path: root/clang/lib/StaticAnalyzer/Core
Commit log. Each entry gives the commit message, then the author, date, number of files changed, and lines removed/added.
...
* [analyzer] Add a CXXDestructorCall CallEvent. (Jordan Rose, 2012-07-10; 3 files, -23/+31)
  While this work is still fairly tentative (destructors are still left out of the CFG by default), we now handle destructors in the same way as any other calls, instead of just automatically trying to inline them.
  llvm-svn: 160020
* [analyzer] Add new PreImplicitCall and PostImplicitCall ProgramPoints. (Jordan Rose, 2012-07-10; 5 files, -35/+70)
  These are currently unused, but are intended to be used in lieu of PreStmt and PostStmt when the call is implicit (e.g. an automatic object destructor).
  This also modifies the Data1 field of ProgramPoints to allow storing any pointer-sized value, as opposed to only aligned pointers. This is necessary to store SourceLocations.
  There is currently no BugReporter support for these; they should be skipped over in any diagnostic output.
  This commit also tags checkers that currently rely on function calls only occurring at StmtPoints.
  llvm-svn: 160019
* [analyzer] When inlining, make sure we use the definition decl. (Jordan Rose, 2012-07-09; 1 file, -6/+7)
  This was a regression introduced during the CallEvent changes; a call to FunctionDecl::hasBody was also being used to replace the decl found by lookup with the actual definition.
  To keep from making this mistake again (particularly if/when we start inlining Objective-C methods), this commit adds a "getDefinition()" method to CallEvent, which should do the right thing under any circumstances.
  llvm-svn: 159940
* [analyzer] Be careful about LazyCompoundVals, which may be for the first field. (Jordan Rose, 2012-07-06; 1 file, -15/+31)
  We use LazyCompoundVals to avoid copying the contents of structs and arrays around in the store, and when we need to pass a struct around that already has a LazyCompoundVal we just use the original one. However, it's possible that the first field of a struct may have a LazyCompoundVal of its own, and we currently can't distinguish a LazyCompoundVal for the first element of a struct from a LazyCompoundVal for the entire struct. In this case we should just drop the optimization and make a new LazyCompoundVal that encompasses the old one.
  PR13264 / <rdar://problem/11802440>
  llvm-svn: 159866
* Implement AST classes for comments, a real parser for Doxygen comments and a very simple semantic analysis that just builds the AST; minor changes for lexer to pick up source locations I didn't think about before. (Dmitri Gribenko, 2012-07-06; 1 file, -0/+1)
  Comments AST is modelled along the ideas of HTML AST: block and inline content.
    * Block content is a paragraph or a command that has a paragraph as an argument or verbatim command.
    * Inline content is placed within some block. Inline content includes plain text, inline commands and HTML as tag soup.
  llvm-svn: 159790
* Drop the ASTContext.h include from Stmt.h and fix up transitive users. (Benjamin Kramer, 2012-07-04; 1 file, -0/+1)
  This required moving the ctors for IntegerLiteral and FloatingLiteral out of line which shouldn't change anything as they are usually called through Create methods that are already out of line.
  ASTContext::Deallocate has been a nop for a long time, drop it from ASTVector and make it independent from ASTContext.h
  Pass the StorageAllocator directly to AccessedEntity so it doesn't need to have a definition of ASTContext around.
  llvm-svn: 159718
* [analyzer] For now, don't inline non-static member overloaded operators. (Jordan Rose, 2012-07-03; 2 files, -8/+50)
  Our current inlining support (specifically RegionStore::enterStackFrame) doesn't know that calls to overloaded operators may be calls to non-static member functions, and that in these cases the first argument should be treated as 'this'. This caused incorrect results and sometimes crashes.
  The long-term fix will be to rewrite RegionStore::enterStackFrame to use CallEvent and its subclasses, but for now we can just disable these problematic calls by classifying them under a new CallEvent, CXXMemberOperatorCall.
  llvm-svn: 159692
* [analyzer] Introduce CXXAllocatorCall to handle placement arg invalidation. (Jordan Rose, 2012-07-02; 2 files, -165/+27)
  This is NOT full-blown support for operator new, but removes some nasty duplicated code introduced in r158784.
  llvm-svn: 159608
* Revert "Remove unused member (& consequently unused parameter) in SA's Call code." (Jordan Rose, 2012-07-02; 1 file, -2/+3)
  ...and instead add an accessor. We're not using this today, but it's something that should probably stay in the source for potential clients, and it doesn't cost a lot. (ObjCPropertyAccess is only created on the stack, and right now there's only ever one alive at a time.)
  This reverts r159581 / commit 8e674e1da34a131faa7d43dc3fcbd6e49120edbe.
  llvm-svn: 159595
* Remove unused member (& consequently unused parameter) in SA's Call code. (David Blaikie, 2012-07-02; 1 file, -3/+2)
  This member became unused in r159559.
  llvm-svn: 159581
* Bail out the LiveVariables analysis when the CFG is very large, as we are encountering some scalability issues with memory usage. (Ted Kremenek, 2012-07-02; 1 file, -0/+6)
  The appropriate long term fix is to make the analysis more scalable, but this will at least prevent the analyzer swapping when analyzing very large functions.
  llvm-svn: 159578
* [analyzer] Add generic preCall and postCall checks. (Jordan Rose, 2012-07-02; 4 files, -11/+93)
  llvm-svn: 159562
* [analyzer] Convert CXXConstructExpr over to use CallEvent for evaluation. (Jordan Rose, 2012-07-02; 1 file, -83/+13)
  llvm-svn: 159561
* [analyzer] Use CallEvent for inlining and call default-evaluation. (Jordan Rose, 2012-07-02; 3 files, -131/+122)
  llvm-svn: 159560
* [analyzer] Finish replacing ObjCMessage with ObjCMethodDecl and friends. (Jordan Rose, 2012-07-02; 4 files, -9/+8)
  The preObjCMessage and postObjCMessage callbacks now take an ObjCMethodCall argument, which can represent an explicit message send (ObjCMessageSend) or an implicit message generated by a property access (ObjCPropertyAccess).
  llvm-svn: 159559
* [analyzer] Begin replacing ObjCMessage with ObjCMethodCall and friends. (Jordan Rose, 2012-07-02; 3 files, -35/+38)
  Previously, the CallEvent subclass ObjCMessageInvocation was just a wrapper around the existing ObjCMessage abstraction (over message sends and property accesses). Now, we have abstract CallEvent ObjCMethodCall with subclasses ObjCMessageSend and ObjCPropertyAccess.
  In addition to removing yet another wrapper object, this should make it easy to add an ObjCSubscriptAccess call event soon.
  llvm-svn: 159558
* [analyzer] Move the last bits of CallOrObjCMessage over to CallEvent. (Jordan Rose, 2012-07-02; 5 files, -222/+75)
  This involved refactoring some common pointer-escapes code onto CallEvent, then having MallocChecker use those callbacks for whether or not to consider a pointer's /ownership/ as escaping. This still needs to be pinned down, and probably we want to make the new argumentsMayEscape() function a little more discerning (content invalidation vs. ownership/metadata invalidation), but this is a good improvement.
  As a bonus, also remove CallOrObjCMessage from the source completely.
  llvm-svn: 159557
* [analyzer] Add a new abstraction over all types of calls: CallEvent (Jordan Rose, 2012-07-02; 9 files, -191/+386)
  This is intended to replace CallOrObjCMessage, and is eventually intended to be used for anything that cares more about /what/ is being called than /how/ it's being called. For example, inlining destructors should be the same as inlining blocks, and checking __attribute__((nonnull)) should apply to the allocator calls generated by operator new.
  llvm-svn: 159554
* [analyzer] Add a test that we are, in fact, doing a DFS on the ExplodedGraph. (Jordan Rose, 2012-06-29; 1 file, -1/+1)
  Previously:
    ...the comment said DFS...
    ...the WorkList being instantiated said BFS...
    ...and the implementation was actually DFS...
    ...due to an unintentional change in 2010...
    ...and everything kept working anyway.
  This fixes our std::deque implementation of BFS, but switches back to a SmallVector-based implementation of DFS.
  We should probably still investigate the ramifications of DFS vs. BFS, especially for large functions (and especially when we hit our block path limit), since this might completely change our memory use. It can also mask some bugs and reveal others depending on when we halt analysis. But at least we will not have this kind of little mistake creep in again.
  llvm-svn: 159397
* [analyzer] Remove unneeded helper function (it's in ASTContext.h) (Jordan Rose, 2012-06-27; 1 file, -9/+0)
  llvm-svn: 159244
* Implement initial static analysis inlining support for C++ methods. (Ted Kremenek, 2012-06-22; 5 files, -50/+68)
  llvm-svn: 159047
* [analyzer] Remove a statistic - it's too expensive. (Anna Zaks, 2012-06-22; 1 file, -6/+0)
  (Committed in r159038 by mistake.)
  llvm-svn: 159040
* [analyzer] scan-build: report the total number of steps analyzer performs (Anna Zaks, 2012-06-22; 1 file, -0/+7)
  This would be useful to investigate performance issues.
  llvm-svn: 159038
* [analyzer] Report the cumulative number of steps the analyzer performs. (Anna Zaks, 2012-06-22; 1 file, -0/+4)
  llvm-svn: 159036
* [analyzer] Check for +raise:format: on subclasses of NSException as well. (Jordan Rose, 2012-06-22; 1 file, -36/+47)
  We don't handle exceptions yet, so we treat them as sinks. ExprEngine hardcodes messages that are known to raise Objective-C exceptions like -raise, but it was only checking for +raise:format: and +raise:format:arguments: on NSException itself, not subclasses.
  <rdar://problem/11724201>
  llvm-svn: 159010
* Remove a goofy CMake hack and use the standard CMake facilities to express library-level dependencies within Clang. (Chandler Carruth, 2012-06-21; 1 file, -4/+14)
  This is no more verbose really, and plays nicer with the rest of the CMake facilities. It should also have no change in functionality.
  llvm-svn: 158888
* [analyzer] Invalidate placement args; return the pointer given to placement new (Jordan Rose, 2012-06-20; 1 file, -4/+104)
  The default global placement new just returns the pointer it is given. Note that other custom 'new' implementations with placement args are not guaranteed to do this.
  In addition, we need to invalidate placement args, since they may be updated by the allocator function. (Also, right now we don't properly handle the constructor inside a CXXNewExpr, so we need to invalidate the placement args just so that callers know something changed!)
  This invalidation is not perfect because CallOrObjCMessage doesn't support CXXNewExpr, and all of our invalidation callbacks expect that if there's no CallOrObjCMessage, the invalidation is happening manually (e.g. by a direct assignment) and shouldn't affect checker-specific metadata (like malloc state); hence the malloc test case in new-fail.cpp. But region values are now properly invalidated, at least.
  The long-term solution to this problem is to rework CallOrObjCMessage into something more general, rather than the morass of branches it is today.
  <rdar://problem/11679031>
  llvm-svn: 158784
* [analyzer] Add a comment: why we treat array compound literals as lvalues. (Jordan Rose, 2012-06-18; 1 file, -1/+9)
  llvm-svn: 158681
* [analyzer] Array CompoundLiteralExprs need to be treated like lvalues. (Jordan Rose, 2012-06-16; 1 file, -1/+1)
  llvm-svn: 158588
* [analyzer] Return an UnknownVal when we try to get the binding for a VLA. (Jordan Rose, 2012-06-16; 1 file, -2/+6)
  This happens in C++ mode right at the declaration of a struct VLA; MallocChecker sees a bind and tries to see if it's an escaping bind. It's likely that our handling of this is still incomplete, but it fixes a crash on valid without disturbing anything else for now.
  llvm-svn: 158587
* Documentation cleanup: fix a typo, LocatioinE -> LocationE (James Dennett, 2012-06-15; 1 file, -2/+2)
  llvm-svn: 158566
* Revert "[analyzer] Treat LValueBitCasts like regular pointer bit casts." (Jordan Rose, 2012-06-12; 3 files, -12/+7)
  This does not actually give us the right behavior for reinterpret_cast of references. Reverting so I can think about it some more.
  This reverts commit 50a75a6e26a49011150067adac556ef978639fe6.
  llvm-svn: 158341
* [analyzer] Treat LValueBitCasts like regular pointer bit casts. (Jordan Rose, 2012-06-11; 3 files, -7/+12)
  These casts only appear in very well-defined circumstances, in which the target of a reinterpret_cast or a function formal parameter is an lvalue reference. According to the C++ standard, the following are equivalent:
    reinterpret_cast<T&>( x)
    *reinterpret_cast<T*>(&x)
  [expr.reinterpret.cast]p11
  llvm-svn: 158338
* Etch out the code path for MS-style inline assembly. (Chad Rosier, 2012-06-11; 1 file, -0/+12)
  llvm-svn: 158325
* [analyzer] Add ObjCLoopChecker: objects from NSArray et al are non-nil. (Jordan Rose, 2012-06-11; 1 file, -4/+8)
  While collections containing nil elements can still be iterated over in an Objective-C for-in loop, the most common Cocoa collections -- NSArray, NSDictionary, and NSSet -- cannot contain nil elements. This checker adds that assumption to the analyzer state.
  This was the cause of some minor false positives concerning CFRelease calls on objects in an NSArray.
  llvm-svn: 158319
* [analyzer] Add experimental "issue hash" to the plist diagnostic. (Anna Zaks, 2012-06-08; 1 file, -0/+11)
  CmpRuns.py can be used to compare issues from different analyzer runs. Since it uses the issue line number to unique 2 issues, adding a new line to the beginning of a file makes all issues in the file reported as new.
  The hash will be an opaque value which could be used (along with the function name) by CmpRuns to identify the same issues. This way, we only fail to identify the same issue from two runs if the function it appears in changes (not perfect, but much better than nothing).
  llvm-svn: 158180
* [analyzer] Fixit for r158136. (Anna Zaks, 2012-06-07; 1 file, -1/+1)
  I falsely assumed that the memory spaces are equal when we reach this point; they might not be when the memory space of one or more is stack or Unknown. We don't want a region from Heap space alias something with another memory space.
  llvm-svn: 158165
* [analyzer] Anti-aliasing: different heap allocations do not alias (Anna Zaks, 2012-06-07; 3 files, -20/+39)
  Add a concept of symbolic memory region belonging to heap memory space. When comparing symbolic regions allocated on the heap, assume that they do not alias.
  Use symbolic heap region to suppress a common false positive pattern in the malloc checker, in code that relies on malloc not returning the memory aliased to other malloc allocations, stack.
  llvm-svn: 158136
* [analyzer] Provide debug descriptions for all memory space regions. (Jordan Rose, 2012-06-06; 1 file, -4/+16)
  Patch by Guillem Marpons!
  llvm-svn: 158106
* Revert Decl's iterators back to pointer value_type rather than reference value_type (David Blaikie, 2012-06-06; 3 files, -4/+4)
  In addition, I've made the pointer and reference typedef 'void' rather than T* just so they can't get misused. I would've omitted them entirely but std::distance likes them to be there even if it doesn't use them.
  This rolls back r155808 and r155869.
  Review by Doug Gregor incorporating feedback from Chandler Carruth.
  llvm-svn: 158104
* Remove unused private member variables found by clang's new -Wunused-private-field. (Benjamin Kramer, 2012-06-06; 1 file, -2/+1)
  llvm-svn: 158086
* PlistDiagnostics: force the ranges for control-flow edges to be single locations, forcing adjacent edges to have compatible ranges. (Ted Kremenek, 2012-06-05; 1 file, -2/+10)
  This simplifies the layout logic for some clients.
  llvm-svn: 158028
* [analyzer] Fix a diagnostics bug which led to a crash on the buildbot. (Anna Zaks, 2012-06-04; 1 file, -0/+5)
  This bug was triggered by r157851. It only happens in the case where we don't perform optimal diagnostic pruning.
  llvm-svn: 157950
* [analyzer] Rely on canBeInlined utility instead of checking CallExpr explicitly. (Anna Zaks, 2012-06-02; 2 files, -2/+3)
  This will make it easier to add inlining support to more expressions.
  llvm-svn: 157870
* [analyzer] Fix a spurious undef value warning. (Anna Zaks, 2012-06-01; 1 file, -1/+9)
  When we timeout or exceed a max number of blocks within an inlined function, we retry with no inlining starting from a node right before the CallEnter node. We assume the state of that node is the state of the program before we start evaluating the call. However, the node pruning removes this node as unimportant.
  Teach the node pruning to keep the predecessors of the call enter nodes.
  llvm-svn: 157860
* [analyzer] Fix lack of coverage after empty inlined function. (Anna Zaks, 2012-06-01; 1 file, -0/+2)
  We should not stop exploring the path after we return from an empty function.
  llvm-svn: 157859
* static analyzer: add inlining support for directly called blocks. (Ted Kremenek, 2012-06-01; 4 files, -55/+153)
  llvm-svn: 157833
* Allow some BugReports to opt-out of PathDiagnostic callstack pruning until we have significantly improved the pruning heuristics. (Ted Kremenek, 2012-05-31; 1 file, -3/+5)
  The current heuristics are pretty good, but they make diagnostics for uninitialized variables warnings particularly useless in some cases.
  llvm-svn: 157734
* [analyzer] Don't crash on LValBitCast (Anna Zaks, 2012-05-25; 1 file, -2/+2)
  llvm-svn: 157478
* [analyzer] Treat cast of array to reference in the same way as array to pointer. (Anna Zaks, 2012-05-24; 1 file, -1/+1)
  Fixes one of the crashes reported in PR12874.
  llvm-svn: 157401