summaryrefslogtreecommitdiffstats
path: root/clang/lib/StaticAnalyzer
Commit message (Collapse)AuthorAgeFilesLines
...
* [analyzer] Exploration strategy prioritizing unexplored nodes firstGeorge Karpenkov2018-02-262-0/+66
| | | | | | | | | | | | | | See D42775 for discussion. Turns out, just exploring nodes which weren't explored first is not quite enough, as e.g. the first quick traversal resulting in a report can mark everything as "visited", and then subsequent traversals of the same region will get all the pitfalls of DFS. Priority queue-based approach in comparison shows much greater increase in coverage and even performance, without sacrificing memory. Differential Revision: https://reviews.llvm.org/D43354 llvm-svn: 326136
* [analyzer] Do not analyze bison-generated filesGeorge Karpenkov2018-02-261-37/+61
| | | | | | | | | | | | | | | | | | | | | Bison/YACC generated files result in a very large number of (presumably) false positives from the analyzer. These false positives are "true" in a sense of the information analyzer sees: assuming that the lexer can return any token at any point a number of uninitialized reads does occur. (naturally, the analyzer can not capture a complex invariant that certain tokens can only occur under certain conditions). Current fix simply stops analysis on those files. I have examined a very large number of such auto-generated files, and they do all start with such a comment. Conversely, user code is very unlikely to contain such a comment. rdar://33608161 Differential Revision: https://reviews.llvm.org/D43421 llvm-svn: 326135
* Revert "[analyzer] Quickfix: do not overflow in calculating offset in ↵George Karpenkov2018-02-261-46/+0
| | | | | | | | | | RegionManager" This reverts commit df306c4c5ab4a6b8d3c47432346d1f9b90c328b4. Reverting until I can figured out the reasons for failures. llvm-svn: 326131
* [analyzer] Quickfix: do not overflow in calculating offset in RegionManagerGeorge Karpenkov2018-02-261-0/+46
| | | | | | | | | | | | | | Addresses https://bugs.llvm.org/show_bug.cgi?id=36206 rdar://37159026 A proper fix would be much harder, and would involve changing the appropriate code in ExprEngine to be aware of the size limitations of the type used for addressing. Differential Revision: https://reviews.llvm.org/D43218 llvm-svn: 326122
* Remove unused variable. We should be warning-free.Daniel Jasper2018-02-241-1/+1
| | | | llvm-svn: 326024
* [analyzer] Relax the assert used when traversing the node graph.George Karpenkov2018-02-231-1/+5
| | | | | | | | | | | | | | The assertion gets exposed when changing the exploration order. This is a quick hacky fix, but the intention is that if the nodes do merge, it should not matter which predecessor should be traverse. A proper fix would be not to traverse predecessors at all, as all information relevant for any decision should be avilable locally. rdar://37540480 Differential Revision: https://reviews.llvm.org/D42773 llvm-svn: 325977
* [analyzer] mark returns of functions where the region passed as parameter ↵George Karpenkov2018-02-231-0/+272
| | | | | | | | | | | | | | | | | | was not initialized In the wild, many cases of null pointer dereference, or uninitialized value read occur because the value was meant to be initialized by the inlined function, but did not, most often due to error condition in the inlined function. This change highlights the return branch taken by the inlined function, in order to help user understand the error report and see why the value was uninitialized. rdar://36287652 Differential Revision: https://reviews.llvm.org/D41848 llvm-svn: 325976
* [analyzer] Consider switch- and goto- labels when constructing the set of ↵George Karpenkov2018-02-231-6/+24
| | | | | | | | | | | | executed lines When viewing the report in the collapsed mode the label signifying where did the execution go is often necessary for properly understanding the context. Differential Revision: https://reviews.llvm.org/D43145 llvm-svn: 325975
* [analyzer] Prevent AnalyzerStatsChecker from crashPeter Szecsi2018-02-211-0/+2
| | | | | | | | | | | | The checker marks the locations where the analyzer creates sinks. However, it can happen that the sink was created because of a loop which does not contain condition statement, only breaks in the body. The exhausted block is the block which should contain the condition but empty, in this case. This change only emits this marking in order to avoid the undefined behavior. Differential Revision: https://reviews.llvm.org/D42266 llvm-svn: 325693
* [Analyzer] Move UnexploredFirstStack into an anonymous namespace.Benjamin Kramer2018-02-181-0/+2
| | | | | | No functionality change intended. llvm-svn: 325468
* Silence a -Wparentheses warning; NFC.Aaron Ballman2018-02-151-1/+1
| | | | llvm-svn: 325293
* Silence some -Wunused-variable warnings; NFC.Aaron Ballman2018-02-151-2/+2
| | | | llvm-svn: 325292
* [analyzer] Suppress temporary destructors for temporary arrays.Artem Dergachev2018-02-151-3/+16
| | | | | | | | | | | | | | | Array destructors, like constructors, need to be called for each element of the array separately. We do not have any mechanisms to do this in the analyzer, so for now all we do is evaluate a single constructor or destructor conservatively and give up. It automatically causes the necessary invalidation and pointer escape for the whole array, because this is how RegionStore works. Implement this conservative behavior for temporary destructors. This fixes the crash on the provided test. Differential Revision: https://reviews.llvm.org/D43149 llvm-svn: 325286
* [analyzer] Implement path notes for temporary destructors.Artem Dergachev2018-02-151-2/+8
| | | | | | | | | | | | | | Temporary destructors fire at the end of the full-expression. It is reasonable to attach the path note for entering/leaving the temporary destructor to its CXXBindTemporaryExpr. This would not affect lifetime-extended temporaries with their automatic destructors which aren't temporary destructors. The path note may be confusing in the case of destructors after elidable copy constructors. Differential Revision: https://reviews.llvm.org/D43144 llvm-svn: 325284
* [analyzer] Compute the correct this-region for temporary destructors.Artem Dergachev2018-02-155-88/+147
| | | | | | | | | | | | | | | | | | | Inline them if possible - a separate flag is added to control this. The whole thing is under the cfg-temporary-dtors flag, off by default so far. Temporary destructors are called at the end of full-expression. If the temporary is lifetime-extended, automatic destructors kick in instead, which are not addressed in this patch, and normally already work well modulo the overally broken support for lifetime extension. The patch operates by attaching the this-region to the CXXBindTemporaryExpr in the program state, and then recalling it during destruction that was triggered by that CXXBindTemporaryExpr. It has become possible because CXXBindTemporaryExpr is part of the construction context since r325210. Differential revision: https://reviews.llvm.org/D43104 llvm-svn: 325282
* [analyzer] NFC: Eliminate ParentMap lookup in mayInlineCallKind().Artem Dergachev2018-02-152-9/+3
| | | | | | | | Don't look at the parent statement to figure out if the cxx-allocator-inlining flag should kick in and prevent us from inlining the constructor within a new-expression. We now have construction contexts for that purpose. llvm-svn: 325278
* [analyzer] Inline constructors for destroyable temporaries.Artem Dergachev2018-02-151-0/+3
| | | | | | | | | | | | | | | | | | | | | Since r325210, in cfg-temporary-dtors mode, we can rely on the CFG to tell us that we're indeed constructing a temporary, so we can trivially construct a temporary region and inline the constructor. Much like r325202, this is only done under the off-by-default cfg-temporary-dtors flag because the temporary destructor, even if available, will not be inlined and won't have the correct object value (target region). Unless this is fixed, it is quite unsafe to inline the constructor. If the temporary is lifetime-extended, the destructor would be an automatic destructor, which would be evaluated with a "correct" target region - modulo the series of incorrect relocations performed during the lifetime extension. It means that at least, values within the object are guaranteed to be properly escaped or invalidated. Differential Revision: https://reviews.llvm.org/D43062 llvm-svn: 325211
* [analyzer] Decide on inlining destructors via EvalCallOptions.Artem Dergachev2018-02-153-55/+59
| | | | | | | | | | | | | | | | | | | | EvalCallOptions were introduced in r324018 for allowing various parts of ExprEngine to notify the inlining mechanism, while preparing for evaluating a function call, of possible difficulties with evaluating the call that they foresee. Then mayInlineCall() would still be a single place for making the decision. Use that mechanism for destructors as well - pass the necessary flags from the CFG-element-specific destructor handlers. Part of this patch accidentally leaked into r324018, which led into a change in tests; this change is reverted now, because even though the change looked correct, the underlying behavior wasn't. Both of these commits were not intended to introduce any function changes otherwise. Differential Revision: https://reviews.llvm.org/D42991 llvm-svn: 325209
* [analyzer] Allow inlining constructors into return values.Artem Dergachev2018-02-152-4/+23
| | | | | | | | | | | | | | | | | This only affects the cfg-temporary-dtors mode - in this mode we begin inlining constructors that are constructing function return values. These constructors have a correct construction context since r324952. Because temporary destructors are not only never inlined, but also don't have the correct target region yet, this change is not entirely safe. But this will be fixed in the subsequent commits, while this stays off behind the cfg-temporary-dtors flag. Lifetime extension for return values is still not modeled correctly. Differential Revision: https://reviews.llvm.org/D42875 llvm-svn: 325202
* [analyzer] NFC: Remove dead checks when computing DeclStmt construction region.Artem Dergachev2018-02-151-9/+6
| | | | | | | | | In CFG, every DeclStmt has exactly one decl, which is always a variable. It is also pointless to check that the initializer is the constructor because that's how construction contexts work now. llvm-svn: 325201
* Teach Wreturn-type, Wunreachable-code, and alpha.deadcode.UnreachableCode to ↵Nico Weber2018-02-131-1/+2
| | | | | | | | | treat __assume(0) like __builtin_unreachable. Fixes PR29134. https://reviews.llvm.org/D43221 llvm-svn: 325052
* [analyzer] Exploration strategy prioritizing unexplored coverage firstGeorge Karpenkov2018-02-122-12/+79
| | | | | | | | | | See reviews.llvm.org/M1 for evaluation, and lists.llvm.org/pipermail/cfe-dev/2018-January/056718.html for discussion. Differential Revision: https://reviews.llvm.org/D42775 llvm-svn: 324956
* [analyzer] NFC: Assert that our fix for noreturn destructors keeps working.Artem Dergachev2018-02-101-5/+15
| | | | | | | | | | | | | | | | Massive false positives were known to be caused by continuing the analysis after a destructor with a noreturn attribute has been executed in the program but not modeled in the analyzer due to being missing in the CFG. Now that work is being done on enabling the modeling of temporary constructors and destructors in the CFG, we need to make sure that the heuristic that suppresses these false positives keeps working when such modeling is disabled. In particular, different code paths open up when the corresponding constructor is being inlined during analysis. Differential Revision: https://reviews.llvm.org/D42779 llvm-svn: 324802
* [analyzer] NFC: Use CFG construction contexts instead of homemade lookahead.Artem Dergachev2018-02-101-59/+11
| | | | | | | | | | | | | | | The analyzer was relying on peeking the next CFG element during analysis whenever it was trying to figure out what object is being constructed by a given constructor. This information is now available in the current CFG element in all cases that were previously supported by the analyzer, so no complicated lookahead is necessary anymore. No functional change intended - the context in the CFG should for now be available if and only if it was previously discoverable via CFG lookahead. Differential Revision: https://reviews.llvm.org/D42721 llvm-svn: 324800
* [analyzer] Serialize statistics to plist when serialize-stats=true is setGeorge Karpenkov2018-02-103-14/+34
| | | | | | Differential Revision: https://reviews.llvm.org/D43131 llvm-svn: 324793
* [analyzer] Add missing pre-post-statement callbacks for OffsetOfExpr.Artem Dergachev2018-02-102-3/+22
| | | | | | | | | | | | | This expression may or may not be evaluated in compile time, so tracking the result symbol is of potential interest. However, run-time offsetof is not yet supported by the analyzer, so for now this callback is only there to assist future implementation. Patch by Henry Wong! Differential Revision: https://reviews.llvm.org/D42300 llvm-svn: 324790
* [analyzer] Add support for __builtin_constant_p.Artem Dergachev2018-02-101-1/+2
| | | | | | | | | | | This builtin is evaluated in compile time. But in the analyzer we don't yet automagically evaluate all calls that can be evaluated in compile time. Patch by Felix Kostenzer! Differential Revision: https://reviews.llvm.org/D42745 llvm-svn: 324789
* [analyzer] Introduce statistics for the total number of visited basic blocksGeorge Karpenkov2018-02-091-0/+4
| | | | | | Differential Revision: https://reviews.llvm.org/D43133 llvm-svn: 324785
* [analyzer] MallocChecker: Fix one more bug category.Artem Dergachev2018-02-081-2/+2
| | | | | | | | | | | Even though most of the inconsistencies in MallocChecker's bug categories were fixed in r302016, one more was introduced in r301913 which was later missed. Patch by Henry Wong! Differential Revision: https://reviews.llvm.org/D43074 llvm-svn: 324680
* [CFG] Add extra context to C++ constructor statement elements.Artem Dergachev2018-02-084-12/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new CFGStmt sub-class, CFGConstructor, which replaces the regular CFGStmt with CXXConstructExpr in it whenever the CFG has additional information to provide regarding what sort of object is being constructed. It is useful for figuring out what memory is initialized in client of the CFG such as the Static Analyzer, which do not operate by recursive AST traversal, but instead rely on the CFG to provide all the information when they need it. Otherwise, the statement that triggers the construction and defines what memory is being initialized would normally occur after the construct-expression, and the client would need to peek to the next CFG element or use statement parent map to understand the necessary facts about the construct-expression. As a proof of concept, CFGConstructors are added for new-expressions and the respective test cases are provided to demonstrate how it works. For now, the only additional data contained in the CFGConstructor element is the "trigger statement", such as new-expression, which is the parent of the constructor. It will be significantly expanded in later commits. The additional data is organized as an auxiliary structure - the "construction context", which is allocated separately from the CFGElement. Differential Revision: https://reviews.llvm.org/D42672 llvm-svn: 324668
* [analyzer] Self-debug: Dump the core's internal state traits to the egraph.Artem Dergachev2018-02-082-2/+56
| | | | | | | | It is useful for debugging problems with C++ operator new() or temporaries. Differential Revision: https://reviews.llvm.org/D42560 llvm-svn: 324663
* [analyzer] Self-debug: Dump environment frame-by-frame.Artem Dergachev2018-02-083-65/+39
| | | | | | | | | | | It makes it easier to discriminate between values of similar expressions in different stack frames. It also makes the separate backtrace section in ExplodedGraph dumps redundant. Differential Revision: https://reviews.llvm.org/D42552 llvm-svn: 324660
* [analyzer] [NFC] Factor out generating path diagnostics for a statement into ↵George Karpenkov2018-02-071-636/+648
| | | | | | | | a function Differential Revision: https://reviews.llvm.org/D42558 llvm-svn: 324507
* Revert r324166 "[analyzer] Add a checker for mmap()...".Artem Dergachev2018-02-032-76/+0
| | | | | | | | Due to Buildbot failures - most likely that's because target triples were not specified in the tests, even though the checker behaves differently with different target triples. llvm-svn: 324167
* [analyzer] Add a checker for mmap()s which are both writable and executable.Artem Dergachev2018-02-032-0/+76
| | | | | | | | | | | | | | This is a security check which is disabled by default but will be enabled whenever the user consciously enables the security package. If mmap()ed memory is both writable and executable, it makes it easier for the attacker to execute arbitrary code when contents of this memory are compromised. Some applications require such mmap()s though, such as different sorts of JIT. Patch by David Carlier! Differential Revision: https://reviews.llvm.org/D42645 llvm-svn: 324166
* [analyzer] Do not infer nullability inside function-like macros, even when ↵George Karpenkov2018-02-031-7/+103
| | | | | | | | | | | | | | | | | | | | | macro is explicitly returning NULL We already suppress such reports for inlined functions, we should then get the same behavior for macros. The underlying reason is that the same macro, can be called from many different contexts, and nullability can only be expected in _some_ of them. Assuming that the macro can return null in _all_ of them sometimes leads to a large number of false positives. E.g. consider the test case for the dynamic cast implementation in macro: in such cases, the bug report is unwanted. Tracked in rdar://36304776 Differential Revision: https://reviews.llvm.org/D42404 llvm-svn: 324161
* [analyzer] Fix transitions in check::PreStmt<MemberExpr> checker callback.Artem Dergachev2018-02-021-5/+4
| | | | | | | | | | | No in-tree checkers use this callback so far, hence no tests. But better fix this now than remember to fix this when the checkers actually appear. Patch by Henry Wong! Differential Revision: https://reviews.llvm.org/D42785 llvm-svn: 324053
* [analyzer] Expose return statement from CallExit program pointGeorge Karpenkov2018-02-023-5/+11
| | | | | | | | | | | | | | | | If the return statement is stored, we might as well allow querying against it. Also fix the bug where the return statement is not stored if there is no return value. This change un-merges two ExplodedNodes during call exit when the state is otherwise identical - the CallExitBegin node itself and the "Bind Return Value"-tagged node. And expose the return statement through getStatement helper function. Differential Revision: https://reviews.llvm.org/D42130 llvm-svn: 324052
* Remove the change which accidentally crept in into the cherry-pickGeorge Karpenkov2018-02-021-1/+0
| | | | llvm-svn: 324050
* [analyzer] Expose exploration strategy through analyzer options.George Karpenkov2018-02-023-5/+50
| | | | | | Differential Revision: https://reviews.llvm.org/D42774 llvm-svn: 324049
* [analyzer] Don't communicate evaluation failures through memregion hierarchy.Artem Dergachev2018-02-012-45/+42
| | | | | | | | | | | | | | | | | | | | | | | We use CXXTempObjectRegion exclusively as a bailout value for construction targets when we are unable to find the correct construction region. Sometimes it works correctly, but rather accidentally than intentionally. Now that we want to increase the amount of situations where it works correctly, the first step is to introduce a different way of communicating our failure to find the correct construction region. EvalCallOptions are introduced for this purpose. For now EvalCallOptions are communicating two kinds of problems: - We have been completely unable to find the correct construction site. - We have found the construction site correctly, and there's more than one of them (i.e. array construction which we currently don't support). Accidentally find and fix a test in which the new approach to communicating failures produces better results. Differential Revision: https://reviews.llvm.org/D42457 llvm-svn: 324018
* [analyzer] Extend SuppressInlineDefensiveChecksVisitor to all macros, ↵George Karpenkov2018-01-301-13/+7
| | | | | | | | | | | | including non-function-like ones No reason to treat function-like macros differently here. Tracked in rdar://29907377 Differential Revision: https://reviews.llvm.org/D42444 llvm-svn: 323827
* [analyzer] [NFC] Remove unused method visitItemsInWorkListGeorge Karpenkov2018-01-291-33/+0
| | | | | | Differential Revision: https://reviews.llvm.org/D42562 llvm-svn: 323696
* [NFC] fix trivial typos in comments and documentsHiroshi Inoue2018-01-261-1/+1
| | | | | | "in in" -> "in", "on on" -> "on" etc. llvm-svn: 323509
* [analyzer] Do not attempt to get the pointee of void*Alexander Shaposhnikov2018-01-241-0/+3
| | | | | | | | | | | | Do not attempt to get the pointee of void* while generating a bug report (otherwise it will trigger an assert inside RegionStoreManager::getBinding assert(!T->isVoidType() && "Attempting to dereference a void pointer!")). Test plan: make check-all Differential revision: https://reviews.llvm.org/D42396 llvm-svn: 323382
* [analyzer] Enable c++-allocator-inlining by default.Artem Dergachev2018-01-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | This allows the analyzer to analyze ("inline") custom operator new() calls and, even more importantly, inline constructors of objects that were allocated by any operator new() - not necessarily a custom one. All changes in the tests in the current commit are intended improvements, even if they didn't carry any explicit FIXME flag. It is possible to restore the old behavior via -analyzer-config c++-allocator-inlining=false (this flag is supported by scan-build as well, and it can be into a clang --analyze invocation via -Xclang .. -Xclang ..). There is no intention to remove the old behavior for now. Differential Revision: https://reviews.llvm.org/D42219 rdar://problem/12180598 llvm-svn: 323373
* [analyzer] Assume that the allocated value is non-null before construction.Artem Dergachev2018-01-241-17/+32
| | | | | | | | | | | | | | | | | | I.e. not after. In the c++-allocator-inlining=true mode, we need to make the assumption that the conservatively evaluated operator new() has returned a non-null value. Previously we did this on CXXNewExpr, but now we have to do that before calling the constructor, because some clever constructors are sometimes assuming that their "this" is null and doing weird stuff. We would also crash upon evaluating CXXNewExpr when the allocator was inlined and returned null and had a throw specification; this is UB even for custom allocators, but we still need not to crash. Added more FIXME tests to ensure that eventually we fix calling the constructor for null return values. Differential Revision: https://reviews.llvm.org/D42192 llvm-svn: 323370
* [analyzer] Mark lines as relevant even if they weren't executed but have a ↵George Karpenkov2018-01-231-92/+113
| | | | | | | | label attached Differential Revision: https://reviews.llvm.org/D42320 llvm-svn: 323251
* [analyzer] Show full analyzer invocation for reproducibility in HTML reportsGeorge Karpenkov2018-01-231-1/+6
| | | | | | | | | | | | Analyzing problems which appear in scan-build results can be very difficult, as after the launch no exact invocation is stored, and it's super-hard to launch the debugger. With this patch, the exact analyzer invocation appears in the footer, and can be copied to debug/check reproducibility/etc. rdar://35980230 llvm-svn: 323245
* [analyzer] Protect against dereferencing a null pointerAlexander Shaposhnikov2018-01-221-3/+3
| | | | | | | | | | | | | The check (inside StackHintGeneratorForSymbol::getMessage) if (!N) return getMessageForSymbolNotFound() is moved to the beginning of the function. Differential revision: https://reviews.llvm.org/D42388 Test plan: make check-all llvm-svn: 323146
OpenPOWER on IntegriCloud