path: root/clang/test/Analysis/malloc.c
Commit message | Author | Age | Files | Lines
...
* [analyzer] Construct a SymExpr even when the constraint solver cannot reason about the expression.
  This essentially keeps more history about how symbolic values were constructed. As an optimization, previous to this commit, we only kept the history if one of the symbols was tainted, but it's valuable to keep the history around for other purposes as well: it allows us to avoid constructing conjured symbols. Specifically, we need to identify the value of ptr as ElementRegion (result of pointer arithmetic) in the following code. However, before this commit '(2-x)' evaluated to Unknown value, and as the result, 'p + (2-x)' evaluated to Unknown value as well.
    int *p = malloc(sizeof(int));
    ptr = p + (2-x);
  This change brings 2% slowdown on sqlite. Fixes radar://11329382.
  llvm-svn: 155944
  Author: Anna Zaks | Age: 2012-05-01 | Files: 1 | Lines: -0/+7
* [analyzer] check lazy bindings in RegionStore first before looking for default values. Fixes <rdar://problem/11269741>.
  llvm-svn: 155615
  Author: Ted Kremenek | Age: 2012-04-26 | Files: 1 | Lines: -0/+16
* [analyzer] Malloc: Utter the name of the leaked variable.
  Specifically, we use the last store of the leaked symbol in the leak diagnostic. (No support for struct fields since the malloc checker doesn't track those yet.)
  + Infrastructure to track the regions used in store evaluations. This approach is more precise than iterating the store to obtain the region bound to the symbol, which is used in RetainCount checker. The region corresponds to what is uttered in the code in the last store and we do not rely on the store implementation to support this functionality.
  llvm-svn: 153212
  Author: Anna Zaks | Age: 2012-03-21 | Files: 1 | Lines: -16/+16
* Teach SimpleSValBuilder that (in the absence of more information) stack memory doesn't alias symbolic memory. This is a heuristic/hack, but works well in practice. Fixes <rdar://problem/10978247>.
  llvm-svn: 152065
  Author: Ted Kremenek | Age: 2012-03-05 | Files: 1 | Lines: -0/+32
* [analyzer] Malloc: A pointer might escape through CFContainers APIs, funopen, setvbuf.
  Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it.
  llvm-svn: 151737
  Author: Anna Zaks | Age: 2012-02-29 | Files: 1 | Lines: -0/+43
* [analyzer] Malloc: unique leak reports by allocation site.
  When we find two leak reports with the same allocation site, report only one of them. Provide a helper method to BugReporter to facilitate this.
  llvm-svn: 151287
  Author: Anna Zaks | Age: 2012-02-23 | Files: 1 | Lines: -2/+2
* [analyzer] Invalidate the region passed to pthread_setspecific() call.
  Make this call an exception in ExprEngine::invalidateArguments: 'int pthread_setspecific(pthread_key k, const void *)' stores a value into thread local storage. The value can later be retrieved with 'void *pthread_getspecific(pthread_key)'. So even though the parameter is 'const void *', the region escapes through the call.
  (Here we just blacklist the call in the ExprEngine's default logic. Another option would be to add a checker which evaluates the call and triggers the call to invalidate regions.)
  Teach the Malloc Checker, which treats all system calls as safe, about the API.
  llvm-svn: 151220
  Author: Anna Zaks | Age: 2012-02-23 | Files: 1 | Lines: -0/+10
* [analyzer] Malloc cleanup:
  - We should not evaluate strdup in the Malloc Checker, it's the job of CString checker, so just update the RefState to reflect allocated memory.
  - Refactor to reduce LOC: remove some wrapper auxiliary functions, make all functions return the state and add the transition in one place (instead of in each auxiliary function).
  llvm-svn: 151188
  Author: Anna Zaks | Age: 2012-02-22 | Files: 1 | Lines: -0/+6
* [analyzer] Malloc checker: mark 'strdup' and 'strndup' as allocators.
  llvm-svn: 151124
  Author: Anna Zaks | Age: 2012-02-22 | Files: 1 | Lines: -0/+19
* [analyzer] Malloc: fix another false positive, when we return a symbol reachable to the malloced one via pointer arithmetic.
  llvm-svn: 151121
  Author: Anna Zaks | Age: 2012-02-22 | Files: 1 | Lines: -14/+31
* [analyzer] Turn on by default the Malloc Checker and a couple of CString checks:
  - unix.Malloc - Checks for memory leaks, double free, use-after-free.
  - unix.cstring.NullArg - Checks for null pointers passed as arguments to CString functions + evaluates CString functions.
  - unix.cstring.BadSizeArg - Checks for common anti-patterns in strncat size argument.
  llvm-svn: 150988
  Author: Anna Zaks | Age: 2012-02-20 | Files: 1 | Lines: -1/+1
* [analyzer] Malloc Checker more tests.
  llvm-svn: 150847
  Author: Anna Zaks | Age: 2012-02-17 | Files: 1 | Lines: -0/+17
* [analyzer] Fix another false positive in the Malloc Checker, by making it aware of CString APIs that return the input parameter.
  Malloc Checker needs to know how the 'strcpy' function is evaluated. Introduce the dependency on CStringChecker for that. CStringChecker knows all about these APIs. Addresses radar://10864450
  llvm-svn: 150846
  Author: Anna Zaks | Age: 2012-02-17 | Files: 1 | Lines: -7/+20
* [analyzer] MallocChecker: more tests.
  llvm-svn: 150734
  Author: Anna Zaks | Age: 2012-02-16 | Files: 1 | Lines: -0/+15
* [analyzer] Malloc Checker: Clean up bug naming:
  - Rename the category "Logic Error" -> "Memory Error".
  - Shorten all the messages.
  llvm-svn: 150733
  Author: Anna Zaks | Age: 2012-02-16 | Files: 1 | Lines: -29/+29
* [analyzer] Malloc Checker: Give up when a pointer escapes into a struct.
  We are not properly handling the memory regions that escape into struct fields, which led to a bunch of false positives. Be conservative here and give up when a pointer escapes into a struct.
  llvm-svn: 150658
  Author: Anna Zaks | Age: 2012-02-16 | Files: 1 | Lines: -0/+35
* [analyzer] Malloc Checker: Add another false positive as a todo test.
  llvm-svn: 150534
  Author: Anna Zaks | Age: 2012-02-15 | Files: 1 | Lines: -0/+14
* [analyzer] Malloc Checker: add support for reallocf, which always frees the passed in pointer on failure.
  llvm-svn: 150533
  Author: Anna Zaks | Age: 2012-02-15 | Files: 1 | Lines: -0/+34
* [analyzer] Malloc Checker: add support for valloc + minor code hardening.
  llvm-svn: 150532
  Author: Anna Zaks | Age: 2012-02-15 | Files: 1 | Lines: -0/+13
* [analyzer] Malloc Checker: realloc: add dependency between the symbols in realloc map.
  If there is no dependency, the reallocated ptr will get garbage collected before we know that realloc failed, which would lead us to missing a memory leak warning.
  Also added new test cases, which we can handle now. Plus minor cleanups.
  llvm-svn: 150446
  Author: Anna Zaks | Age: 2012-02-14 | Files: 1 | Lines: -0/+41
* [analyzer] Malloc Checker: realloc: correct the way we are handling the case when size is 0.
  llvm-svn: 150412
  Author: Anna Zaks | Age: 2012-02-13 | Files: 1 | Lines: -0/+51
* [analyzer] Malloc checker: rework realloc handling:
  1) Support the case when realloc fails to reduce False Positives. (We essentially need to restore the state of the pointer being reallocated.)
  2) Realloc behaves differently under special conditions (from pointer is null, size is 0). When detecting these cases, we should consider under-constrained states (size might or might not be 0). The old version handled this in a very hacky way. The code did not differentiate between definite and possible (no consideration for under-constrained states). Further, after processing each special case, the realloc processing function did not return but chained to the next special case processing. So you could end up in an execution in which you first see the states in which size is 0 and realloc ~ free(), followed by the states corresponding to size is not 0 followed by the evaluation of the regular realloc behavior.
  llvm-svn: 150402
  Author: Anna Zaks | Age: 2012-02-13 | Files: 1 | Lines: -11/+26
* [analyzer] Malloc Checker: reduce false negatives rate by assuming that a pointer cannot escape through calls to system functions. Also, stop after reporting the first use-after-free.
  llvm-svn: 150315
  Author: Anna Zaks | Age: 2012-02-11 | Files: 1 | Lines: -0/+13
* [analyzer] Malloc Checker: Report a leak when we are returning freed memory.
  (As per one test case, the existing checker thought that this could cause a lot of false positives - not sure if that's valid, to be verified.)
  llvm-svn: 150313
  Author: Anna Zaks | Age: 2012-02-11 | Files: 1 | Lines: -0/+14
* [analyzer] Malloc checker: Leak bugs should be suppressed by sinks.
  Resolves a common false positive, where we were reporting a leak inside asserts.
  llvm-svn: 150312
  Author: Anna Zaks | Age: 2012-02-11 | Files: 1 | Lines: -9/+5
* [analyzer] MallocChecker: refactor/improve the symbol escape logic.
  We use the same logic here as the RetainRelease checker.
  llvm-svn: 150311
  Author: Anna Zaks | Age: 2012-02-11 | Files: 1 | Lines: -11/+53
* [analyzer] MallocChecker: add a list of false positives based on running the checker over postgres and sqlite.
  llvm-svn: 150216
  Author: Anna Zaks | Age: 2012-02-10 | Files: 1 | Lines: -0/+82
* [analyzer] MallocChecker Cleanup - harden against crashes, fix an error (use of return instead of continue), wording.
  llvm-svn: 150215
  Author: Anna Zaks | Age: 2012-02-10 | Files: 1 | Lines: -6/+18
* [analyzer] Add custom path diagnostic to the Malloc Checker.
  Very simple so far - we just highlight every allocation and release site.
  llvm-svn: 150156
  Author: Anna Zaks | Age: 2012-02-09 | Files: 1 | Lines: -0/+8
* [analyzer] MallocChecker cleanup, more tests.
  llvm-svn: 150155
  Author: Anna Zaks | Age: 2012-02-09 | Files: 1 | Lines: -1/+26
* [analyzer] MallocChecker: implement pessimistic version of the checker, which allows values to escape through unknown calls.
  Assumes all calls but the malloc family are unknown. Also, catch a use-after-free when a pointer is passed to a function after a call to free (previously, you had to explicitly dereference the pointer value).
  llvm-svn: 150112
  Author: Anna Zaks | Age: 2012-02-08 | Files: 1 | Lines: -118/+97
* If size was equal to 0, either NULL or a pointer suitable to be passed to free() is returned by realloc(). Most code expects NULL. And we only need to transfer one final ProgramState.
  llvm-svn: 138937
  Author: Zhongxing Xu | Age: 2011-09-01 | Files: 1 | Lines: -1/+1
* [analyzer] rename all experimental checker packages to have 'experimental' be the common root package.
  llvm-svn: 136835
  Author: Ted Kremenek | Age: 2011-08-03 | Files: 1 | Lines: -1/+1
* More accurately model realloc() when the size argument is 0. realloc() with a size of 0 is equivalent to free(). The memory region should be marked as free and not used again.
  Unit tests f2_realloc_0(), f6_realloc(), and f7_realloc() contributed by Marshall Clow <mclow.lists@gmail.com>. Thanks!
  llvm-svn: 130303
  Author: Lenny Maiorani | Age: 2011-04-27 | Files: 1 | Lines: -0/+26
* Rework checker "packages" and groups to be more hierarchical.
  llvm-svn: 128187
  Author: Ted Kremenek | Age: 2011-03-24 | Files: 1 | Lines: -1/+1
* [analyzer] Remove '-analyzer-check-objc-mem' flag, the nominee for best misnomer award.
  llvm-svn: 126676
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -1/+1
* [analyzer] Migrate UndefinedAssignmentChecker to CheckerV2.
  llvm-svn: 126617
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -1/+1
* [analyzer] Remove '-analyzer-experimental-checks' flag.
  llvm-svn: 126607
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -1/+1
* [analyzer] Migrate MallocChecker to CheckerV2.
  llvm-svn: 126606
  Author: Argyrios Kyrtzidis | Age: 2011-02-28 | Files: 1 | Lines: -1/+1
* [analyzer] Remove '-analyzer-experimental-internal-checks' flag, it doesn't have any checkers associated with it anymore.
  llvm-svn: 126440
  Author: Argyrios Kyrtzidis | Age: 2011-02-24 | Files: 1 | Lines: -1/+1
* [analyzer] Migrate CastSizeChecker to CheckerV2.
  llvm-svn: 126438
  Author: Argyrios Kyrtzidis | Age: 2011-02-24 | Files: 1 | Lines: -1/+1
* [analyzer] Use the new registration mechanism on some of the experimental checks. These are:
  - CStringChecker
  - ChrootChecker
  - MallocChecker
  - PthreadLockChecker
  - StreamChecker
  - UnreachableCodeChecker
  MallocChecker creates implicit dependencies between checkers and needs to be handled differently.
  llvm-svn: 125598
  Author: Argyrios Kyrtzidis | Age: 2011-02-15 | Files: 1 | Lines: -1/+1
* After a lengthy design discussion, add support for "ownership attributes" for malloc/free checking. Patch by Andrew McGregor!
  llvm-svn: 109939
  Author: Ted Kremenek | Age: 2010-07-31 | Files: 1 | Lines: -4/+118
* Added a path-sensitive unreachable code checker to the experimental analyzer checks.
  - Created a new class to do post-analysis
  - Updated several test cases with unreachable code to expect a warning
  - Added some general tests
  llvm-svn: 109286
  Author: Tom Care | Age: 2010-07-23 | Files: 1 | Lines: -1/+1
* Casting to void* or any other pointer-to-sizeless type (e.g. function pointers) causes a divide-by-zero error. Simple fix: check if the pointee type size is 0 and bail out early if it is.
  llvm-svn: 106401
  Author: Jordy Rose | Age: 2010-06-20 | Files: 1 | Lines: -0/+12
* Add support for calloc() in MallocChecker. Patch by Jordy Rose, with my modification.
  llvm-svn: 105264
  Author: Zhongxing Xu | Age: 2010-06-01 | Files: 1 | Lines: -0/+32
* CastSizeChecker checks when casting a malloc'ed symbolic region to type T, whether the size of the symbolic region is a multiple of the size of T. Fixes PR6123 and PR7217.
  llvm-svn: 104584
  Author: Zhongxing Xu | Age: 2010-05-25 | Files: 1 | Lines: -7/+17
* Add use-after-free check to MallocChecker.
  llvm-svn: 98136
  Author: Zhongxing Xu | Age: 2010-03-10 | Files: 1 | Lines: -0/+6
* Fix pr6293. If ptr is NULL, no operation is performed.
  llvm-svn: 96154
  Author: Zhongxing Xu | Age: 2010-02-14 | Files: 1 | Lines: -0/+4
* Rename -cc1 option '-checker-cfref' to '-analyzer-check-objc-mem'.
  llvm-svn: 95348
  Author: Ted Kremenek | Age: 2010-02-05 | Files: 1 | Lines: -1/+1