summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer
Commit message (Collapse)AuthorAgeFilesLines
...
* [analyzer] Add LocationContext as a parameter to checkRegionChangesAnna Zaks2017-01-1311-48/+60
| | | | | | | | | | | This patch adds LocationContext to checkRegionChanges and removes wantsRegionChangeUpdate as it was unused. A patch by Krzysztof Wiśniewski! Differential Revision: https://reviews.llvm.org/D27090 llvm-svn: 291869
* [analyzer] Support inlining of '[self classMethod]' and '[[self class] ↵Anna Zaks2017-01-131-2/+60
| | | | | | | | classMethod]' Differential Revision: https://reviews.llvm.org/D28495 llvm-svn: 291867
* [analyzer] Fix false positives in Keychain API checkerAnna Zaks2017-01-131-83/+89
| | | | | | | | | | | | | | The checker has several false positives that this patch addresses: - Do not check if the return status has been compared to error (or no error) at the time when leaks are reported since the status symbol might no longer be alive. Instead, pattern match on the assume and stop tracking allocated symbols on error paths. - The checker used to report error when an unknown symbol was freed. This could lead to false positives, let's not repot those. This leads to loss of coverage in double frees. - Do not enforce that we should only call free if we are sure that error was not returned and the pointer is not null. That warning is too noisy and we received several false positive reports about it. (I removed: "Only call free if a valid (non-NULL) buffer was returned") - Use !isDead instead of isLive in leak reporting. Otherwise, we report leaks for objects we loose track of. This change triggered change #1. This also adds checker specific dump to the state. Differential Revision: https://reviews.llvm.org/D28330 llvm-svn: 291866
* [analyzer] Don't dereference the array value when binding it to a reference.Artem Dergachev2017-01-122-8/+3
| | | | | | | | | | This replaces the hack in r291754, which was fixing pr31592, which was caused by r291754, with a more appropriate solution. rdar://problem/28832541 Differential revision: https://reviews.llvm.org/D28602 llvm-svn: 291781
* [analyzer] Avoid a crash in DereferenceChecker on string literal initializers.Artem Dergachev2017-01-121-0/+6
| | | | | | | | | | | | A hotfix for pr31592 that fixes the crash but not the root cause of the problem. We need to update the analyzer engine further to account for AST changes introduced in r289618. At the moment we're erroneously performing a redundant lvalue-to-rvalue cast in this scenario, and squashing the rvalue of the object bound to the reference into the reference itself. rdar://problem/28832541 llvm-svn: 291754
* [analyzer] Treat pointers to static member functions as function pointersDevin Coughlin2017-01-101-0/+12
| | | | | | | | | | | | Sema treats pointers to static member functions as having function pointer type, so treat treat them as function pointer values in the analyzer as well. This prevents an assertion failure in SValBuilder::evalBinOp caused by code that expects function pointers to be Locs (in contrast, PointerToMember values are nonlocs). Differential Revision: https://reviews.llvm.org/D28033 llvm-svn: 291581
* [OpenMP] Sema and parsing for 'target teams distribute simd’ pragmaKelvin Li2017-01-101-0/+1
| | | | | | | | This patch is to implement sema and parsing for 'target teams distribute simd’ pragma. Differential Revision: https://reviews.llvm.org/D28252 llvm-svn: 291579
* [analyzer] Add checker for iterators dereferenced beyond their range.Gabor Horvath2017-01-093-1/+851
| | | | | | | | Patch by: Adam Balogh! Differential Revision: https://reviews.llvm.org/D25660 llvm-svn: 291430
* Reapply "IntrusiveRefCntPtr -> std::shared_ptr for CompilerInvocationBase ↵David Blaikie2017-01-061-3/+2
| | | | | | | | | | | | | | and CodeCompleteConsumer" Aleksey Shlypanikov pointed out my mistake in migrating an explicit unique_ptr to auto - I was expecting the function returned a unique_ptr, but instead it returned a raw pointer - introducing a leak. Thanks Aleksey! This reapplies r291184, reverted in r291249. llvm-svn: 291270
* Revert "IntrusiveRefCntPtr -> std::shared_ptr for CompilerInvocationBase and ↵David Blaikie2017-01-061-2/+3
| | | | | | | | | | CodeCompleteConsumer" Caused a memory leak reported by asan. Reverting while I investigate. This reverts commit r291184. llvm-svn: 291249
* IntrusiveRefCntPtr -> std::shared_ptr for CompilerInvocationBase and ↵David Blaikie2017-01-051-3/+2
| | | | | | CodeCompleteConsumer llvm-svn: 291184
* Move Preprocessor over to std::shared_ptr rather than IntrusiveRefCntPtrDavid Blaikie2017-01-051-1/+1
| | | | llvm-svn: 291166
* Migrate PathDiagnosticPiece to std::shared_ptrDavid Blaikie2017-01-0517-400/+369
| | | | | | | Simplifies and makes explicit the memory ownership model rather than implicitly passing/acquiring ownership. llvm-svn: 291143
* Remove use of intrusive ref count ownership acquisitionDavid Blaikie2017-01-041-1/+1
| | | | | | | | | | | The one use of CheckerManager (AnalysisConsumer, calling createCheckerManager) keeps a strong reference to the AnalysisOptions anyway, so this ownership wasn't necessary. (I'm not even sure AnalysisOptions needs ref counting at all - but that's more involved) llvm-svn: 291017
* [OpenMP] Sema and parsing for 'target teams distribute parallel for simd’ ↵Kelvin Li2017-01-031-0/+1
| | | | | | | | | | pragma This patch is to implement sema and parsing for 'target teams distribute parallel for simd’ pragma. Differential Revision: https://reviews.llvm.org/D28202 llvm-svn: 290862
* [OpenMP] Sema and parsing for 'target teams distribute parallel for’ pragmaKelvin Li2016-12-291-0/+1
| | | | | | | | This patch is to implement sema and parsing for 'target teams distribute parallel for’ pragma. Differential Revision: https://reviews.llvm.org/D28160 llvm-svn: 290725
* [OpenMP] Sema and parsing for 'target teams distribute' pragmaKelvin Li2016-12-251-0/+1
| | | | | | | | This patch is to implement sema and parsing for 'target teams distribute' pragma. Differential Revision: https://reviews.llvm.org/D28015 llvm-svn: 290508
* Fix for PR15623 (corrected r290413 reverted at 290415). The patch eliminates ↵Anton Yartsev2016-12-252-18/+20
| | | | | | | | | unwanted ProgramState checker data propagation from an operand of the logical operation to operation result. The patch also simplifies an assume of a constraint of the form: "(exp comparison_op expr) != 0" to true into an assume of "exp comparison_op expr" to true. (And similarly, an assume of the form "(exp comparison_op expr) == 0" to true as an assume of exp comparison_op expr to false.) which improves precision overall. https://reviews.llvm.org/D22862 llvm-svn: 290505
* Fix problems in "[OpenCL] Enabling the usage of CLK_NULL_QUEUE as compare ↵Egor Churaev2016-12-231-0/+1
| | | | | | | | | | | | | | operand." Summary: Fixed warnings in commit: https://reviews.llvm.org/rL290171 Reviewers: djasper, Anastasia Subscribers: yaxunl, cfe-commits, bader Differential Revision: https://reviews.llvm.org/D27981 llvm-svn: 290431
* Revert changes made by r290413 until regression is fixed.Anton Yartsev2016-12-232-22/+18
| | | | llvm-svn: 290415
* Fix for PR15623. The patch eliminates unwanted ProgramState checker data ↵Anton Yartsev2016-12-232-18/+22
| | | | | | | | | propagation from an operand of the logical operation to operation result. The patch also simplifies an assume of a constraint of the form: "(exp comparison_op expr) != 0" to true into an assume of "exp comparison_op expr" to true. (And similarly, an assume of the form "(exp comparison_op expr) == 0" to true as an assume of exp comparison_op expr to false.) which improves precision overall. https://reviews.llvm.org/D22862 llvm-svn: 290413
* [analyzer] Update GTestChecker to tighten API detectionDevin Coughlin2016-12-221-36/+48
| | | | | | | | | Update the GTestChecker to tighten up the API detection and make it cleaner in response to post-commit feedback. Also add tests for when temporary destructors are enabled to make sure we get the expected behavior when inlining constructors for temporaries. llvm-svn: 290352
* [analyzer] Improve suppress-on-sink behavior in incomplete analyses.Artem Dergachev2016-12-221-0/+26
| | | | | | | | | | | | | | | | | | | | | | | Warnings with suppress-on-sink are discarded during FlushReports when BugReporter notices that all paths in ExplodedGraph that pass through the warning eventually run into a sink node. However, suppress-on-sink fails to filter out false positives when the analysis terminates too early - by running into analyzer limits, such as block count limits or graph size limits - and the interruption hits the narrow window between throwing the leak report and reaching the no-return function call. In such case the report is there, however suppression-on-sink doesn't work, because the sink node was never constructed in the incomplete ExplodedGraph. This patch implements a very partial solution: also suppress reports thrown against a statement-node that corresponds to a statement that belongs to a no-return block of the CFG. rdar://problem/28832541 Differential Revision: https://reviews.llvm.org/D28023 llvm-svn: 290341
* [analyzer] Add checker modeling gtest APIs.Devin Coughlin2016-12-192-0/+288
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | gtest is a widely-used unit-testing API. It provides macros for unit test assertions: ASSERT_TRUE(p != nullptr); that expand into an if statement that constructs an object representing the result of the assertion and returns when the assertion is false: if (AssertionResult gtest_ar_ = AssertionResult(p == nullptr)) ; else return ...; Unfortunately, the analyzer does not model the effect of the constructor precisely because (1) the copy constructor implementation is missing from the the header (so it can't be inlined) and (2) the boolean-argument constructor is constructed into a temporary (so the analyzer decides not to inline it since it doesn't reliably call temporary destructors right now). This results in false positives because the analyzer does not realize that the the assertion must hold along the non-return path. This commit addresses the false positives by explicitly modeling the effects of the two un-inlined constructors on the AssertionResult state. I've added a new package, "apiModeling", for these kinds of checkers that model APIs but don't emit any diagnostics. I envision all the checkers in this package always being on by default. This addresses the false positives reported in PR30936. Differential Revision: https://reviews.llvm.org/D27773 rdar://problem/22705813 llvm-svn: 290143
* [analyzer] Add sink after construction of temporary with no-return destructor.Devin Coughlin2016-12-191-0/+24
| | | | | | | | | | | | | | | | | | | The analyzer's CFG currently doesn't have nodes for calls to temporary destructors. This causes the analyzer to explore infeasible paths in which a no-return destructor would have stopped exploration and so results in false positives when no-return destructors are used to implement assertions. To mitigate these false positives, this patch stops generates a sink after evaluating a constructor on a temporary object that has a no-return destructor. This results in a loss of coverage because the time at which the destructor is called may be after the time of construction (especially for lifetime-extended temporaries). This addresses PR15599. rdar://problem/29131566 llvm-svn: 290140
* [OpenMP] Sema and parsing for 'target teams' pragmaKelvin Li2016-12-171-0/+1
| | | | | | | | This patch is to implement sema and parsing for 'target teams' pragma. Differential Revision: https://reviews.llvm.org/D27818 llvm-svn: 290038
* [analyzer] UnixAPIChecker: Don't diagnose for functions in C++ namespacesDevin Coughlin2016-12-171-0/+6
| | | | | | | | | | Update the UnixAPIChecker to not diagnose for calls to functions that are declared in C++ namespaces. This avoids false positives when a namespaced function has the same name as a Unix API. This address PR28331. llvm-svn: 290023
* [analyzer] Extend UnixAPIChecker open() checks to handle openat().Devin Coughlin2016-12-161-11/+80
| | | | | | | | | The openat() API has similar constraints to the open() API -- it just takes an extra parameter. rdar://problem/29526458 llvm-svn: 290005
* [analyzer] Fix crash in MallocChecker.Devin Coughlin2016-12-161-2/+1
| | | | | | | | | | | | | Fix a crash in the MallocChecker when the extent size for the argument to new[] is not known. A patch by Abramo Bagnara and Dániel Krupp! https://reviews.llvm.org/D27849 Differential Revision: https://reviews.llvm.org/D27849 llvm-svn: 289970
* [analyzer] Add another exception for Qt in MallocCheckerArtem Dergachev2016-12-161-0/+5
| | | | | | | | | | Treat pointers passed to QObject::connectImpl() as escaping. rdar://problem/29550440 Differential Revision: https://reviews.llvm.org/D27717 llvm-svn: 289939
* [analyzer] Teach the analyzer that pointers can escape into __cxa_demangleAnna Zaks2016-12-151-0/+5
| | | | | | | | This fixes a reported false positive in the malloc checker. Differential Revision: https://reviews.llvm.org/D27599 llvm-svn: 289886
* [analyzer] Refine the diagnostics in the nullability checker to ↵Anna Zaks2016-12-151-5/+10
| | | | | | | | | | | | differentiate between nil and null This is a big deal for ObjC, where nullability annotations are extensively used. I've also changed "Null" -> "null" and removed "is" as this is the pattern that Sema is using. Differential Revision: https://reviews.llvm.org/D27600 llvm-svn: 289885
* [analyzer] Refer to macro names in diagnostics for macros representing a literalAnna Zaks2016-12-151-5/+49
| | | | | | | | | | | | | When a macro expending to a literal is used in a comparison, use the macro name in the diagnostic rather than the literal. This improves readability of path notes. Added tests for various macro literals that could occur. Only BOOl, Int, and NULL tests have changed behavior with this patch. Differential Revision: https://reviews.llvm.org/D27726 llvm-svn: 289884
* [analyzer] Include type name in Retain Count Checker diagnosticsAnna Zaks2016-12-151-2/+14
| | | | | | | | | The more detailed diagnostic will make identifying which object the diagnostics refer to easier. Differential Revision: https://reviews.llvm.org/D27740 llvm-svn: 289883
* [analyzer] Add a new SVal to support pointer-to-member operations.Devin Coughlin2016-12-156-42/+267
| | | | | | | | | | | Add a new type of NonLoc SVal for C++ pointer-to-member operations. This SVal supports both pointers to member functions and pointers to member data. A patch by Kirill Romanenkov! Differential Revision: https://reviews.llvm.org/D25475 llvm-svn: 289873
* Remove custom handling of array copies in lambda by-value array capture andRichard Smith2016-12-143-5/+7
| | | | | | | | | | | copy constructors of classes with array members, instead using ArrayInitLoopExpr to represent the initialization loop. This exposed a bug in the static analyzer where it was unable to differentiate between zero-initialized and unknown array values, which has also been fixed here. llvm-svn: 289618
* [analyzer] Detect ObjC properties that are both (copy) and Mutable.Artem Dergachev2016-12-132-0/+83
| | | | | | | | | | | | | | | When an Objective-C property has a (copy) attribute, the default setter for this property performs a -copy on the object assigned. Calling -copy on a mutable NS object such as NSMutableString etc. produces an immutable object, NSString in our example. Hence the getter becomes type-incorrect. rdar://problem/21022397 Differential Revision: https://reviews.llvm.org/D27535 llvm-svn: 289554
* [analyzer] Run clang-format and fix styleDominic Chen2016-12-133-213/+193
| | | | | | | | | | | | Summary: Split out formatting and style changes from D26061 Reviewers: zaks.anna, dcoughlin Subscribers: cfe-commits Differential Revision: https://reviews.llvm.org/D26691 llvm-svn: 289511
* Add two new AST nodes to represent initialization of an array in terms ofRichard Smith2016-12-121-0/+2
| | | | | | | | | | | | | | | | | | | | initialization of each array element: * ArrayInitLoopExpr is a prvalue of array type with two subexpressions: a common expression (an OpaqueValueExpr) that represents the up-front computation of the source of the initialization, and a subexpression representing a per-element initializer * ArrayInitIndexExpr is a prvalue of type size_t representing the current position in the loop This will be used to replace the creation of explicit index variables in lambda capture of arrays and copy/move construction of classes with array elements, and also C++17 structured bindings of arrays by value (which inexplicably allow copying an array by value, unlike all of C++'s other array declarations). No uses of these nodes are introduced by this change, however. llvm-svn: 289413
* [analyzer] Improve VirtualCallChecker diagnostics and move into optin package.Devin Coughlin2016-12-101-38/+83
| | | | | | | | | | | | | | | | | | The VirtualCallChecker is in alpha because its interprocedural diagnostics represent the call path textually in the diagnostic message rather than with a path sensitive diagnostic. This patch turns off the AST-based interprocedural analysis in the checker so that no call path is needed and improves with diagnostic text. With these changes, the checker is ready to be moved into the optin package. Ultimately the right fix is to rewrite this checker to be path sensitive -- but there is still value in enabling the checker for intraprocedural analysis only The interprocedural mode can be re-enabled with an -analyzer-config flag. Differential Revision: https://reviews.llvm.org/D26768 llvm-svn: 289309
* [OpenMP] Sema and parsing for 'teams distribute parallel for' pragmaKelvin Li2016-12-091-0/+1
| | | | | | | | This patch is to implement sema and parsing for 'teams distribute parallel for' pragma. Differential Revision: https://reviews.llvm.org/D27345 llvm-svn: 289179
* [analyzer] Add dispatch_data_create as a special case in RetainCountChecker.Artem Dergachev2016-12-081-1/+4
| | | | | | | | | | | | | This function receives a callback block. The analyzer suspects that this block may be used to take care of releasing the libdispatch object returned from the function. In fact, it doesn't - it only releases the raw data buffer. Inform the analyzer about that. Fixes the resulting false negatives. rdar://problem/22280098 Differential Revision: https://reviews.llvm.org/D27409 llvm-svn: 289047
* [analyzer] Fix typo in nullability checker diagnosticDevin Coughlin2016-12-071-1/+1
| | | | | | 'infered' --> 'inferred' llvm-svn: 288922
* [analyzer] Remove an unused enum value in RetainCountChecker.Artem Dergachev2016-12-071-9/+8
| | | | | | | | No functional change intended. Differential Revision: https://reviews.llvm.org/D27408 llvm-svn: 288917
* [analyzer] pr31226: Disable CastSizeChecker in C++ because it's not quite ready.Artem Dergachev2016-12-071-1/+6
| | | | | | | | Avoids a crash and a related false positive. Investigation by Daniel Krupp! llvm-svn: 288914
* [analyzer] Print type for SymbolRegionValues when dumping to streamDominic Chen2016-12-051-1/+2
| | | | | | | | | | Reviewers: NoQ, dcoughlin, zaks.anna Subscribers: cfe-commits Differential Revision: https://reviews.llvm.org/D27365 llvm-svn: 288696
* [analyzer] ObjCGenerics: Warn only on mismatch for invariant type parametersDevin Coughlin2016-12-051-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | On a method call, the ObjCGenerics checker uses the type tracked by DynamicTypePropagation for the receiver to to infer substituted parmeter types for the called methods and warns when the argument type does not match the parameter. Unfortunately, using the tracked type can result in false positives when the receiver has a non-invariant type parameter and has been intentionally upcast. For example, becaue NSArray's type parameter is covaraint, the following code is perfectly safe: NSArray<NSString *> *allStrings = ... NSDate *date = ...; NSArray<NSObject *> *allObjects = allStrings; NSArray<NSObject *> *moreObjects = [allObjects arrayByAddingObject:date]; but the checker currently warns that the date parameter is not an NSString *. To avoid this kind of false positive, the checker will now only warn when the class defining the called method has only invariant type parameters. rdar://problem/28803951 llvm-svn: 288677
* DR1213: element access on an array xvalue or prvalue produces an xvalue. In theRichard Smith2016-12-051-9/+1
| | | | | | | | | | | | | | latter case, a temporary array object is materialized, and can be lifetime-extended by binding a reference to the member access. Likewise, in an array-to-pointer decay, an rvalue array is materialized before being converted into a pointer. This caused IR generation to stop treating file-scope array compound literals as having static storage duration in some cases in C++; that has been rectified by modeling such a compound literal as an lvalue. This also improves clang's compatibility with GCC for those cases. llvm-svn: 288654
* [OpenMP] Sema and parsing for 'teams distribute parallel for simd' pragmaKelvin Li2016-11-301-0/+1
| | | | | | | | This patch is to implement sema and parsing for 'teams distribute parallel for simd' pragma. Differential Revision: https://reviews.llvm.org/D27084 llvm-svn: 288294
* [analyzer] Construct temporary objects of correct types, destroy them properly.Artem Dergachev2016-11-301-30/+49
| | | | | | | | | | | | | | | | | | | | | | | When constructing a temporary object region, which represents the result of MaterializeTemporaryExpr, track down the sub-expression for which the temporary is necessary with a trick similar to the approach used in CodeGen, namely by using Expr::skipRValueSubobjectAdjustments(). Then, create the temporary object region with type of that sub-expression. That type would propagate further in a path-sensitive manner. During destruction of lifetime-extened temporaries, consult the type of the temporary object region, rather than the type of the lifetime-extending variable, in order to call the correct destructor (fixes pr17001) and, at least, not to crash by trying to call a destructor of a plain type (fixes pr19539). rdar://problem/29131302 rdar://problem/29131576 Differential Revision: https://reviews.llvm.org/D26839 llvm-svn: 288263
OpenPOWER on IntegriCloud