path: root/clang/lib/StaticAnalyzer
Commit message | Author | Age | Files | Lines
* [analyzer] Skip casts when determining taint dependencies + pretty printing. | Anna Zaks | 2012-01-20 | 1 | -0/+25
    llvm-svn: 148517
* [analyzer] Add a utility method that allows to find the macro name used at the given location. | Anna Zaks | 2012-01-20 | 1 | -0/+13
    This could be useful when checkers' logic depends on whether a function is called with a given macro argument.
    llvm-svn: 148516
* [analyzer] Refactor: prePropagateTaint -> TaintPropagationRule::process(). | Anna Zaks | 2012-01-18 | 1 | -43/+27
    Also remove the "should be a pointer argument" warning - should be handled elsewhere.
    llvm-svn: 148372
* [analyzer] Taint: warn when tainted data is used to specify a buffer size (Ex: in malloc, memcpy, strncpy..) | Anna Zaks | 2012-01-18 | 1 | -4/+62
    (Maybe some of this could migrate to the CString checker. One issue with that is that we might want to separate security issues from regular API misuse.)
    llvm-svn: 148371
* [analyzer] Taint: add taint propagation rules for string and memory copy functions. | Anna Zaks | 2012-01-18 | 2 | -57/+136
    llvm-svn: 148370
* Remove unreachable code in Clang. (replace with llvm_unreachable where appropriate or when GCC requires it) | David Blaikie | 2012-01-17 | 1 | -6/+1
    llvm-svn: 148292
* Remove unnecessary default cases in switches over enums. | David Blaikie | 2012-01-17 | 5 | -10/+0
    This allows -Wswitch-enum to find switches that need updating when these enums are modified.
    llvm-svn: 148281
* [analyzer] Taint: generalize taint propagation to simplify adding more taint propagation functions. | Anna Zaks | 2012-01-17 | 1 | -4/+128
    llvm-svn: 148266
* Some improvements to the handling of C11 atomic types: | David Chisnall | 2012-01-16 | 1 | -0/+5
    - Add atomic-to/from-nonatomic cast types
    - Emit atomic operations for arithmetic on atomic types
    - Emit non-atomic stores for initialisation of atomic types, but atomic stores and loads for every other store / load
    - Add a __atomic_init() intrinsic which does a non-atomic store to an _Atomic() type. This is needed for the corresponding C11 stdatomic.h function.
    - Enables the relevant __has_feature() checks.
    The feature isn't 100% complete yet, but it's done enough that we want people testing it.
    Still to do:
    - Make the arithmetic operations on atomic types (e.g. Atomic(int) foo = 1; foo++;) use the correct LLVM intrinsic if one exists, not a loop with a cmpxchg.
    - Add a signal fence builtin
    - Properly set the fenv state in atomic operations on floating point values
    - Correctly handle things like _Atomic(_Complex double) which are too large for an atomic cmpxchg on some platforms (this requires working out what 'correctly' means in this context)
    - Fix the many remaining corner cases
    llvm-svn: 148242
* Refactor variables unused under non-assert builds. | David Blaikie | 2012-01-16 | 1 | -2/+1
    llvm-svn: 148229
* [analyzer] Taint: add system and popen as undesirable sinks for taint data. | Anna Zaks | 2012-01-14 | 1 | -20/+77
    llvm-svn: 148176
* [analyzer] Unwrap the pointers when ignoring the const cast. | Anna Zaks | 2012-01-13 | 1 | -1/+28
    radar://10686991
    llvm-svn: 148081
* [analyzer] Taint: when looking up a binding, provide the type. | Anna Zaks | 2012-01-13 | 1 | -1/+4
    llvm-svn: 148080
* [analyzer] RegionStoreManager::getBinding() should not crash when looking up value at a CodeTextRegion even when the type is not provided. | Anna Zaks | 2012-01-13 | 1 | -2/+6
    llvm-svn: 148079
* [analyzer] Fix a typo in a warning message. | Anna Zaks | 2012-01-13 | 1 | -1/+1
    llvm-svn: 148078
* [analyzer] fix inlining's handling of mapping actual to formal arguments and limit the call stack depth. | Ted Kremenek | 2012-01-12 | 4 | -17/+42
    The analyzer can now accurately simulate factorial for limited depths.
    llvm-svn: 148036
* [analyzer] Rename Store::Retrieve() -> getBinding(). | Anna Zaks | 2012-01-12 | 3 | -64/+69
    + all the other Retrieve..() methods + a comment for ElementRegion.
    llvm-svn: 148011
* [analyzer] Add taint transfer by strcpy & others (part 1). | Anna Zaks | 2012-01-12 | 1 | -89/+100
    To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit.
    Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker.
    llvm-svn: 148010
* "This change adds alloca/valloc checks to UnixAPIChecker. It includes a small refactoring for the common *alloc functions as well as a few tiny wibbles (adds a note to CWE/CERT advisory numbers in the bug output, and fixes a couple 80-column-wide violations.)" | Ted Kremenek | 2012-01-11 | 1 | -48/+61
    Patch by Austin Seipp!
    llvm-svn: 147931
* Remove '#if 0' from ExprEngine::InlineCall(), and start fresh by wiring up inlining for straight C calls. | Ted Kremenek | 2012-01-11 | 4 | -115/+89
    My hope is to reimplement this from first principles based on the simplifications of removing unneeded node builders and re-evaluating how C++ calls are handled in the CFG. The hope is to turn inlining "on-by-default" as soon as possible with a core set of things working well, and then expand over time.
    llvm-svn: 147904
* Make PathDiagnosticLocation more resilient to null Stmt pointers. | Ted Kremenek | 2012-01-10 | 1 | -0/+6
    llvm-svn: 147854
* Remove unused variable. | Rafael Espindola | 2012-01-07 | 1 | -1/+0
    llvm-svn: 147744
* [analyzer] Fix use-after-free in HandleTranslationUnit. | Anna Zaks | 2012-01-07 | 1 | -6/+9
    A patch by Dmitri Gribenko!
    The attached patch fixes a use-after-free in AnalysisConsumer::HandleTranslationUnit. The problem is that BugReporter's destructor runs after AnalysisManager has been already deleted. The fix introduces a scope to force correct destruction order.
    A crash happens only when reports have been added in AnalysisConsumer::HandleTranslationUnit's BugReporter. We don't have such checkers in clang so no test.
    llvm-svn: 147732
* [analyzer] Add basic format string vulnerability checking. | Anna Zaks | 2012-01-07 | 2 | -7/+93
    We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted.
    llvm-svn: 147714
* [analyzer] Remove CallEnterNodeBuilder and simplify ExprEngine::processCallEnter(). | Ted Kremenek | 2012-01-07 | 3 | -82/+30
    This removes analysis of other translation units, but that was an experimental feature anyway that we will revisit later.
    llvm-svn: 147705
* Correctly enqueue successors in ExprEngine::processCallExit(). | Ted Kremenek | 2012-01-07 | 1 | -2/+6
    llvm-svn: 147698
* [analyzer] Remove CallExitNodeBuilder, and have ExprEngine::processCallExit() do the work manually. | Ted Kremenek | 2012-01-07 | 2 | -22/+18
    This is a nice simplification. Along the way, fix ExprEngine::processCallExit() to also perform the postStmt callback for checkers for CallExprs.
    llvm-svn: 147697
* [analyzer] Make the entries in 'Environment' context-sensitive by making entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals. | Ted Kremenek | 2012-01-06 | 49 | -428/+544
    This is needed to support basic IPA via inlining. Without this, we cannot tell if a Stmt* binding is part of the current analysis scope (StackFrameContext) or part of a parent context.
    This change introduces an uglification of the use of getSVal(), and thus takes two steps forward and one step back. There are also potential performance implications of enlarging the Environment. Both can be addressed going forward by refactoring the APIs and optimizing the internal representation of Environment.
    This patch mainly introduces the functionality upon when we want to build upon (and clean up).
    llvm-svn: 147688
* [analyzer] Be less pessimistic about invalidation of global variables as a result of a call. | Anna Zaks | 2012-01-04 | 8 | -73/+128
    Problem: Global variables, which come in from system libraries should not be invalidated by all calls. Also, non-system globals should not be invalidated by system calls.
    Solution: The following solution to invalidation of globals seems flexible enough for taint (does not invalidate stdin) and should not lead to too many false positives.
    We split globals into 3 classes:
    * immutable - values are preserved by calls (unless the specific global is passed in as a parameter):
        A: Most system globals and const scalars
    * invalidated by functions defined in system headers:
        B: errno
    * invalidated by all other functions (note, these functions may in turn contain system calls):
        B: errno
        C: all other globals (which are not in A nor B)
    llvm-svn: 147569
* Fix 80 col violations. | Ted Kremenek | 2012-01-04 | 1 | -13/+27
    llvm-svn: 147566
* Extend ConditionBRVisitor to handle condition variable assignments. | Ted Kremenek | 2012-01-04 | 1 | -4/+39
    llvm-svn: 147526
* Minor code formatting cleanups. | Ted Kremenek | 2012-01-04 | 1 | -17/+17
    llvm-svn: 147505
* Enhance UnixAPIChecker to also warn about zero-sized allocations to calloc() and realloc(). | Ted Kremenek | 2012-01-03 | 1 | -25/+113
    Patch by Cyril Roelandt!
    llvm-svn: 147500
* Add initial version of checker to check if virtual member functions are called transitively from C++ constructors or destructors. | Ted Kremenek | 2012-01-03 | 3 | -0/+243
    Checker by Lei Zhang with a few tweaks by Ted Kremenek.
    llvm-svn: 147494
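The hazard behind the virtual-call checker in r147494, as an added example written for this page (it is not code from the clang repository or its test suite, and Widget, Button, Shape, Circle and the kind functions are this example's own names). While Widget's constructor runs, the object's dynamic type is still Widget, so a virtual call made there binds to Widget::kind() even when a Button is being built; the call goes through a non-virtual helper to show the "transitively" in the commit message. Destructors behave the same way in reverse. The second half shows one way to avoid the pattern: the derived class passes what it knows down to the base constructor explicitly.

```cpp
// Added example, not clang code. Demonstrates a virtual call reaching the
// constructor through a non-virtual helper, and a constructor-argument fix.
#include <cstdio>
#include <cstring>

class Widget {
public:
    // The mem-initializer calls describe(), which calls the virtual kind().
    // At this point the dynamic type is Widget, whatever is being constructed.
    Widget() : kind_seen_in_ctor(describe()) {}
    virtual ~Widget() {}
    virtual const char *kind() const { return "Widget"; }
    const char *describe() const { return kind(); }  // non-virtual helper
    const char *kind_seen_in_ctor;
};

class Button : public Widget {
public:
    const char *kind() const override { return "Button"; }
};

// What construction recorded: Widget::kind(), although the object is a Button.
const char *kind_recorded_during_construction() {
    Button b;
    return b.kind_seen_in_ctor;   // "Widget"
}

// The same call once construction has finished resolves to the override.
const char *kind_after_construction() {
    Button b;
    return b.describe();          // "Button"
}

// Fix: the derived class hands its information to the base constructor, so no
// dynamic dispatch is needed while the object is only partially built.
class Shape {
public:
    explicit Shape(const char *kind) : kind_(kind) {}
    virtual ~Shape() {}
    const char *kind() const { return kind_; }
private:
    const char *kind_;
};

class Circle : public Shape {
public:
    Circle() : Shape("Circle") {}
};

const char *kind_via_ctor_argument() {
    Circle c;
    return c.kind();              // "Circle"
}

// Small helper so results can be checked without strcmp boilerplate.
bool same(const char *a, const char *b) { return std::strcmp(a, b) == 0; }

int main() {
    std::printf("during construction: %s\n", kind_recorded_during_construction());
    std::printf("after construction:  %s\n", kind_after_construction());
    std::printf("via ctor argument:   %s\n", kind_via_ctor_argument());
    return 0;
}
```

The first observation is the one the checker reports on: code that reads like polymorphism silently is not, and if Widget::kind() had been pure virtual the call would be undefined behaviour rather than a wrong answer.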
* Fix cmake build with -DBUILD_SHARED_LIBS=ON. | Rafael Espindola | 2011-12-29 | 2 | -2/+3
    llvm-svn: 147338
* Small refactoring and simplification of constant evaluation and some of its clients. | Richard Smith | 2011-12-28 | 1 | -6/+4
    No functionality change.
    llvm-svn: 147318
* Colorize and condense CFG pretty-printing. | Ted Kremenek | 2011-12-22 | 1 | -1/+3
    llvm-svn: 147203
* Fix typos in analyzer diagnostics pointed out by Matt Beaumont-Gay and Robert Purves. | Ted Kremenek | 2011-12-22 | 1 | -2/+2
    llvm-svn: 147139
* [analyzer] Do not invalidate arguments when the parameter's type is a pointer to const. | Anna Zaks | 2011-12-20 | 2 | -3/+70
    (radar://10595327)
    The regions corresponding to the pointer and reference arguments to a function get invalidated by the calls since a function call can possibly modify the pointed to data. With this change, we are not going to invalidate the data if the argument is a pointer to const. This change makes the analyzer more optimistic in reporting errors.
    (Support for C, C++ and Obj C)
    llvm-svn: 147002
* Fix inversion of static analyzer path diagnostics for path conditions. | Ted Kremenek | 2011-12-20 | 1 | -1/+1
    llvm-svn: 146993
* Update the CMake build for r146959's new files. | Chandler Carruth | 2011-12-20 | 1 | -0/+1
    llvm-svn: 146967
* Unweaken vtables as per http://llvm.org/docs/CodingStandards.html#ll_virtual_anch | David Blaikie | 2011-12-20 | 12 | -0/+64
    llvm-svn: 146959
* [analyzer] Add support for taint flowing through a function (atoi). | Anna Zaks | 2011-12-17 | 1 | -43/+140
    Check if the input parameters are tainted (or point to tainted data) on a checkPreStmt<CallExpr>. If the output should be tainted, record it in the state. On post visit (checkPostStmt<CallExpr>), use the state to make decisions (in addition to the existing logic).
    Use this logic for atoi and fscanf.
    llvm-svn: 146793
* [analyzer] Minor: Simplify & assert. | Anna Zaks | 2011-12-17 | 1 | -2/+2
    llvm-svn: 146792
* [analyzer] Better stdin support. | Anna Zaks | 2011-12-16 | 2 | -22/+34
    llvm-svn: 146748
* [analyzer] Address Jordy's comments for r145985. | Anna Zaks | 2011-12-15 | 3 | -8/+4
    llvm-svn: 146683
* [analyzer] Ensure that the order in which checker callbacks are called is deterministic. | Anna Zaks | 2011-12-15 | 1 | -2/+3
    Non-determinism was the reason for the test which caused the earlier buildbot failures, so re-enable the test.
    llvm-svn: 146628
* [analyzer] Treat stdin as a source of taint. | Anna Zaks | 2011-12-14 | 1 | -6/+44
    Some of the test cases do not currently work because the analyzer core does not seem to call checkers for pre/post DeclRefExpr visits. (Opened radar://10573500. To be fixed later on.)
    llvm-svn: 146536
* [analyzer] Minor refactor to addTaint. | Anna Zaks | 2011-12-14 | 1 | -2/+8
    llvm-svn: 146535
* [analyzer] Mark output of fscanf and fopen as tainted. | Anna Zaks | 2011-12-14 | 1 | -1/+30
    llvm-svn: 146533
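The taint commits on this page (stdin, fscanf and fopen as sources in r146533/r146536; taint carried through atoi in r146793 and through strcpy and the memory-copy functions in r148010/r148370; system and popen, tainted buffer sizes and tainted format strings as sinks in r148176/r148371/r147714) describe flows of the following shape. What follows is an added example written for this page, not code from clang or its test suite: the first function is the C-style code the checker is meant to flag, the rest shows the same data with its value or range fixed before it reaches a sink. kMaxAlloc, parse_bounded_size, bounded_size_or_zero and lookup_allowed_command are this example's own names and assumptions, not analyzer API, and the commit messages do not say how the checker treats such validation, so nothing here claims that it silences the warnings.

```cpp
// Added example, not clang code. Tainted flows as described in the log, next
// to versions that bound or replace the untrusted value before any sink.
#include <cctype>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Largest allocation this program accepts from untrusted input (assumption).
static const unsigned long kMaxAlloc = 4096;

// The tainted flows the commits describe:
//   stdin -> fgets buffer -> atoi -> malloc size / strncpy length
//   stdin -> strcpy -> printf format / system command
// Shown for contrast only; nothing below calls it (it reads the real stdin
// and would run whatever the input says).
void tainted_flows() {
    char line[64], cmd[64];
    if (!fgets(line, sizeof line, stdin))        // stdin is a taint source
        return;
    int n = atoi(line);                          // atoi passes taint to n
    char *buf = static_cast<char *>(malloc(n));  // tainted buffer size
    if (buf) {
        strncpy(buf, line, n);                   // tainted copy length
        free(buf);
    }
    strcpy(cmd, line);                           // strcpy passes taint to cmd
    printf(cmd);                                 // tainted format string
    system(cmd);                                 // tainted command
}

// Hardened size parsing: digits only, whole-string parse, explicit upper
// bound, and zero rejected (zero-sized calloc/realloc is what the
// UnixAPIChecker commits above warn about). Returns false on rejection.
bool parse_bounded_size(const char *s, size_t *out) {
    if (s == nullptr)
        return false;
    while (*s == ' ' || *s == '\t')
        ++s;
    if (!isdigit(static_cast<unsigned char>(*s)))  // rejects "", "-5", "+5"
        return false;
    char *end = nullptr;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE)
        return false;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        ++end;                                   // tolerate the fgets newline
    if (*end != '\0')                            // anything else: reject
        return false;
    if (v == 0 || v > kMaxAlloc)
        return false;
    *out = static_cast<size_t>(v);
    return true;
}

// Same check for callers that only need the number; 0 means rejected.
size_t bounded_size_or_zero(const char *s) {
    size_t n = 0;
    return parse_bounded_size(s, &n) ? n : 0;
}

// Hardened command dispatch: the untrusted text never becomes the string
// handed to system(); it only selects an entry from a fixed table. Returns
// the index of the match, or -1. A trailing newline from fgets is ignored.
int lookup_allowed_command(const char *name) {
    static const char *const kAllowed[] = { "status", "version", "help" };
    if (name == nullptr)
        return -1;
    size_t len = strcspn(name, "\r\n");
    for (size_t i = 0; i < sizeof kAllowed / sizeof kAllowed[0]; ++i)
        if (strlen(kAllowed[i]) == len && memcmp(kAllowed[i], name, len) == 0)
            return static_cast<int>(i);
    return -1;
}

// Stand-alone run over constructed inputs (no stdin involved).
int main() {
    const char *sizes[] = { "123\n", "-5\n", "0", "99999", "12abc" };
    for (const char *s : sizes)
        printf("size %zu\n", bounded_size_or_zero(s));
    const char *cmds[] = { "status\n", "help", "status; rm -rf /" };
    for (const char *c : cmds)
        printf("command index %d\n", lookup_allowed_command(c));
    return 0;
}
```

The two hardened paths differ on purpose: a size can be constrained to a range, so it is parsed and bounded; a command string cannot be meaningfully constrained, so it is never passed through and only an index into a fixed table survives.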