path: root/clang/lib/StaticAnalyzer
Commit message | Author | Age | Files | Lines
...
* [analyzer] Use nice macros for the common ProgramStateTraits (map, set, list). | Jordan Rose | 2012-11-02 | 10 | -158/+63
  Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h. This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait, but it does get a lot of them. llvm-svn: 167276
* [analyzer] Rename 'EmitReport' to 'emitReport'. | Jordan Rose | 2012-11-02 | 42 | -80/+80
  No functionality change. llvm-svn: 167275
* [analyzer] Fix typo in r167186. | Jordan Rose | 2012-11-01 | 1 | -1/+1
  llvm-svn: 167189
* [analyzer] Minor cleanup in SimpleStreamChecker's class definition. | Jordan Rose | 2012-11-01 | 1 | -8/+8
  No functionality change. llvm-svn: 167187
* [analyzer] Rename ConditionTruthVal::isTrue to isConstrainedTrue. | Jordan Rose | 2012-11-01 | 4 | -9/+23
  (and the same for isFalse) No functionality change. llvm-svn: 167186
* [analyzer] Fix a bug in SimpleStreamChecker - return after sink. | Anna Zaks | 2012-10-31 | 1 | -1/+3
  Thanks Ted. llvm-svn: 167176
* [analyzer] Let ConstraintManager subclasses provide a more efficient checkNull. | Jordan Rose | 2012-10-31 | 2 | -8/+27
  Previously, every call to a ConstraintManager's isNull would do a full assumeDual to test feasibility. Now, ConstraintManagers can override checkNull if they have a cheaper way to do the same thing. RangeConstraintManager can do this in less than half the work. <rdar://problem/12608209> llvm-svn: 167138
* [analyzer] SimpleStreamChecker - remove evalAssume and other refinements | Anna Zaks | 2012-10-31 | 1 | -56/+30
  llvm-svn: 167099
* [analyzer] Don't invalidate const arguments when there is no | Anna Zaks | 2012-10-31 | 1 | -1/+1
  IdentifierInfo. Ee: C++ copy constructors. llvm-svn: 167092
* Trim #includes. | Ted Kremenek | 2012-10-30 | 1 | -8/+6
  llvm-svn: 167002
* [analyzer] SimpleStreamChecker: add a TODO for better leak report. | Anna Zaks | 2012-10-30 | 1 | -0/+2
  llvm-svn: 167001
* [analyzer] Fix a bug in REGISTER_MAP_WITH_PROGRAMSTATE | Anna Zaks | 2012-10-30 | 1 | -7/+5
  The ImmutableMap should not be the key into the GDM map as there could be several entries with the same map type. Thanks, Jordan. This complicates the usage of the macro a bit. When we want to retrieve the whole map, we need to use another name. Currently, I set it to be Name ## Ty as in "type of the map we are storing in the ProgramState". llvm-svn: 167000
* [analyzer] Rename REGISTER_MAP_WITH_GDM -> REGISTER_MAP_WITH_PROGRAMSTATE | Anna Zaks | 2012-10-30 | 1 | -2/+2
  llvm-svn: 166999
* [analyzer] Warn about reallocf with an allocation size of 0, like realloc. | Jordan Rose | 2012-10-30 | 1 | -1/+9
  Patch by Sean McBride! llvm-svn: 166995
* [analyzer] New checker for missing super calls in UIViewController subclasses. | Jordan Rose | 2012-10-30 | 3 | -0/+208
  This is a syntactic checker aimed at helping iOS programmers correctly subclass and override the methods of UIViewController. While this should eventually be covered by the 'objc_requires_super' attribute, this checker can be used with the existing iOS SDKs without any header changes. This new checker is currently named 'alpha.osx.cocoa.MissingSuperCall'. Patch by Julian Mayer! llvm-svn: 166993
* [analyzer] Malloc checker cleanup/refactor | Anna Zaks | 2012-10-29 | 1 | -9/+7
  No need for the auxiliary flag. No need to generate a leak node when there is no error. llvm-svn: 166977
* [analyzer] Add SimpleStreamChecker. | Anna Zaks | 2012-10-29 | 3 | -0/+234
  This is an example checker for catching fopen fclose API misuses. llvm-svn: 166976
* [analyzer] Add checker helpers to CheckerContext. | Anna Zaks | 2012-10-29 | 1 | -0/+2
  - Adding Immutable Map to GDM and getIdentifierInfo helper method. llvm-svn: 166975
* [analyzer] New option to not suppress null return paths if an argument is null. | Jordan Rose | 2012-10-29 | 3 | -17/+109
  Our one basic suppression heuristic is to assume that functions do not usually return NULL. However, when one of the arguments is NULL it is suddenly much more likely that NULL is a valid return value. In this case, we don't suppress the report here, but we do attach /another/ visitor to go find out if this NULL argument also comes from an inlined function's error path. This new behavior, controlled by the 'avoid-suppressing-null-argument-paths' analyzer-config option, is turned off by default. Turning it on produced two false positives and no new true positives when running over LLVM/Clang. This is one of the possible refinements to our suppression heuristics. <rdar://problem/12350829> llvm-svn: 166941
* [analyzer] Use the CallEnter node to get a value for tracked null arguments. | Jordan Rose | 2012-10-29 | 2 | -27/+50
  Additionally, don't collect PostStore nodes -- they are often used in path diagnostics. Previously, we tried to track null arguments in the same way as any other null values, but in many cases the necessary nodes had already been collected (a memory optimization in ExplodedGraph). Now, we fall back to using the value of the argument at the time of the call, which may not always match the actual contents of the region, but often will. This is a precursor to improving our suppression heuristic. <rdar://problem/12350829> llvm-svn: 166940
* Add comments for RemoveRedundantMsgs, rename it to removeRedundantMsgs() per | Ted Kremenek | 2012-10-26 | 1 | -4/+13
  Jordan's feedback. llvm-svn: 166778
* TrackConstraintBRVisitor and ConditionBRVisitor can emit similar | Ted Kremenek | 2012-10-25 | 2 | -8/+94
  path notes for cases where a value may be assumed to be null, etc. Instead of having redundant diagnostics, do a pass over the generated PathDiagnostic pieces and remove notes from TrackConstraintBRVisitor that are already covered by ConditionBRVisitor, whose notes tend to be better. Fixes <rdar://problem/12252783> llvm-svn: 166728
* [analyzer] Handle 'SomeVar.SomeEnumConstant', which is legal in C++. | Jordan Rose | 2012-10-23 | 1 | -7/+7
  This caused assertion failures analyzing LLVM. <rdar://problem/12560282> llvm-svn: 166529
* [analyzer] Replace -analyzer-no-eagerly-trim-egraph with graph-trim-interval. | Jordan Rose | 2012-10-23 | 3 | -12/+17
  After every 1000 CFGElements processed, the ExplodedGraph trims out nodes that satisfy a number of criteria for being "boring" (single predecessor, single successor, and more). Rather than controlling this with a cc1 option, which can only disable this behavior, we now have an analyzer-config option, 'graph-trim-interval', which can change this interval from 1000 to something else. Setting the value to 0 disables reclamation. The next commit relies on this behavior to actually test anything. llvm-svn: 166528
* [analyzer] Assume 'new' never returns NULL if it could throw an exception. | Jordan Rose | 2012-10-20 | 1 | -1/+12
  This is actually required by the C++ standard in [basic.stc.dynamic.allocation]p3: If an allocation function declared with a non-throwing exception-specification fails to allocate storage, it shall return a null pointer. Any other allocation function that fails to allocate storage shall indicate failure only by throwing an exception of a type that would match a handler of type std::bad_alloc. We don't bother checking for the specific exception type, but just go off the operator new prototype. This should help with a certain class of lazy initialization false positives. <rdar://problem/12115221> llvm-svn: 166363
* [analyzer] Ivar invalidation: identify properties declared in protocols. | Anna Zaks | 2012-10-18 | 1 | -5/+9
  llvm-svn: 166211
* [analyzer] When binding to a ParenExpr, bind to its inner expression instead. | Jordan Rose | 2012-10-17 | 1 | -89/+105
  This actually looks through several kinds of expression, such as OpaqueValueExpr and ExprWithCleanups. The idea is that binding and lookup should be consistent, and so if the environment needs to be modified later, the code doing the modification will not have to manually look through these "transparent" expressions to find the real binding to change. This is necessary for proper updating of struct rvalues as described in the previous commit. llvm-svn: 166121
* [analyzer] Create a temporary region when accessing a struct rvalue. | Jordan Rose | 2012-10-17 | 2 | -36/+51
  In C++, rvalues that need to have their address taken (for example, to be passed to a function by const reference) will be wrapped in a MaterializeTemporaryExpr, which lets CodeGen know to create a temporary region to store this value. However, MaterializeTemporaryExprs are /not/ created when a method is called on an rvalue struct, even though the 'this' pointer needs a valid value. CodeGen works around this by creating a temporary region anyway; now, so does the analyzer. The analyzer also does this when accessing a field of a struct rvalue. This is a little unfortunate, since the rest of the struct will soon be thrown away, but it does make things consistent with the rest of the analyzer. This allows us to bring back the assumption that all known 'this' values are Locs. This is a revised version of r164828-9, reverted in r164876-7. <rdar://problem/12137950> llvm-svn: 166120
* [analyzer] Ivar Invalidation: track ivars in continuations and | Anna Zaks | 2012-10-16 | 1 | -5/+5
  @implementation. llvm-svn: 166047
* [analyzer] ObjCContainersASTChecker: minor cleanup and an extra test case. | Jordan Rose | 2012-10-16 | 1 | -10/+4
  Follow-up to r165838, which fixed a potential crash. llvm-svn: 166002
* [analyzer] Embed the analyzer version into the plist output. | Anna Zaks | 2012-10-15 | 1 | -3/+7
  llvm-svn: 165994
* [analyzer] Enhance the error message. | Anna Zaks | 2012-10-15 | 1 | -1/+1
  llvm-svn: 165993
* [analyzer] Do not warn on direct ivar assignments within copy methods. | Anna Zaks | 2012-10-15 | 1 | -0/+2
  llvm-svn: 165992
* [analyzer] Remove the "direct bindings only" Environment lookup. | Jordan Rose | 2012-10-13 | 1 | -11/+1
  This was only used by OSAtomicChecker and makes it more difficult to update values for expressions that the environment may look through instead (it's not the same as IgnoreParens). With this gone, we can have bindExpr bind to the inner expression that getSVal will find. Groundwork for <rdar://problem/12137950> llvm-svn: 165866
* [analyzer] Remove unneeded 'inlineCall' checker callback. | Jordan Rose | 2012-10-13 | 1 | -36/+3
  I believe the removed assert in CheckerManager says it best: InlineCall is a special hacky callback to allow intrusive evaluation of the call (which simulates inlining). It is currently only used by OSAtomicChecker and should go away at some point. OSAtomicChecker has gone away; inlineCall can now go away as well! llvm-svn: 165865
* Move assertion to not crash tests. | Ted Kremenek | 2012-10-12 | 1 | -2/+1
  llvm-svn: 165842
* Silence static analyzer issue by documenting that in this context | Ted Kremenek | 2012-10-12 | 1 | -0/+1
  that a DeclRefExpr can never return a null decl. We possibly should hoist this into getDecl() itself. llvm-svn: 165841
* Silence null dereference warnings by documenting context-specific | Ted Kremenek | 2012-10-12 | 1 | -0/+3
  invariants using assertions. llvm-svn: 165840
* Fix potential crash in ObjCContainersChecker by properly validating | Ted Kremenek | 2012-10-12 | 1 | -0/+5
  the number of arguments. llvm-svn: 165838
* Remove OSAtomicChecker. | Ted Kremenek | 2012-10-11 | 3 | -223/+1
  llvm-svn: 165744
* Switch over to BodyFarm implementation of OSAtomicCompareAndSwap and | Ted Kremenek | 2012-10-11 | 1 | -1/+1
  objc_atomicCompareAndSwap. llvm-svn: 165743
* Reapply "[analyzer] Treat fields of unions as having symbolic offsets." | Jordan Rose | 2012-10-10 | 1 | -1/+5
  This time, actually uncomment the code that's supposed to fix the problem. This reverts r165671 / 8ceb837585ed973dc36fba8dfc57ef60fc8f2735. llvm-svn: 165676
* Temporarily Revert "[analyzer] Treat fields of unions as having symbolic | Eric Christopher | 2012-10-10 | 1 | -5/+1
  offsets." Author: Jordan Rose <jordan_rose@apple.com> Date: Wed Oct 10 21:31:21 2012 +0000 [analyzer] Treat fields of unions as having symbolic offsets. This allows only one field to be active at a time in RegionStore. This isn't quite the correct behavior for unions, but it at least would handle the case of "value goes in, value comes out" from the same field. RegionStore currently has a number of places where any access to a union results in UnknownVal being returned. However, it is clearly missing some cases, or the original issue wouldn't have occurred. It is probably now safe to remove those changes, but that's a potentially destabilizing change that should wait for more thorough testing. Fixes PR14054. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165660 91177308-0d34-0410-b5e6-96231b3b80d8 This reverts commit cf9030e480f77ab349672f00ad302e216c26c92c. llvm-svn: 165671
* [analyzer] Treat fields of unions as having symbolic offsets. | Jordan Rose | 2012-10-10 | 1 | -1/+5
  This allows only one field to be active at a time in RegionStore. This isn't quite the correct behavior for unions, but it at least would handle the case of "value goes in, value comes out" from the same field. RegionStore currently has a number of places where any access to a union results in UnknownVal being returned. However, it is clearly missing some cases, or the original issue wouldn't have occurred. It is probably now safe to remove those changes, but that's a potentially destabilizing change that should wait for more thorough testing. Fixes PR14054. llvm-svn: 165660
* [analyzer] Don't run non-path-sensitive checks on system headers... | Jordan Rose | 2012-10-10 | 1 | -24/+40
  ...but do run them on user headers. Previously, we were inconsistent here: non-path-sensitive checks on code /bodies/ were only run in the main source file, but checks on /declarations/ were run in /all/ headers. Neither of those is the behavior we want. Thanks to Sujit for pointing this out! <rdar://problem/12454226> llvm-svn: 165635
* [analyzer] Fix typo: s/HandleDeclsGallGraph/HandleDeclsCallGraph/g | Jordan Rose | 2012-10-10 | 1 | -3/+3
  No functionality change. llvm-svn: 165634
* [analyzer] Handle implicit statements used for end-of-path nodes' source locs. | Jordan Rose | 2012-10-06 | 1 | -8/+13
  Some implicit statements, such as the implicit 'self' inserted for "free" Objective-C ivar access, have invalid source locations. If one of these statements is the location where an issue is reported, we'll now look at the enclosing statements for a valid source location. <rdar://problem/12446776> llvm-svn: 165354
* [analyzer] Adjust the return type of an inlined devirtualized method call. | Jordan Rose | 2012-10-03 | 1 | -5/+56
  In C++, overriding virtual methods are allowed to specify a covariant return type -- that is, if the return type of the base method is an object pointer type (or reference type), the overriding method's return type can be a pointer to a subclass of the original type. The analyzer was failing to take this into account when devirtualizing a method call, and anything that relied on the return value having the proper type later would crash. In Objective-C, overriding methods are allowed to specify ANY return type, meaning we can NEVER be sure that devirtualizing will give us a "safe" return value. Of course, a program that does this will most likely crash at runtime, but the analyzer at least shouldn't crash. The solution is to check and see if the function/method being inlined is the function that static binding would have picked. If not, check that the return value has the same type. If the types don't match, see if we can fix it with a derived-to-base cast (the C++ case). If we can't, return UnknownVal to avoid crashing later. <rdar://problem/12409977> llvm-svn: 165079
* [analyzer] Push evalDynamicCast and evalDerivedToBase up to Store. | Jordan Rose | 2012-10-03 | 2 | -98/+86
  These functions are store-agnostic, and would benefit from information in DynamicTypeInfo but gain nothing from the store type. No intended functionality change. llvm-svn: 165078
* Teach getCXXRecordDeclForPointerType about references. | Jordan Rose | 2012-10-03 | 1 | -20/+5
  Then, rename it getPointeeCXXRecordDecl and give it a nice doc comment, and actually use it. No intended functionality change. llvm-svn: 165077