path: root/clang/lib/StaticAnalyzer
* [analyzer] LoopUnrolling: update the matched assignment operators
Author: Peter Szecsi | Date: 2018-03-27 | Files: 1 | Lines: -3/+1

Extended the matched assignment operators when checking for bound changes in a body of the loop by using the freshly added isAssignmentOperator matcher. This covers all the (current) possible assignments, tests added as well.

Differential Revision: https://reviews.llvm.org/D38921
llvm-svn: 328619

* [analyzer] Do not crash in CallEvent.getReturnType()
Author: George Karpenkov | Date: 2018-03-24 | Files: 1 | Lines: -3/+5

When the call expression is not available.

llvm-svn: 328406

* [analyzer] Trust _Nonnull annotations for system framework
Author: George Karpenkov | Date: 2018-03-23 | Files: 4 | Lines: -34/+81

Changes the analyzer to believe that methods annotated with _Nonnull from system frameworks indeed return non null objects. Local methods with such annotation are still distrusted.

rdar://24291919

Differential Revision: https://reviews.llvm.org/D44341
llvm-svn: 328282

* [analyzer] Extend GCDAntipatternChecker to match group_enter/group_leave pattern
Author: George Karpenkov | Date: 2018-03-23 | Files: 1 | Lines: -43/+104

rdar://38480416

Differential Revision: https://reviews.llvm.org/D44653
llvm-svn: 328281

* [analyzer] [NFC] Move worklist implementation to WorkList.cpp
Author: George Karpenkov | Date: 2018-03-23 | Files: 3 | Lines: -230/+253

Current location is very confusing, especially because there is already WorkList.h, and other code in CoreEngine.cpp is not related to work list implementation.

Differential Revision: https://reviews.llvm.org/D44759
llvm-svn: 328280

* [analyzer] Enable temporary object destructor inlining by default.
Author: Artem Dergachev | Date: 2018-03-22 | Files: 1 | Lines: -1/+1

When a temporary is constructed with a proper construction context, it should be safe to inline the destructor. We have added suppressions for some of the common false positives caused by such inlining, so there should be - and from my observations there indeed is - more benefit than harm from enabling destructor inlining.

Differential Revision: https://reviews.llvm.org/D44721
llvm-svn: 328258

* [CFG] [analyzer] Add C++17-specific ctor-initializer construction contexts.
Author: Artem Dergachev | Date: 2018-03-22 | Files: 1 | Lines: -1/+2

CXXCtorInitializer-based constructors are also affected by the C++17 mandatory copy elision, like variable constructors and return value constructors. Extend r328248 to support those.

Differential Revision: https://reviews.llvm.org/D44763
llvm-svn: 328255

* [analyzer] Remove an assertion that doesn't hold in C++17.
Author: Artem Dergachev | Date: 2018-03-22 | Files: 2 | Lines: -16/+42

Function return values can be constructed directly in variables or passed directly into return statements, without even an elidable copy in between. This is how the C++17 mandatory copy elision AST behaves. The behavior we'll have in such cases is the "old" behavior that we've had before we've implemented destructor inlining and proper lifetime extension support.

Differential Revision: https://reviews.llvm.org/D44755
llvm-svn: 328253

* [CFG] [analyzer] Add C++17-specific variable and return construction contexts.
Author: Artem Dergachev | Date: 2018-03-22 | Files: 1 | Lines: -1/+5

In C++17 copy elision is mandatory for variable and return value constructors (as long as it doesn't involve type conversion) which results in AST that does not contain elidable constructors in their usual places. In order to provide construction contexts in this scenario we need to cover more AST patterns.

This patch makes the CFG prepared for these scenarios by:
- Fork VariableConstructionContext and ReturnedValueConstructionContext into two different sub-classes (each) one of which indicates the C++17 case and contains a reference to an extra CXXBindTemporaryExpr.
- Allow CFGCXXRecordTypedCall element to accept VariableConstructionContext and ReturnedValueConstructionContext as its context.

Differential Revision: https://reviews.llvm.org/D44597
llvm-svn: 328248

* Revert r326782 "[analyzer] CStringChecker.cpp: Remove the duplicated check...".
Author: Artem Dergachev | Date: 2018-03-21 | Files: 1 | Lines: -0/+21

It seems that the refactoring was causing a functional change and some warnings have disappeared.

llvm-svn: 328067

* [analyzer] Suppress more MallocChecker positives in smart pointer destructors.
Author: Artem Dergachev | Date: 2018-03-21 | Files: 1 | Lines: -14/+39

r326249 wasn't quite enough because we often run out of inlining stack depth limit and for that reason fail to see the atomics we're looking for.

Add a more straightforward false positive suppression that is based on the name of the class. I.e. if we're releasing a pointer in a destructor of a "something shared/intrusive/reference/counting something ptr/pointer something", then any use-after-free or double-free that occurs later would likely be a false positive.

rdar://problem/38013606

Differential Revision: https://reviews.llvm.org/D44281
llvm-svn: 328066

* [analyzer] Fix the crash in IteratorChecker.cpp when 'SymbolConjured' has a null Stmt.
Author: Henry Wong | Date: 2018-03-20 | Files: 1 | Lines: -1/+1

When the loop has a null terminator statement and sets 'widen-loops=true', 'invalidateRegions' will construct the 'SymbolConjured' with null 'Stmt'. And this will lead to a crash in 'IteratorChecker.cpp'.

This patch uses 'dyn_cast_or_null<>' instead of 'dyn_cast<>' in IteratorChecker.cpp.

Differential Revision: https://reviews.llvm.org/D44606
llvm-svn: 327962

* [analyzer] Improve performance of NoStoreFuncVisitor
Author: George Karpenkov | Date: 2018-03-20 | Files: 1 | Lines: -19/+50

Compute modifying frames lazily on demand.

Differential Revision: https://reviews.llvm.org/D44503
llvm-svn: 327935

* [analyzer] Fix the assertion failure when static globals are used in lambda by reference
Author: George Karpenkov | Date: 2018-03-20 | Files: 1 | Lines: -15/+13

Also use the opportunity to clean up the code and remove unnecessary duplication.

rdar://37625895

Differential Revision: https://reviews.llvm.org/D44594
llvm-svn: 327926

* Resolve unused variable 'VR' warning in RetainCountChecker.cpp
Author: Bjorn Pettersson | Date: 2018-03-18 | Files: 1 | Lines: -1/+1

Getting rid of

  error: unused variable 'VR' [-Werror,-Wunused-variable]

warning/error at lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp:1933

llvm-svn: 327802

* [analyzer] Fix crashes in RetainCountChecker when underlying region is not a var
Author: George Karpenkov | Date: 2018-03-16 | Files: 1 | Lines: -8/+12

For other regions, the error message contains a good indication of the problem, and there is, in general, nothing helpful we can print. Error pointing to the problematic expression seems enough.

rdar://37323555

Differential Revision: https://reviews.llvm.org/D44409
llvm-svn: 327727

* StaticAnalyzer: fix compiler warning. NFC
Author: Pavel Labath | Date: 2018-03-14 | Files: 1 | Lines: -1/+1

My compiler (clang-3.8) complains that the RCC variable is unused. That's not really true, as it's checked by the if-declaration, but it's also kinda true, because we don't need the declaration if we only check it in the if statement.

In reality, all this means that the dyn_cast<> can be replaced by isa<>, so that's what I do here.

llvm-svn: 327491

* [analyzer] Fix the matcher for GCDAntipattern to look for "signal" call in all parameters
Author: George Karpenkov | Date: 2018-03-13 | Files: 1 | Lines: -2/+2

rdar://38405904

llvm-svn: 327426

* Reland "[Attr] Fix parameter indexing for several attributes"
Author: Joel E. Denny | Date: 2018-03-13 | Files: 2 | Lines: -8/+10

Relands r326602 (reverted in r326862) with new test and fix for PR36620.

Differential Revision: https://reviews.llvm.org/D43248
llvm-svn: 327405

* [analyzer] Support temporaries conjured by conservatively evaluated functions.
Author: Artem Dergachev | Date: 2018-03-12 | Files: 1 | Lines: -14/+30

Properly perform destruction and lifetime extension of such temporaries.

C++ object-type return values of conservatively evaluated functions are now represented as compound values of well-defined temporary object regions. The function creates a region that represents the temporary object and will later be used for destruction or materialization, invalidates it, and returns the invalidated compound value of the object.

Differential Revision: https://reviews.llvm.org/D44131
llvm-svn: 327348

* [analyzer] NFC: Move the code for setting temp object lifetime into method.
Author: Artem Dergachev | Date: 2018-03-12 | Files: 2 | Lines: -61/+61

Differential Revision: https://reviews.llvm.org/D44129
llvm-svn: 327347

* [analyzer] Destroy and lifetime-extend inlined function return values properly.
Author: Artem Dergachev | Date: 2018-03-12 | Files: 1 | Lines: -29/+58

This patch uses the newly added CFGCXXRecordTypedCall element at the call site of the caller to construct the return value within the callee directly into the caller's stack frame. This way it is also capable of populating the temporary destructor and lifetime extension maps for the temporary, which allows temporary destructors and lifetime extension to work correctly.

This patch does not affect temporaries that were returned from conservatively evaluated functions.

Differential Revision: https://reviews.llvm.org/D44124
llvm-svn: 327345

* [CFG] [analyzer] Add construction context to C++ return-by-value call elements.
Author: Artem Dergachev | Date: 2018-03-12 | Files: 2 | Lines: -0/+2

This patch adds a new CFGStmt sub-class, CFGCXXRecordTypedCall, which replaces the regular CFGStmt for the respective CallExpr whenever the CFG has additional information to provide regarding the lifetime of the returned value.

This additional call site information is represented by a ConstructionContext (which was previously used for CFGConstructor elements) that provides references to CXXBindTemporaryExpr and MaterializeTemporaryExpr that surround the call. This corresponds to the common C++ calling convention solution of providing the target address for constructing the return value as an auxiliary implicit argument during function call.

One of the use cases for such extra context at the call site would be to perform any sort of inter-procedural analysis over the CFG that involves functions returning objects by value. In this case the elidable constructor at the return site would construct the object explained by the context at the call site, and its lifetime would also be managed by the caller, not the callee.

The extra context would also be useful for properly handling the return-value temporary at the call site, even if the callee is not being analyzed inter-procedurally.

Differential Revision: https://reviews.llvm.org/D44120
llvm-svn: 327343

* [analyzer] Move the GCDAsyncSemaphoreChecker to optin.performance
Author: George Karpenkov | Date: 2018-03-12 | Files: 2 | Lines: -19/+26

rdar://38383753

Differential Revision: https://reviews.llvm.org/D44228
llvm-svn: 327309

* [analyzer] Add scope information to CFG
Author: Maxim Ostapenko | Date: 2018-03-12 | Files: 4 | Lines: -0/+12

This patch adds two new CFG elements CFGScopeBegin and CFGScopeEnd that indicate when a local scope begins and ends respectively. We use first VarDecl declared in a scope to uniquely identify it and add CFGScopeBegin and CFGScopeEnd elements into corresponding basic blocks.

Differential Revision: https://reviews.llvm.org/D16403
llvm-svn: 327258

* [analyzer] MmapWriteExecChecker: Add support for mprotect().
Author: Artem Dergachev | Date: 2018-03-09 | Files: 1 | Lines: -3/+4

mprotect() allows setting memory access flags similarly to mmap(), causing similar security issues if these flags are needlessly broad.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D44250
llvm-svn: 327098

* [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
Author: Eugene Zelenko | Date: 2018-03-08 | Files: 2 | Lines: -188/+200

llvm-svn: 327074

* [analyzer] Correctly model iteration through "nil" objects
Author: George Karpenkov | Date: 2018-03-08 | Files: 1 | Lines: -39/+55

Previously, iteration through nil objects which resulted from objc-messages being set to nil was modeled incorrectly.

There are a couple of notes about this patch:

In principle, ExprEngineObjC might be left untouched IFF osx.loops checker is enabled. I however think that we should not do something completely incorrect depending on what checkers are left on.

We should evaluate and potentially remove altogether the isConsumedExpr performance heuristic, as it seems very fragile.

rdar://22205149

Differential Revision: https://reviews.llvm.org/D44178
llvm-svn: 326982

* Fix an unused variable warning; NFC
Author: George Burgess IV | Date: 2018-03-08 | Files: 1 | Lines: -1/+1

llvm-svn: 326980

* [analyzer] [PointerArithChecker] do not warn on indexes into vector types
Author: George Karpenkov | Date: 2018-03-07 | Files: 1 | Lines: -0/+4

rdar://35041502

Differential Revision: https://reviews.llvm.org/D44172
llvm-svn: 326952

* [analyzer] Don't crash with assertion failure on structured bindings
Author: George Karpenkov | Date: 2018-03-07 | Files: 1 | Lines: -1/+6

Proper modeling still remains to be done.

Note that BindingDecl#getHoldingVar() is almost always null, and this should probably be handled by dealing with DecompositionDecl beforehand.

rdar://36852163

Differential Revision: https://reviews.llvm.org/D44183
llvm-svn: 326951

* [analyzer] [NFC] Minor refactoring of NonNullParamChecker
Author: George Karpenkov | Date: 2018-03-07 | Files: 1 | Lines: -68/+65

Differential Revision: https://reviews.llvm.org/D43917
llvm-svn: 326935

* [analyzer] Fix the checker for the performance anti-pattern to accept messages sent to ObjC objects.
Author: George Karpenkov | Date: 2018-03-07 | Files: 1 | Lines: -11/+14

Differential Revision: https://reviews.llvm.org/D44170
llvm-svn: 326868

* Revert r326602, it caused PR36620.
Author: Nico Weber | Date: 2018-03-07 | Files: 2 | Lines: -10/+8

llvm-svn: 326862

* [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
Author: Eugene Zelenko | Date: 2018-03-07 | Files: 2 | Lines: -188/+190

llvm-svn: 326856

* [analyzer] CStringChecker.cpp: Remove the duplicated check about null dereference on dest-buffer or src-buffer.
Author: Henry Wong | Date: 2018-03-06 | Files: 1 | Lines: -21/+0

Summary:
`CheckBufferAccess()` calls `CheckNonNull()`, so there are some calls to `CheckNonNull()` that are useless.

Reviewers: dcoughlin, NoQ, xazax.hun, cfe-commits, george.karpenkov

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, MTC, a.sidorin

Differential Revision: https://reviews.llvm.org/D44075
llvm-svn: 326782

* [Analyzer] More accurate modeling about the increment operator of the operand with type bool.
Author: Henry Wong | Date: 2018-03-06 | Files: 1 | Lines: -2/+9

Summary:
There is a problem with analyzer that a wrong value is given when modeling the increment operator of the operand with type bool. After `rL307604` is applied, an unsigned overflow may occur.

Example:
```
void func() {
  bool b = true;
  // unsigned overflow occur, 2 -> 0 U1b
  b++;
}
```

The use of an operand of type bool with the ++ operators is deprecated but valid until C++17. And if the operand of the increment operator is of type bool, it is set to true.

This patch includes two parts:
- If the operand of the increment operator is of type bool or type _Bool, set to true.
- Modify `BasicValueFactory::getTruthValue()`, use `getIntWidth()` instead `getTypeSize()` and use `unsigned` instead `signed`.

Reviewers: alexshap, NoQ, dcoughlin, george.karpenkov

Reviewed By: NoQ

Subscribers: xazax.hun, szepet, a.sidorin, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D43741
llvm-svn: 326776

* [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
Author: Eugene Zelenko | Date: 2018-03-06 | Files: 3 | Lines: -53/+84

llvm-svn: 326757

* [analyzer] [quickfix] Prevent a crash in NamedDecl::getName()
Author: George Karpenkov | Date: 2018-03-06 | Files: 1 | Lines: -2/+4

llvm-svn: 326755

* [analyzer] AST-matching checker to detect global central dispatch performance anti-pattern
Author: George Karpenkov | Date: 2018-03-05 | Files: 2 | Lines: -0/+155

rdar://37312818

NB: The checker does not care about the ordering of callbacks, see the relevant FIXME in tests.

Differential Revision: https://reviews.llvm.org/D44059
llvm-svn: 326746

* [analyzer] Improves the logic of GenericTaintChecker identifying stdin.
Author: Henry Wong | Date: 2018-03-05 | Files: 1 | Lines: -1/+2

Summary:
GenericTaintChecker can't recognize stdin in some cases. The reason is that `if (PtrTy->getPointeeType() == C.getASTContext().getFILEType()` does not hold when stdin is encountered.

My platform is ubuntu16.04 64bit, gcc 5.4.0, glibc 2.23.

The definition of stdin is as follows:
```
__BEGIN_NAMESPACE_STD
/* The opaque type of streams. This is the definition used elsewhere. */
typedef struct _IO_FILE FILE;
___END_NAMESPACE_STD
...
/* The opaque type of streams. This is the definition used elsewhere. */
typedef struct _IO_FILE __FILE;
...
/* Standard streams. */
extern struct _IO_FILE *stdin;  /* Standard input stream. */
extern struct _IO_FILE *stdout; /* Standard output stream. */
extern struct _IO_FILE *stderr; /* Standard error output stream. */
```

The type of stdin is as follows AST:
```
ElaboratedType 0xc911170 'struct _IO_FILE' sugar
`-RecordType 0xc911150 'struct _IO_FILE'
  `-CXXRecord 0xc923ff0 '_IO_FILE'
```

`C.getASTContext().GetFILEType()` is as follows AST:
```
TypedefType 0xc932710 'FILE' sugar
|-Typedef 0xc9111c0 'FILE'
`-ElaboratedType 0xc911170 'struct _IO_FILE' sugar
  `-RecordType 0xc911150 'struct _IO_FILE'
    `-CXXRecord 0xc923ff0 '_IO_FILE'
```

So I think it's better to use `getCanonicalType()`.

Reviewers: zaks.anna, NoQ, george.karpenkov, a.sidorin

Reviewed By: zaks.anna, a.sidorin

Subscribers: a.sidorin, cfe-commits, xazax.hun, szepet, MTC

Differential Revision: https://reviews.llvm.org/D39159
llvm-svn: 326709

* [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
Author: Eugene Zelenko | Date: 2018-03-02 | Files: 3 | Lines: -136/+149

llvm-svn: 326633

* [analyzer] Don't throw NSNumberObjectConversion warning on object initialization in if-expression
Author: George Karpenkov | Date: 2018-03-02 | Files: 1 | Lines: -2/+4

```
if (NSNumber* x = ...)
```

is a reasonable pattern in objc++, we should not warn on it.

rdar://35152234

Differential Revision: https://reviews.llvm.org/D44044
llvm-svn: 326619

* [Attr] Fix parameter indexing for several attributes
Author: Joel E. Denny | Date: 2018-03-02 | Files: 2 | Lines: -8/+10

The patch fixes a number of bugs related to parameter indexing in attributes:

* Parameter indices in some attributes (argument_with_type_tag, pointer_with_type_tag, nonnull, ownership_takes, ownership_holds, and ownership_returns) are specified in source as one-origin including any C++ implicit this parameter, were stored as zero-origin excluding any this parameter, and were erroneously printing (-ast-print) and confusingly dumping (-ast-dump) as the stored values.

* For alloc_size, the C++ implicit this parameter was not subtracted correctly in Sema, leading to assert failures or to silent failures of __builtin_object_size to compute a value.

* For argument_with_type_tag, pointer_with_type_tag, and ownership_returns, the C++ implicit this parameter was not added back to parameter indices in some diagnostics.

This patch fixes the above bugs and aims to prevent similar bugs in the future by introducing careful mechanisms for handling parameter indices in attributes. ParamIdx stores a parameter index and is designed to hide the stored encoding while providing accessors that require each use (such as printing) to make explicit the encoding that is needed. Attribute declarations declare parameter index arguments as [Variadic]ParamIdxArgument, which are exposed as ParamIdx[*]. This patch rewrites all attribute arguments that are processed by checkFunctionOrMethodParameterIndex in SemaDeclAttr.cpp to be declared as [Variadic]ParamIdxArgument. The only exception is xray_log_args's argument, which is encoded as a count not an index.

Differential Revision: https://reviews.llvm.org/D43248
llvm-svn: 326602

* [analyzer] Prevent crashing in NonNullParamChecker
Author: George Karpenkov | Date: 2018-03-02 | Files: 1 | Lines: -0/+2

https://bugs.llvm.org/show_bug.cgi?id=36381
rdar://37543426

Turns out, the type passed for the lambda capture was incorrect. One more argument to abandon the getSVal overload which does not require the type information.

Differential Revision: https://reviews.llvm.org/D43925
llvm-svn: 326520

* [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
Author: Eugene Zelenko | Date: 2018-03-02 | Files: 1 | Lines: -203/+202

llvm-svn: 326519

* [analyzer] Enable cfg-temporary-dtors by default.
Author: Artem Dergachev | Date: 2018-03-01 | Files: 1 | Lines: -2/+2

Don't enable c++-temp-dtor-inlining by default yet, due to this reference counting pointer problem. Otherwise the new mode seems stable and allows us to incrementally fix C++ problems in much less hacky ways.

Differential Revision: https://reviews.llvm.org/D43804
llvm-svn: 326461

* Resubmit [analyzer] Support for naive cross translation unit analysis
Author: Ilya Biryukov | Date: 2018-03-01 | Files: 7 | Lines: -12/+77

Originally submitted as r326323 and r326324. Reverted in r326432.

Reverting the commit was a mistake. The breakage was due to invalid build files in our internal buildsystem, CMakeLists did not have any cyclic dependencies.

llvm-svn: 326439

* Revert "[analyzer] Support for naive cross translation unit analysis"
Author: Ilya Biryukov | Date: 2018-03-01 | Files: 7 | Lines: -77/+12

Also revert "[analyzer] Fix a compiler warning"

This reverts commits r326323 and r326324.

Reason: the commits introduced a cyclic dependency in the build graph. This happens to work with cmake, but breaks our internal integrate.

llvm-svn: 326432

* Remove redundant casts. NFC
Author: George Burgess IV | Date: 2018-03-01 | Files: 6 | Lines: -13/+13

So I wrote a clang-tidy check to lint out redundant `isa`, `cast`, and `dyn_cast`s for fun. This is a portion of what it found for clang; I plan to do similar cleanups in LLVM and other subprojects when I find time.

Because of the volume of changes, I explicitly avoided making any change that wasn't highly local and obviously correct to me (e.g. we still have a number of foo(cast<Bar>(baz)) that I didn't touch, since overloading is a thing and the cast<Bar> did actually change the type -- just up the class hierarchy).

I also tried to leave the types we were cast<>ing to somewhere nearby, in cases where it wasn't locally obvious what we were dealing with before.

llvm-svn: 326416