path: root/clang/lib/StaticAnalyzer/Checkers
...
* [analyzer] Prevent AnalyzerStatsChecker from crash (Peter Szecsi, 2018-02-21; 1 file, -0/+2)
  The checker marks the locations where the analyzer creates sinks. However, it can happen that the sink was created because of a loop which does not contain a condition statement, only breaks in the body. The exhausted block is the block which should contain the condition but is empty, in this case. This change only emits this marking in order to avoid the undefined behavior.
  Differential Revision: https://reviews.llvm.org/D42266
  llvm-svn: 325693

* Teach Wreturn-type, Wunreachable-code, and alpha.deadcode.UnreachableCode to treat __assume(0) like __builtin_unreachable. (Nico Weber, 2018-02-13; 1 file, -1/+2)
  Fixes PR29134.
  https://reviews.llvm.org/D43221
  llvm-svn: 325052

* [analyzer] Add missing pre-post-statement callbacks for OffsetOfExpr. (Artem Dergachev, 2018-02-10; 1 file, -0/+12)
  This expression may or may not be evaluated in compile time, so tracking the result symbol is of potential interest. However, run-time offsetof is not yet supported by the analyzer, so for now this callback is only there to assist future implementation.
  Patch by Henry Wong!
  Differential Revision: https://reviews.llvm.org/D42300
  llvm-svn: 324790

* [analyzer] Add support for __builtin_constant_p. (Artem Dergachev, 2018-02-10; 1 file, -1/+2)
  This builtin is evaluated in compile time. But in the analyzer we don't yet automagically evaluate all calls that can be evaluated in compile time.
  Patch by Felix Kostenzer!
  Differential Revision: https://reviews.llvm.org/D42745
  llvm-svn: 324789

* [analyzer] MallocChecker: Fix one more bug category. (Artem Dergachev, 2018-02-08; 1 file, -2/+2)
  Even though most of the inconsistencies in MallocChecker's bug categories were fixed in r302016, one more was introduced in r301913 which was later missed.
  Patch by Henry Wong!
  Differential Revision: https://reviews.llvm.org/D43074
  llvm-svn: 324680

* Revert r324166 "[analyzer] Add a checker for mmap()...". (Artem Dergachev, 2018-02-03; 2 files, -76/+0)
  Due to Buildbot failures - most likely that's because target triples were not specified in the tests, even though the checker behaves differently with different target triples.
  llvm-svn: 324167

* [analyzer] Add a checker for mmap()s which are both writable and executable. (Artem Dergachev, 2018-02-03; 2 files, -0/+76)
  This is a security check which is disabled by default but will be enabled whenever the user consciously enables the security package. If mmap()ed memory is both writable and executable, it makes it easier for the attacker to execute arbitrary code when contents of this memory are compromised. Some applications require such mmap()s though, such as different sorts of JIT.
  Patch by David Carlier!
  Differential Revision: https://reviews.llvm.org/D42645
  llvm-svn: 324166
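Added example (C; written for this page, not part of the commit or of the checker's own code): the mmap() shape that the new check flags, beside the W^X alternative a JIT would use instead, mapping the region writable, filling it, then switching it to read-execute with mprotect() so the bytes are never writable and executable at the same time. prot_is_wx() mirrors the checker's condition on the protection flags. The stub bytes are constructed and are never executed; the example assumes a POSIX system with mmap()/mprotect() and MAP_ANONYMOUS.

```c
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Mirrors the checker's condition: a mapping requested writable and
 * executable at once. Pure function so it is testable without mapping. */
int prot_is_wx(int prot) {
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

/* The flagged pattern: one RWX anonymous mapping. Any bug that lets an
 * attacker write into this region hands them directly executable bytes. */
void *jit_alloc_rwx(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* W^X alternative: map RW, copy the code in, flip to RX before anything may
 * jump into it. The region is never W and X simultaneously. */
void *jit_alloc_wxorx(const unsigned char *code, size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return NULL;
    }
    return p;
}

/* Constructed stand-in for emitted machine code; never executed here. */
static const unsigned char kStub[4] = {0xC3, 0x90, 0x90, 0x90};

/* Returns 1 if the W^X path produced a readable RX copy of kStub. */
int wxorx_roundtrip(void) {
    void *p = jit_alloc_wxorx(kStub, sizeof kStub);
    if (!p) return 0;
    int ok = memcmp(p, kStub, sizeof kStub) == 0;
    munmap(p, sizeof kStub);
    return ok;
}
```

Only jit_alloc_wxorx() is exercised below; jit_alloc_rwx() is kept as the shape the checker reports, and on hardened kernels (SELinux execmem denial, PaX MPROTECT) that call may itself fail, which is the point of the policy the check enforces.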
* [analyzer] Expose return statement from CallExit program point (George Karpenkov, 2018-02-02; 1 file, -1/+8)
  If the return statement is stored, we might as well allow querying against it. Also fix the bug where the return statement is not stored if there is no return value. This change un-merges two ExplodedNodes during call exit when the state is otherwise identical - the CallExitBegin node itself and the "Bind Return Value"-tagged node. And expose the return statement through getStatement helper function.
  Differential Revision: https://reviews.llvm.org/D42130
  llvm-svn: 324052

* [NFC] fix trivial typos in comments and documents (Hiroshi Inoue, 2018-01-26; 1 file, -1/+1)
  "in in" -> "in", "on on" -> "on" etc.
  llvm-svn: 323509

* [analyzer] Model and check unrepresentable left shifts (Gabor Horvath, 2018-01-22; 1 file, -0/+22)
  Patch by: Reka Nikolett Kovacs
  Differential Revision: https://reviews.llvm.org/D41816
  llvm-svn: 323115

* [NFC] fix trivial typos in comments (Hiroshi Inoue, 2018-01-22; 2 files, -2/+2)
  "the the" -> "the"
  llvm-svn: 323078

* [analyzer] Provide a check name when MallocChecker enables CStringChecker (Devin Coughlin, 2018-01-20; 1 file, -1/+11)
  Fix an assertion failure caused by a missing CheckName. The malloc checker enables "basic" support in the CStringChecker, which causes some CString bounds checks to be enabled. In this case, make sure that we have a valid CheckName for the BugType.
  llvm-svn: 323052

* [analyzer] NFC: RetainCount: Protect from dumping raw region to path notes. (Artem Dergachev, 2018-01-18; 1 file, -2/+8)
  MemRegion::getString() is a wrapper around MemRegion::dump(), which is not user-friendly and should never be used for diagnostic messages. Actual cases where raw dumps were reaching the user were unintentionally fixed in r315736; these were noticed accidentally and shouldn't be reproducible anymore. For now RetainCountChecker only tracks pointers through variable regions, and for those dumps are "fine". However, we should still use a less dangerous method for producing our path notes. This patch replaces the dump with printing a variable name, asserting that this is indeed a variable.
  Differential Revision: https://reviews.llvm.org/D42015
  llvm-svn: 322799

* [analyzer] operator new: Fix callback order for CXXNewExpr. (Artem Dergachev, 2018-01-18; 1 file, -0/+41)
  PreStmt<CXXNewExpr> was never called. Additionally, under c++-allocator-inlining=true, PostStmt<CXXNewExpr> was called twice when the allocator was inlined: once after evaluating the new-expression itself, once after evaluating the allocator call which, for the lack of better options, uses the new-expression as the call site. This patch fixes both problems.
  Differential Revision: https://reviews.llvm.org/D41934
  rdar://problem/12180598
  llvm-svn: 322797

* [analyzer] operator new: Add a new checker callback, check::NewAllocator. (Artem Dergachev, 2018-01-17; 2 files, -25/+72)
  The callback runs after operator new() and before the construction and allows the checker to access the casted return value of operator new() (in the sense of r322780) which is not available in the PostCall callback for the allocator call. Update MallocChecker to use the new callback instead of PostStmt<CXXNewExpr>, which gets called after the constructor.
  Differential Revision: https://reviews.llvm.org/D41406
  rdar://problem/12180598
  llvm-svn: 322787

* [analyzer] introduce getSVal(Stmt *) helper on ExplodedNode, make sure the helper is used consistently (George Karpenkov, 2018-01-17; 33 files, -145/+97)
  In most cases using `N->getState()->getSVal(E, N->getLocationContext())` is ugly, verbose, and also opens up more surface area for bugs if an inconsistent location context is used. This patch introduces a helper on an exploded node, and ensures consistent usage of either `ExplodedNode::getSVal` or `CheckContext::getSVal` across the codebase. As a result, a large number of redundant lines is removed.
  Differential Revision: https://reviews.llvm.org/D42155
  llvm-svn: 322753

* [analyzer] Make isSubRegionOf reflexive (George Karpenkov, 2018-01-17; 1 file, -2/+0)
  All usages of isSubRegionOf separately check for the reflexive case, and in any case, set theory tells us that each set is a subset of itself.
  Differential Revision: https://reviews.llvm.org/D42140
  llvm-svn: 322752

* [analyzer] Don't flag strcpy of string literals into sufficiently large buffers. (Artem Dergachev, 2018-01-12; 1 file, -0/+11)
  In the security package, we have a simple syntactic check that warns about strcpy() being insecure, due to potential buffer overflows. Suppress that check's warning in the trivial situation when the source is an immediate null-terminated string literal and the target is an immediate sufficiently large buffer.
  Patch by András Leitereg!
  Differential Revision: https://reviews.llvm.org/D41384
  llvm-svn: 322410
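Added example (C; illustration written for this page, not the checker's code): the shape of the case the commit stops flagging, an immediate string literal copied into an array whose size is known to be enough for it plus the terminator, next to the bounded copy that a non-literal source should get instead, since the syntactic check keeps firing for those. literal_fits() and bounded_copy() are hypothetical helpers named here for the illustration, and the inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* The condition under which the strcpy() warning is now suppressed, stated
 * on sizes: the literal plus its NUL fits in the destination array. */
int literal_fits(size_t dst_size, const char *literal) {
    return strlen(literal) + 1 <= dst_size;
}

/* Accepted form: literal into an array of known size, 13 bytes (with NUL)
 * into 16. The analyzer can prove this syntactically. */
void fill_greeting(char out[16]) {
    strcpy(out, "hello, world");
}

/* For a non-literal source the check still fires; the replacement copies
 * with an explicit bound, always NUL-terminates, and reports truncation
 * instead of running past the end of dst. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;                 /* truncated, caller decides what to do */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Length of the literal after the accepted copy (12 characters). */
size_t greeting_len(void) {
    char buf[16];
    fill_greeting(buf);
    return strlen(buf);
}

/* bounded_copy() on a constructed oversize input into an 8-byte buffer:
 * returns the resulting length (7) when truncation was reported. */
size_t truncation_demo(void) {
    char buf[8];
    int rc = bounded_copy(buf, sizeof buf, "constructed-long-input");
    return rc == -1 ? strlen(buf) : 0;
}
```

The suppression is deliberately narrow: a literal whose length the analyzer can see and an array whose bound it can see. Anything computed, including a literal copied through a pointer parameter, is outside it and still reported.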
* [analyzer] Fix some check's output plist not containing the check name (Gabor Horvath, 2018-01-06; 2 files, -8/+17)
  Differential Revision: https://reviews.llvm.org/D41538
  llvm-svn: 321933

* Re-commit r321223, which adds a printing policy to the ASTDumper. (Aaron Ballman, 2017-12-21; 1 file, -328/+330)
  This allows you to dump C++ code that spells bool instead of _Bool, leaves off the elaborated type specifiers when printing struct or class names, and other C-isms. Fixes the -Wreorder issue and fixes the ast-dump-color.cpp test.
  llvm-svn: 321310

* Reverting r321223 and its follow-up commit because of failing bots due to Misc/ast-dump-color.cpp. (Aaron Ballman, 2017-12-20; 1 file, -330/+328)
  llvm-svn: 321229

* Add a printing policy to the ASTDumper. (Aaron Ballman, 2017-12-20; 1 file, -328/+330)
  This allows you to dump C++ code that spells bool instead of _Bool, leaves off the elaborated type specifiers when printing struct or class names, and other C-isms.
  llvm-svn: 321223

* [analyzer] Fix a crash during C++17 aggregate construction of base objects. (Artem Dergachev, 2017-12-20; 1 file, -2/+14)
  Since C++17, classes that have base classes can potentially be initialized as aggregates. Trying to construct such objects through brace initialization was causing the analyzer to crash when the base class has a non-trivial constructor, while figuring target region for the base class constructor, because the parent stack frame didn't contain the constructor of the subclass, because there is no constructor for subclass, merely aggregate initialization. This patch avoids the crash, but doesn't provide the actually correct region for the constructor, which still remains to be fixed. Instead, construction goes into a fake temporary region which would be immediately discarded. A similar extremely conservative approach is used for other cases in which the logic for finding the target region is not yet implemented, including aggregate initialization with fields instead of base-regions (which is not C++17-specific but also never worked, just didn't crash).
  Differential revision: https://reviews.llvm.org/D40841
  rdar://problem/35441058
  llvm-svn: 321128

* [c++20] P0515R3: Parsing support and basic AST construction for operator <=>. (Richard Smith, 2017-12-14; 1 file, -1/+4)
  Adding the new enumerator forced a bunch more changes into this patch than I would have liked. The -Wtautological-compare warning was extended to properly check the new comparison operator, clang-format needed updating because it uses precedence levels as weights for determining where to break lines (and several operators increased their precedence levels with this change), thread-safety analysis needed changes to build its own IL properly for the new operator. All "real" semantic checking for this operator has been deferred to a future patch. For now, we use the relational comparison rules and arbitrarily give the builtin form of the operator a return type of 'void'.
  llvm-svn: 320707

* [analyzer] StackAddrEscape: For now, disable the new async escape checks. (Artem Dergachev, 2017-12-12; 1 file, -3/+24)
  The new check introduced in r318705 is useful, but suffers from a particular class of false positives, namely, it does not account for dispatch_barrier_sync() API which allows one to ensure that the asynchronously executed block that captures a pointer to a local variable does not actually outlive that variable. The new check is split into a separate checker, under the name of alpha.core.StackAddressAsyncEscape, which is likely to get enabled by default again once these positives are fixed. The rest of the StackAddressEscapeChecker is still enabled by default.
  Differential Revision: https://reviews.llvm.org/D41042
  llvm-svn: 320455

* [analyzer] In getSVal() API, disable auto-detection of void type as char type. (Artem Dergachev, 2017-12-12; 2 files, -5/+14)
  This is a follow-up from r314910. When a checker developer attempts to dereference a location in memory through ProgramState::getSVal(Loc) or ProgramState::getSVal(const MemRegion *), without specifying the second optional QualType parameter for the type of the value he tries to find at this location, the type is auto-detected from location type. If the location represents a value beyond a void pointer, we thought that auto-detecting the type as 'char' is a good idea. However, in most practical cases, the correct behavior would be to specify the type explicitly, as it is available from other sources, and the few cases where we actually need to take a 'char' are workarounds rather than an intended behavior. Therefore, try to fail with an easy-to-understand assertion when asked to read from a void pointer location.
  Differential Revision: https://reviews.llvm.org/D38801
  llvm-svn: 320451

* [analyzer] Fix false negative on post-increment of uninitialized variable. (Roman Lebedev, 2017-11-30; 1 file, -0/+8)
  Summary:
  Currently clang static analyzer does warn on:
  ```
  int x;
  x+=1;
  x-=1;
  x=x+1;
  x=x-1;
  ```
  But does warn on:
  ```
  int x;
  x++;
  x--;
  --x;
  ++x;
  ```
  This differential should fix that.
  Fixes https://bugs.llvm.org/show_bug.cgi?id=35419
  Reviewers: dcoughlin, NoQ
  Reviewed By: dcoughlin
  Subscribers: NoQ, xazax.hun, szepet, cfe-commits, a.sidorin
  Tags: #clang
  Differential Revision: https://reviews.llvm.org/D40463
  llvm-svn: 319411

* [analyzer] Teach RetainCountChecker about CoreMedia APIs (Devin Coughlin, 2017-11-25; 1 file, -4/+4)
  Teach the retain-count checker that CoreMedia reference types use CoreFoundation-style reference counting. This enables the checker to catch leaks and over releases of those types.
  rdar://problem/33599757
  llvm-svn: 318979

* [analyzer] Diagnose stack leaks via block captures (Alexander Shaposhnikov, 2017-11-20; 1 file, -99/+192)
  This diff extends StackAddrEscapeChecker to catch stack address leaks via block captures if the block is executed asynchronously or returned from a function.
  Differential revision: https://reviews.llvm.org/D39438
  llvm-svn: 318705

* Add NDEBUG checks around LLVM_DUMP_METHOD functions for Wunused-function warnings. (Eric Christopher, 2017-11-16; 1 file, -1/+2)
  llvm-svn: 318371

* [clang] Remove redundant return [NFC] (Mandeep Singh Grang, 2017-11-13; 1 file, -2/+0)
  Reviewers: rsmith, sfantao, mcrosier
  Reviewed By: mcrosier
  Subscribers: jholewinski, cfe-commits
  Tags: #clang
  Differential Revision: https://reviews.llvm.org/D39915
  llvm-svn: 318074

* [analyzer] ObjCGenerics: Don't warn on cast conversions involving explicit cast (Devin Coughlin, 2017-11-13; 1 file, -16/+16)
  The ObjCGenerics checker warns on a cast when there is no subtyping relationship between the tracked type of the value and the destination type of the cast. It does this even if the cast was explicitly written. This means the user can't write an explicit cast to silence the diagnostic. This commit treats explicit casts involving generic types as an indication from the programmer that the Objective-C type system is not rich enough to express the needed invariant. On explicit casts, the checker now removes any existing information inferred about the type arguments. Further, it no longer assumes the casted-to specialized type because the invariant the programmer specifies in the cast may only hold at a particular program point and not later ones. This prevents a suppressing cast from requiring a cascade of casts down the line.
  rdar://problem/33603303
  Differential Revision: https://reviews.llvm.org/D39711
  llvm-svn: 318054

* [analyzer] pr34779: CStringChecker: Accept non-standard headers. (Artem Dergachev, 2017-11-07; 1 file, -2/+4)
  Do not crash when trying to define and call a non-standard strcpy(unsigned char *, unsigned char *) during analysis. At the same time, do not try to actually evaluate the call.
  Differential Revision: https://reviews.llvm.org/D39422
  llvm-svn: 317565

* [analyzer] Left shifting a negative value is undefined (Gabor Horvath, 2017-10-30; 1 file, -0/+4)
  The analyzer did not return an UndefVal in case a negative value was left shifted. I also altered the UndefResultChecker to emit a clear warning in this case.
  Differential Revision: https://reviews.llvm.org/D39423
  llvm-svn: 316924
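Added example covering both this commit and the r323115 entry above ("Model and check unrepresentable left shifts"): the preconditions under which `lhs << count` on int is defined by C11 6.5.7p4, checked before the shift is evaluated, so the three undefined cases the analyzer now reports (negative left operand, out-of-range count, result that does not fit) are rejected instead of computed. This is illustration code written for this page, not the analyzer's model; checked_shl() is a hypothetical helper and the test values assume a 32-bit int. C++20 makes the negative-operand case defined, but for C and earlier C++ it remains undefined behaviour.

```c
#include <limits.h>

enum shl_status {
    SHL_OK = 0,
    SHL_NEGATIVE_LHS,     /* E1 < 0: undefined (the case r316924 reports) */
    SHL_BAD_COUNT,        /* E2 < 0 or E2 >= width of int */
    SHL_UNREPRESENTABLE   /* E1 * 2^E2 does not fit int (the r323115 case) */
};

/* Checks every precondition for a defined `lhs << count` on int and only
 * then performs it. The shift is never evaluated when it would be UB, so
 * the caller gets a status instead of whatever the optimizer decided. */
enum shl_status checked_shl(int lhs, int count, int *out) {
    const int width = (int)(sizeof(int) * CHAR_BIT);
    if (count < 0 || count >= width) return SHL_BAD_COUNT;
    if (lhs < 0) return SHL_NEGATIVE_LHS;
    /* For nonnegative lhs, lhs * 2^count fits iff lhs <= INT_MAX >> count.
     * The right shift of INT_MAX is always defined, so the test itself
     * cannot overflow. */
    if (lhs > (INT_MAX >> count)) return SHL_UNREPRESENTABLE;
    *out = lhs << count;
    return SHL_OK;
}

/* Status only, for callers that just want the classification. */
int shl_status_of(int lhs, int count) {
    int ignored;
    return (int)checked_shl(lhs, count, &ignored);
}

/* The shifted value when defined, 0 otherwise. */
int shl_value_or_zero(int lhs, int count) {
    int v = 0;
    return checked_shl(lhs, count, &v) == SHL_OK ? v : 0;
}
```

The order of the checks matters: the count is validated first because `INT_MAX >> count` is itself undefined for an out-of-range count, and the sign is checked before the representability test because that test is only meaningful for a nonnegative operand.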
* [analyzer] Make issue hash related tests more concise (Gabor Horvath, 2017-10-30; 2 files, -35/+16)
  Extend ExprInspection checker to make it possible to dump the issue hash of arbitrary expressions. This change makes it possible to make issue hash related tests more concise and also makes debugging issue hash related problems easier.
  Differential Revision: https://reviews.llvm.org/D38844
  llvm-svn: 316899

* [analyzer] lock_guard and unique_lock extension for BlockInCriticalSection checker (Gabor Horvath, 2017-10-30; 1 file, -11/+43)
  A patch by zdtorok (Zoltán Dániel Török)!
  Differential Revision: https://reviews.llvm.org/D33729
  llvm-svn: 316892

* [analyzer] MisusedMovedObjectChecker: More precise warning message (Peter Szecsi, 2017-10-28; 1 file, -9/+23)
  Added new enum in order to differentiate the warning messages on "misusing" into 3 categories: function calls, moving an object, copying an object. (At the moment the checker gives the same message in case of copying and moving.) Additional test cases added as well.
  Differential Revision: https://reviews.llvm.org/D38674
  llvm-svn: 316852

* [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting, handling method calls on base-class sub-objects (Peter Szecsi, 2017-10-28; 1 file, -12/+15)
  An earlier solution from Artem r315301 solves the reset problem, however, the reports should be handled the same way in case of method calls. We should not just report the base class of the object where the method was defined but the whole object. Fixed false positive which came from not removing the subobjects in case of a state-resetting function. (Just replaced the State->remove(...) call to removeFromState(..) which was defined exactly for that purpose.) Some minor typos fixed in this patch as well which were not worth a whole new patch in my opinion, so included them here.
  Differential Revision: https://reviews.llvm.org/D31538
  llvm-svn: 316850

* [analyzer] CStringChecker: pr34460: Avoid a crash when a cast is not modeled. (Artem Dergachev, 2017-10-13; 1 file, -23/+14)
  The checker used to crash when a mempcpy's length argument is symbolic. In this case the cast from 'void *' to 'char *' failed because the respective ElementRegion that represents cast is hard to add on top of the existing ElementRegion that represents the offset to the last copied byte, while preserving a sane memory region structure. Additionally, a few test cases are added (to casts.c) which demonstrate problems caused by existing sloppy work we do with multi-layer ElementRegions. If said cast would be modeled properly in the future, these tests would need to be taken into account.
  Differential Revision: https://reviews.llvm.org/D38797
  llvm-svn: 315742

* [analyzer] RetainCount: Ignore annotations on user-made CFRetain wrappers. (Artem Dergachev, 2017-10-13; 1 file, -0/+5)
  It is not uncommon for the users to make their own wrappers around CoreFoundation's CFRetain and CFRelease functions that are defensive against null references. In such cases CFRetain is often incorrectly marked as CF_RETURNS_RETAINED. Ignore said annotation and treat such wrappers similarly to the regular CFRetain.
  rdar://problem/31699502
  Differential Revision: https://reviews.llvm.org/D38877
  llvm-svn: 315736

* [Analyzer] Assume that CFBooleanRef const globals are non-null (George Karpenkov, 2017-10-13; 2 files, -18/+23)
  Differential Revision: https://reviews.llvm.org/D38867
  llvm-svn: 315655

* [Analyzer] Fix introduced regression: properly check for nullable attribute. (George Karpenkov, 2017-10-11; 1 file, -1/+2)
  llvm-svn: 315492

* [Analyzer] Assume that string-like const globals are non-nil. (George Karpenkov, 2017-10-11; 2 files, -0/+135)
  Differential Revision: https://reviews.llvm.org/D38764
  llvm-svn: 315488

* [Analyzer] Clarify error messages for undefined result (Daniel Marjamaki, 2017-10-11; 2 files, -61/+43)
  Differential Revision: https://reviews.llvm.org/D30295
  llvm-svn: 315462

* [analyzer] MisusedMovedObject: Fix state-resetting a base-class sub-object. (Artem Dergachev, 2017-10-10; 1 file, -1/+8)
  If a method is resetting the state of an object that was moved from, it should be safe to use this object again. However if the method was defined in a parent class, but used in a child class, the reset didn't happen from the checker's perspective.
  Differential Revision: https://reviews.llvm.org/D31538
  llvm-svn: 315301

* [analyzer] MisusedMovedObject: Add printState() method for self-debugging. (Artem Dergachev, 2017-10-10; 1 file, -0/+21)
  This method injects additional information into program state dumps, describing which objects have been moved from.
  Differential Revision: https://reviews.llvm.org/D31541
  llvm-svn: 315300

* [analyzer] PthreadLockChecker: Add printState() method for self-debugging. (Artem Dergachev, 2017-10-10; 1 file, -0/+35)
  This method injects additional information into program state dumps, describing states of mutexes tracked by the checker.
  Differential Revision: https://reviews.llvm.org/D37805
  llvm-svn: 315298

* [Analyzer] Re-apply r314820 with a fix for StringRef lifetime. (George Karpenkov, 2017-10-03; 1 file, -3/+6)
  Fixes the test failure: temporary is now bound to std::string, tests fully pass on Linux.
  This reverts commit b36ee0924038e1d95ea74230c62d46e05f80587e.
  llvm-svn: 314859

* Revert r314820 "[Analyzer] More granular special casing in RetainCountChecker" (Tim Shen, 2017-10-03; 1 file, -6/+3)
  The test retain-release.m fails with this patch.
  Differential Revision: https://reviews.llvm.org/D38487
  llvm-svn: 314831

* [Analyzer] More granular special casing in RetainCountChecker (George Karpenkov, 2017-10-03; 1 file, -3/+6)
  Only assume that IOBSDNameMatching and friends increment a reference counter if their return type is a CFMutableDictionaryRef.
  Differential Revision: https://reviews.llvm.org/D38487
  llvm-svn: 314820