOfChecker by default; shorten the diagnostic | Anna Zaks | 2012-05-07 | 2 | -8/+7
  llvm-svn: 156341
* [analyzer]Fixup r156215: use StopTracking summary instead of ScratchArgs | Anna Zaks | 2012-05-07 | 1 | -4/+2
  As per Jordy's and Ted's comment, use the default StopTracking summary instead of adding all arguments to ScratchArgs. llvm-svn: 156310
* [analyzer] RetainCountChecker: Allow objects to escape through callbacks | Anna Zaks | 2012-05-04 | 1 | -8/+20
  Fixes radar://10973977. llvm-svn: 156215
* [analyzer] Allow pointers escape through calls containing callback args. | Anna Zaks | 2012-05-03 | 1 | -0/+10
  (Since we don't have a generic pointer escape callback, modify ExprEngineCallAndReturn as well as the malloc checker.) llvm-svn: 156134
* [analyzer] CString Checker: Do not split the path unless the user | Anna Zaks | 2012-05-03 | 1 | -1/+2
  specifically checks for equality to null. Enforcing this general practice, which keeps the analyzer less noisy, in the CString Checker. This change suppresses "Assigned value is garbage or undefined" warning in the added test case. llvm-svn: 156085
* [analyzer] RetainRelease: Self assignment should not suppress a leak | Anna Zaks | 2012-05-02 | 1 | -1/+5
  warning. llvm-svn: 155966
* [analyzer] Fix the 'ptr = ptr' false negative in the Malloc checker. | Anna Zaks | 2012-05-02 | 1 | -1/+16
  llvm-svn: 155963
* Teach RetainCountchecker about IORegistryEntrySearchCFProperty returning | Ted Kremenek | 2012-05-01 | 1 | -0/+1
  retained objects. I know there is an SDK enhancement request for this to have the cf_returns_retained annotation, so this is just a stop gap. llvm-svn: 155887
* malloc size checker: Ignore const'ness of pointer types when determining if | Ted Kremenek | 2012-05-01 | 1 | -1/+24
  a sizeof() type is compatible with a pointed type. Fixes <rdar://problem/11292586>. llvm-svn: 155864
* Remove the ref/value inconsistency in filter_decl_iterator. | David Blaikie | 2012-04-30 | 4 | -12/+12
  filter_decl_iterator had a weird mismatch where both op* and op-> returned T* making it difficult to generalize this filtering behavior into a reusable library of any kind. This change errs on the side of value, making op-> return T* and op* return T&. (reviewed by Richard Smith) llvm-svn: 155808
* Teach RetainCountChecker that it doesn't quite understand | Ted Kremenek | 2012-04-26 | 1 | -3/+3
  pthread_setspecific and it should just give up when it sees it. Fixes <rdar://problem/11282706>. llvm-svn: 155613
* [analyzer] Fix a false alarm in SelfInitChecker (radar://11235991). | Anna Zaks | 2012-04-16 | 1 | -5/+20
  Along with it, fix a couple of other corner cases and add more tests. llvm-svn: 154866
* [analyzer] Don't crash even when the system functions are redefined. | Anna Zaks | 2012-04-10 | 3 | -7/+72
  (Applied changes to CStringAPI, Malloc, and Taint.) This might almost never happen, but we should not crash even if it does. This fixes a crash on the internal analyzer buildbot, where postgresql's configure was redefining memmove (radar://11219852). llvm-svn: 154451
* Rework ExprEngine::evalLoad and clients (e.g. VisitBinaryOperator) so that | Ted Kremenek | 2012-04-06 | 1 | -4/+4
  when we generate a new ExplodedNode we use the same Expr* as the one being currently visited. This is preparation for transitioning to having ProgramPoints refer to CFGStmts. This required a bit of trickery. We wish to keep the old Expr* bindings in the Environment intact, as plenty of logic relies on it and there is no reason to change it, but we sometimes want the Stmt* for the ProgramPoint to be different than the Expr* being used for bindings. This requires adding an extra argument for some functions (e.g., evalLocation). This looks a bit strange for some clients, but it will look a lot cleaner when we start using CFGStmt* in the appropriate places. As some fallout, the diagnostics arrows are a bit different, since some of the node locations have changed. I have audited these, and they look reasonable. llvm-svn: 154214
* [analyzer] Check that the arguments to NSOrderedSet creation methods are | Jordy Rose | 2012-04-06 | 1 | -0/+12
  valid ObjC objects. Patch by Sean McBride! llvm-svn: 154194
* Require that all static analyzer issues have a category. As part of this | Ted Kremenek | 2012-04-05 | 12 | -13/+39
  change, consolidate some commonly used category strings into global references (more of this can be done, I just did a few). Fixes <rdar://problem/11191537>. llvm-svn: 154121
* Teach ObjCContainersChecker that the array passed to CFArrayGetValueAtIndex | Ted Kremenek | 2012-04-05 | 1 | -3/+6
  might not be a symbolic value. llvm-svn: 154083
* Look through chains of 'x = y = z' when employing silencing heuristics in | Ted Kremenek | 2012-04-04 | 1 | -8/+30
  the DeadStoresChecker. Fixes <rdar://problem/11185138>. llvm-svn: 154040
* Include the "issue context" (e.g. function or method) where a static | Ted Kremenek | 2012-04-04 | 15 | -49/+68
  analyzer issue occurred in the plist output. Fixes <rdar://problem/11004527> llvm-svn: 154030
* Analyzer: Store BugReports directly in an ilist instead of adding another | Benjamin Kramer | 2012-04-01 | 1 | -1/+1
  layer of indirection with std::list llvm-svn: 153847
* [analyzer]Malloc,RetainRelease: Allow pointer to escape via NSMapInsert. | Anna Zaks | 2012-03-30 | 2 | -0/+12
  Fixes a false positive (radar://11152419). The current solution of adding the info into 3 places is quite ugly. Pending a generic pointer escapes callback. llvm-svn: 153731
* [analyzer] Refactor: Use Decl when determining if the Block belongs to | Anna Zaks | 2012-03-28 | 1 | -7/+6
  the root function. (This is a bit cleaner than using the StackFrame.) llvm-svn: 153580
* [analyzer] Stats checker: minor interprocedural tweaks. | Anna Zaks | 2012-03-27 | 1 | -15/+20
  Report root function name with exhausted block diagnostic. Also, use stack frames, not just any location context when checking if the basic block is in the same context. llvm-svn: 153532
* Change RetainCountChecker to eagerly "escape" retained objects when they are | Ted Kremenek | 2012-03-27 | 1 | -0/+6
  assigned to a struct. This is fallout from inlining results, which expose far more patterns where people stuff CF objects into structs and pass them around (and we can reason about it). The problem is that we don't have a general way to detect when values have escaped, so as an intermediate step we need to eagerly prune out such tracking. Fixes <rdar://problem/11104566>. llvm-svn: 153489
* [analyzer] Malloc: Allow a pointer to escape through OSAtomicEnqueue. | Anna Zaks | 2012-03-26 | 1 | -1/+2
  llvm-svn: 153453
* [analyzer] Tighten up the realloc() failure path note generation...make sure | Jordy Rose | 2012-03-24 | 1 | -22/+31
  we get the right realloc()! llvm-svn: 153370
* [analyzer] Restart path diagnostic generation if any of the visitors change | Jordy Rose | 2012-03-24 | 1 | -4/+0
  the report configuration while walking the path. This required adding a change count token to BugReport, but also allowed us to ditch ImmutableList as the BugReporterVisitor data type. Also, remove the hack from MallocChecker, now that visitors appear in the opposite order. This is not exactly a fix, but the common case -- custom diagnostics after generic ones -- is now the default behavior. llvm-svn: 153369
* [analyzer] Add a clone() method to BugReporterVisitor, so that we'll be able | Jordy Rose | 2012-03-24 | 3 | -3/+13
  to reset diagnostic generation. llvm-svn: 153368
* Avoid applying retain/release effects twice in RetainCountChecker when a | Ted Kremenek | 2012-03-23 | 1 | -0/+3
  function call was inlined (i.e., we do not need to apply summaries in such cases). llvm-svn: 153309
* corrected check::EndOfTranslationUnit checker name and added 'const' to | Anton Yartsev | 2012-03-23 | 1 | -3/+3
  declaration llvm-svn: 153302
* [analyzer] Add stats useful for coverage investigations. | Anna Zaks | 2012-03-22 | 1 | -0/+10
  llvm-svn: 153280
* [analyzer] Add inlining awareness to the block coverage computation | Anna Zaks | 2012-03-22 | 1 | -5/+12
  (Stats Checker). llvm-svn: 153279
* "Teach" RetainCountChecker about dispatch_set_context, which can indirectly | Ted Kremenek | 2012-03-22 | 1 | -0/+8
  free its argument later. Fixes <rdar://problem/11059275>. llvm-svn: 153244
* [analyzer] Malloc: drop symbols captured by blocks. | Anna Zaks | 2012-03-22 | 1 | -0/+42
  llvm-svn: 153232
* Remove unused variable, fix indentation. | Benjamin Kramer | 2012-03-21 | 1 | -7/+5
  llvm-svn: 153220
* [analyzer] Malloc: Utter the name of the leaked variable. | Anna Zaks | 2012-03-21 | 1 | -10/+39
  Specifically, we use the last store of the leaked symbol in the leak diagnostic. (No support for struct fields since the malloc checker doesn't track those yet.)
  + Infrastructure to track the regions used in store evaluations. This approach is more precise than iterating the store to obtain the region bound to the symbol, which is used in RetainCount checker. The region corresponds to what is uttered in the code in the last store and we do not rely on the store implementation to support this functionality.
  llvm-svn: 153212
* [analyser] Factor out FindUniqueBinding from RetainCount checker. | Anna Zaks | 2012-03-21 | 1 | -33/+1
  So that others could use it as well. No functionality change. llvm-svn: 153211
* [analyzer] Mark a failed-realloc's result as an interesting symbol between | Jordy Rose | 2012-03-18 | 1 | -3/+27
  the realloc call and the null check, so we get nicer path notes. Fixes a regression introduced by the diagnostic pruning added in r152361. This is accomplished by calling markInteresting /during/ path diagnostic generation, and as such relies on deterministic ordering of BugReporterVisitors -- namely, that BugReporterVisitors are run in /reverse/ order from how they are added. (Right now that's a consequence of storing visitors in an ImmutableList, where new items are added to the front.) It's a little hacky, but it works for now. I think this is the best we can do without storing the relation between the old and new symbols, and that would be a hit whether or not there ends up being an error. llvm-svn: 153010
* [analyzer] Use a FoldingSet to cache simple RetainSummary instances, rather | Jordy Rose | 2012-03-18 | 1 | -40/+58
  than explicitly keeping DoNothing and StopTracking summaries and nothing else. I tried to test the effects of this change on memory usage and run time, but what I saw on retain-release.m was indistinguishable from noise (debug and release builds). Even so, some caveman profiling showed 101 cache hits that we would have generated new summaries for before (i.e. not default or stop summaries), and the more code we analyze, the more memory we should save. Maybe we should have a standard project for benchmarking the retain count checker's memory and time? llvm-svn: 153007
* [analyzer] Unify retain-count summary generation for class and instance | Jordy Rose | 2012-03-17 | 1 | -53/+26
  methods. No functionality change. llvm-svn: 153001
* [analyzer] Remove duplicate work on deriving method behavior. No | Jordy Rose | 2012-03-17 | 1 | -83/+74
  functionality change. The cocoa::deriveNamingConventions helper is just using method families anyway now, and the way RetainSummaryTemplate works means we're allocating an extra summary for every method with a relevant family. Also, fix RetainSummaryTemplate to do the right thing w/r/t annotating an /existing/ summary. This was probably the real cause of <rdar://problem/10824732> and the fix in r152448. llvm-svn: 152998
* [analyzer] Don't claim an object was returned with +1 retain count before | Jordy Rose | 2012-03-17 | 1 | -4/+8
  counting autoreleases. Fixes PR10376. (Also, 80-column violations.) llvm-svn: 152976
* [analyzer] Shorten the stack hint diagnostic. | Anna Zaks | 2012-03-16 | 1 | -6/+9
  Do not display the standard "Returning from 'foo'", when a stack hint is available. llvm-svn: 152964
* [analyzer] Create symbol-aware stack hints (building upon r152837). | Anna Zaks | 2012-03-16 | 1 | -7/+31
  The symbol-aware stack hint combines the checker-provided message with the information about how the symbol was passed to the callee: as a parameter or a return value. For malloc, the generated messages look like this:
    "Returning from 'foo'; released memory via 1st parameter"
    "Returning from 'foo'; allocated memory via 1st parameter"
    "Returning from 'foo'; allocated memory returned"
    "Returning from 'foo'; reallocation of 1st parameter failed"
  (We are yet to handle cases when the symbol is a field in a struct or an array element.)
  llvm-svn: 152962
* [analyzer] Allow checkers to supply call stack diagnostic hints for the | Anna Zaks | 2012-03-15 | 1 | -4/+11
  BugVisitor DiagnosticPieces. When checkers create a DiagnosticPieceEvent, they can supply an extra string, which will be concatenated with the call exit message for every call on the stack between the diagnostic event and the final bug report. (This is a simple version, which could be/will be further enhanced.) For example, this is used in Malloc checker to produce the ", which allocated memory" in the following example:

    static char *malloc_wrapper() { // 2. Entered call from 'use'
      return malloc(12);    // 3. Memory is allocated
    }

    void use() {
      char *v;
      v = malloc_wrapper(); // 1. Calling 'malloc_wrapper'
      // 4. Returning from 'malloc_wrapper', which allocated memory
    }                       // 5. Memory is never released; potential memory leak

  llvm-svn: 152837
* Unify naming of LangOptions variable/get function across the Clang stack | David Blaikie | 2012-03-11 | 6 | -15/+15
  (Lex to AST). The member variable is always "LangOpts" and the member function is always "getLangOpts". Reviewed by Chris Lattner llvm-svn: 152536
* [analyzer] Replace a static helper with existing logic. No functionality change. | Jordy Rose | 2012-03-11 | 1 | -26/+18
  llvm-svn: 152521
* Remove BlockDeclRefExpr and introduce a bit on DeclRefExpr to | John McCall | 2012-03-10 | 2 | -5/+4
  track whether the referenced declaration comes from an enclosing local context. I'm amenable to suggestions about the exact meaning of this bit. llvm-svn: 152491
* Teach RetainCountChecker about mixing method families with explicit | Ted Kremenek | 2012-03-09 | 1 | -0/+30
  annotations. Fixes <rdar://problem/10824732>. llvm-svn: 152448
* [analyzer] Implement basic path diagnostic pruning based on "interesting" | Ted Kremenek | 2012-03-09 | 17 | -36/+84
  symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361