path: root/clang/lib/StaticAnalyzer
Commit message | Author | Age | Files | Lines
...
* [Analyzer] Checker for Debugging Iterator Checkers
  Author: Adam Balogh | Age: 2019-11-08 | Files: 1 | Lines: -2/+155
  For white-box testing correct container and iterator modelling it is essential to access the internal data structures stored for container and iterators. This patch introduces a simple debug checker called debug.IteratorDebugging to achieve this.
  Differential Revision: https://reviews.llvm.org/D67156
* [analyzer] PR41729: CStringChecker: Improve strlcat and strlcpy modeling.
  Author: Artem Dergachev | Age: 2019-11-07 | Files: 1 | Lines: -135/+166
  - Fix false positive reports of strlcat.
  - The return value of strlcat and strlcpy is now correctly calculated.
  - The resulting string length of strlcat and strlcpy is now correctly calculated.
  Patch by Daniel Krupp!
  Differential Revision: https://reviews.llvm.org/D66049
* [clang][analyzer] Using CallDescription in StreamChecker.
  Author: Balázs Kéri | Age: 2019-10-31 | Files: 1 | Lines: -254/+146
  Summary: Recognition of function names is done now with the CallDescription class instead of using IdentifierInfo. This means function name and argument count is compared too. A new check for filtering not global-C-functions was added. Test was updated.
  Reviewers: Szelethus, NoQ, baloghadamsoftware, Charusso
  Reviewed By: Szelethus, NoQ, Charusso
  Subscribers: rnkovacs, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, donat.nagy, Charusso, dkrupp, Szelethus, gamesh411, cfe-commits
  Tags: #clang
  Differential Revision: https://reviews.llvm.org/D67706
* [OPENMP50]Add support for parallel master taskloop simd directive.
  Author: Alexey Bataev | Age: 2019-10-30 | Files: 1 | Lines: -0/+1
  Added full support for parallel master taskloop simd directive.
* [analyzer] Fix off-by-one in operator call parameter binding.
  Author: Artem Dergachev | Age: 2019-10-23 | Files: 1 | Lines: -1/+1
  Member operator declarations and member operator expressions have different numbering of parameters and arguments respectively: one of them includes "this", the other does not.
  Account for this inconsistency when figuring out whether the parameter needs to be manually rebound from the Environment to the Store when entering a stack frame of an operator call, as opposed to being constructed with a constructor and as such already having the necessary Store bindings.
  Differential Revision: https://reviews.llvm.org/D69155
* [analyzer] PR43551: Do not dereference void* in UndefOrNullArgVisitor.
  Author: Artem Dergachev | Age: 2019-10-19 | Files: 1 | Lines: -3/+5
  Patch by Kristóf Umann!
  Differential Revision: https://reviews.llvm.org/D68591
  llvm-svn: 375329
* [analyzer] Fix a crash on tracking Objective-C 'self' as a control dependency.
  Author: Artem Dergachev | Age: 2019-10-19 | Files: 1 | Lines: -7/+12
  'self' was previously never tracked, but now it can be tracked because it may be part of a condition.
  llvm-svn: 375328
* [c++20] Add CXXRewrittenBinaryOperator to represent a comparison
  Author: Richard Smith | Age: 2019-10-19 | Files: 1 | Lines: -0/+1
  operator that is rewritten as a call to multiple other operators.
  No functionality change yet: nothing creates these expressions.
  llvm-svn: 375305
* [analyzer] Fix FieldRegion dumps.
  Author: Artem Dergachev | Age: 2019-10-18 | Files: 1 | Lines: -1/+1
  The '->' thing has always been confusing; the actual operation '->' translates to a pointer dereference together with adding a FieldRegion, but FieldRegion on its own doesn't imply an additional pointer dereference.
  llvm-svn: 375281
* [analyzer] Drop the logic for collapsing the state if it's same as in preds.
  Author: Artem Dergachev | Age: 2019-10-18 | Files: 1 | Lines: -10/+1
  One of the first attempts to reduce the size of the exploded graph dumps was to skip the state dump as long as the state is the same as in all of the predecessor nodes. With all the new facilities in place (node joining, diff dumps), this feature doesn't do much, and when it does, it's more harmful than useful. Let's remove it.
  llvm-svn: 375280
* [analyzer] Fix hidden node traversal in exploded graph dumps.
  Author: Artem Dergachev | Age: 2019-10-18 | Files: 1 | Lines: -11/+5
  The joined nodes now actually have the same state. That was intended from the start but the original implementation turned out to be buggy.
  Differential Revision: https://reviews.llvm.org/D69150
  llvm-svn: 375278
* [OPENMP50]Add support for master taskloop simd.
  Author: Alexey Bataev | Age: 2019-10-18 | Files: 1 | Lines: -0/+1
  Added parsing/semantics/codegen for combined construct master taskloop simd.
  llvm-svn: 375255
* [analyzer] Assign truly stable identifiers to exploded nodes.
  Author: Artem Dergachev | Age: 2019-10-17 | Files: 3 | Lines: -21/+14
  ExplodedGraph nodes will now have a numeric identifier stored in them which will keep track of the order in which the nodes were created and it will be fully deterministic both across runs and across machines.
  This is extremely useful for debugging as it allows reliably setting conditional breakpoints by node IDs.
  llvm-svn: 375186
* [Concepts] Concept Specialization Expressions
  Author: Saar Raz | Age: 2019-10-15 | Files: 1 | Lines: -0/+1
  Part of C++20 Concepts implementation effort. Added Concept Specialization Expressions that are created when a concept is refe$
  D41217 on Phabricator.
  (recommit after fixing failing Parser test on windows)
  llvm-svn: 374903
* Revert 374882 "[Concepts] Concept Specialization Expressions"
  Author: Nico Weber | Age: 2019-10-15 | Files: 1 | Lines: -1/+0
  This reverts commit ec87b003823d63f3342cf648f55a134c1522e612. The test fails on Windows, see e.g. http://lab.llvm.org:8011/builders/clang-x64-windows-msvc/builds/11533/steps/stage%201%20check/logs/stdio
  Also revert follow-up r374893.
  llvm-svn: 374899
* [Concepts] Concept Specialization Expressions
  Author: Saar Raz | Age: 2019-10-15 | Files: 1 | Lines: -0/+1
  Part of C++20 Concepts implementation effort. Added Concept Specialization Expressions that are created when a concept is referenced with arguments, and tests thereof.
  llvm-svn: 374882
* [OPENMP50]Add support for 'parallel master taskloop' construct.
  Author: Alexey Bataev | Age: 2019-10-14 | Files: 1 | Lines: -0/+1
  Added parsing/sema/codegen support for 'parallel master taskloop' constructs. Some of the clauses, like 'grainsize', 'num_tasks', 'final' and 'priority' are not supported in full, only constant expressions can be used currently in these clauses.
  llvm-svn: 374791
* BlockInCriticalSectionChecker - silence static analyzer dyn_cast null dereference warning. NFCI.
  Author: Simon Pilgrim | Age: 2019-10-13 | Files: 1 | Lines: -1/+1
  The static analyzer is warning about a potential null dereference, but we should be able to use cast<> directly and if not assert will fire for us.
  llvm-svn: 374717
* [OPENMP50]Support for 'master taskloop' directive.
  Author: Alexey Bataev | Age: 2019-10-10 | Files: 1 | Lines: -0/+1
  Added full support for master taskloop directive.
  llvm-svn: 374437
* Revert "[analyzer] A speculative attempt to avoid gcc-7 crashes..."
  Author: Artem Dergachev | Age: 2019-09-26 | Files: 1 | Lines: -5/+2
  This reverts commit r372940 which was an overreaction to a flaky buildbot.
  llvm-svn: 373005
* [analyzer] A speculative attempt to avoid gcc-7 crashes caused by r372942.
  Author: Artem Dergachev | Age: 2019-09-26 | Files: 1 | Lines: -2/+5
  llvm-svn: 372945
* [analyzer] Avoid small vectors of non-default-constructibles.
  Author: Artem Dergachev | Age: 2019-09-26 | Files: 1 | Lines: -1/+1
  Unconfuses certain compilers.
  llvm-svn: 372942
* [NFCI] Return PathSensitiveBugReport where appropriate
  Author: Alex Langford | Age: 2019-09-23 | Files: 2 | Lines: -7/+10
  Some compilers have trouble converting unique_ptr<PathSensitiveBugReport> to unique_ptr<BugReport> causing some functions to fail to compile. Changing the return type of the functions that fail to compile does not appear to have any issues. I ran into this issue building with clang 3.8 on Ubuntu 16.04.
  llvm-svn: 372668
* Move classes into anonymous namespaces. NFC.
  Author: Benjamin Kramer | Age: 2019-09-22 | Files: 1 | Lines: -2/+2
  llvm-svn: 372495
* Attempt to fix a windows buildbot failure
  Author: Kristof Umann | Age: 2019-09-21 | Files: 1 | Lines: -2/+2
  llvm-svn: 372462
* Fix a documentation error
  Author: Kristof Umann | Age: 2019-09-20 | Files: 1 | Lines: -1/+1
  llvm-svn: 372419
* Reland '[analyzer][MallocChecker][NFC] Document and reorganize some functions'
  Author: Kristof Umann | Age: 2019-09-20 | Files: 1 | Lines: -463/+720
  Differential Revision: https://reviews.llvm.org/D54823
  llvm-svn: 372414
* [analyzer] PR43102: Fix an assertion and an out-of-bounds error for diagnostic location construction
  Author: Kristof Umann | Age: 2019-09-18 | Files: 1 | Lines: -1/+2
  Summary: https://bugs.llvm.org/show_bug.cgi?id=43102
  In today's edition of "Is this any better now that it isn't crashing?", I'd like to show you a very interesting test case with loop widening.
  Looking at the included test case, it's immediately obvious that this is not only a false positive, but also a very bad bug report in general. We can see how the analyzer mistakenly invalidated `b`, instead of its pointee, resulting in it reporting a null pointer dereference error. Not only that, the point at which this change of value is noted at is at the loop, rather than at the method call.
  It turns out that `FindLastStoreVisitor` works correctly, rather the supplied explodedgraph is faulty, because `BlockEdge` really is the `ProgramPoint` where this happens. {F9855739}
  So it's fair to say that this needs improving on multiple fronts. In any case, at least the crash is gone.
  Full ExplodedGraph: {F9855743}
  Reviewers: NoQ, xazax.hun, baloghadamsoftware, Charusso, dcoughlin, rnkovacs, TWeaver
  Subscribers: JesperAntonsson, uabelho, Ka-Ka, bjope, whisperity, szepet, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, gamesh411, cfe-commits
  Tags: #clang
  Differential Revision: https://reviews.llvm.org/D66716
  llvm-svn: 372269
* [analyzer][NFC] Fix inconsistent references to checkers as "checks"
  Author: Kristof Umann | Age: 2019-09-12 | Files: 21 | Lines: -92/+86
  Traditionally, clang-tidy uses the term check, and the analyzer uses checker, but in the very early years, this wasn't the case, and code originating from the early 2010's still incorrectly refers to checkers as checks.
  This patch attempts to hunt down most of these, aiming to refer to checkers as checkers, but preserve references to callback functions (like checkPreCall) as checks.
  Differential Revision: https://reviews.llvm.org/D67140
  llvm-svn: 371760
* [analyzer] NFC: Move PathDiagnostic classes to libAnalysis.
  Author: Artem Dergachev | Age: 2019-09-11 | Files: 15 | Lines: -1229/+13
  At this point the PathDiagnostic, PathDiagnosticLocation, PathDiagnosticPiece structures no longer rely on anything specific to Static Analyzer, so we can move them out of it for everybody to use.
  PathDiagnosticConsumers are still to be handed off.
  Differential Revision: https://reviews.llvm.org/D67419
  llvm-svn: 371661
* [analyzer] NFC: Move resetDiagnosticLocationToMainFile() to BugReporter.
  Author: Artem Dergachev | Age: 2019-09-11 | Files: 2 | Lines: -65/+66
  This method of PathDiagnostic is a part of Static Analyzer's particular path diagnostic construction scheme. As such, it doesn't belong to the PathDiagnostic class, but to the Analyzer.
  Differential Revision: https://reviews.llvm.org/D67418
  llvm-svn: 371660
* [analyzer] NFC: Move getStmt() and createEndOfPath() out of PathDiagnostic.
  Author: Artem Dergachev | Age: 2019-09-11 | Files: 17 | Lines: -178/+172
  These static functions deal with ExplodedNodes which is something we don't want the PathDiagnostic interface to know anything about, as it's planned to be moved out of libStaticAnalyzerCore.
  Differential Revision: https://reviews.llvm.org/D67382
  llvm-svn: 371659
* [analyzer] NFC: Re-implement stack hints as a side map in BugReport.
  Author: Artem Dergachev | Age: 2019-09-11 | Files: 8 | Lines: -110/+104
  That's one of the few random entities in the PathDiagnostic interface that are specific to the Static Analyzer. By moving them out we could let everybody use path diagnostics without linking against Static Analyzer.
  Differential Revision: https://reviews.llvm.org/D67381
  llvm-svn: 371658
* [analyzer] NFC: Simplify bug report equivalence classes to not be ilists.
  Author: Artem Dergachev | Age: 2019-09-09 | Files: 2 | Lines: -12/+11
  Use a vector of unique pointers instead.
  Differential Revision: https://reviews.llvm.org/D67024
  llvm-svn: 371451
* [analyzer] NFC: Introduce sub-classes for path-sensitive and basic reports.
  Author: Artem Dergachev | Age: 2019-09-09 | Files: 71 | Lines: -393/+493
  Checkers are now required to specify whether they're creating a path-sensitive report or a path-insensitive report by constructing an object of the respective type.
  This makes BugReporter more independent from the rest of the Static Analyzer because all Analyzer-specific code is now in sub-classes.
  Differential Revision: https://reviews.llvm.org/D66572
  llvm-svn: 371450
* Move prop-sink branch to monorepo.
  Author: Gabor Borsik | Age: 2019-09-08 | Files: 1 | Lines: -29/+65
  llvm-svn: 371342
* [analyzer] Add minimal support for fix-it hints.
  Author: Artem Dergachev | Age: 2019-09-06 | Files: 5 | Lines: -61/+174
  Allow attaching fixit hints to Static Analyzer BugReports.
  Fixits are attached either to the bug report itself or to its notes (path-sensitive event notes or path-insensitive extra notes).
  Add support for fixits in text output (including the default text output that goes without notes, as long as the fixit "belongs" to the warning).
  Add support for fixits in the plist output mode.
  Implement a fixit for the path-insensitive DeadStores checker. Only dead initialization warning is currently covered.
  Implement a fixit for the path-sensitive VirtualCall checker when the virtual method is not pure virtual (in this case the "fix" is to suppress the warning by qualifying the call).
  Both fixits are under an off-by-default flag for now, because they require more careful testing.
  Differential Revision: https://reviews.llvm.org/D65182
  llvm-svn: 371257
* [analyzer] pr43179: Make CallDescription defensive against C variadic functions.
  Author: Artem Dergachev | Age: 2019-09-06 | Files: 2 | Lines: -3/+7
  Most functions that our checkers react upon are not C-style variadic functions, and therefore they have as many actual arguments as they have formal parameters.
  However, it's not impossible to define a variadic function with the same name. This will crash any checker that relies on CallDescription to check the number of arguments but silently assumes that the number of parameters is the same.
  Change CallDescription to check both the number of arguments and the number of parameters by default.
  If we're intentionally trying to match variadic functions, allow specifying arguments and parameters separately (possibly omitting any of them). For now we only have one CallDescription which would make use of those, namely __builtin_va_start itself.
  Differential Revision: https://reviews.llvm.org/D67019
  llvm-svn: 371256
* Unbreak the build after r370798
  Author: Benjamin Kramer | Age: 2019-09-03 | Files: 1 | Lines: -1/+1
  llvm-svn: 370807
* [analyzer] NonNullParamChecker and CStringChecker parameter number in checker message
  Author: Kristof Umann | Age: 2019-09-03 | Files: 2 | Lines: -24/+35
  There are some functions which can't be given a null pointer as parameter either because it has a nonnull attribute or it is declared to have undefined behavior (e.g. strcmp()). Sometimes it is hard to determine from the checker message which parameter is null at the invocation, so now this information is included in the message.
  This commit fixes https://bugs.llvm.org/show_bug.cgi?id=39358
  Reviewed By: NoQ, Szelethus, whisperity
  Patch by Tibor Brunner!
  Differential Revision: https://reviews.llvm.org/D66333
  llvm-svn: 370798
* [analyzer] Add a checker option to detect nested dead stores
  Author: Kristof Umann | Age: 2019-09-03 | Files: 1 | Lines: -9/+24
  Enables the users to specify an optional flag which would warn for more dead stores. Previously it ignored if the dead store happened e.g. in an if condition.
      if ((X = generate())) { // dead store to X
      }
  This patch introduces the `WarnForDeadNestedAssignments` option to the checker, which is `false` by default - so this change would not affect any previous users.
  I have updated the code, tests and the docs as well. If I missed something, tell me.
  I also ran the analysis on Clang which generated 14 more reports compared to the unmodified version. All of them seemed reasonable for me.
  Related previous patches: rGf224820b45c6847b91071da8d7ade59f373b96f3
  Reviewers: NoQ, krememek, Szelethus, baloghadamsoftware
  Reviewed By: Szelethus
  Patch by Balázs Benics!
  Differential Revision: https://reviews.llvm.org/D66733
  llvm-svn: 370767
* [Analyzer] Iterator Checkers - Make range errors and invalidated access fatal
  Author: Adam Balogh | Age: 2019-08-29 | Files: 1 | Lines: -8/+6
  Range errors (dereferencing or incrementing the past-the-end iterator or decrementing the iterator of the first element of the range) and access of invalidated iterators lead to undefined behavior. There is no point to continue the analysis after such an error on the same execution path, but terminate it by a sink node (fatal error). This also improves the performance and helps avoiding double reports (e.g. in case of nested iterators).
  Differential Revision: https://reviews.llvm.org/D62893
  llvm-svn: 370314
* [analyzer] Fix analyzer warnings on analyzer.
  Author: Artem Dergachev | Age: 2019-08-28 | Files: 17 | Lines: -61/+77
  Write tests for the actual crash that was found. Write comments and refactor code around 17 style bugs and suppress 3 false positives.
  Differential Revision: https://reviews.llvm.org/D66847
  llvm-svn: 370246
* [analyzer] pr43036: Fix support for operator 'sizeof...'.
  Author: Artem Dergachev | Age: 2019-08-28 | Files: 1 | Lines: -0/+1
  It was known to be a compile-time constant so it wasn't evaluated during symbolic execution, but it wasn't evaluated as a compile-time constant either.
  Differential Revision: https://reviews.llvm.org/D66565
  llvm-svn: 370245
* [analyzer] Trust global initializers when analyzing main().
  Author: Artem Dergachev | Age: 2019-08-28 | Files: 1 | Lines: -16/+58
  If the global variable has an initializer, we'll ignore it because we're usually not analyzing the program from the beginning, which means that the global variable may have changed before we start our analysis.
  However when we're analyzing main() as the top-level function, we can rely on global initializers to still be valid. At least in C; in C++ we have global constructors that can still break this logic.
  This patch allows the Static Analyzer to load constant initializers from global variables if the top-level function of the current analysis is main().
  Differential Revision: https://reviews.llvm.org/D65361
  llvm-svn: 370244
* Update the SARIF exporter to SARIF 2.1
  Author: Joe Ranieri | Age: 2019-08-27 | Files: 1 | Lines: -43/+42
  This updates the SARIF exporter to produce SARIF 2.1 output. The bulk of the diffs come from two changes to SARIF:
    * https://github.com/oasis-tcs/sarif-spec/issues/309
    * https://github.com/oasis-tcs/sarif-spec/issues/179
  Differential Revision: https://reviews.llvm.org/D65211
  llvm-svn: 370068
* Fix a SARIF exporter crash with macro expansions
  Author: Joe Ranieri | Age: 2019-08-27 | Files: 1 | Lines: -4/+6
  Differential Revision: https://reviews.llvm.org/D65209
  llvm-svn: 370061
* Fix text range end columns in SARIF to be exclusive
  Author: Joe Ranieri | Age: 2019-08-27 | Files: 1 | Lines: -3/+9
  According to the SARIF specification, "a text region does not include the character specified by endColumn".
  Differential Revision: https://reviews.llvm.org/D65206
  llvm-svn: 370060
* Do a sweep of symbol internalization. NFC.
  Author: Benjamin Kramer | Age: 2019-08-23 | Files: 1 | Lines: -4/+5
  llvm-svn: 369803
* [analyzer] Avoid unnecessary enum range check on LValueToRValue casts
  Author: Kristof Umann | Age: 2019-08-23 | Files: 1 | Lines: -0/+16
  Summary: EnumCastOutOfRangeChecker should not perform enum range checks on LValueToRValue casts, since this type of cast does not actually change the underlying type. Performing the unnecessary check actually triggered an assertion failure deeper in EnumCastOutOfRange for certain input (which is captured in the accompanying test code).
  Reviewers: #clang, Szelethus, gamesh411, NoQ
  Reviewed By: Szelethus, gamesh411, NoQ
  Subscribers: NoQ, gamesh411, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, Charusso, bjope, cfe-commits
  Tags: #clang
  Differential Revision: https://reviews.llvm.org/D66014
  llvm-svn: 369760