summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer
Commit message (Collapse)AuthorAgeFilesLines
...
* Add NDEBUG checks around LLVM_DUMP_METHOD functions for Wunused-function ↵Eric Christopher2017-11-162-1/+4
| | | | | | warnings. llvm-svn: 318371
* [clang] Remove redundant return [NFC]Mandeep Singh Grang2017-11-131-2/+0
| | | | | | | | | | | | | | Reviewers: rsmith, sfantao, mcrosier Reviewed By: mcrosier Subscribers: jholewinski, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D39915 llvm-svn: 318074
* [analyzer] ObjCGenerics: Don't warn on cast conversions involving explicit castDevin Coughlin2017-11-131-16/+16
| | | | | | | | | | | | | | | | | | | | | | The ObjCGenerics checker warns on a cast when there is no subtyping relationship between the tracked type of the value and the destination type of the cast. It does this even if the cast was explicitly written. This means the user can't write an explicit cast to silence the diagnostic. This commit treats explicit casts involving generic types as an indication from the programmer that the Objective-C type system is not rich enough to express the needed invariant. On explicit casts, the checker now removes any existing information inferred about the type arguments. Further, it no longer assumes the casted-to specialized type because the invariant the programmer specifies in the cast may only hold at a particular program point and not later ones. This prevents a suppressing cast from requiring a cascade of casts down the line. rdar://problem/33603303 Differential Revision: https://reviews.llvm.org/D39711 llvm-svn: 318054
* [analyzer] [NFC] Minor ExprEngineC refactoringGeorge Karpenkov2017-11-091-15/+22
| | | | | | | | Move a repeated block of code into a function. Differential Revision: https://reviews.llvm.org/D39584 llvm-svn: 317849
* [analyzer] do not crash when trying to convert an APSInt to an unexpected typeGeorge Karpenkov2017-11-091-1/+3
| | | | | | | | | | | | | | | | | | | | This is the issue breaking the postgresql bot, purely by chance exposed through taint checker, somehow appearing after https://reviews.llvm.org/D38358 got committed. The backstory is that the taint checker requests SVal for the value of the pointer, and analyzer has a "fast path" in the getter to return a constant when we know that the value is constant. Unfortunately, the getter requires a cast to get signedness correctly, and for the pointer `void *` the cast crashes. This is more of a band-aid patch, as I am not sure what could be done here "correctly", but it should be applied in any case to avoid the crash. Differential Revision: https://reviews.llvm.org/D39862 llvm-svn: 317839
* [analyzer] assume bitwise arithmetic axiomsGeorge Karpenkov2017-11-091-6/+54
| | | | | | | | | | | | | | | Patches the solver to assume that bitwise OR of an unsigned value with a constant always produces a value larger-or-equal than the constant, and bitwise AND with a constant always produces a value less-or-equal than the constant. This patch is especially useful in the context of using bitwise arithmetic for error code encoding: the analyzer would be able to state that the error code produced using a bitwise OR is non-zero. Differential Revision: https://reviews.llvm.org/D39707 llvm-svn: 317820
* [analyzer] Fix a crash on logical operators with vectors.Artem Dergachev2017-11-081-0/+10
| | | | | | | | | | | | | | | | | Do not crash when trying to compute x && y or x || y where x and y are of a vector type. For now we do not seem to properly model operations with vectors. In particular, operations && and || on a pair of vectors are not short-circuit, unlike regular logical operators, so even our CFG is incorrect. Avoid the crash, add respective FIXME tests for later. Differential Revision: https://reviews.llvm.org/D39682 rdar://problem/34317663 llvm-svn: 317700
* [analyzer] pr34779: CStringChecker: Accept non-standard headers.Artem Dergachev2017-11-071-2/+4
| | | | | | | | | | | Do not crash when trying to define and call a non-standard strcpy(unsigned char *, unsigned char *) during analysis. At the same time, do not try to actually evaluate the call. Differential Revision: https://reviews.llvm.org/D39422 llvm-svn: 317565
* [analyzer] [NFC] very minor ExprEngineC refactoringGeorge Karpenkov2017-11-031-4/+2
| | | | | | Differential Revision: https://reviews.llvm.org/D39577 llvm-svn: 317294
* [analyzer] Use the same filename for the header and the implementation of ↵George Karpenkov2017-10-301-1/+1
| | | | | | | | BugReporterVisitor Differential Revision: https://reviews.llvm.org/D37935 llvm-svn: 316963
* [analyzer] Left shifting a negative value is undefinedGabor Horvath2017-10-302-0/+6
| | | | | | | | | | The analyzer did not return an UndefVal in case a negative value was left shifted. I also altered the UndefResultChecker to emit a clear warning in this case. Differential Revision: https://reviews.llvm.org/D39423 llvm-svn: 316924
* [analyzer] Use the signature of the primary template for issue hash calculationGabor Horvath2017-10-301-0/+7
| | | | | | | | | | | | | Now when a template is instantiated more times and there is a bug found in the instantiations the issue hash will be different for each instantiation even if every other property of the bug (path, message, location) is the same. This patch aims to resolve this issue. Note that explicit specializations still generate different hashes but that is intended. Differential Revision: https://reviews.llvm.org/D38728 llvm-svn: 316900
* [analyzer] Make issue hash related tests more conciseGabor Horvath2017-10-302-35/+16
| | | | | | | | | | Extend ExprInspection checker to make it possible to dump the issue hash of arbitrary expressions. This change makes it possible to make issue hash related tests more concise and also makes debugging issue hash related problems easier. Differential Revision: https://reviews.llvm.org/D38844 llvm-svn: 316899
* [analyzer] lock_guard and unique_lock extension for BlockInCriticalSection ↵Gabor Horvath2017-10-301-11/+43
| | | | | | | | | | checker A patch by zdtorok (Zoltán Dániel Török)! Differential Revision: https://reviews.llvm.org/D33729 llvm-svn: 316892
* [analyzer] Handle ObjC messages conservatively in CallDescriptionGabor Horvath2017-10-301-1/+3
| | | | | | Differential Revision: https://reviews.llvm.org/D37470 llvm-svn: 316885
* [analyzer] MisusedMovedObjectChecker: More precise warning messagePeter Szecsi2017-10-281-9/+23
| | | | | | | | | | | | Added new enum in order to differentiate the warning messages on "misusing" into 3 categories: function calls, moving an object, copying an object. (At the moment the checker gives the same message in case of copying and moving.) Additional test cases added as well. Differential Revision: https://reviews.llvm.org/D38674 llvm-svn: 316852
* [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting, ↵Peter Szecsi2017-10-281-12/+15
| | | | | | | | | | | | | | | | | | | | handling method calls on base-class sub-objects An earlier solution from Artem r315301 solves the reset problem, however, the reports should be handled the same way in case of method calls. We should not just report the base class of the object where the method was defined but the whole object. Fixed false positive which came from not removing the subobjects in case of a state-resetting function. (Just replaced the State->remove(...) call to removeFromState(..) which was defined exactly for that purpose.) Some minor typos fixed in this patch as well which did not worth a whole new patch in my opinion, so included them here. Differential Revision: https://reviews.llvm.org/D31538 llvm-svn: 316850
* [analyzer] LoopUnrolling: check the bitwidth of the used numbers (pr34943)Peter Szecsi2017-10-281-2/+9
| | | | | | | | | | | | | | | The loop unrolling feature aims to track the maximum possible steps a loop can make. In order to implement this, it investigates the initial value of the counter variable and the bound number. (It has to be known.) These numbers are used as llvm::APInts, however, it was not checked if their bitwidths are the same which lead to some crashes. This revision solves this problem by extending the "shorter" one (to the length of the "longer" one). For the detailed bug report, see: https://bugs.llvm.org/show_bug.cgi?id=34943 Differential Revision: https://reviews.llvm.org/D38922 llvm-svn: 316830
* [Analyzer] Do not use static storage to for implementations created in ↵George Karpenkov2017-10-231-27/+19
| | | | | | | | BodyFarm.cpp Differential Revision: https://reviews.llvm.org/D39208 llvm-svn: 316400
* [analyzer] Fix handling of labels in getLValueElementAlexander Shaposhnikov2017-10-231-1/+4
| | | | | | | | | | | In getLValueElement Base may represent the address of a label (as in the newly-added test case), in this case it's not a loc::MemRegionVal and Base.castAs<loc::MemRegionVal>() triggers an assert, this diff makes getLValueElement return UnknownVal instead. Differential revision: https://reviews.llvm.org/D39174 llvm-svn: 316399
* [analyzer] Dump signed integers in SymIntExpr and IntSymExpr correctlyGabor Horvath2017-10-191-3/+9
| | | | | | | | Patch by: Adam Balogh! Differential Revision: https://reviews.llvm.org/D39048 llvm-svn: 316157
* [analyzer] pr28449: Fix support for various array initializers.Artem Dergachev2017-10-131-8/+5
| | | | | | | | | | | | | | | | | | In some cases the analyzer didn't expect an array-type variable to be initialized with anything other than a string literal. The patch essentially removes the assertion, and ensures relatively sane behavior. There is a bigger problem with these initializers. Currently our memory model (RegionStore) is being ordered to initialize the array with a region that is assumed to be storing the initializer rvalue, and it guesses to copy the contents of that region to the array variable. However, it would make more sense for RegionStore to receive the correct initializer in the first place. This problem isn't addressed with this patch. rdar://problem/27248428 Differential Revision: https://reviews.llvm.org/D23963 llvm-svn: 315750
* [analyzer] CStringChecker: pr34460: Avoid a crash when a cast is not modeled.Artem Dergachev2017-10-131-23/+14
| | | | | | | | | | | | | | | | | The checker used to crash when a mempcpy's length argument is symbolic. In this case the cast from 'void *' to 'char *' failed because the respective ElementRegion that represents cast is hard to add on top of the existing ElementRegion that represents the offset to the last copied byte, while preseving a sane memory region structure. Additionally, a few test cases are added (to casts.c) which demonstrate problems caused by existing sloppy work we do with multi-layer ElementRegions. If said cast would be modeled properly in the future, these tests would need to be taken into account. Differential Revision: https://reviews.llvm.org/D38797 llvm-svn: 315742
* [analyzer] RetainCount: Ignore annotations on user-made CFRetain wrappers.Artem Dergachev2017-10-131-0/+5
| | | | | | | | | | | | | It is not uncommon for the users to make their own wrappers around CoreFoundation's CFRetain and CFRelease functions that are defensive against null references. In such cases CFRetain is often incorrectly marked as CF_RETURNS_RETAINED. Ignore said annotation and treat such wrappers similarly to the regular CFRetain. rdar://problem/31699502 Differential Revision: https://reviews.llvm.org/D38877 llvm-svn: 315736
* [Analyzer] Assume that CFBooleanRef const globals are non-nullGeorge Karpenkov2017-10-132-18/+23
| | | | | | Differential Revision: https://reviews.llvm.org/D38867 llvm-svn: 315655
* SVal::getAsSymbol(bool IncludeBaseRegions): Follow ↵NAKAMURA Takumi2017-10-121-2/+2
| | | | | | clang/StaticAnalyzer/Core/PathSensitive/SVals.h, s/IncludeBaseRegion/IncludeBaseRegions/g [-Wdocumentation] llvm-svn: 315572
* [Analyzer] Fix introduced regression: properly check for nullable attribute.George Karpenkov2017-10-111-1/+2
| | | | llvm-svn: 315492
* [Analyzer] Assume that string-like const globals are non-nil.George Karpenkov2017-10-112-0/+135
| | | | | | Differential Revision: https://reviews.llvm.org/D38764 llvm-svn: 315488
* [Analyzer] Clarify error messages for undefined resultDaniel Marjamaki2017-10-113-61/+75
| | | | | | Differential Revision: https://reviews.llvm.org/D30295 llvm-svn: 315462
* [analyzer] MisusedMovedObject: Fix state-resetting a base-class sub-object.Artem Dergachev2017-10-101-1/+8
| | | | | | | | | | | If a method is resetting the state of an object that was moved from, it should be safe to use this object again. However if the method was defined in a parent class, but used in a child class, the reset didn't happen from the checker's perspective. Differential Revision: https://reviews.llvm.org/D31538 llvm-svn: 315301
* [analyzer] MisusedMovedObject: Add printState() method for self-debugging.Artem Dergachev2017-10-101-0/+21
| | | | | | | | | This method injects additional information into program state dumps, describing which objects have been moved from. Differential Revision: https://reviews.llvm.org/D31541 llvm-svn: 315300
* [analyzer] PthreadLockChecker: Add printState() method for self-debugging.Artem Dergachev2017-10-101-0/+35
| | | | | | | | | This method injects additional information into program state dumps, describing states of mutexes tracked by the checker. Differential Revision: https://reviews.llvm.org/D37805 llvm-svn: 315298
* [analyzer] Implement pointer arithmetic on constantsGabor Horvath2017-10-101-0/+6
| | | | | | | | Patch by: Rafael Stahl! Differential Revision: https://reviews.llvm.org/D37478 llvm-svn: 315296
* [analyzer] Fix leak false positives on stuff put in C++/ObjC initializer lists.Artem Dergachev2017-10-051-17/+38
| | | | | | | | | | | | | | | The analyzer now realizes that C++ std::initializer_list objects and Objective-C boxed structure/array/dictionary expressions can potentially maintain a reference to the objects that were put into them. This avoids false memory leak posivites and a few other issues. This is a conservative behavior; for now, we do not model what actually happens to the objects after being passed into such initializer lists. rdar://problem/32918288 Differential Revision: https://reviews.llvm.org/D35216 llvm-svn: 314975
* [analyzer] Fix autodetection of binding types.Artem Dergachev2017-10-041-8/+11
| | | | | | | | | | | | | | | | | | | | | | | In ProgramState::getSVal(Location, Type) API which dereferences a pointer value, when the optional Type parameter is not supplied and the Location is not typed, type should have been guessed on a best-effort basis by inspecting the Location more deeply. However, this never worked; the auto-detected type was instead a pointer type to the correct type. Fixed the issue and added various test cases to demonstrate which parts of the analyzer were affected (uninitialized pointer argument checker, C++ trivial copy modeling, Google test API modeling checker). Additionally, autodetected void types are automatically replaced with char, in order to simplify checker APIs. Which means that if the location is a void pointer, getSVal() would read the first byte through this pointer and return its symbolic value. Fixes pr34305. Differential Revision: https://reviews.llvm.org/D38358 llvm-svn: 314910
* [Analyzer] Re-apply r314820 with a fix for StringRef lifetime.George Karpenkov2017-10-031-3/+6
| | | | | | | | | Fixes the test failure: temporary is now bound to std::string, tests fully pass on Linux. This reverts commit b36ee0924038e1d95ea74230c62d46e05f80587e. llvm-svn: 314859
* Revert r314820 "[Analyzer] More granular special casing in RetainCountChecker"Tim Shen2017-10-031-6/+3
| | | | | | | | The test retain-release.m fails with this patch. Differential Revision: https://reviews.llvm.org/D38487 llvm-svn: 314831
* [Analyzer] More granular special casing in RetainCountCheckerGeorge Karpenkov2017-10-031-3/+6
| | | | | | | | | Only assume that IOBSDNameMatching and friends increment a reference counter if their return type is a CFMutableDictionaryRef. Differential Revision: https://reviews.llvm.org/D38487 llvm-svn: 314820
* [analyzer] Match more patterns in bugreporter::getDerefExpr() API.Artem Dergachev2017-09-271-5/+17
| | | | | | | | | | This function can now track null pointer through simple pointer arithmetic, such as '*&*(p + 2)' => 'p' and so on, displaying intermediate diagnostic pieces for the user to understand where the null pointer is coming from. Differential Revision: https://reviews.llvm.org/D37025 llvm-svn: 314290
* [analyzer] Fix and refactor bugreporter::getDerefExpr() API.Artem Dergachev2017-09-271-30/+50
| | | | | | | | | | | | | | | | | | | | This API is used by checkers (and other entities) in order to track where does a value originate from, by jumping from an expression value of which is equal to that value to the expression from which this value has "appeared". For example, it may be an lvalue from which the rvalue was loaded, or a function call from which the dereferenced pointer was returned. The function now avoids incorrectly unwrapping implicit lvalue-to-rvalue casts, which caused crashes and incorrect intermediate diagnostic pieces. It also no longer relies on how the expression is written when guessing what it means. Fixes pr34373 and pr34731. rdar://problem/33594502 Differential Revision: https://reviews.llvm.org/D37023 llvm-svn: 314287
* [analyzer] Fix crash on modeling of pointer arithmeticAlexander Shaposhnikov2017-09-251-3/+5
| | | | | | | | | | | | | | | | | | | This patch fixes analyzer's crash on the newly added test case (see also https://bugs.llvm.org/show_bug.cgi?id=34374). Pointers subtraction appears to be modeled incorrectly in the following example: char* p; auto n = p - reinterpret_cast<char*>((unsigned long)1); In this case the analyzer (built without this patch) tries to create a symbolic value for the difference treating reinterpret_cast<char*>((unsigned long)1) as an integer, that is not correct. Differential revision: https://reviews.llvm.org/D38214 Test plan: make check-all llvm-svn: 314141
* [analyzer] Add new delete with non-virtual destructor checkGabor Horvath2017-09-222-0/+154
| | | | | | | | Patch by: Reka Nikolett Kovacs Differential Revision: https://reviews.llvm.org/D35796 llvm-svn: 313973
* [Analyzer] Log when auto-synthesized body is used.George Karpenkov2017-09-221-3/+14
| | | | | | Differential Revision: https://reviews.llvm.org/D37910 llvm-svn: 313944
* [analyzer] Fix an assertion fail in VirtualCallCheckerGabor Horvath2017-09-211-1/+1
| | | | | | Differential Revision: https://reviews.llvm.org/D37978 llvm-svn: 313866
* [Analyzer] Check function name size before indexing.George Karpenkov2017-09-151-1/+2
| | | | | | https://reviews.llvm.org/D37908 llvm-svn: 313385
* Update users of llvm::sys::ExecuteAndWait etc.Alexander Kornienko2017-09-131-2/+1
| | | | | | | | | | | | Summary: Clang part of https://reviews.llvm.org/D37563 Reviewers: bkramer Subscribers: vsk, cfe-commits Differential Revision: https://reviews.llvm.org/D37564 llvm-svn: 313156
* [CSA] [NFC] Move AnalysisContext.h to AnalysisDeclContext.hGeorge Karpenkov2017-09-067-7/+7
| | | | | | | | | | | | | | The implementation is in AnalysisDeclContext.cpp and the class is called AnalysisDeclContext. Making those match up has numerous benefits, including: - Easier jump from header to/from implementation. - Easily identify filename from class. Differential Revision: https://reviews.llvm.org/D37500 llvm-svn: 312671
* [NFC] [CSA] Move AnyFunctionCall::getRuntimeDefinition implementation to cpp.George Karpenkov2017-09-061-0/+16
| | | | | | Differential Revision: https://reviews.llvm.org/D37499 llvm-svn: 312670
* Removed dead code (PR34467). NFCI.Simon Pilgrim2017-09-051-3/+0
| | | | | | The for loop already checks that Idx < NumOfArgs. llvm-svn: 312525
* [analyzer] Increase minimum complexity filter of the CloneChecker.Raphael Isemann2017-09-041-1/+1
| | | | | | | | | | | | | | | Summary: So far we used a value of 10 which was useful for testing but produces many false-positives in real programs. The usual suspicious clones we find seem to be at around a complexity value of 70 and for normal clone-reporting everything above 50 seems to be a valid normal clone for users, so let's just go with 50 for now and set this as the new default value. This patch also explicitly sets the complexity value for the regression tests as they serve more of a regression testing/debugging purpose and shouldn't really be reported by default in real programs. I'll add more tests that reflect actual found bugs that then need to pass with the default setting in the future. Reviewers: NoQ Subscribers: cfe-commits, javed.absar, xazax.hun, v.g.vassilev Differential Revision: https://reviews.llvm.org/D34178 llvm-svn: 312468
OpenPOWER on IntegriCloud