summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer
Commit message (Collapse)AuthorAgeFilesLines
* [analyzer]Revert part of r161511; suppresses leak false positives in C++Anna Zaks2013-02-061-0/+6
| | | | | | | | | | | This is a "quick fix". The underlining issue is that when a const pointer to a struct is passed into a function, we do not invalidate the pointer fields. This results in false positives that are common in C++ (since copy constructors are prevalent). (Silences two llvm false positives.) llvm-svn: 174468
* Change subexpressions to be visited in the CFG from left-to-right.Ted Kremenek2013-02-052-19/+52
| | | | | | | | | | | | | | | | | This is a more natural order of evaluation, and it is very important for visualization in the static analyzer. Within Xcode, the arrows will not jump from right to left, which looks very visually jarring. It also provides a more natural location for dataflow-based diagnostics. Along the way, we found a case in the analyzer diagnostics where we needed to indicate that a variable was "captured" by a block. -fsyntax-only timings on sqlite3.c show no visible performance change, although this is just one test case. Fixes <rdar://problem/13016513> llvm-svn: 174447
* [analyzer] Teach the analyzer to use a symbol for p when evaluatingAnna Zaks2013-02-051-11/+16
| | | | | | | | (void*)p. Addresses the false positives similar to the test case. llvm-svn: 174436
* Revert "[analyzer] Model trivial copy/move ctors with an aggregate bind."Jordan Rose2013-02-022-75/+14
| | | | | | | | | | | ...again. The problem has not been fixed and our internal buildbot is still getting hangs. This reverts r174212, originally applied in r173951, then reverted in r174069. Will not re-apply until the entire project analyzes successfully on my local machine. llvm-svn: 174265
* [analyzer] Always inline functions with bodies generated by BodyFarm.Anna Zaks2013-02-021-1/+15
| | | | | | | | Inlining these functions is essential for correctness. We often have cases where we do not inline calls. For example, the shallow mode and when reanalyzing previously inlined ObjC methods as top level. llvm-svn: 174245
* [analyzer] Print Inline mode with -analyzer-display-progress.Anna Zaks2013-02-021-4/+15
| | | | llvm-svn: 174244
* [analyzer] Fix typo.Anna Zaks2013-02-021-1/+1
| | | | llvm-svn: 174243
* Re-apply "[analyzer] Model trivial copy/move ctors with an aggregate bind."Jordan Rose2013-02-012-14/+75
| | | | | | | | With the optimization in the previous commit, this should be safe again. Originally applied in r173951, then reverted in r174069. llvm-svn: 174212
* [analyzer] Reuse a LazyCompoundVal if its type matches the new region.Jordan Rose2013-02-012-35/+26
| | | | | | | | | | | | | | | | | This allows us to keep from chaining LazyCompoundVals in cases like this: CGRect r = CGRectMake(0, 0, 640, 480); CGRect r2 = r; CGRect r3 = r2; Previously we only made this optimization if the struct did not begin with an aggregate member, to make sure that we weren't picking up an LCV for the first field of the struct. But since LazyCompoundVals are typed, we can make that inference directly by comparing types. This is a pure optimization; the test changes are to guard against possible future regressions. llvm-svn: 174211
* [analyzer]RetainCount: Fix an autorelease related false positive.Anna Zaks2013-01-311-1/+1
| | | | | | | The Cnt variable is adjusted (incremented) for simplification of checking logic. The increment should not be stored in the state. llvm-svn: 174104
* [analyzer] Don't track autorelease pools created by +new.Jordan Rose2013-01-311-14/+2
| | | | | | | | | | | | | This matches our behavior for autorelease pools created by +alloc. Some people like to create autorelease pools in one method and release them somewhere else. If you want safe autorelease pool semantics, use the new ARC-compatible syntax: @autoreleasepool { ... } <rdar://problem/13121353> llvm-svn: 174096
* Revert "[analyzer] Model trivial copy/move ctors with an aggregate bind."Jordan Rose2013-01-312-75/+14
| | | | | | | | | It's causing hangs on our internal analyzer buildbot. Will restore after investigating. This reverts r173951 / baa7ca1142990e1ad6d4e9d2c73adb749ff50789. llvm-svn: 174069
* [analyzer] If a lazy binding is undefined, pretend that it's unknown instead.Jordan Rose2013-01-311-2/+24
| | | | | | | | | | | | | | | | | | | | | | | | This is a hack to work around the fact that we don't track extents for our default bindings: CGPoint p; p.x = 0.0; p.y = 0.0; rectParam.origin = p; use(rectParam.size); // warning: uninitialized value in rectParam.size.width In this case, the default binding for 'p' gets copied into 'rectParam', because the 'origin' field is at offset 0 within CGRect. From then on, rectParam's old default binding (in this case a symbol) is lost. This patch silences the warning by pretending that lazy bindings are never made from uninitialized memory, but not only is that not true, the original default binding is still getting overwritten (see FIXME test cases). The long-term solution is tracked in <rdar://problem/12701038> PR14765 and <rdar://problem/12875012> llvm-svn: 174031
* [analyzer] Fix a bug in region store that lead to undefined value falseAnna Zaks2013-01-311-16/+8
| | | | | | | | | | positives. The includeSuffix was only set on the first iteration through the function, resulting in invalid regions being produced by getLazyBinding (ex: zoomRegion.y). llvm-svn: 174016
* [analyzer] Make shallow mode more shallow.Anna Zaks2013-01-302-4/+39
| | | | | | | | | | | | | | | | Redefine the shallow mode to inline all functions for which we have a definite definition (ipa=inlining). However, only inline functions that are up to 4 basic blocks large and cut the max exploded nodes generated per top level function in half. This makes shallow faster and allows us to keep inlining small functions. For example, we would keep inlining wrapper functions and constructors/destructors. With the new shallow, it takes 104s to analyze sqlite3, whereas the deep mode is 658s and previous shallow is 209s. llvm-svn: 173958
* [analyzer] Use analyzer config for max-inlinable-size option.Anna Zaks2013-01-302-1/+7
| | | | llvm-svn: 173957
* [analyzer] Move report false positive suppression to report visitors.Anna Zaks2013-01-302-34/+38
| | | | llvm-svn: 173956
* [analyzer] Remove further references to analyzer-ipa.Anna Zaks2013-01-301-2/+2
| | | | | | Thanks Jordan! llvm-svn: 173955
* [analyzer] Model trivial copy/move ctors with an aggregate bind.Jordan Rose2013-01-302-14/+75
| | | | | | | | | | | | | | | | | | | | | | This is faster for the analyzer to process than inlining the constructor and performing a member-wise copy, and it also solves the problem of warning when a partially-initialized POD struct is copied. Before: CGPoint p; p.x = 0; CGPoint p2 = p; <-- assigned value is garbage or undefined After: CGPoint p; p.x = 0; CGPoint p2 = p; // no-warning This matches our behavior in C, where we don't see a field-by-field copy. <rdar://problem/12305288> llvm-svn: 173951
* [analyzer] C++ initializers may require cleanups; look through these.Jordan Rose2013-01-261-1/+1
| | | | | | | | | | | | | | When the analyzer sees an initializer, it checks if the initializer contains a CXXConstructExpr. If so, it trusts that the CXXConstructExpr does the necessary work to initialize the object, and performs no further initialization. This patch looks through any implicit wrapping expressions like ExprWithCleanups to find the CXXConstructExpr inside. Fixes PR15070. llvm-svn: 173557
* [analyzer] Track null object lvalues back through C++ method calls.Jordan Rose2013-01-261-0/+2
| | | | | | | | | | The expression 'a->b.c()' contains a call to the 'c' method of 'a->b'. We emit an error if 'a' is NULL, but previously didn't actually track the null value back through the 'a->b' expression, which caused us to miss important false-positive-suppression cases, including <rdar://problem/12676053>. llvm-svn: 173547
* [analyzer] bugreporter::getDerefExpr now takes a Stmt, not an ExplodedNode.Jordan Rose2013-01-262-16/+12
| | | | | | | This allows it to be used in places where the interesting statement doesn't match up with the current node. No functionality change. llvm-svn: 173546
* [analyzer] Add 'prune-paths' config option to disable path pruning.Jordan Rose2013-01-262-1/+6
| | | | | | This should be used for testing only. Path pruning is still on by default. llvm-svn: 173545
* [analyzer] Rename PruneNullReturnPaths to SuppressNullReturnPaths.Jordan Rose2013-01-262-3/+3
| | | | | | | "Prune" is the term for eliminating pieces of a path that are not relevant to the user. "Suppress" means don't show that path at all. llvm-svn: 173544
* [analyzer] Add "-analyzer-config mode=[deep|shallow] ".Anna Zaks2013-01-241-2/+24
| | | | | | | | | | | | | The idea is to introduce a higher level "user mode" option for different use scenarios. For example, if one wants to run the analyzer for a small project each time the code is built, they would use the "shallow" mode. The user mode option will influence the default settings for the lower-level analyzer options. For now, this just influences the ipa modes, but we plan to find more optimal settings for them. llvm-svn: 173386
* [analyzer] Replace "-analyzer-ipa" with "-analyzer-config ipa".Anna Zaks2013-01-242-5/+27
| | | | | | | | | The idea is to eventually place all analyzer options under "analyzer-config". In addition, this lays the ground for introduction of a high-level analyzer mode option, which will influence the default setting for IPAMode. llvm-svn: 173385
* [analyzer] refactor: access IPAMode through the accessor.Anna Zaks2013-01-242-5/+8
| | | | llvm-svn: 173384
* Add missing null check. Not sure why my tests passed before.Ted Kremenek2013-01-231-4/+6
| | | | llvm-svn: 173292
* Honor attribute 'analyzer_noreturn' on Objective-C methods.Ted Kremenek2013-01-231-0/+7
| | | | | | | | | This isn't likely a full solution, but it catches the common cases and can be refined over time. Fixes <rdar://problem/11634353>. llvm-svn: 173291
* [analyzer] Show notes inside implicit calls at the last explicit call site.Jordan Rose2013-01-211-3/+6
| | | | | | | | | | | | | | | | | | | Before: struct Wrapper { <-- 2. Calling default constructor for 'NonTrivial'. NonTrivial m; }; Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'. After: struct Wrapper { NonTrivial m; }; Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'. ^-- 2. Calling default constructor for 'NonTrivial'. llvm-svn: 173067
* Implement OpenCL event_t as Clang builtin type, including event_t related ↵Guy Benyei2013-01-201-1/+2
| | | | | | OpenCL restrictions (OpenCL 1.2 spec 6.9) llvm-svn: 172973
* [analyzer] Don't show "Entered 'foo'" if 'foo' is implicit.Jordan Rose2013-01-191-0/+5
| | | | | | | | | | | | | | | | Before: Calling implicit default constructor for 'Foo' (where Foo is constructed) Entered call from 'test' (at "=default" or 'Foo' declaration) Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration) After: Calling implicit default constructor for 'Foo' (where Foo is constructed) Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration) This only affects the plist diagnostics; this note is never shown in the other diagnostics. llvm-svn: 172915
* [analyzer] Suppress warnings coming out of macros defined in sys/queue.hAnna Zaks2013-01-191-0/+25
| | | | | | | | | | | | | | | | | | | | | | | | | Suppress the warning by just not emitting the report. The sink node would get generated, which is fine since we did reach a bad state. Motivation Due to the way code is structured in some of these macros, we do not reason correctly about it and report false positives. Specifically, the following loop reports a use-after-free. Because of the way the code is structured inside of the macro, the analyzer assumes that the list can have cycles, so you end up with use-after-free in the loop, that is safely deleting elements of the list. (The user does not have a way to teach the analyzer about shape of data structures.) SLIST_FOREACH_SAFE(item, &ctx->example_list, example_le, tmpitem) { if (item->index == 3) { // if you remove each time, no complaints assert((&ctx->example_list)->slh_first == item); SLIST_REMOVE(&ctx->example_list, item, example_s, example_le); free(item); } } llvm-svn: 172883
* [analyzer] Special path notes for C++ special member functions.Jordan Rose2013-01-181-14/+56
| | | | | | | | | | | | Examples: Calling implicit default constructor for Foo Calling defaulted move constructor for Foo Calling copy constructor for Foo Calling implicit destructor for Foo Calling defaulted move assignment operator for Foo Calling copy assignment operator for Foo llvm-svn: 172833
* [analyzer] Do a better job describing C++ member functions in the call stack.Jordan Rose2013-01-181-21/+51
| | | | | | | | Examples: Calling constructor for 'Foo' Entered call from 'Foo::create' llvm-svn: 172832
* [analyzer] DirectIvarAssignment: allow suppression annotation on Ivars.Anna Zaks2013-01-171-7/+17
| | | | llvm-svn: 172766
* Implement C++11 semantics for [[noreturn]] attribute. This required splittingRichard Smith2013-01-171-1/+1
| | | | | | | | it apart from [[gnu::noreturn]] / __attribute__((noreturn)), since their semantics are not equivalent (for instance, we treat [[gnu::noreturn]] as affecting the function type, whereas [[noreturn]] does not). llvm-svn: 172691
* Rework the traversal of Objective-C categories and extensions toDouglas Gregor2013-01-162-7/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | consider (sub)module visibility. The bulk of this change replaces myriad hand-rolled loops over the linked list of Objective-C categories/extensions attached to an interface declaration with loops using one of the four new category iterator kinds: visible_categories_iterator: Iterates over all visible categories and extensions, hiding any that have their "hidden" bit set. This is by far the most commonly used iterator. known_categories_iterator: Iterates over all categories and extensions, ignoring the "hidden" bit. This tends to be used for redeclaration-like traversals. visible_extensions_iterator: Iterates over all visible extensions, hiding any that have their "hidden" bit set. known_extensions_iterator: Iterates over all extensions, whether they are visible to normal name lookup or not. The effect of this change is that any uses of the visible_ iterators will respect module-import visibility. See the new tests for examples. Note that the old accessors for categories and extensions are gone; there are *Raw() forms for some of them, for those (few) areas of the compiler that have to manipulate the linked list of categories directly. This is generally discouraged. Part two of <rdar://problem/10634711>. llvm-svn: 172665
* [analyzer] Add an annotation to allow suppression of direct ivarAnna Zaks2013-01-161-0/+18
| | | | | | assignment llvm-svn: 172597
* [analyzer] Fix warning typo.Anna Zaks2013-01-161-2/+2
| | | | llvm-svn: 172596
* [analyzer] Refactor: parameter rename.Anna Zaks2013-01-162-2/+2
| | | | llvm-svn: 172595
* Fix CastDavid Greene2013-01-151-1/+2
| | | | | | Properly use const_cast to fix a cast-away-const error. llvm-svn: 172561
* [analyzer] Add ProgramStatePartialTrait<const void *>.Jordan Rose2013-01-141-2/+2
| | | | | | This should fix cast-away-const warnings reported by David Greene. llvm-svn: 172446
* [analyzer] -drain is not an alias for -release.Jordan Rose2013-01-141-4/+0
| | | | | | | | | | | This was previously added to support -[NSAutoreleasePool drain], which behaves like -release under non-GC and "please collect" under GC. We're not currently modeling the autorelease pool stack, though, so we can just take this out entirely. Fixes PR14927. llvm-svn: 172444
* Remove useless 'llvm::' qualifier from names like StringRef and others that areDmitri Gribenko2013-01-1216-25/+25
| | | | | | brought into 'clang' namespace by clang/Basic/LLVM.h llvm-svn: 172323
* Refine analyzer's handling of unary '!' and floating types to not assert.Ted Kremenek2013-01-111-1/+4
| | | | | | Fixes PR 14634 and <rdar://problem/12903080>. llvm-svn: 172274
* Correctly propagate uninitialized values within logical expressions.Ted Kremenek2013-01-111-14/+18
| | | | | | | Fixes assertion failure reported in PR 14635 and <rdar://problem/12902945> respectively. llvm-svn: 172263
* [analyzer] Rename the warning: state the issue before the hint of how itAnna Zaks2013-01-111-6/+5
| | | | | | can be fixed llvm-svn: 172170
* [analyzer]Recognize ivar invalidation protocol even if it was redeclaredAnna Zaks2013-01-111-2/+2
| | | | | | This will get rid of some false positives as well as false negatives. llvm-svn: 172169
* [analyzer] Ivar invalidation: track ivars declared in categories.Anna Zaks2013-01-111-7/+15
| | | | llvm-svn: 172168
OpenPOWER on IntegriCloud