summaryrefslogtreecommitdiffstats
path: root/clang/test/Analysis
Commit message (Collapse)AuthorAgeFilesLines
* Reapply r251621 "[Analyzer] Widening loops which do not exit"Sean Eveson2015-10-303-2/+194
| | | | | | It was not the cause of the build bot failure. llvm-svn: 251702
* Revert r251621 "[Analyzer] Widening loops which do not exit" (bot failure)Sean Eveson2015-10-303-194/+2
| | | | | | | | Seems to be causing clang-cmake-mips build bot to fail (timeout) http://lab.llvm.org:8011/builders/clang-cmake-mips/builds/10299 llvm-svn: 251697
* [Analyzer] Widening loops which do not exitSean Eveson2015-10-293-2/+194
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: Dear All, We have been looking at the following problem, where any code after the constant bound loop is not analyzed because of the limit on how many times the same block is visited, as described in bugzillas #7638 and #23438. This problem is of interest to us because we have identified significant bugs that the checkers are not locating. We have been discussing a solution involving ranges as a longer term project, but I would like to propose a patch to improve the current implementation. Example issue: ``` for (int i = 0; i < 1000; ++i) {...something...} int *p = 0; *p = 0xDEADBEEF; ``` The proposal is to go through the first and last iterations of the loop. The patch creates an exploded node for the approximate last iteration of constant bound loops, before the max loop limit / block visit limit is reached. It does this by identifying the variable in the loop condition and finding the value which is “one away” from the loop being false. For example, if the condition is (x < 10), then an exploded node is created where the value of x is 9. Evaluating the loop body with x = 9 will then result in the analysis continuing after the loop, providing x is incremented. The patch passes all the tests, with some modifications to coverage.c, in order to make the ‘function_which_gives_up’ continue to give up, since the changes allowed the analysis to progress past the loop. This patch does introduce possible false positives, as a result of not knowing the state of variables which might be modified in the loop. I believe that, as a user, I would rather have false positives after loops than do no analysis at all. I understand this may not be the common opinion and am interested in hearing your views. There are also issues regarding break statements, which are not considered. A more advanced implementation of this approach might be able to consider other conditions in the loop, which would allow paths leading to breaks to be analyzed. Lastly, I have performed a study on large code bases and I think there is little benefit in having “max-loop” default to 4 with the patch. For variable bound loops this tends to result in duplicated analysis after the loop, and it makes little difference to any constant bound loop which will do more than a few iterations. It might be beneficial to lower the default to 2, especially for the shallow analysis setting. Please let me know your opinions on this approach to processing constant bound loops and the patch itself. Regards, Sean Eveson SN Systems - Sony Computer Entertainment Group Reviewers: jordan_rose, krememek, xazax.hun, zaks.anna, dcoughlin Subscribers: krememek, xazax.hun, cfe-commits Differential Revision: http://reviews.llvm.org/D12358 llvm-svn: 251621
* [analyzer] Assume escape is possible through system functions taking void*Anna Zaks2015-10-272-0/+23
| | | | | | | | | | | | | | | | | | The analyzer assumes that system functions will not free memory or modify the arguments in other ways, so we assume that arguments do not escape when those are called. However, this may lead to false positive leak errors. For example, in code like this where the pointers added to the rb_tree are freed later on: struct alarm_event *e = calloc(1, sizeof(*e)); <snip> rb_tree_insert_node(&alarm_tree, e); Add a heuristic to assume that calls to system functions taking void* arguments allow for pointer escape. llvm-svn: 251449
* [analyzer] Fix lambdas that are capturing constants.Gabor Horvath2015-10-271-0/+15
| | | | llvm-svn: 251407
* [analyzer] Fix another crash when analyzing lambda functions.Gabor Horvath2015-10-271-0/+6
| | | | llvm-svn: 251404
* [analyzer] Added a missing test case for r251289.Gabor Horvath2015-10-261-0/+13
| | | | llvm-svn: 251313
* Attempt to fix build bot test failures.Gabor Horvath2015-10-221-1/+1
| | | | llvm-svn: 251014
* [analyzer] Bug identificationGabor Horvath2015-10-2232-8410/+11555
| | | | | | | | | | | | | | | | This patch adds hashes to the plist and html output to be able to identfy bugs for suppressing false positives or diff results against a baseline. This hash aims to be resilient for code evolution and is usable to identify bugs in two different snapshots of the same software. One missing piece however is a permanent unique identifier of the checker that produces the warning. Once that issue is resolved, the hashes generated are going to change. Until that point this feature is marked experimental, but it is suitable for early adoption. Differential Revision: http://reviews.llvm.org/D10305 Original patch by: Bence Babati! llvm-svn: 251011
* [analyzer] Don’t invalidate CXXThis when conservatively evaluating const ↵Devin Coughlin2015-10-131-0/+230
| | | | | | | | | | | | methods (PR 21606) Prevent invalidation of `this' when a method is const; fixing PR 21606. A patch by Sean Eveson! Differential Revision: http://reviews.llvm.org/D13099 llvm-svn: 250237
* Update tests touched by r249656David Majnemer2015-10-083-3/+3
| | | | | | | | | These test updates almost exclusively around the change in behavior around enum: enums without a definition are considered incomplete except when targeting MSVC ABIs. Since these tests are interested in the 'incomplete-enum' behavior, restrict them to %itanium_abi_triple. llvm-svn: 249660
* [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire ↵Devin Coughlin2015-09-241-0/+916
| | | | | | | | | | | | | | | | | | | | region. Change the analyzer's modeling of memcpy to be more precise when copying into fixed-size array fields. With this change, instead of invalidating the entire containing region the analyzer now invalidates only offsets for the array itself when it can show that the memcpy stays within the bounds of the array. This addresses false positive memory leak warnings of the kind reported by krzysztof in https://llvm.org/bugs/show_bug.cgi?id=22954 (This is the second attempt, now with assertion failures resolved.) A patch by Pierre Gousseau! Differential Revision: http://reviews.llvm.org/D12571 llvm-svn: 248516
* clang/test/Analysis/malloc-overflow2.c: Appease 32-bit targets.NAKAMURA Takumi2015-09-241-1/+1
| | | | | | size_t is not unsigned long for targeting i686 (and Windows x64). llvm-svn: 248458
* [analyzer] Discard malloc-overflow bug-report when a known size is malloc'ed.Devin Coughlin2015-09-232-1/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch ignores malloc-overflow bug in two cases: Case1: x = a/b; where n < b malloc (x*n); Then x*n will not overflow. Case2: x = a; // when 'a' is a known value. malloc (x*n); Also replaced isa with dyn_cast. Reject multiplication by zero cases in MallocOverflowSecurityChecker Currently MallocOverflowSecurityChecker does not catch cases like: malloc(n * 0 * sizeof(int)); This patch rejects such cases. Two test cases added. malloc-overflow2.c has an example inspired from a code in linux kernel where the current checker flags a warning while it should not. A patch by Aditya Kumar! Differential Revision: http://reviews.llvm.org/D9924 llvm-svn: 248446
* [analyzer] Improve localizability checks for iOS / OS X.Devin Coughlin2015-09-232-10/+154
| | | | | | | | | | | | | | | | | | | | Various improvements to the localization checker: * Adjusted copy to be consistent with diagnostic text in other Apple API checkers. * Added in ~150 UIKit / AppKit methods that require localized strings in UnlocalizedStringsChecker. * UnlocalizedStringChecker now checks for UI methods up the class hierarchy and UI methods that conform for a certain Objective-C protocol. * Added in alpha version of PluralMisuseChecker and some regression tests. False positives are still not ideal. (This is the second attempt, with the memory issues on Linux resolved.) A patch by Kulpreet Chilana! Differential Revision: http://reviews.llvm.org/D12417 llvm-svn: 248432
* Revert "[analyzer] Improve localizability checks for iOS / OS X."Devin Coughlin2015-09-232-154/+10
| | | | | | This reverts commit r248350. The pluralization checks are failing on some bots. llvm-svn: 248351
* [analyzer] Improve localizability checks for iOS / OS X.Devin Coughlin2015-09-222-10/+154
| | | | | | | | | | | | | | | | | | Various improvements to the localization checker: * Adjusted copy to be consistent with diagnostic text in other Apple API checkers. * Added in ~150 UIKit / AppKit methods that require localized strings in UnlocalizedStringsChecker. * UnlocalizedStringChecker now checks for UI methods up the class hierarchy and UI methods that conform for a certain Objective-C protocol. * Added in alpha version of PluralMisuseChecker and some regression tests. False positives are still not ideal. A patch by Kulpreet Chilana! Differential Revision: http://reviews.llvm.org/D12417 llvm-svn: 248350
* [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).Devin Coughlin2015-09-221-3/+31
| | | | | | | | | | | | | | | | | | Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr, 0): "7.22.3 Memory management functions calloc, malloc, realloc: If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object." The patch equalizes the processing of malloc(0) and realloc(ptr,0). The patch also enables unix.Malloc checker to detect references to zero-allocated memory returned by realloc(ptr,0) ("Use of zero-allocated memory" warning). A patch by Антон Ярцев! Differential Revision: http://reviews.llvm.org/D9040 llvm-svn: 248336
* [analyzer] Create one state for a range switch case instead of multiple.Devin Coughlin2015-09-221-0/+220
| | | | | | | | | | | | | This fixes PR16833, in which the analyzer was using large amounts of memory for switch statements with large case ranges. rdar://problem/14685772 A patch by Aleksei Sidorin! Differential Revision: http://reviews.llvm.org/D5102 llvm-svn: 248318
* Analyzer: Teach analyzer how to handle TypeTraitExprIsmail Pazarbasi2015-09-221-1/+36
| | | | | | | | | | | | | | | | | | | | Summary: `TypeTraitExpr`s are not supported by the ExprEngine today. Analyzer creates a sink, and aborts the block. Therefore, certain bugs that involve type traits intrinsics cannot be detected (see PR24710). This patch creates boolean `SVal`s for `TypeTraitExpr`s, which are evaluated by the compiler. Test within the patch is a summary of PR24710. Reviewers: zaks.anna, dcoughlin, krememek Subscribers: cfe-commits Differential Revision: http://reviews.llvm.org/D12482 llvm-svn: 248314
* [Static Analyzer] Fixed a false positive case in DynamicTypeChecker when ↵Gabor Horvath2015-09-181-0/+10
| | | | | | dealing with forward declarations. llvm-svn: 248065
* Analyzer: Fix a crasher in UbigraphVizIsmail Pazarbasi2015-09-181-0/+7
| | | | | | | | | | | | | | | Summary: Name `Out` refers to the parameter. It is moved into the member `Out` in ctor-init. Dereferencing null pointer will crash clang, if user passes '-analyzer-viz-egraph-ubigraph' argument. Reviewers: zaks.anna, krememek Subscribers: cfe-commits Differential Revision: http://reviews.llvm.org/D12119 llvm-svn: 248050
* [Static Analyzer] General type checker based on dynamic type information.Gabor Horvath2015-09-182-219/+429
| | | | | | Differential Revision: http://reviews.llvm.org/D12973 llvm-svn: 248041
* [analyzer] A fix for substraction of an integer from a pointer.Gabor Horvath2015-09-181-0/+17
| | | | | | | | Patch by Artem Dergachev! Differential Revision: http://reviews.llvm.org/D12725 llvm-svn: 248021
* [Static Analyzer] Use generics related information to infer dynamic types.Gabor Horvath2015-09-181-1/+0
| | | | | | Differential Revision: http://reviews.llvm.org/D12916 llvm-svn: 248002
* [Static Analyzer] Generics Checker: When an ObjC method returns a ↵Gabor Horvath2015-09-161-575/+1103
| | | | | | | | specialized object, track it properly. Differential Revision: http://reviews.llvm.org/D12889 llvm-svn: 247861
* [analyzer] Add generateErrorNode() APIs to CheckerContext.Devin Coughlin2015-09-162-1/+100
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
* [Static Analyzer] Added an XFAIL test for inlining when the type inference ↵Gabor Horvath2015-09-151-0/+58
| | | | | | involves generic types. llvm-svn: 247739
* [analyzer] Skip Pre/Post handlers for ObjC calls when receiver is nil.Devin Coughlin2015-09-152-0/+59
| | | | | | | | | | | | | | | | | | | | | | | | | In Objective-C, method calls with nil receivers are essentially no-ops. They do not fault (although the returned value may be garbage depending on the declared return type and architecture). Programmers are aware of this behavior and will complain about a false alarm when the analyzer diagnoses API violations for method calls when the receiver is known to be nil. Rather than require each individual checker to be aware of this behavior and suppress a warning when the receiver is nil, this commit changes ExprEngineObjC so that VisitObjCMessage skips calling checker pre/post handlers when the receiver is definitely nil. Instead, it adds a new event, ObjCMessageNil, that is only called in that case. The CallAndMessageChecker explicitly cares about this case, so I've changed it to add a callback for ObjCMessageNil and moved the logic in PreObjCMessage that handles nil receivers to the new callback. rdar://problem/18092611 Differential Revision: http://reviews.llvm.org/D12123 llvm-svn: 247653
* [Static Analyzer] Moving nullability checkers out of alpha.Gabor Horvath2015-09-142-2/+2
| | | | llvm-svn: 247595
* [Static Analyzer] Moving nullability checkers to a top level package.Gabor Horvath2015-09-142-1/+88
| | | | | | Differential Revision: http://reviews.llvm.org/D12852 llvm-svn: 247590
* [Static Analyzer] Merge the Objective-C Generics Checker into Dynamic Type ↵Gabor Horvath2015-09-131-38/+38
| | | | | | | | Propagation checker. Differential Revision: http://reviews.llvm.org/D12381 llvm-svn: 247532
* [analyzer] Add -analyzer-config option for function size the inliner ↵Devin Coughlin2015-09-112-6/+22
| | | | | | | | | | | | | | | | | | | considers as large Add an option (-analyzer-config min-blocks-for-inline-large=14) to control the function size the inliner considers as large, in relation to "max-times-inline-large". The option defaults to the original hard coded behaviour, which I believe should be adjustable with the other inlining settings. The analyzer-config test has been modified so that the analyzer will reach the getMinBlocksForInlineLarge() method and store the result in the ConfigTable, to ensure it is dumped by the debug checker. A patch by Sean Eveson! Differential Revision: http://reviews.llvm.org/D12406 llvm-svn: 247463
* [Static Analyzer] Lambda support.Gabor Horvath2015-09-114-8/+392
| | | | | | Differential Revision: http://reviews.llvm.org/D12652 llvm-svn: 247426
* Revert "[Static Analyzer] BugReporter.cpp:2869: Assertion failed: ↵Devin Coughlin2015-09-082-99/+1
| | | | | | | | | | | | | | | | !RemainingNodes.empty() && "No error node found in the trimmed graph"" This is making our internal build bot fail because it results in extra warnings being emitted past what should be sink nodes. (There is actually an example of this in the updated malloc.c test in the reverted commit.) I'm working on a patch to fix the original issue by adding a new checker API to explicitly create error nodes. This API will ensure that error nodes are always tagged in order to prevent them from being reclaimed. This reverts commit r246188. llvm-svn: 247103
* [Static Analyzer] Objective-C Generics Checker improvements.Gabor Horvath2015-09-081-319/+893
| | | | | | Differential Revision: http://reviews.llvm.org/D12701 llvm-svn: 247071
* [Static Analyzer] Remove sinks from nullability checks.Gabor Horvath2015-09-031-0/+62
| | | | | | Differential Revision: http://reviews.llvm.org/D12445 llvm-svn: 246818
* Revert r246345 until an assertion is fixed.Gabor Horvath2015-08-311-697/+0
| | | | llvm-svn: 246479
* [analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire ↵Devin Coughlin2015-08-281-0/+697
| | | | | | | | | | | | | | | | | | region. Change the analyzer's modeling of memcpy to be more precise when copying into fixed-size array fields. With this change, instead of invalidating the entire containing region the analyzer now invalidates only offsets for the array itself when it can show that the memcpy stays within the bounds of the array. This addresses false positive memory leak warnings of the kind reported by krzysztof in https://llvm.org/bugs/show_bug.cgi?id=22954 A patch by Pierre Gousseau! Differential Revision: http://reviews.llvm.org/D11832 llvm-svn: 246345
* [Static Analyzer] BugReporter.cpp:2869: Assertion failed: ↵Gabor Horvath2015-08-272-1/+99
| | | | | | | | | | | | | | | | | | | | | | | | | !RemainingNodes.empty() && "No error node found in the trimmed graph" The assertion is caused by reusing a “filler” ExplodedNode as an error node. The “filler” nodes are only used for intermediate processing and are not essential for analyzer history, so they can be reclaimed when the ExplodedGraph is trimmed by the “collectNode” function. When a checker finds a bug, they generate a new transition in the ExplodedGraph. The analyzer will try to reuse the existing predecessor node. If it cannot, it creates a new ExplodedNode, which always has a tag to uniquely identify the creation site. The assertion is caused when the analyzer reuses a “filler” node. In the test case, some “filler” nodes were reused and then reclaimed later when the ExplodedGraph was trimmed. This caused an assertion because the node was needed to generate the report. The “filler” nodes should not be reused as error nodes. The patch adds a constraint to prevent this happening, which solves the problem and makes the test cases pass. Differential Revision: http://reviews.llvm.org/D11433 Patch by Ying Yi! llvm-svn: 246188
* [Tests] Modified Lit Tests to be C++11 compatibileCharles Li2015-08-271-11/+21
| | | | | | | This 2nd patch should not change the test results, but it is useful if clang's default C++ language is ever changed from gnu++98. llvm-svn: 246183
* [Static Analyzer] Make NonNullParamChecker emit implicit null dereference ↵Gabor Horvath2015-08-271-4/+4
| | | | | | | | events. Differential Revision: http://reviews.llvm.org/D11433 llvm-svn: 246182
* [Static Analyzer] Checks to catch nullability related issues.Gabor Horvath2015-08-261-0/+181
| | | | | | Differential Revision: http://reviews.llvm.org/D11468 llvm-svn: 246105
* [Static Analyzer] Fix tests to reflect the change in the diagnostic message.Gabor Horvath2015-08-251-70/+70
| | | | llvm-svn: 245951
* [Static Analyzer] Add checker to catch lightweight generics related type ↵Gabor Horvath2015-08-211-0/+5265
| | | | | | | | errors in Objective-C. Differential Revision: http://reviews.llvm.org/D11427 llvm-svn: 245646
* Do not crash when static analysis encounters a FunctionDecl that has a ↵Aaron Ballman2015-08-201-0/+11
| | | | | | delayed template parse of its body. llvm-svn: 245616
* [analyzer] Add checkers for OS X / iOS localizability issuesAnna Zaks2015-08-142-0/+329
| | | | | | | | | | | | | | | Add checkers that detect code-level localizability issues for OS X / iOS: - A path sensitive checker that warns about uses of non-localized NSStrings passed to UI methods expecting localized strings. - A syntax checker that warns against not including a comment in NSLocalizedString macros. A patch by Kulpreet Chilana! (This is the second attempt with the compilation issue on Windows and the random test failures resolved.) llvm-svn: 245093
* [Static Analyzer] Warn when inner and outer conditions are identical. The ↵Daniel Marjamaki2015-08-101-0/+32
| | | | | | | | inner condition is always true. Reviewed in http://reviews.llvm.org/D10892. llvm-svn: 244435
* Revert "[analyzer] Add checkers for OS X / iOS localizability issues"Anna Zaks2015-08-082-329/+0
| | | | | | | | This reverts commit fc885033a30b6e30ccf82398ae7c30e646727b10. Revert all localization checker commits until the proper fix is implemented. llvm-svn: 244394
* [analyzer] Add checkers for OS X / iOS localizability issuesAnna Zaks2015-08-082-0/+329
| | | | | | | | | | | | Add checkers that detect code-level localizability issues for OS X / iOS: - A path sensitive checker that warns about uses of non-localized NSStrings passed to UI methods expecting localized strings. - A syntax checker that warns against not including a comment in NSLocalizedString macros. A patch by Kulpreet Chilana! llvm-svn: 244389
OpenPOWER on IntegriCloud