summaryrefslogtreecommitdiffstats
path: root/clang/test/Analysis/diagnostics
Commit message (Collapse)AuthorAgeFilesLines
...
* [analyzer] Check for NULL passed to CFAutorelease.Jordan Rose2014-06-211-1/+1
| | | | | | Patch by Sean McBride, tests adjusted by me. llvm-svn: 211453
* [analyzer] Suppress warnings coming out of std::basic_string.Anna Zaks2013-11-041-1/+1
| | | | | | The analyzer cannot reason about the internal invariances of the data structure (radar://15194597). llvm-svn: 194004
* [analyzer] Merge TextPathDiagnostics and ClangDiagPathDiagConsumer.Jordan Rose2013-08-161-0/+21
| | | | | | | | | | | | | | | | | | | | This once again restores notes to following their associated warnings in -analyzer-output=text mode. (This is still only intended for use as a debugging aid.) One twist is that the warning locations in "regular" analysis output modes (plist, multi-file-plist, html, and plist-html) are reported at a different location on the command line than in the output file, since the command line has no path context. This commit makes -analyzer-output=text behave like a normal output format, which means that the *command line output will be different* in -analyzer-text mode. Again, since -analyzer-text is a debugging aid and lo-fi stand-in for a regular output mode, this change makes sense. Along the way, remove a few pieces of stale code related to the path diagnostic consumers. llvm-svn: 188514
* [analyzer] Treat std::initializer_list as opaque rather than aborting.Jordan Rose2013-07-171-1/+1
| | | | | | | | | | | | | | Previously, the use of a std::initializer_list (actually, a CXXStdInitializerListExpr) would cause the analyzer to give up on the rest of the path. Now, it just uses an opaque symbolic value for the initializer_list and continues on. At some point in the future we can add proper support for initializer_list, with access to the elements in the InitListExpr. <rdar://problem/14340207> llvm-svn: 186519
* [analyzer] Enable the new edge algorithm by default.Jordan Rose2013-06-035-5/+5
| | | | | | | | | ...but don't yet migrate over the existing plist tests. Some of these would be trivial to migrate; others could use a bit of inspection first. In any case, though, the new edge algorithm seems to have proven itself, and we'd like more coverage (and more usage) of it going forwards. llvm-svn: 183165
* [analyzer] Do not assert on reports ending in calls within macros.Anna Zaks2013-05-222-12/+698
| | | | | | | | | The crash is triggered by the newly added option (-analyzer-config report-in-main-source-file=true) introduced in r182058. Note, ideally, we’d like to report the issue within the main source file here as well. For now, just do not crash. llvm-svn: 182445
* [analyzer] Address Jordan's review comments for r182058Anna Zaks2013-05-171-4/+4
| | | | llvm-svn: 182156
* [analyzer] Add an option to use the last location in the main source file as ↵Anna Zaks2013-05-162-0/+1113
| | | | | | | | | | | | | the report location. Previously, we’ve used the last location of the analyzer issue path as the location of the report. This might not provide the best user experience, when one analyzer a source file and the issue appears in the header. Introduce an option to use the last location of the path that is in the main source file as the report location. New option can be enabled with -analyzer-config report-in-main-source-file=true. llvm-svn: 182058
* [analyzer] Do not check if sys/queue.h file is a system header.Anna Zaks2013-05-101-1/+0
| | | | | | | In most cases it is, by just looking at the name. Also, this check prevents the heuristic from working in strange user settings. radar://13839692 llvm-svn: 181615
* [analyzer] Refactor BugReport::getLocation and ↵Anna Zaks2013-04-231-76/+8
| | | | | | | | | | | | | | | PathDiagnosticLocation::createEndOfPath for greater code reuse The 2 functions were computing the same location using different logic (each one had edge case bugs that the other one did not). Refactor them to rely on the same logic. The location of the warning reported in text/command line output format will now match that of the plist file. There is one change in the plist output as well. When reporting an error on a BinaryOperator, we use the location of the operator instead of the beginning of the BinaryOperator expression. This matches our output on command line and looks better in most cases. llvm-svn: 180165
* [analyzer] Allow TrackConstraintBRVisitor to work when the value it’s ↵Anna Zaks2013-04-171-2/+352
| | | | | | | | | | tracking is not live in the last node of the path We always register the visitor on a node in which the value we are tracking is live and constrained. However, the visitation can restart at a node, later on the path, in which the value is under constrained because it is no longer live. Previously, we just silently stopped tracking in that case. llvm-svn: 179731
* Extended VerifyDiagnosticConsumer to also verify source file for diagnostic.Andy Gibbs2013-04-171-64/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | VerifyDiagnosticConsumer previously would not check that the diagnostic and its matching directive referenced the same source file. Common practice was to create directives that referenced other files but only by line number, and this led to problems such as when the file containing the directive didn't have enough lines to match the location of the diagnostic in the other file, leading to bizarre file formatting and other oddities. This patch causes VerifyDiagnosticConsumer to match source files as well as line numbers. Therefore, a new syntax is made available for directives, for example: // expected-error@file:line {{diagnostic message}} This extends the @line feature where "file" is the file where the diagnostic is generated. The @line syntax is still available and uses the current file for the diagnostic. "file" can be specified either as a relative or absolute path - although the latter has less usefulness, I think! The #include search paths will be used to locate the file and if it is not found an error will be generated. The new check is not optional: if the directive is in a different file to the diagnostic, the file must be specified. Therefore, a number of test-cases have been updated with regard to this. This closes out PR15613. llvm-svn: 179677
* [analyzer] Show "Returning from ..." note at caller's depth, not callee's.Jordan Rose2013-04-122-99/+100
| | | | | | | | | | | | | | | | | | | | | | | | Before: 1. Calling 'foo' 2. Doing something interesting 3. Returning from 'foo' 4. Some kind of error here After: 1. Calling 'foo' 2. Doing something interesting 3. Returning from 'foo' 4. Some kind of error here The location of the note is already in the caller, not the callee, so this just brings the "depth" attribute in line with that. This only affects plist diagnostic consumers (i.e. Xcode). It's necessary for Xcode to associate the control flow arrows with the right stack frame. <rdar://problem/13634363> llvm-svn: 179351
* [analyzer] For now, don't inline [cd]tors of C++ containers.Jordan Rose2013-04-021-1/+10
| | | | | | | | | | | | | | | | | | | | | This is a heuristic to make up for the fact that the analyzer doesn't model C++ containers very well. One example is modeling that 'std::distance(I, E) == 0' implies 'I == E'. In the future, it would be nice to model this explicitly, but for now it just results in a lot of false positives. The actual heuristic checks if the base type has a member named 'begin' or 'iterator'. If so, we treat the constructors and destructors of that type as opaque, rather than inlining them. This is intended to drastically reduce the number of false positives reported with experimental destructor support turned on. We can tweak the heuristic in the future, but we'd rather err on the side of false negatives for now. <rdar://problem/13497258> llvm-svn: 178516
* [analyzer] Allow suppressing diagnostics reported within the 'std' namespaceJordan Rose2013-04-021-0/+71
| | | | | | | | | | | | This is controlled by the 'suppress-c++-stdlib' analyzer-config flag. It is currently off by default. This is more suppression than we'd like to do, since obviously there can be user-caused issues within 'std', but it gives us the option to wield a large hammer to suppress false positives the user likely can't work around. llvm-svn: 178513
* [analyzer] Add a test case for diagnostic suppression on a graph with cycles.Jordan Rose2013-03-191-0/+19
| | | | | | (see previous commit) llvm-svn: 177449
* [analyzer] BugReporter - more precise tracking of C++ referencesAnna Zaks2013-03-131-0/+15
| | | | | | | | | | | | | | | | When BugReporter tracks C++ references involved in a null pointer violation, we want to differentiate between a null reference and a reference to a null pointer. In the first case, we want to track the region for the reference location; in the second, we want to track the null pointer. In addition, the core creates CXXTempObjectRegion to represent the location of the C++ reference, so teach FindLastStoreBRVisitor about it. This helps null pointer suppression to kick in. (Patch by Anna and Jordan.) llvm-svn: 176969
* [analyzer] Add test case for reference to null pointer param checkAnna Zaks2013-03-091-0/+12
| | | | | | This tests that we track the original Expr if getDerefExpr fails. llvm-svn: 176754
* [analyzer] Simple inline defensive checks suppressionAnna Zaks2013-03-021-152/+45
| | | | | | | | | | | | | | | | | | | | | Inlining brought a few "null pointer use" false positives, which occur because the callee defensively checks if a pointer is NULL, whereas the caller knows that the pointer cannot be NULL in the context of the given call. This is a first attempt to silence these warnings by tracking the symbolic value along the execution path in the BugReporter. The new visitor finds the node in which the symbol was first constrained to NULL. If the node belongs to a function on the active stack, the warning is reported, otherwise, it is suppressed. There are several areas for follow up work, for example: - How do we differentiate the cases where the first check is followed by another one, which does happen on the active stack? Also, this only silences a fraction of null pointer use warnings. For example, it does not do anything for the cases where NULL was assigned inside a callee. llvm-svn: 176402
* [analyzer] Fix test for previous commit.Jordan Rose2013-02-271-423/+0
| | | | llvm-svn: 176202
* [analyzer] Teach FindLastStoreBRVisitor to understand stores of the same value.Jordan Rose2013-02-271-4/+886
| | | | | | | | | | | | | | | | | | | | | | | | | | Consider this case: int *p = 0; p = getPointerThatMayBeNull(); *p = 1; If we inline 'getPointerThatMayBeNull', we might know that the value of 'p' is NULL, and thus emit a null pointer dereference report. However, we usually want to suppress such warnings as error paths, and we do so by using FindLastStoreBRVisitor to see where the NULL came from. In this case, though, because 'p' was NULL both before and after the assignment, the visitor would decide that the "last store" was the initialization, not the re-assignment. This commit changes FindLastStoreBRVisitor to consider all PostStore nodes that assign to this region. This still won't catches changes made directly by checkers if they re-assign the same value, but it does handle the common case in user-written code and will trigger ReturnVisitor's suppression machinery as expected. <rdar://problem/13299738> llvm-svn: 176201
* [analyzer] Use 'MemRegion::printPretty()' instead of assuming the region is ↵Ted Kremenek2013-02-264-159/+153
| | | | | | | | | | | | a VarRegion. Fixes PR15358 and <rdar://problem/13295437>. Along the way, shorten path diagnostics that say "Variable 'x'" to just be "'x'". By the context, it is obvious that we have a variable, and so this just consumes text space. llvm-svn: 176115
* [analyzer] tracking stores/constraints now works for ObjC ivars or struct ↵Ted Kremenek2013-02-242-447/+569
| | | | | | | | | | | | | | | | | | | | | | | fields. This required more changes than I originally expected: - ObjCIvarRegion implements "canPrintPretty" et al - DereferenceChecker indicates the null pointer source is an ivar - bugreporter::trackNullOrUndefValue() uses an alternate algorithm to compute the location region to track by scouring the ExplodedGraph. This allows us to get the actual MemRegion for variables, ivars, fields, etc. We only hand construct a VarRegion for C++ references. - ExplodedGraph no longer drops nodes for expressions that are marked 'lvalue'. This is to facilitate the logic in the previous bullet. This may lead to a slight increase in size in the ExplodedGraph, which I have not measured, but it is likely not to be a big deal. I have validated each of the changed plist output. Fixes <rdar://problem/12114812> llvm-svn: 175988
* [analyzer] Add 'prune-paths' config option to disable path pruning.Jordan Rose2013-01-261-0/+21
| | | | | | This should be used for testing only. Path pruning is still on by default. llvm-svn: 173545
* Move an input header file under an Inputs directory to be consistentChandler Carruth2013-01-192-1/+1
| | | | | | | with other auxilliary test inputs and simplify the identification of inputs to tests. llvm-svn: 172890
* [analyzer] Suppress warnings coming out of macros defined in sys/queue.hAnna Zaks2013-01-192-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | | Suppress the warning by just not emitting the report. The sink node would get generated, which is fine since we did reach a bad state. Motivation Due to the way code is structured in some of these macros, we do not reason correctly about it and report false positives. Specifically, the following loop reports a use-after-free. Because of the way the code is structured inside of the macro, the analyzer assumes that the list can have cycles, so you end up with use-after-free in the loop, that is safely deleting elements of the list. (The user does not have a way to teach the analyzer about shape of data structures.) SLIST_FOREACH_SAFE(item, &ctx->example_list, example_le, tmpitem) { if (item->index == 3) { // if you remove each time, no complaints assert((&ctx->example_list)->slh_first == item); SLIST_REMOVE(&ctx->example_list, item, example_s, example_le); free(item); } } llvm-svn: 172883
* [analyzer] Plist: change the type of issue_hash from int to string.Anna Zaks2013-01-084-6/+6
| | | | | | This gives more flexibility to what could be stored as issue_hash. llvm-svn: 171824
* [analyzer] Check that the argument to CFMakeCollectable is non-NULL.Jordan Rose2012-11-071-1/+1
| | | | | | Patch by Sean McBride! llvm-svn: 167537
* TrackConstraintBRVisitor and ConditionBRVisitor can emit similarTed Kremenek2012-10-251-2/+1
| | | | | | | | | | | | path notes for cases where a value may be assumed to be null, etc. Instead of having redundant diagnostics, do a pass over the generated PathDiagnostic pieces and remove notes from TrackConstraintBRVisitor that are already covered by ConditionBRVisitor, whose notes tend to be better. Fixes <rdar://problem/12252783> llvm-svn: 166728
* [analyzer] Teach UndefOrNullArgVisitor to track parent regions.Anna Zaks2012-09-121-423/+1155
| | | | llvm-svn: 163748
* Fix bug in ConditionBRVisitor where for C++ (and not C) we were not ignoringTed Kremenek2012-09-071-0/+1
| | | | | | | | | | | | | | | | implicit pointer-to-boolean conversions in condition expressions. This would result in inconsistent diagnostic emission between C and C++. A consequence of this is now ConditionBRVisitor and TrackConstraintBRVisitor may emit redundant diagnostics, for example: "Assuming pointer value is null" (TrackConstraintBRVisitor) "Assuming 'p' is null" (ConditionBRVisitor) We need to reconcile the two, and perhaps prefer one over the other in some cases. llvm-svn: 163372
* [analyzer] Enhance the member expr tracking to account for references.Anna Zaks2012-09-051-0/+16
| | | | | | As per Jordan's suggestion. (Came out of code review for r163261.) llvm-svn: 163269
* [analyzer] NullOrUndef diagnostics: track symbols binded to regions.Anna Zaks2012-09-051-0/+354
| | | | | | | | | If a region is binded to a symbolic value, we should track the symbol. (The code I changed was not previously exercised by the regression tests.) llvm-svn: 163261
* [analyzer] Fixup 162863.Anna Zaks2012-08-291-2/+2
| | | | | | Thanks Jordan. llvm-svn: 162875
* [analyzer] Improved diagnostic pruning for calls initializing values.Anna Zaks2012-08-293-226/+1080
| | | | | | | | | | | | | | | | | | | | This heuristic addresses the case when a pointer (or ref) is passed to a function, which initializes the variable (or sets it to something other than '0'). On the branch where the inlined function does not set the value, we report use of undefined value (or NULL pointer dereference). The access happens in the caller and the path through the callee would get pruned away with regular path pruning. To solve this issue, we previously disabled diagnostic pruning completely on undefined and null pointer dereference checks, which entailed very verbose diagnostics in most cases. Furthermore, not all of the undef value checks had the diagnostic pruning disabled. This patch implements the following heuristic: if we pass a pointer (or ref) to the region (on which the error is reported) into a function and it's value is either undef or 'NULL' (and is a pointer), do not prune the function. llvm-svn: 162863
* PlistDiagnostics: force the ranges for control-flow edges to be single ↵Ted Kremenek2012-06-051-223/+226
| | | | | | | | locations, forcing adjacent edges to have compatible ranges. This simplifies the layout logic for some clients. llvm-svn: 158028
* [analyzer] Fixup for r157950. Unbreak the bots.Anna Zaks2012-06-041-2/+0
| | | | llvm-svn: 157954
* [analyzer] Fix a diagnostics bug which lead to a crash on the buildbot.Anna Zaks2012-06-042-0/+241
This bug was triggered by r157851. It only happens in the case where we don't perform optimal diagnostic pruning. llvm-svn: 157950
OpenPOWER on IntegriCloud