| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
llvm-svn: 165059
|
| |
|
|
|
|
| |
an intermediate helper method to query and populate the Optional value.
llvm-svn: 165043
|
| |
|
|
|
|
|
|
|
| |
table, making it printable with the ConfigDump checker. Along the
way, fix a really serious bug where the value was getting parsed
from the string in code that was in an assert() call. This means
in a Release-Asserts build this code wouldn't work as expected.
llvm-svn: 165041
|
| |
|
|
|
|
|
| |
the config string table. Also setup a test for dumping the analyzer
configuration for C++.
llvm-svn: 165040
|
| |
|
|
| |
llvm-svn: 164966
|
| |
|
|
| |
llvm-svn: 164965
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
By analogy with C structs, this seems to be legal, if probably discouraged.
It's only if the ivar is read from or written to that there's a problem.
Running a program that gets the "address" of an instance variable does in
fact return the offset when the base "object" is nil.
This isn't a full revert because r164442 includes some diagnostic tweaks
as well; those have been kept.
This partially reverts r164442 / 08965091770c9b276c238bac2f716eaa4da2dca4.
llvm-svn: 164960
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
an lvalue."
The original intent of this commit was to catch potential null dereferences
early, but it breaks the common "home-grown offsetof" idiom (PR13927):
(((struct Foo *)0)->member - ((struct foo *)0))
As it turns out, this appears to be legal in C, per a footnote in
C11 6.5.3.2: "Thus, &*E is equivalent to E (even if E is a null pointer)".
In C++ this issue is still open:
http://www.open-std.org/jtc1/sc22/wg21/docs/cwg_active.html#232
We'll just have to make sure we have good path notes in the future.
This reverts r164441 / 9be016dcd1ca3986873a7b66bd4bc027309ceb59.
llvm-svn: 164958
|
| |
|
|
|
|
|
|
| |
string in the config table so that it can be dumped as part of the
config dumper. Add a test to show that these options are sticking
and can be cross-checked using FileCheck.
llvm-svn: 164954
|
| |
|
|
|
|
|
| |
The format of this output is a WIP; largely I'm bringing it up now
for regression testing. We can evolve the output format over time.
llvm-svn: 164953
|
| |
|
|
|
|
|
|
|
|
|
| |
correctly."
This is related to but not blocked by <rdar://problem/12137950>
("Return-by-value structs do not have associated regions")
This reverts r164875 / 3278d41e17749dbedb204a81ef373499f10251d7.
llvm-svn: 164952
|
| |
|
|
|
|
|
|
|
| |
It is possible and valid to have a state manager and associated objects
without having a SubEngine or checkers.
Patch by Olaf Krzikalla!
llvm-svn: 164947
|
| |
|
|
|
|
|
|
| |
accessing fields"
This reverts commit 6f61df3e7256413dcb99afb9673f4206e3c4992c.
llvm-svn: 164877
|
| |
|
|
|
|
|
|
| |
rvalue."
This reverts commit 0006ba445962621ed82ec84400a6b978205a3fbc.
llvm-svn: 164876
|
| |
|
|
|
|
|
|
| |
correctly."
This reverts commit 580cd17f256259f39a382e967173f34d68e73859.
llvm-svn: 164875
|
| |
|
|
| |
llvm-svn: 164869
|
| |
|
|
|
|
|
|
|
|
|
| |
the validation occurred.
The original implementation was pessimistic - we assumed that ivars
which escape are invalidated. This version is optimistic, it assumes
that the ivars will always be explicitly invalidated: either set to nil
or sent an invalidation message.
llvm-svn: 164868
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the analyzer treated all inlined constructors like lvalues,
setting the value of the CXXConstructExpr to the newly-constructed
region. However, some CXXConstructExprs behave like rvalues -- in
particular, the implicit copy constructor into a pass-by-value argument.
In this case, we want only the /contents/ of a temporary object to be
passed, so that we can use the same "copy each argument into the
parameter region" algorithm that we use for scalar arguments.
This may change when we start modeling destructors of temporaries,
but for now this is the last part of <rdar://problem/12137950>.
llvm-svn: 164830
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
An rvalue has no address, but calling a C++ member function requires a
'this' pointer. This commit makes the analyzer create a temporary region
in which to store the struct rvalue and use as a 'this' pointer whenever
a member function is called on an rvalue, which is essentially what
CodeGen does.
More of <rdar://problem/12137950>. The last part is tracking down the
C++ FIXME in array-struct-region.cpp.
llvm-svn: 164829
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Struct rvalues are represented in the analyzer by CompoundVals,
LazyCompoundVals, or plain ConjuredSymbols -- none of which have associated
regions. If the entire structure is going to persist, this is not a
problem -- either the rvalue will be assigned to an existing region, or
a MaterializeTemporaryExpr will be present to create a temporary region.
However, if we just need a field from the struct, we need to create the
temporary region ourselves.
This is inspired by the way CodeGen handles calls to temporaries;
support for that in the analyzer is coming next.
Part of <rdar://problem/12137950>
llvm-svn: 164828
|
| |
|
|
| |
llvm-svn: 164803
|
| |
|
|
|
|
| |
through property getters.
llvm-svn: 164802
|
| |
|
|
|
|
| |
(fixup for r164790)
llvm-svn: 164791
|
| |
|
|
| |
llvm-svn: 164790
|
| |
|
|
| |
llvm-svn: 164788
|
| |
|
|
|
|
| |
See: http://en.wikipedia.org/wiki/If_and_only_if Commit 164766
llvm-svn: 164769
|
| |
|
|
| |
llvm-svn: 164766
|
| |
|
|
|
|
| |
[-Wunused-private-field]
llvm-svn: 164745
|
| |
|
|
|
|
|
|
|
|
|
| |
This checker is annotation driven. It checks that the annotated
invalidation method accesses all ivars of the enclosing objects that are
objects of type, which in turn contains an invalidation method.
This is driven by
__attribute((annotation("objc_instance_variable_invalidator")).
llvm-svn: 164716
|
| |
|
|
|
|
| |
This isn't correct, as Jordan correctly points out.
llvm-svn: 164711
|
| |
|
|
| |
llvm-svn: 164709
|
| |
|
|
| |
llvm-svn: 164661
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
removeDeadBindings."
Previously, we'd just keep constraints around forever, which means we'd
never be able to merge paths that differed only in constraints on dead
symbols.
Because we now allow constraints on symbolic expressions, not just single
symbols, this requires changing SymExpr::symbol_iterator to include
intermediate symbol nodes in its traversal, not just the SymbolData leaf
nodes.
This depends on the previous commit to be correct. Originally applied in
r163444, reverted in r164275, now being re-applied.
llvm-svn: 164622
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
No tests, but this allows the optimization of removing dead constraints.
We can then add tests that we don't do this prematurely.
<rdar://problem/12333297>
Note: the added FIXME to investigate SymbolRegionValue liveness is
tracked by <rdar://problem/12368183>. This patch does not change the
existing behavior.
llvm-svn: 164621
|
| |
|
|
|
|
| |
dispatch.
llvm-svn: 164579
|
| |
|
|
|
|
| |
(Unfortunately, I do not have a good reduced test case for this.)
llvm-svn: 164541
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a heuristic intended to greatly reduce the number of false
positives resulting from inlining, particularly inlining of generic,
defensive C++ methods that live in header files. The suppression is
triggered in the cases where we ask to track where a null pointer came
from, and it turns out that the source of the null pointer was an inlined
function call.
This change brings the number of bug reports in LLVM from ~1500 down to
around ~300, a much more manageable number. Yes, some true positives may
be hidden as well, but from what I looked at the vast majority of silenced
reports are false positives, and many of the true issues found by the
analyzer are still reported.
I'm hoping to improve this heuristic further by adding some exceptions
next week (cases in which a bug should still be reported).
llvm-svn: 164449
|
| |
|
|
|
|
|
| |
Also, tidy up the other tracking visitors so that they mark the right
things as interesting and don't do extra work.
llvm-svn: 164448
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before, PathDiagnosticConsumers that did not support actual path output
would (sensibly) cause the generation of the full path to be skipped.
However, BugReporterVisitors may want to see the path in order to mark a
BugReport as invalid.
Now, even for a path generation scheme of 'None' we will still create a
trimmed graph and walk backwards through the bug path, doing no work other
than passing the nodes to the BugReporterVisitors. This isn't cheap, but
it's necessary to properly do suppression when the first path consumer does
not support path notes.
In the future, we should try only generating the path and visitor-provided
path notes once, or at least only creating the trimmed graph once.
llvm-svn: 164447
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is intended to allow visitors to make decisions about whether a
BugReport is likely a false positive. Currently there are no visitors
making use of this feature, so there are no tests.
When a BugReport is marked invalid, the invalidator must provide a key
that identifies the invaliation (intended to be the visitor type and a
context pointer of some kind). This allows us to reverse the decision
later on. Being able to reverse a decision about invalidation gives us more
flexibility, and allows us to formulate conditions like "this report is
invalid UNLESS the original argument is 'foo'". We can use this to
fine-tune our false-positive suppression (coming soon).
llvm-svn: 164446
|
| |
|
|
|
|
|
| |
This allows us to show /why/ a particular object is nil, even when it is
wrapped in an OpaqueValueExpr.
llvm-svn: 164445
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than saying "Null pointer value stored to 'foo'", we now say
"Passing null pointer value via Nth parameter 'foo'", which is much better.
The note is also now on the argument expression as well, rather than the
entire call.
This paves the way for continuing to track arguments back to their sources.
<rdar://problem/12211490>
llvm-svn: 164444
|
| |
|
|
|
|
| |
Just a refactoring of common infrastructure. No intended functionality change.
llvm-svn: 164443
|
| |
|
|
|
|
|
|
|
|
|
| |
Like with struct fields, we want to catch cases like this early,
so that we can produce better diagnostics and path notes:
PointObj *p = nil;
int *px = &p->_x; // should warn here
*px = 1;
llvm-svn: 164442
|
| |
|
|
|
|
|
|
|
|
|
| |
We want to catch cases like this early, so that we can produce better
diagnostics and path notes:
Point *p = 0;
int *px = &p->x; // should warn here
*px = 1;
llvm-svn: 164441
|
| |
|
|
|
|
| |
Try this again, now that r164392 is in place.
llvm-svn: 164393
|
| |
|
|
|
|
|
|
| |
out bugs."
It crashed test/Analysis/Output/blocks.m on some hosts.
llvm-svn: 164368
|
| |
|
|
| |
llvm-svn: 164364
|
| |
|
|
| |
llvm-svn: 164363
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when
their implementations are unavailable. Start by simulating dispatch_sync().
This change is largely a bunch of plumbing around something very simple. We
use AnalysisDeclContext to conjure up a fake function body (using the
current ASTContext) when one does not exist. This is controlled
under the analyzer-config option "faux-bodies", which is off by default.
The plumbing in this patch is largely to pass the necessary machinery
around. CallEvent needs the AnalysisDeclContextManager to get
the function definition, as one may get conjured up lazily.
BugReporter and PathDiagnosticLocation needed to be relaxed to handle
invalid locations, as the conjured body has no real source locations.
We do some primitive recovery in diagnostic generation to generate
some reasonable locations (for arrows and events), but it can be
improved.
llvm-svn: 164339
|
