path: root/clang/lib/StaticAnalyzer/Core
Commit message | Author | Age | Files | Lines
...
* Remove "range_iterator" from PathDiagnosticPiece and just use | Ted Kremenek | 2012-08-16 | 3 | -18/+23
  ArrayRef<SourceRange> for ranges. This removes conceptual clutter, and can allow us to easily migrate to C++11 style for-range loops if we ever move to using C++11 in Clang.
  llvm-svn: 162029
* Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the | Ted Kremenek | 2012-08-16 | 6 | -192/+153
  same time. This fixes several issues:
  - removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer, but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer was used by itself.
  - emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings, as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine).
  As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped, just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now the tests have higher fidelity with what users will see.
  There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph) once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue) for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular consumer expects.
  llvm-svn: 162028
* Store SourceManager pointer on PrintingPolicy in the case where we're dumping, | Richard Smith | 2012-08-16 | 1 | -2/+1
  and remove ASTContext reference (which was frequently bound to a dereferenced null pointer) from the recursive lump of printPretty functions. In so doing, fix (at least) one case where we intended to use the 'dump' mode, but that failed because a null ASTContext reference had been passed in.
  llvm-svn: 162011
* [analyzer] Look through all casts when trying to track constraints. | Jordan Rose | 2012-08-16 | 1 | -1/+1
  Previously, we were losing path notes (in both text and plist form) because the interesting DeclRefExpr was buried in a cast.
  llvm-svn: 161999
* [analyzer] Even if we are not inlining a virtual call, still invalidate! | Jordan Rose | 2012-08-15 | 1 | -1/+3
  Fixes a mistake introduced in r161916.
  llvm-svn: 161987
* [analyzer] Correctly devirtualize virtual method calls in constructors. | Jordan Rose | 2012-08-15 | 2 | -10/+15
  This is the other half of C++11 [class.cdtor]p4 (the destructor side was added in r161915). This also fixes an issue with post-call checks where the 'this' value was already being cleaned out of the state, thus being omitted from a reconstructed CXXConstructorCall.
  llvm-svn: 161981
* [analyzer] Don't try to devirtualize if the class is incomplete. | Jordan Rose | 2012-08-15 | 1 | -1/+1
  A similar issue to the previous commit, introduced by r161915.
  llvm-svn: 161961
* [analyzer] Only adjust the type of 'this' when we devirtualize a method call. | Jordan Rose | 2012-08-15 | 2 | -9/+7
  With reinterpret_cast, we can get completely unrelated types in a region hierarchy together; this was resulting in CXXBaseObjectRegions being layered directly on an (untyped) SymbolicRegion, whose symbol was from a completely different type hierarchy. This was what was causing the internal buildbot to fail. Reverts r161911, which merely masked the problem.
  llvm-svn: 161960
* [analyzer] Don't inline dynamic-dispatch methods unless -analyzer-ipa=dynamic. | Jordan Rose | 2012-08-15 | 1 | -5/+12
  Previously we were checking -analyzer-ipa=dynamic-bifurcate only, and unconditionally inlining everything else that had an available definition, even under -analyzer-ipa=inlining (but not under -analyzer-ipa=none).
  llvm-svn: 161916
* [analyzer] Correctly devirtualize virtual method calls in destructors. | Jordan Rose | 2012-08-15 | 2 | -32/+37
  C++11 [class.cdtor]p4: When a virtual function is called directly or indirectly from a constructor or from a destructor, including during the construction or destruction of the class’s non-static data members, and the object to which the call applies is the object under construction or destruction, the function called is the final overrider in the constructor's or destructor's class and not one overriding it in a more-derived class.
  llvm-svn: 161915
* [analyzer] A base class needs a complete definition to provide offsets. | Jordan Rose | 2012-08-15 | 1 | -1/+1
  No test case yet; trying to reduce one from a failing internal buildbot.
  llvm-svn: 161911
* [analyzer] Assume that the properties cannot be overridden when dot | Anna Zaks | 2012-08-14 | 1 | -0/+3
  syntax is used.
  llvm-svn: 161889
* Do NOT use inline functions with LLVM_ATTRIBUTE_USED. | Benjamin Kramer | 2012-08-14 | 1 | -0/+4
  The function will be emitted into every single TU including the header!
  llvm-svn: 161872
* [analyzer] Look up DynamicTypeInfo by region instead of symbol. | Jordan Rose | 2012-08-13 | 1 | -18/+14
  This allows us to store type info for non-symbolic regions. No functionality change.
  llvm-svn: 161811
* [analyzer] Reduce code duplication: make CXXDestructorCall a CXXInstanceCall. | Jordan Rose | 2012-08-13 | 3 | -46/+18
  While there is now some duplication between SimpleCall and the CXXInstanceCall sub-hierarchy, this is much better than copy-and-pasting the devirtualization logic shared by both instance methods and destructors. An unfortunate side effect is that there is no longer a single CallEvent type that corresponds to "calls written as CallExprs". For the most part this is a good thing, but the checker callback eval::Call still takes a CallExpr rather than a CallEvent (since we're not sure if we want to allow checkers to evaluate other kinds of calls). A mistake here will be caught by a cast<> in CheckerManager::runCheckersForEvalCall. No functionality change.
  llvm-svn: 161809
* [analyzer] Be more careful when downcasting for devirtualization. | Jordan Rose | 2012-08-13 | 1 | -12/+9
  Virtual base regions are never layered, so simply stripping them off won't necessarily get you to the correct casted class. Instead, what we want is the same logic for evaluating dynamic_cast: strip off base regions if possible, but add new base regions if necessary.
  llvm-svn: 161808
* [analyzer] Handle dynamic_casts that turn out to be upcasts. | Jordan Rose | 2012-08-13 | 1 | -13/+11
  This can occur with multiple inheritance, which jumps from one parent to the other, and with virtual inheritance, since virtual base regions always wrap the actual object and can't be nested within other base regions. This also exposed some incorrect logic for multiple inheritance: even if B is known not to derive from C, D might still derive from both of them.
  llvm-svn: 161798
* [analyzer] Don't strip CXXBaseObjectRegions when checking dynamic_casts. | Jordan Rose | 2012-08-13 | 4 | -21/+53
  ...and /do/ strip CXXBaseObjectRegions when casting to a virtual base class. This allows us to enforce the invariant that a CXXBaseObjectRegion can always provide an offset for its base region if its base region has a known class type, by only allowing virtual bases and direct non-virtual bases to form CXXBaseObjectRegions. This does mean some slight problems for our modeling of dynamic_cast, which needs to be resolved by finding a path from the current region to the class we're trying to cast to.
  llvm-svn: 161797
* [analyzer] Strip CXXBaseObjectRegions when devirtualizing method calls. | Jordan Rose | 2012-08-10 | 1 | -1/+25
  This was causing a crash when we tried to re-apply a base object region to itself. It probably also caused incorrect offset calculations in RegionStore. PR13569 / <rdar://problem/12076683>
  llvm-svn: 161710
* [analyzer] Try to devirtualize even if the static callee has no definition. | Jordan Rose | 2012-08-10 | 1 | -2/+2
  This mostly affects pure virtual methods, but would also affect parent methods defined inline in the header when analyzing the child's source file.
  llvm-svn: 161709
* [analyzer] Track if a region can be a subclass in the dynamic type info. | Anna Zaks | 2012-08-10 | 1 | -4/+13
  When object is allocated with alloc or init, we assume it cannot be a subclass (currently used only for bifurcation purposes).
  llvm-svn: 161682
* [analyzer] Optimize dynamic dispatch bifurcation by detecting the cases | Anna Zaks | 2012-08-10 | 1 | -2/+59
  when we don't need to split. In some cases we know that a method cannot have a different implementation in a subclass:
  - the class is declared in the main file (private)
  - all the method declarations (including the ones coming from super classes) are in the main file.
  This can be improved further, but might be enough for the heuristic. (When we are too aggressive splitting the state, efficiency suffers. When we fail to split the state coverage might suffer.)
  llvm-svn: 161681
* Fix a couple of pedantic gcc warnings. | Benjamin Kramer | 2012-08-10 | 1 | -1/+1
  llvm-svn: 161656
* [analyzer] Merge RegionStore's KillStruct and CopyLazyBindings: BindAggregate. | Jordan Rose | 2012-08-09 | 1 | -40/+21
  Both methods need to clear out existing bindings and provide a new default binding. Originally KillStruct always provided UnknownVal as the default, but it's allowed symbolic values for quite some time (for handling returned structs in C). No functionality change.
  llvm-svn: 161637
* [analyzer] Cluster bindings in RegionStore by base region. | Jordan Rose | 2012-08-09 | 2 | -181/+237
  This should speed up activities that need to access bindings by cluster, such as invalidation and dead-bindings cleaning. In some cases all we save is the cost of building the region cluster map, but other times we can actually avoid traversing the rest of the store. In casual testing, this produced a speedup of nearly 10% analyzing SQLite, with /less/ memory used.
  llvm-svn: 161636
* [analyzer] Cache the "concrete offset base" for regions with symbolic offsets. | Jordan Rose | 2012-08-09 | 2 | -45/+63
  This makes it faster to access and invalidate bindings with symbolic offsets by only computing this information once. No intended functionality change.
  llvm-svn: 161635
* [analyzer] A CXXBaseObjectRegion should correspond to a DIRECT base. | Jordan Rose | 2012-08-09 | 2 | -1/+12
  An ASTContext's RecordLayoutInfo can only be used to look up offsets of direct base classes, and we need the offset to make non-symbolic bindings in RegionStore. This change makes sure that we have one layer of CXXBaseObjectRegion for each base we are casting through. This was causing crashes on an internal buildbot.
  llvm-svn: 161621
* [analyzer] Rename the function to better reflect what it actually does. | Anna Zaks | 2012-08-09 | 1 | -3/+1
  llvm-svn: 161617
* [analyzer] Clarify the values in Dyn. Dispatch Bifurcation map. | Anna Zaks | 2012-08-09 | 1 | -5/+12
  llvm-svn: 161616
* [analyzer] Improve readability of the dyn. dispatch bifurcation patch | Anna Zaks | 2012-08-09 | 2 | -27/+26
  r161552. As per Jordan's feedback.
  llvm-svn: 161603
* Unbreak the build. | Anna Zaks | 2012-08-09 | 2 | -4/+4
  Declaring "const Decl *Decl" is not a good idea.
  llvm-svn: 161567
* [analyzer] Bifurcate the path with dynamic dispatch. | Anna Zaks | 2012-08-09 | 2 | -39/+124
  This is an initial (unoptimized) version. We split the path when inlining ObjC instance methods. On one branch we always assume that the type information for the given memory region is precise. On the other we assume that we don't have the exact type info. It is important to check since the class could be subclassed and the method can be overridden. If we always inline we can lose coverage. Had to refactor some of the call eval functions.
  llvm-svn: 161552
* [analyzer] Clean up the printing of FieldRegions for leaks. | Jordan Rose | 2012-08-08 | 1 | -5/+17
  Unfortunately, generalized region printing is very difficult:
  - ElementRegions are used both for casting and as actual elements.
  - Accessing values through a pointer means going through an intermediate SymbolRegionValue; symbolic regions are untyped.
  - Referring to implicitly-defined variables like 'this' and 'self' could be very confusing if they come from another stack frame.
  We fall back to simply not printing the region name if we can't be sure it will print well. This will allow us to improve in the future.
  llvm-svn: 161512
* [analyzer] Track malloc'd regions stored in structs. | Jordan Rose | 2012-08-08 | 1 | -0/+3
  The main blocker on this (besides the previous commit) was that ScanReachableSymbols was not looking through LazyCompoundVals. Once that was fixed, it's easy enough to clear out malloc data on return, just like we do when we bind to a global region. <rdar://problem/10872635>
  llvm-svn: 161511
* [analyzer] Revamp RegionStore to distinguish regions with symbolic offsets. | Jordan Rose | 2012-08-08 | 4 | -167/+182
  RegionStore currently uses a (Region, Offset) pair to describe the locations of memory bindings. However, this representation breaks down when we have regions like 'array[index]', where 'index' is unknown. We used to store this as (SubRegion, 0); now we mark them specially as (SubRegion, SYMBOLIC). Furthermore, ProgramState::scanReachableSymbols depended on the existence of a sub-region map, but RegionStore's implementation doesn't provide for such a thing. Moving the store-traversing logic of scanReachableSymbols into the StoreManager allows us to eliminate the notion of SubRegionMap altogether. This fixes some particularly awkward broken test cases, now in array-struct-region.c.
  llvm-svn: 161510
* [analyzer] Address Jordan's review of DynamicTypePropagation. | Anna Zaks | 2012-08-07 | 1 | -2/+2
  llvm-svn: 161391
* [analyzer] Add a checker to manage dynamic type propagation. | Anna Zaks | 2012-08-06 | 3 | -10/+6
  Instead of sprinkling dynamic type info propagation throughout ExprEngine, the added checker would add the more precise type information on known APIs (Ex: ObjC alloc, new) and propagate the type info in other cases (ex: ObjC init method, casts (the second is not implemented yet)). Add handling of ObjC alloc, new and init to the checker.
  llvm-svn: 161357
* [analyzer] Update initializer assertion for delegating constructors. | Jordan Rose | 2012-08-03 | 2 | -2/+12
  Like base constructors, delegating constructors require no further processing in the CFGInitializer node. Also, add PrettyStackTraceLoc to the initializer and destructor logic so we can get better stack traces in the future.
  llvm-svn: 161283
* [analyzer] When a symbol is null, we should track its constraints. | Jordan Rose | 2012-08-03 | 1 | -12/+21
  Because of this, we would previously emit NO path notes when a parameter is constrained to null (because there are no stores). Now we show where we made the assumption, which is much more useful.
  llvm-svn: 161280
* [analyzer] Flatten path diagnostics for text output like we do for HTML. | Jordan Rose | 2012-08-03 | 4 | -34/+50
  llvm-svn: 161279
* [analyzer] Track null/uninitialized C++ objects used in method calls. | Jordan Rose | 2012-08-03 | 1 | -12/+4
  llvm-svn: 161278
* [analyzer] Provide useful PathDiagnosticLocations for CallEnter/Exit events. | Jordan Rose | 2012-08-03 | 1 | -37/+51
  llvm-svn: 161277
* [analyzer] FindLastStoreBRVisitor was not actually finding stores. | Jordan Rose | 2012-08-03 | 1 | -11/+11
  The visitor walks back through the ExplodedGraph as expected, but it wasn't actually keeping track of when a value was assigned. This meant that it only worked when the value was assigned when the variable was defined. Tests in the next commit (dependent on another change).
  llvm-svn: 161276
* [analyzer] Fixup: remove the extra whitespace | Anna Zaks | 2012-08-03 | 1 | -26/+0
  llvm-svn: 161265
* [analyzer] ObjC Inlining: Start tracking dynamic type info in the GDM | Anna Zaks | 2012-08-03 | 2 | -3/+65
  In the following code, find the type of the symbolic receiver by following it and updating the dynamic type info in the state when we cast the symbol from id to MyClass *.
      MyClass *a = [[self alloc] init];
      return 5/[a testSelf];
  llvm-svn: 161264
* [analyzer] Fix a typo. Thanks Jordan. | Anna Zaks | 2012-08-03 | 1 | -1/+1
  llvm-svn: 161249
* [analyzer] Solve another source of non-determinism in the diagnostic | Anna Zaks | 2012-08-02 | 2 | -14/+7
  engine. The code that was supposed to split the tie in a deterministic way is not deterministic. Most likely one of the profile methods uses a pointer. After this change we do finally get the consistent diagnostic output. Testing this requires running the analyzer on large code bases and diffing the results.
  llvm-svn: 161224
* [analyzer] Also emit Prev/Next links for macros in HTML output. Oops. | Jordan Rose | 2012-08-02 | 1 | -2/+15
  llvm-svn: 161154
* [analyzer] Add Prev/Next links to the HTML output. | Jordan Rose | 2012-08-02 | 1 | -2/+24
  llvm-svn: 161153
* [analyzer] Flush bug reports in deterministic order. | Anna Zaks | 2012-08-02 | 1 | -3/+4
  This makes the diagnostic output order deterministic.
  1) This makes order of text diagnostics consistent from run to run.
  2) Also resulted in different bugs being reported (from one run to another) with plist-html output.
  llvm-svn: 161151