path: root/clang/lib/StaticAnalyzer/Core
Commit message | Author | Age | Files | Lines
...
* [analyzer] Further improve suppress-on-sink behavior in incomplete analyses. | Artem Dergachev | 2017-07-25 | 1 | -3/+41
  If a certain memory leak (or other similar bug) found by the analyzer is known to be happening only before abnormal termination of the program ("sink", e.g. assertion failure in the code under analysis, or another bug that introduces undefined behavior), such leak warning is discarded. However, if the analysis has never reached completion (due to complexity of the code), it may be failing to notice the sink. This commit further extends the partial solution introduced in r290341 to cover cases when a complicated control flow occurs before encountering a no-return statement (which anyway inevitably leads to such statement(s)) by traversing the respective section of the CFG in a depth-first manner. A complete solution still seems elusive. rdar://problem/28157554 Differential Revision: https://reviews.llvm.org/D35673 llvm-svn: 308957
* Revert "[StaticAnalyzer] Completely unrolling specific loops with known bound option" | Peter Szecsi | 2017-07-20 | 4 | -234/+1
  Revert r308561 and r308558. Clang-ppc64be-linux seems to crash while running the test cases. llvm-svn: 308592
* [StaticAnalyzer] Completely unrolling specific loops with known bound option | Peter Szecsi | 2017-07-20 | 1 | -0/+203
  Missing files added to rL308558. llvm-svn: 308561
* This feature allows the analyzer to consider loops to completely unroll. New | Peter Szecsi | 2017-07-19 | 3 | -1/+31
  requirements/rules (for unrolling) can be added easily via ASTMatchers. The current implementation is hidden behind a flag. Right now the blocks which belong to an unrolled loop are marked by the LoopVisitor which adds them to the ProgramState. Then whenever we encounter a CFGBlock in the processCFGBlockEntrance which is marked then we skip its investigating. That means, it won't be considered to be visited more than the maximal bound for visiting since it won't be checked. Differential Revision: https://reviews.llvm.org/D34260 llvm-svn: 308558
* Revert "[analyzer] Support generating and reasoning over more symbolic constraint types" | Dominic Chen | 2017-07-12 | 3 | -38/+22
  Assertion `Loc::isLocType(SSE->getLHS()->getType())' failed in Analysis/PR3991.m This reverts commit e469ff2759275e67f9072b3d67fac90f647c0fe6. llvm-svn: 307853
* [analyzer] Support generating and reasoning over more symbolic constraint types | Dominic Chen | 2017-07-12 | 3 | -22/+38
  Summary: Generate more IntSymExpr constraints, perform SVal simplification for IntSymExpr and SymbolCast constraints, and create fully symbolic SymExprs Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun Subscribers: mgorny, cfe-commits Differential Revision: https://reviews.llvm.org/D28953 llvm-svn: 307833
* CFG: Add CFGElement for automatic variables that leave the scope | Matthias Gehre | 2017-07-12 | 4 | -1/+16
  Summary: This mimics the implementation for the implicit destructors. The generation of these scope-leaving elements is hidden behind a flag to the CFGBuilder, thus it should not affect existing code. Currently, I'm missing a test (it's implicitly tested by the clang-tidy lifetime checker that I'm proposing). I thought about a test using debug.DumpCFG, but then I would have to add an option to StaticAnalyzer/Core/AnalyzerOptions to enable the scope-leaving CFGElement, which would only be useful to that particular test. Any other ideas how I could make a test for this feature? Reviewers: krememek, jordan_rose Subscribers: cfe-commits Differential Revision: http://reviews.llvm.org/D15031 llvm-svn: 307759
* [analyzer] Start fixing modeling of bool based types | Alexander Shaposhnikov | 2017-07-11 | 1 | -5/+2
  This is a follow-up for one of the previous diffs https://reviews.llvm.org/D32328. getTypeSize and getIntWidth are not equivalent for bool (see https://clang.llvm.org/doxygen/ASTContext_8cpp_source.html#l08444), this causes a number of issues (for instance, if APint X representing a bool is created with the wrong bit width then X is not comparable against Min/Max (because of the different bit width), that results in crashes (triggered asserts) inside assume* methods), for examples see the newly added test cases. Test plan: make check-all Differential revision: https://reviews.llvm.org/D35041 llvm-svn: 307604
* [analyzer] Bump a few default performance thresholds. | Artem Dergachev | 2017-06-21 | 1 | -2/+2
  This makes the analyzer around 10% slower by default, allowing it to find deeper bugs. Default values for the following -analyzer-config change: max-nodes: 150000 -> 225000; max-inlinable-size: 50 -> 100. rdar://problem/32539666 Differential Revision: https://reviews.llvm.org/D34277 llvm-svn: 305900
* [analyzer] Fix logical not for pointers with different bit width | Daniel Marjamaki | 2017-06-19 | 1 | -3/+2
  Differential Revision: https://reviews.llvm.org/D31029 llvm-svn: 305669
* [analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion. | Artem Dergachev | 2017-06-12 | 1 | -0/+6
  Memory region allocated by alloca() carries no implicit type information. Don't crash when resolving the init message for an Objective-C object that is being constructed in such region. rdar://problem/32517077 Differential Revision: https://reviews.llvm.org/D33828 llvm-svn: 305211
* [analyzer] Don't add arrow to the inlined function's decl when it has no body. | Artem Dergachev | 2017-06-05 | 1 | -3/+9
  In plist output mode with alternate path diagnostics, when entering a function, we draw an arrow from the caller to the beginning of the callee's declaration. Upon exiting, however, we draw the arrow from the last statement in the callee function. The former makes little sense when the declaration is not a definition, i.e. has no body, which may happen in case the body is coming from a body farm, e.g. Objective-C autosynthesized property accessor. Differential Revision: https://reviews.llvm.org/D33671 llvm-svn: 304713
* [analyzer] Nullability: fix notes around synthesized ObjC property accessors. | Artem Dergachev | 2017-06-05 | 1 | -2/+44
  Nullable-to-nonnull checks used to crash when the custom bug visitor was trying to add its notes to autosynthesized accessors of Objective-C properties. Now we avoid this, mostly automatically outside of checker control, by moving the diagnostic to the parent stack frame where the accessor has been called. Differential revision: https://reviews.llvm.org/D32437 llvm-svn: 304710
* Added LLVM_FALLTHROUGH to address warning: this statement may fall through. NFC. | Galina Kistanova | 2017-06-03 | 3 | -0/+3
  llvm-svn: 304644
* [analyzer] Fix immutable map factory lifetime for partial taint. | Artem Dergachev | 2017-05-29 | 1 | -13/+10
  This should fix the leaks found by asan buildbot in r304162. Also don't store a reference to the factory with every map value, which is the only difference between ImmutableMap and ImmutableMapRef. llvm-svn: 304170
* [analyzer] Support partially tainted records. | Artem Dergachev | 2017-05-29 | 2 | -21/+87
  The analyzer's taint analysis can now reason about structures or arrays originating from taint sources in which only certain sections are tainted. In particular, it also benefits modeling functions like read(), which may read tainted data into a section of a structure, but RegionStore is incapable of expressing the fact that the rest of the structure remains intact, even if we try to model read() directly. Patch by Vlad Tsyrklevich! Differential revision: https://reviews.llvm.org/D28445 llvm-svn: 304162
* [Statistics] Use the new Statistic::updateMax to atomically calculate a maximum value statistic. | Craig Topper | 2017-05-18 | 1 | -4/+2
  llvm-svn: 303320
* [StaticAnalyzer] Move inline counter increaser to inlineCall function | Peter Szecsi | 2017-05-16 | 1 | -2/+1
  Even though the shouldInlineCall function returns true, it can happen that the function is not going to be inlined (as it can be seen at line 913 and below). Moved the bumpNumTimesInlined(D) (the counter increaser) call to the inlineCall function where it logically belongs. Differential Revision: https://reviews.llvm.org/D32179 llvm-svn: 303158
* [analyzer] Fix memory error bug category capitalization. | Artem Dergachev | 2017-05-03 | 1 | -0/+1
  It was written as "Memory Error" in most places and as "Memory error" in a few other places, however it is the latter that is more consistent with other categories (such as "Logic error"). rdar://problem/31718115 Differential Revision: https://reviews.llvm.org/D32702 llvm-svn: 302016
* [analyzer] Improve subscripting null arrays for catching null dereferences. | Artem Dergachev | 2017-04-24 | 2 | -10/+12
  Array-to-pointer cast now works correctly when the pointer to the array is concrete, e.g. null, which allows further symbolic calculations involving such values. Inlined defensive checks are now detected correctly when the resulting null symbol is being array-subscripted before dereference. Differential Revision: https://reviews.llvm.org/D32291 llvm-svn: 301251
* [analyzer] Improve suppression for inlined defensive checks before operator &. | Artem Dergachev | 2017-04-24 | 2 | -3/+29
  Null dereferences are suppressed if the lvalue was constrained to 0 for the first time inside a sub-function that was inlined during analysis, because such constraint is a valid defensive check that does not, by itself, indicate that null pointer case is anyhow special for the caller. If further operations on the lvalue are performed, the symbolic lvalue is collapsed to concrete null pointer, and we need to track where does the null pointer come from. Improve such tracking for lvalue operations involving operator &. rdar://problem/27876009 Differential Revision: https://reviews.llvm.org/D31982 llvm-svn: 301224
* [analyzer] Fix assert in ExprEngine::processSwitch | Alexander Shaposhnikov | 2017-04-21 | 1 | -2/+2
  This diff replaces getTypeSize(CondE->getType())) with getIntWidth(CondE->getType())) in ExprEngine::processSwitch. These calls are not equivalent for bool, see ASTContext.cpp Add a test case. Test plan: make check-clang-analysis make check-clang Differential revision: https://reviews.llvm.org/D32328 llvm-svn: 300936
* [analyzer] Enforce super-region classes for various memory regions. | Artem Dergachev | 2017-04-13 | 5 | -49/+56
  We now check the type of the super-region pointer for most SubRegion classes in compile time; some checks are run-time though. This is an API-breaking change (we now require explicit casts to specific region sub-classes), but in practice very few checkers are affected. Differential Revision: https://reviews.llvm.org/D26838 llvm-svn: 300189
* [analyzer] Add numerous assertions to SVal, SymExpr, and MemRegion classes. | Artem Dergachev | 2017-04-13 | 1 | -4/+2
  Clean up vtable anchors (remove anchors for regions that have regular out-of-line virtual methods, add anchors for regions that don't have those). Fix private/public methods (all constructors should now be private for leaf classes, protected for abstract classes). No functional change intended, only extra sanity checks and cleanups. Differential Revision: https://reviews.llvm.org/D26837 llvm-svn: 300187
* [analyzer] Simplify values in binary operations a bit more aggressively. | Artem Dergachev | 2017-04-13 | 1 | -5/+82
  SValBuilder tries to constant-fold symbols in the left-hand side of the symbolic expression whenever it fails to evaluate the expression directly. However, it only constant-folds them when they are atomic expressions, not when they are complicated expressions themselves. This patch adds recursive constant-folding to the left-hand side subexpression (there's a lack of symmetry because we're trying to have symbols on the left and constants on the right). As an example, we'd now be able to handle operations similar to "$x + 1 < $y", when $x is constrained to a constant. rdar://problem/31354676 Differential Revision: https://reviews.llvm.org/D31886 llvm-svn: 300178
* [analyzer] Add a check for IvarRegion in getExtraInvalidatedValues | Alexander Shaposhnikov | 2017-04-12 | 1 | -5/+7
  This diff adds a defensive check in getExtraInvalidatedValues for the case when there are no regions for the ivar associated with a property. Corresponding test case added. Test plan: make check-clang make check-clang-analysis llvm-svn: 300114
* [analyzer] Add new Z3 constraint manager backend | Dominic Chen | 2017-04-04 | 2 | -0/+1634
  Summary: Implement new Z3 constraint manager backend. Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun Subscribers: mgorny, cfe-commits Differential Revision: https://reviews.llvm.org/D28952 llvm-svn: 299463
* Spelling mistakes in comments. NFCI. (PR27635) | Simon Pilgrim | 2017-03-30 | 2 | -5/+5
  llvm-svn: 299083
* [analyzer] Fix symbolication for unknown unary increment/decrement results. | Artem Dergachev | 2017-03-28 | 2 | -1/+10
  If the value is known, but we cannot increment it, conjure a symbol to represent the result of the operation based on the operator expression, not on the sub-expression. In particular, no longer crash on comparing a result of a LocAsInteger increment to a constant integer. rdar://problem/31067356 Differential Revision: https://reviews.llvm.org/D31289 llvm-svn: 298927
* [analyzer] When creating a temporary object, properly copy the value into it. | Artem Dergachev | 2017-03-28 | 1 | -14/+50
  Adjustments should be considered properly; we should copy the unadjusted object over the whole temporary base region. If the unadjusted object is no longer available in the Environment, invalidate the temporary base region, and then copy the adjusted object into the adjusted sub-region of the temporary region. This fixes a regression introduced by r288263, that caused various false positives, due to copying only adjusted object into the adjusted region; the rest of the base region therefore remained undefined. Before r288263, the adjusted value was copied over the unadjusted region, which is incorrect, but accidentally worked better due to how region store disregards compound value bindings to non-base regions. An additional test machinery is introduced to make sure that despite making two binds, we only notify checkers once for both of them, without exposing the partially copied objects. This fix is a hack over a hack. The proper fix would be to model C++ temporaries in the CFG, and after that dealing with adjustments would no longer be necessary, and the values we need would no longer disappear from the Environment. rdar://problem/30658168 Differential Revision: https://reviews.llvm.org/D30534 llvm-svn: 298924
* [analyzer] Turn suppress-c++-stdlib on by default | Anna Zaks | 2017-03-10 | 1 | -1/+1
  We have several reports of false positives coming from libc++. For example, there are reports of false positives in std::regex, std::wcout, and also a bunch of issues are reported in https://reviews.llvm.org/D30593. In many cases, the analyzer trips over the complex libc++ code invariants. Let's turn off the reports coming from these headers until we can re-evaluate the support. We can turn this back on once we individually suppress all known false positives and perform deeper evaluation on large codebases that use libc++. We'd also need to commit to doing these evaluations regularly as libc++ headers change. Differential Revision: https://reviews.llvm.org/D30798 llvm-svn: 297429
* [analyzer] Extend taint propagation and checking to support LazyCompoundVal | Anna Zaks | 2017-03-09 | 1 | -0/+5
  A patch by Vlad Tsyrklevich! Differential Revision: https://reviews.llvm.org/D28445 llvm-svn: 297326
* [coroutines] Add DependentCoawaitExpr and fix re-building CoroutineBodyStmt. | Eric Fiselier | 2017-03-06 | 1 | -0/+1
  Summary: The changes contained in this patch are: 1. Defines a new AST node `CoawaitDependentExpr` for representing co_await expressions while the promise type is still dependent. 2. Correctly detect and transform the 'co_await' operand to `p.await_transform(<expr>)` when possible. 3. Change the initial/final suspend points to build during the initial parse, so they have the correct operator co_await lookup results. 4. Fix transformation of the CoroutineBodyStmt so that it doesn't re-build the final/initial suspends. @rsmith: This change is a little big, but it's not trivial for me to split it up. Please let me know if you would prefer this submitted as multiple patches. Reviewers: rsmith, GorNishanov Reviewed By: rsmith Subscribers: ABataev, rsmith, mehdi_amini, cfe-commits Differential Revision: https://reviews.llvm.org/D26057 llvm-svn: 297093
* [Analyzer] Terminate analysis on OpenMP code instead of assertion crash | Aleksei Sidorin | 2017-03-03 | 1 | -31/+32
  * ExprEngine assumes that OpenMP statements should never appear in CFG. However, current CFG doesn't know anything about OpenMP and passes such statements as CFG nodes causing "UNREACHABLE executed!" crashes. Since there is no OpenMP implementation in ExprEngine or CFG, we stop the analysis on OpenMP statements to avoid crashes. This fixes PR31835. Differential Revision: https://reviews.llvm.org/D30565 llvm-svn: 296884
* [analyzer] pr32088: Don't destroy the temporary if its initializer causes return. | Devin Coughlin | 2017-03-01 | 1 | -1/+9
  In the following code involving GNU statement-expression extension: struct S { ~S(); }; void foo() { const S &x = ({ return; S(); }); } function 'foo()' returns before reference x is initialized. We shouldn't call the destructor for the temporary object lifetime-extended by 'x' in this case, because the object never gets constructed in the first place. The real problem is probably in the CFG somewhere, so this is a quick-and-dirty hotfix rather than the perfect solution. A patch by Artem Dergachev! rdar://problem/30759076 Differential Revision: https://reviews.llvm.org/D30499 llvm-svn: 296646
* [analyzer] Refactor and simplify SimpleConstraintManager | Dominic Chen | 2017-02-25 | 6 | -289/+321
  Summary: SimpleConstraintManager is difficult to use, and makes assumptions about capabilities of the constraint manager. This patch refactors out those portions into a new RangedConstraintManager, and also fixes some issues with camel case, formatting, and confusing naming. Reviewers: zaks.anna, dcoughlin Subscribers: mgorny, xazax.hun, NoQ, rgov, cfe-commits Differential Revision: https://reviews.llvm.org/D26061 llvm-svn: 296242
* [analyzer] Proper caching in CallDescription objects. | Gabor Horvath | 2017-02-15 | 1 | -2/+5
  During the review of D29567 it turned out the caching in CallDescription is not implemented properly. In case an identifier does not exist in a translation unit, repeated identifier lookups will be done which might have bad impact on the performance. This patch guarantees that the lookup is only executed once. Moreover this patch fixes a corner case when the identifier of CallDescription does not exist in the translation unit and the called function does not have an identifier (e.g.: overloaded operator in C++). Differential Revision: https://reviews.llvm.org/D29884 llvm-svn: 295186
* [analyzer] Fix MacOSXAPIChecker fp with static locals seen from nested blocks. | Artem Dergachev | 2017-01-25 | 2 | -2/+6
  This is an attempt to avoid new false positives caused by the reverted r292800, however the scope of the fix is significantly reduced - some variables are still in incorrect memory spaces. Relevant test cases added. rdar://problem/30105546 rdar://problem/30156693 Differential revision: https://reviews.llvm.org/D28946 llvm-svn: 293043
* Revert "[analyzer] Fix memory space of static locals seen from nested blocks." | Devin Coughlin | 2017-01-24 | 1 | -35/+19
  This reverts commit r292800. It is causing null pointer dereference false positives when a block that captures a static local is evaluated at the top level. llvm-svn: 292874
* [analyzer] Fix memory space of static locals seen from nested blocks. | Artem Dergachev | 2017-01-23 | 1 | -19/+35
  When a block within a function accesses a function's static local variable, this local is captured by reference rather than copied to the heap. Therefore this variable's memory space is known: StaticGlobalSpaceRegion. Used to be UnknownSpaceRegion, same as for stack locals. Fixes a false positive in MacOSXAPIChecker. rdar://problem/30105546 Differential revision: https://reviews.llvm.org/D28946 llvm-svn: 292800
* [analyzer] Add LocationContext as a parameter to checkRegionChanges | Anna Zaks | 2017-01-13 | 6 | -27/+39
  This patch adds LocationContext to checkRegionChanges and removes wantsRegionChangeUpdate as it was unused. A patch by Krzysztof Wiśniewski! Differential Revision: https://reviews.llvm.org/D27090 llvm-svn: 291869
* [analyzer] Support inlining of '[self classMethod]' and '[[self class] classMethod]' | Anna Zaks | 2017-01-13 | 1 | -2/+60
  Differential Revision: https://reviews.llvm.org/D28495 llvm-svn: 291867
* [analyzer] Don't dereference the array value when binding it to a reference. | Artem Dergachev | 2017-01-12 | 1 | -2/+3
  This replaces the hack in r291754, which was fixing pr31592, which was caused by r291754, with a more appropriate solution. rdar://problem/28832541 Differential revision: https://reviews.llvm.org/D28602 llvm-svn: 291781
* [analyzer] Treat pointers to static member functions as function pointers | Devin Coughlin | 2017-01-10 | 1 | -0/+12
  Sema treats pointers to static member functions as having function pointer type, so treat them as function pointer values in the analyzer as well. This prevents an assertion failure in SValBuilder::evalBinOp caused by code that expects function pointers to be Locs (in contrast, PointerToMember values are nonlocs). Differential Revision: https://reviews.llvm.org/D28033 llvm-svn: 291581
* [OpenMP] Sema and parsing for 'target teams distribute simd' pragma | Kelvin Li | 2017-01-10 | 1 | -0/+1
  This patch is to implement sema and parsing for 'target teams distribute simd' pragma. Differential Revision: https://reviews.llvm.org/D28252 llvm-svn: 291579
* [analyzer] Add checker for iterators dereferenced beyond their range. | Gabor Horvath | 2017-01-09 | 1 | -1/+8
  Patch by: Adam Balogh! Differential Revision: https://reviews.llvm.org/D25660 llvm-svn: 291430
* Migrate PathDiagnosticPiece to std::shared_ptr | David Blaikie | 2017-01-05 | 5 | -304/+267
  Simplifies and makes explicit the memory ownership model rather than implicitly passing/acquiring ownership. llvm-svn: 291143
* [OpenMP] Sema and parsing for 'target teams distribute parallel for simd' pragma | Kelvin Li | 2017-01-03 | 1 | -0/+1
  This patch is to implement sema and parsing for 'target teams distribute parallel for simd' pragma. Differential Revision: https://reviews.llvm.org/D28202 llvm-svn: 290862
* [OpenMP] Sema and parsing for 'target teams distribute parallel for' pragma | Kelvin Li | 2016-12-29 | 1 | -0/+1
  This patch is to implement sema and parsing for 'target teams distribute parallel for' pragma. Differential Revision: https://reviews.llvm.org/D28160 llvm-svn: 290725
* [OpenMP] Sema and parsing for 'target teams distribute' pragma | Kelvin Li | 2016-12-25 | 1 | -0/+1
  This patch is to implement sema and parsing for 'target teams distribute' pragma. Differential Revision: https://reviews.llvm.org/D28015 llvm-svn: 290508