path: root/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
Each entry: commit message; author; date; files changed; lines deleted/added.

* Revert "[analyzer] Keep track of escaped locals"
  Gabor Horvath, 2019-12-10, 1 file, -9/+1

  It was a step in the right direction but it is not clear how this can fit into the checker API at this point. The pre-escape happens in the analyzer core and the checker has no control over it. If the checker is not interested in a pre-escape it would need to do additional work on each escape to check if the escaped symbol originates from an "uninteresting" pre-escaped memory region. In order to keep the checker API simple we abandoned this solution for now. We will reland this once we have a better answer for what to do on the checker side.

  This reverts commit f3a28202ef58551db15818f8f51afd21e0f3e231.

* [analyzer] Keep track of escaped locals
  Gabor Horvath, 2019-12-10, 1 file, -1/+9

  We want to escape all symbols that are stored into escaped regions. The problem is, we did not know which local regions were escaped. Until now.

  This should fix some false positives like the one in the tests.

  Differential Revision: https://reviews.llvm.org/D71152

* [analyzer] NFC: Don't clean up range constraints twice.
  Artem Dergachev, 2019-11-21, 1 file, -6/+4

  Slightly improves static analysis speed.

  Differential Revision: https://reviews.llvm.org/D70150

* [analyzer] CastValueChecker: Store the dynamic types and casts
  Csaba Dabis, 2019-08-22, 1 file, -1/+1

  Summary: This patch introduces `DynamicCastInfo`, similar to `DynamicTypeInfo`, which is stored in `CastSets`, which store the dynamic cast information of objects based on memory regions. It could be used to store and check the casts and prevent infeasible paths.

  Reviewed By: NoQ

  Differential Revision: https://reviews.llvm.org/D66325

  llvm-svn: 369605

* [analyzer] print() JSONify: Program state implementation
  Csaba Dabis, 2019-05-29, 1 file, -8/+15

  Summary: -

  Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus
  Reviewed By: NoQ
  Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp
  Tags: #clang

  Differential Revision: https://reviews.llvm.org/D62087

  llvm-svn: 361983

* [analyzer] print() JSONify: Constructing objects implementation
  Csaba Dabis, 2019-05-29, 1 file, -1/+1

  Summary: -

  Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus
  Reviewed By: NoQ
  Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp
  Tags: #clang

  Differential Revision: https://reviews.llvm.org/D62085

  llvm-svn: 361980

* [analyzer] print() JSONify: Type information implementation
  Csaba Dabis, 2019-05-29, 1 file, -1/+1

  Summary: -

  Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus
  Reviewed By: NoQ
  Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp
  Tags: #clang

  Differential Revision: https://reviews.llvm.org/D62083

  llvm-svn: 361979

* [analyzer] print() JSONify: Constraints implementation
  Csaba Dabis, 2019-05-29, 1 file, -1/+1

  Summary: -

  Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus
  Reviewed By: NoQ
  Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp
  Tags: #clang

  Differential Revision: https://reviews.llvm.org/D62082

  llvm-svn: 361978

* [analyzer] print() JSONify: Environment implementation
  Csaba Dabis, 2019-05-29, 1 file, -2/+2

  Summary: -

  Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus
  Reviewed By: NoQ
  Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp
  Tags: #clang

  Differential Revision: https://reviews.llvm.org/D62081

  llvm-svn: 361976

* [analyzer] print() JSONify: Store implementation
  Csaba Dabis, 2019-05-29, 1 file, -10/+10

  Summary: -

  Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus
  Reviewed By: NoQ
  Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp
  Tags: #clang

  Differential Revision: https://reviews.llvm.org/D61912

  llvm-svn: 361972

* [analyzer] Move taint API from ProgramState to a separate header. NFC.
  Artem Dergachev, 2019-03-29, 1 file, -183/+0

  It is now an inter-checker communication API, similar to the one that connects MallocChecker/CStringChecker/InnerPointerChecker: simply a set of setters and getters for a state trait.

  Differential Revision: https://reviews.llvm.org/D59861

  llvm-svn: 357326

* Update the file headers across all of the LLVM projects in the monorepo to reflect the new license.
  Chandler Carruth, 2019-01-19, 1 file, -4/+3

  We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach.

  Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository.

  llvm-svn: 351636

* [analyzer] Assume that we always have a SubEngine available
  Gabor Horvath, 2018-12-15, 1 file, -35/+24

  The removed codepath was dead.

  Differential Revision: https://reviews.llvm.org/D55697

  llvm-svn: 349266

* [AST] [analyzer] NFC: Reuse code in stable ID dumping methods.
  Artem Dergachev, 2018-12-03, 1 file, -4/+1

  Use the new fancy method introduced in r348197 to simplify some code.

  Differential Revision: https://reviews.llvm.org/D54488

  llvm-svn: 348199

* [analyzer] [NFC] Change scanReachableSymbols to use ranges
  George Karpenkov, 2018-10-23, 1 file, -16/+5

  Remove unused overload. Clean up some usages.

  Differential Revision: https://reviews.llvm.org/D53615

  llvm-svn: 345101

* [analyzer] [NFC] Remove unused parameters, as found by -Wunused-parameter
  George Karpenkov, 2018-09-28, 1 file, -4/+4

  Differential Revision: https://reviews.llvm.org/D52640

  llvm-svn: 343353

* [analyzer] Dump reproducible identifiers for statements in exploded graph in store
  George Karpenkov, 2018-09-15, 1 file, -3/+6

  Differential Revision: https://reviews.llvm.org/D51826

  llvm-svn: 342313

* [analyzer] Dump a reproducible, deterministic ID of program state to exploded graph
  George Karpenkov, 2018-09-06, 1 file, -0/+7

  Differential Revision: https://reviews.llvm.org/D51395

  llvm-svn: 341600

* [analyzer] [NFC] Simplify some visitors by giving a convenient getter from state to analysis manager
  George Karpenkov, 2018-07-30, 1 file, -0/+5

  Differential Revision: https://reviews.llvm.org/D49772

  llvm-svn: 338315

* [analyzer] Use sufficiently large types for index bounds calculation.
  Artem Dergachev, 2018-06-28, 1 file, -2/+1

  The ProgramState::assumeInBound() API is used by checkers to make an assumption that a certain array index is within the array's bounds (i.e. is greater than or equal to 0 and is less than the length of the array).

  When the type of the index was unspecified by the caller, it assumed that the type is 'int', which caused some indices and sizes to truncate during calculations.

  Use ArrayIndexTy by default instead, which is used by the analyzer to represent index types and is currently hardcoded to long long.

  Patch by Bevin Hansson!

  Differential Revision: https://reviews.llvm.org/D46944

  llvm-svn: 335803

* [analyzer] pr18953: Split C++ zero-initialization from default initialization.
  Artem Dergachev, 2018-05-04, 1 file, -7/+18

  The bindDefault() API of the ProgramState allows setting a default value for reads from memory regions that were not preceded by writes. It was used for implementing C++ zeroing constructors (i.e. default constructors that boil down to setting all fields of the object to 0).

  Because differences between zeroing constructors and other forms of default initialization have been piling up (in particular, zeroing constructors can be called multiple times over the same object, probably even at the same offset, requiring a careful and potentially slow cleanup of previous bindings in the RegionStore), we split the API in two: bindDefaultInitial() for modeling initial values and bindDefaultZero() for modeling zeroing constructors.

  This fixes a few assertion failures from which the investigation originated.

  The imperfect protection from both inability of the RegionStore to support binding extents and lack of information in ASTRecordLayout has been loosened because it's, well, imperfect, and it is unclear if it was fixing more than it was breaking.

  Differential Revision: https://reviews.llvm.org/D46368

  llvm-svn: 331561

* Remove redundant casts. NFC
  George Burgess IV, 2018-03-01, 1 file, -1/+1

  So I wrote a clang-tidy check to lint out redundant `isa`, `cast`, and `dyn_cast`s for fun. This is a portion of what it found for clang; I plan to do similar cleanups in LLVM and other subprojects when I find time.

  Because of the volume of changes, I explicitly avoided making any change that wasn't highly local and obviously correct to me (e.g. we still have a number of foo(cast<Bar>(baz)) that I didn't touch, since overloading is a thing and the cast<Bar> did actually change the type -- just up the class hierarchy). I also tried to leave the types we were cast<>ing to somewhere nearby, in cases where it wasn't locally obvious what we were dealing with before.

  llvm-svn: 326416

* [analyzer] Self-debug: Dump dynamic type info and taint with the program state.
  Artem Dergachev, 2018-02-27, 1 file, -1/+8

  Useful for debugging problems with dynamic type info and taint.

  Differential Revision: https://reviews.llvm.org/D43657

  llvm-svn: 326239

* [analyzer] Self-debug: Dump the core's internal state traits to the egraph.
  Artem Dergachev, 2018-02-08, 1 file, -1/+1

  It is useful for debugging problems with C++ operator new() or temporaries.

  Differential Revision: https://reviews.llvm.org/D42560

  llvm-svn: 324663

* [analyzer] Self-debug: Dump environment frame-by-frame.
  Artem Dergachev, 2018-02-08, 1 file, -5/+5

  It makes it easier to discriminate between values of similar expressions in different stack frames. It also makes the separate backtrace section in ExplodedGraph dumps redundant.

  Differential Revision: https://reviews.llvm.org/D42552

  llvm-svn: 324660

* [analyzer] a few helper methods for getting and comparing symbolic values
  George Karpenkov, 2018-01-18, 1 file, -0/+11

  API calls should express intent, and that's a motivation behind this patch.

  Differential Revision: https://reviews.llvm.org/D42218

  llvm-svn: 322809

* [analyzer] Make isSubRegionOf reflexive
  George Karpenkov, 2018-01-17, 1 file, -2/+1

  All usages of isSubRegionOf separately check for the reflexive case, and in any case, set theory tells us that each set is a subset of itself.

  Differential Revision: https://reviews.llvm.org/D42140

  llvm-svn: 322752

* [analyzer] do not crash when trying to convert an APSInt to an unexpected type
  George Karpenkov, 2017-11-09, 1 file, -1/+3

  This is the issue breaking the postgresql bot, purely by chance exposed through taint checker, somehow appearing after https://reviews.llvm.org/D38358 got committed.

  The backstory is that the taint checker requests SVal for the value of the pointer, and analyzer has a "fast path" in the getter to return a constant when we know that the value is constant. Unfortunately, the getter requires a cast to get signedness correctly, and for the pointer `void *` the cast crashes.

  This is more of a band-aid patch, as I am not sure what could be done here "correctly", but it should be applied in any case to avoid the crash.

  Differential Revision: https://reviews.llvm.org/D39862

  llvm-svn: 317839

* [analyzer] Fix immutable map factory lifetime for partial taint.
  Artem Dergachev, 2017-05-29, 1 file, -13/+10

  This should fix the leaks found by asan buildbot in r304162.

  Also don't store a reference to the factory with every map value, which is the only difference between ImmutableMap and ImmutableMapRef.

  llvm-svn: 304170

* [analyzer] Support partially tainted records.
  Artem Dergachev, 2017-05-29, 1 file, -20/+83

  The analyzer's taint analysis can now reason about structures or arrays originating from taint sources in which only certain sections are tainted.

  In particular, it also benefits modeling functions like read(), which may read tainted data into a section of a structure, but RegionStore is incapable of expressing the fact that the rest of the structure remains intact, even if we try to model read() directly.

  Patch by Vlad Tsyrklevich!

  Differential Revision: https://reviews.llvm.org/D28445

  llvm-svn: 304162

* [analyzer] Add LocationContext as a parameter to checkRegionChanges
  Anna Zaks, 2017-01-13, 1 file, -5/+10

  This patch adds LocationContext to checkRegionChanges and removes wantsRegionChangeUpdate as it was unused.

  A patch by Krzysztof Wiśniewski!

  Differential Revision: https://reviews.llvm.org/D27090

  llvm-svn: 291869

* [analyzer] Refactor recursive symbol reachability check to use symbol_iterator
  Dominic Chen, 2016-11-18, 1 file, -24/+9

  Reviewers: zaks.anna, dcoughlin
  Subscribers: cfe-commits

  Differential Revision: https://reviews.llvm.org/D26773

  llvm-svn: 287380

* Annotate dump() methods with LLVM_DUMP_METHOD, addressing Richard Smith r259192 post commit comment.
  Yaron Keren, 2016-01-29, 1 file, -1/+1

  llvm-svn: 259232

* [analyzer] Fix SVal/SymExpr/MemRegion class and enum names for consistency.
  Artem Dergachev, 2016-01-13, 1 file, -9/+9

  The purpose of these changes is to simplify introduction of definition files for the three hierarchies.

  1. For every sub-class C of these classes, its kind in the relevant enumeration is changed to "CKind" (or C##Kind in preprocessor-ish terms), eg:
     MemRegionKind -> MemRegionValKind
     RegionValueKind -> SymbolRegionValueKind
     CastSymbolKind -> SymbolCastKind
     SymIntKind -> SymIntExprKind

  2. MemSpaceRegion used to be inconsistently used as both an abstract base and a particular region. This region class is now an abstract base and no longer occupies GenericMemSpaceRegionKind. Instead, a new class, CodeSpaceRegion, is introduced for handling the unique use case for MemSpaceRegion as "the generic memory space" (when it represents a memory space that holds all executable code).

  3. BEG_ prefixes in memory region kind ranges are renamed to BEGIN_ for consistency with symbol kind ranges.

  4. FunctionTextRegion and BlockTextRegion are renamed to FunctionCodeRegion and BlockCodeRegion, respectively. The term 'code' is less jargony than 'text' and we already refer to BlockTextRegion as a 'code region' in BlockDataRegion.

  Differential Revision: http://reviews.llvm.org/D16062

  llvm-svn: 257598

* [Static Analyzer] Properly clean up the dynamic type information for dead regions.
  Gabor Horvath, 2015-09-11, 1 file, -33/+0

  Differential Revision: http://reviews.llvm.org/D12767

  llvm-svn: 247430

* [analyzer] Apply whitespace cleanups by Honggyu Kim.
  Ted Kremenek, 2015-09-08, 1 file, -21/+21

  llvm-svn: 246978

* Revert r240270 ("Fixed/added namespace ending comments using clang-tidy").
  Alexander Kornienko, 2015-06-22, 1 file, -2/+1

  llvm-svn: 240353

* Fixed/added namespace ending comments using clang-tidy. NFC
  Alexander Kornienko, 2015-06-22, 1 file, -1/+2

  The patch is generated using this command:

    $ tools/extra/clang-tidy/tool/run-clang-tidy.py -fix \
        -checks=-*,llvm-namespace-comment -header-filter='llvm/.*|clang/.*' \
        work/llvm/tools/clang

  To reduce churn, not touching namespaces spanning less than 10 lines.

  llvm-svn: 240270

* unique_ptrify the result of ConstraintManagerCreator and StoreManagerCreator
  David Blaikie, 2014-09-04, 1 file, -2/+2

  llvm-svn: 217206

* [C++11] Use 'nullptr'. StaticAnalyzer edition.
  Craig Topper, 2014-05-27, 1 file, -2/+2

  llvm-svn: 209642

* Remove a whole lot of unused variables
  Alp Toker, 2013-11-27, 1 file, -1/+0

  There are about 30 removed in this patch, generated by a new FixIt I haven't got round to submitting yet.

  llvm-svn: 195814

* [analyzer] This patch removes passing around of const-invalidation vs regular-invalidation info by passing around a datastructure that maps regions and symbols to the type of invalidation they experience.
  Anton Yartsev, 2013-09-24, 1 file, -55/+35

  This simplifies the code and would allow associating more different invalidation types in the future. With this patch things like preserving contents of regions (either high- or low-level ones) or processing of the only top-level region can be implemented easily without passing around extra parameters.

  This patch is a first step towards adequate modeling of memcpy() by the CStringChecker checker and towards eliminating the majority of false positives produced by the NewDeleteLeaks checker.

  llvm-svn: 191342

* [analyzer] Fix inefficiency in dead symbol removal
  Pavel Labath, 2013-08-19, 1 file, -17/+19

  Summary: ScanReachableSymbols uses a "visited" set to avoid scanning the same object twice. However, it did not use the optimization for LazyCompoundVal objects, which resulted in exponential complexity for long chains of temporary objects. Adding this resulted in a decrease of analysis time from >3h to 3 seconds for some files.

  Reviewers: jordan_rose
  CC: cfe-commits

  Differential Revision: http://llvm-reviews.chandlerc.com/D1398

  llvm-svn: 188677

* [analyzer] Remove now-unused bindCompoundLiteral helper function.
  Jordan Rose, 2013-05-06, 1 file, -8/+0

  The one user has been changed to use getLValue on the compound literal expression and then use the normal bindLoc to assign a value. No need to special case this in the StoreManager.

  llvm-svn: 181214

* [analyzer] Ensure BugReporterTracking works on regions with pointer arithmetic
  Anna Zaks, 2013-04-20, 1 file, -1/+1

  Introduce a new helper function, which computes the first symbolic region in the base region chain. The corresponding symbol has been used for assuming that a pointer is null. Now, it will also be used for checking if it is null. This ensures that we are tracking a null pointer correctly in the BugReporter.

  llvm-svn: 179916

* [analyzer] Replace isIntegerType() with isIntegerOrEnumerationType().
  Jordan Rose, 2013-04-09, 1 file, -1/+1

  Previously, the analyzer used isIntegerType() everywhere, which uses the C definition of "integer". The C++ predicate with the same behavior is isIntegerOrUnscopedEnumerationType(). However, the analyzer is /really/ using this to ask if it's some sort of "integrally representable" type, i.e. it should include C++11 scoped enumerations as well. hasIntegerRepresentation() sounds like the right predicate, but that includes vectors, which the analyzer represents by its elements.

  This commit audits all uses of isIntegerType() and replaces them with the general isIntegerOrEnumerationType(), except in some specific cases where it makes sense to exclude scoped enumerations, or any enumerations. These cases now use isIntegerOrUnscopedEnumerationType() and getAs<BuiltinType>() plus BuiltinType::isInteger().

  isIntegerType() is hereby banned in the analyzer - lib/StaticAnalysis and include/clang/StaticAnalysis. :-)

  Fixes real assertion failures. PR15703 / <rdar://problem/12350701>

  llvm-svn: 179081

* [analyzer] Properly handle the ternary operator in trackNullOrUndefValue
  Anna Zaks, 2013-04-03, 1 file, -1/+5

  1) Look for the node where the condition expression is live when checking if it is constrained to true or false.

  2) Fix a bug in ProgramState::isNull, which was masking the problem. When the expression is not a symbol (which is the case when it is Unknown), return an unconstrained value, instead of a value constrained to "false"! (Thankfully other callers of isNull have not been affected by the bug.)

  llvm-svn: 178684

* Silencing warnings in MSVC due to duplicate identifiers.
  Aaron Ballman, 2013-04-02, 1 file, -2/+2

  llvm-svn: 178591

* [analyzer] Teach invalidateRegions that regions within LazyCompoundVal need to be invalidated
  Anna Zaks, 2013-04-02, 1 file, -17/+56

  Refactor invalidateRegions to take SVals instead of Regions as input and teach RegionStore about processing LazyCompoundVal as a top-level "escaping" value.

  This addresses several false positives that get triggered by the NewDelete checker, but the underlying issue is reproducible with other checkers as well (for example, MallocChecker).

  llvm-svn: 178518

* [analyzer] Add support for escape of const pointers and use it to allow "newed" pointers to escape
  Anna Zaks, 2013-03-28, 1 file, -5/+14

  Add a new callback that notifies checkers when a const pointer escapes. Currently, this only works for const pointers passed as a top level parameter into a function. We need to differentiate the const pointers escape from regular escape since the content pointed by const pointer will not change; if it's a file handle, a file cannot be closed; but delete is allowed on const pointers.

  This should suppress several false positives reported by the NewDelete checker on llvm codebase.

  llvm-svn: 178310