path: root/clang/test/Analysis
Commit message | Author | Age | Files | Lines
...
* [analyzer] Improve subscripting null arrays for catching null dereferences. | Artem Dergachev | 2017-04-24 | 1 | -8/+11
  Array-to-pointer cast now works correctly when the pointer to the array is concrete, eg. null, which allows further symbolic calculations involving such values. Inlined defensive checks are now detected correctly when the resulting null symbol is being array-subscripted before dereference.
  Differential Revision: https://reviews.llvm.org/D32291
  llvm-svn: 301251
* [analyzer] Improve suppression for inlined defensive checks before operator &. | Artem Dergachev | 2017-04-24 | 4 | -3/+89
  Null dereferences are suppressed if the lvalue was constrained to 0 for the first time inside a sub-function that was inlined during analysis, because such constraint is a valid defensive check that does not, by itself, indicate that null pointer case is anyhow special for the caller. If further operations on the lvalue are performed, the symbolic lvalue is collapsed to concrete null pointer, and we need to track where does the null pointer come from. Improve such tracking for lvalue operations involving operator &.
  rdar://problem/27876009
  Differential Revision: https://reviews.llvm.org/D31982
  llvm-svn: 301224
* [analyzer] Fix assert in ExprEngine::processSwitch | Alexander Shaposhnikov | 2017-04-21 | 1 | -0/+13
  This diff replaces getTypeSize(CondE->getType()) with getIntWidth(CondE->getType()) in ExprEngine::processSwitch. These calls are not equivalent for bool, see ASTContext.cpp
  Add a test case.
  Test plan:
  make check-clang-analysis
  make check-clang
  Differential revision: https://reviews.llvm.org/D32328
  llvm-svn: 300936
* [analyzer] Simplify values in binary operations a bit more aggressively. | Artem Dergachev | 2017-04-13 | 1 | -0/+9
  SValBuilder tries to constant-fold symbols in the left-hand side of the symbolic expression whenever it fails to evaluate the expression directly. However, it only constant-folds them when they are atomic expressions, not when they are complicated expressions themselves. This patch adds recursive constant-folding to the left-hand side subexpression (there's a lack of symmetry because we're trying to have symbols on the left and constants on the right). As an example, we'd now be able to handle operations similar to "$x + 1 < $y", when $x is constrained to a constant.
  rdar://problem/31354676
  Differential Revision: https://reviews.llvm.org/D31886
  llvm-svn: 300178
* [analyzer] Add a check for IvarRegion in getExtraInvalidatedValues | Alexander Shaposhnikov | 2017-04-12 | 1 | -0/+16
  This diff adds a defensive check in getExtraInvalidatedValues for the case when there are no regions for the ivar associated with a property. Corresponding test case added.
  Test plan:
  make check-clang
  make check-clang-analysis
  llvm-svn: 300114
* [lit] Fix Analysis test format pickling error | Reid Kleckner | 2017-04-05 | 2 | -29/+36
  Move the test format into a standalone .py file and add it to the site module search path. This allows us to run the test on Windows, and it makes it compatible with the multiprocessing.Pool lit test execution strategy. I think this test was only passing everywhere else because multiprocessing uses 'fork' to spawn workers, so the test format never needs to be pickled.
  llvm-svn: 299577
* [analyzer] alpha.core.Conversion - Fix false positive for 'U32 += S16;' expression, that is not unsafe | Daniel Marjamaki | 2017-04-05 | 1 | -5/+63
  Summary: The alpha.core.Conversion was too strict about compound assignments and could warn even though there is no problem.
  Differential Revision: https://reviews.llvm.org/D25596
  llvm-svn: 299523
* [analyzer] Add new Z3 constraint manager backend | Dominic Chen | 2017-04-04 | 3 | -1/+36
  Summary: Implement new Z3 constraint manager backend.
  Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun
  Subscribers: mgorny, cfe-commits
  Differential Revision: https://reviews.llvm.org/D28952
  llvm-svn: 299463
* Correcting a typo; NFC. | Aaron Ballman | 2017-03-30 | 1 | -1/+1
  llvm-svn: 299094
* [analyzer] Fix symbolication for unknown unary increment/decrement results. | Artem Dergachev | 2017-03-28 | 1 | -0/+5
  If the value is known, but we cannot increment it, conjure a symbol to represent the result of the operation based on the operator expression, not on the sub-expression. In particular, no longer crash on comparing a result of a LocAsInteger increment to a constant integer.
  rdar://problem/31067356
  Differential Revision: https://reviews.llvm.org/D31289
  llvm-svn: 298927
* [analyzer] When creating a temporary object, properly copy the value into it. | Artem Dergachev | 2017-03-28 | 2 | -0/+63
  Adjustments should be considered properly; we should copy the unadjusted object over the whole temporary base region. If the unadjusted object is no longer available in the Environment, invalidate the temporary base region, and then copy the adjusted object into the adjusted sub-region of the temporary region.
  This fixes a regression introduced by r288263, that caused various false positives, due to copying only adjusted object into the adjusted region; the rest of the base region therefore remained undefined. Before r288263, the adjusted value was copied over the unadjusted region, which is incorrect, but accidentally worked better due to how region store disregards compound value bindings to non-base regions.
  An additional test machinery is introduced to make sure that despite making two binds, we only notify checkers once for both of them, without exposing the partially copied objects.
  This fix is a hack over a hack. The proper fix would be to model C++ temporaries in the CFG, and after that dealing with adjustments would no longer be necessary, and the values we need would no longer disappear from the Environment.
  rdar://problem/30658168
  Differential Revision: https://reviews.llvm.org/D30534
  llvm-svn: 298924
* [analyzer] Add MisusedMovedObjectChecker for detecting use-after-move errors. | Artem Dergachev | 2017-03-24 | 1 | -0/+619
  The checker currently warns on copying, moving, or calling methods on an object that was recently std::move'd from. It understands a set of "state reset" methods that bring a moved-from object back to a well-specified state.
  Patch by Peter Szecsi!
  Differential Revision: https://reviews.llvm.org/D24246
  llvm-svn: 298698
* [analyzer] Fix a rare crash for valist check. | Gabor Horvath | 2017-03-13 | 2 | -1/+22
  It looks like on some host-triples the result of a valist related expr can be a LazyCompoundVal. Handle that case in the check.
  Patch by Abramo Bagnara!
  llvm-svn: 297619
* [analyzer] Extend block in critical section check with C11 and Pthread APIs. | Gabor Horvath | 2017-03-10 | 1 | -7/+69
  Patch by Zoltan Daniel Torok!
  Differential Revision: https://reviews.llvm.org/D29567
  llvm-svn: 297461
* [analyzer] Turn suppress-c++-stdlib on by default | Anna Zaks | 2017-03-10 | 1 | -0/+1
  We have several reports of false positives coming from libc++. For example, there are reports of false positives in std::regex, std::wcout, and also a bunch of issues are reported in https://reviews.llvm.org/D30593. In many cases, the analyzer trips over the complex libc++ code invariants. Let's turn off the reports coming from these headers until we can re-evaluate the support.
  We can turn this back on once we individually suppress all known false positives and perform deeper evaluation on large codebases that use libc++. We'd also need to commit to doing these evaluations regularly as libc++ headers change.
  Differential Revision: https://reviews.llvm.org/D30798
  llvm-svn: 297429
* [analyzer] Extend taint propagation and checking to support LazyCompoundVal | Anna Zaks | 2017-03-09 | 1 | -0/+37
  A patch by Vlad Tsyrklevich!
  Differential Revision: https://reviews.llvm.org/D28445
  llvm-svn: 297326
* [analyzer] Improve usability of ExprInspectionChecker | Anna Zaks | 2017-03-09 | 1 | -0/+25
  Some of the magic functions take arguments of arbitrary type. However, for semantic correctness, the compiler still requires a declaration of these functions with the correct type. Since C does not have argument-type-overloaded function, this made those functions hard to use in C code. Improve this situation by allowing arbitrary suffixes in the affected magic functions' names, thus allowing the user to create different declarations for different types.
  A patch by Keno Fischer!
  Differential Revision: https://reviews.llvm.org/D30589
  llvm-svn: 297325
* [analyzer] Add bug visitor for taint checker. | Anna Zaks | 2017-03-09 | 1 | -0/+13
  Add a bug visitor to the taint checker to make it easy to distinguish where the tainted value originated. This is especially useful when the original taint source is obscured by complex data flow.
  A patch by Vlad Tsyrklevich!
  Differential Revision: https://reviews.llvm.org/D30289
  llvm-svn: 297324
* [analyzer] Teach the MallocChecker about Glib API | Anna Zaks | 2017-03-09 | 1 | -0/+59
  A patch by Leslie Zhai!
  Differential Revision: https://reviews.llvm.org/D28348
  llvm-svn: 297323
* [analyzer] Clarify 'uninitialized function argument' messages | Daniel Marjamaki | 2017-03-08 | 12 | -58/+58
  Differential Revision: https://reviews.llvm.org/D30341
  llvm-svn: 297283
* [analyzer] Fix crashes in CastToStruct checker for undefined structs | Daniel Marjamaki | 2017-03-07 | 1 | -0/+14
  This crash was reported in https://bugs.llvm.org//show_bug.cgi?id=31173
  Differential Revision: https://reviews.llvm.org/D28297
  llvm-svn: 297187
* [analyzer] Improve valist checks and move it out from alpha state. | Gabor Horvath | 2017-03-07 | 3 | -73/+135
  This patch makes the valist check more robust to the different AST variants on different platforms and also fixes a FIXME.
  Differential Revision: https://reviews.llvm.org/D30157
  llvm-svn: 297153
* Reland 4: [analyzer] NFC: Update test infrastructure to support multiple constraint managers | Dominic Chen | 2017-03-03 | 407 | -752/+632
  Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.
  Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin
  Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits
  Differential Revision: https://reviews.llvm.org/D30373
  llvm-svn: 296895
* [Analyzer] Terminate analysis on OpenMP code instead of assertion crash | Aleksei Sidorin | 2017-03-03 | 1 | -0/+7
  * ExprEngine assumes that OpenMP statements should never appear in CFG. However, current CFG doesn't know anything about OpenMP and passes such statements as CFG nodes causing "UNREACHABLE executed!" crashes. Since there is no OpenMP implementation in ExprEngine or CFG, we stop the analysis on OpenMP statements to avoid crashes.
  This fixes PR31835.
  Differential Revision: https://reviews.llvm.org/D30565
  llvm-svn: 296884
* Revert "Reland 3: [analyzer] NFC: Update test infrastructure to support multiple constraint managers" | Dominic Chen | 2017-03-02 | 407 | -628/+754
  This reverts commit ea36f1406e1f36bf456c3f3929839b024128e468.
  llvm-svn: 296841
* Reland 3: [analyzer] NFC: Update test infrastructure to support multiple constraint managers | Dominic Chen | 2017-03-02 | 407 | -754/+628
  Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.
  Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin
  Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits
  Differential Revision: https://reviews.llvm.org/D30373
  llvm-svn: 296837
* Revert "Reland 2: [analyzer] NFC: Update test infrastructure to support multiple constraint managers" | Dominic Chen | 2017-03-02 | 407 | -607/+754
  This reverts commit f93343c099fff646a2314cc7f4925833708298b1.
  llvm-svn: 296836
* Reland 2: [analyzer] NFC: Update test infrastructure to support multiple constraint managers | Dominic Chen | 2017-03-02 | 407 | -754/+607
  Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.
  Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin
  Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits
  Differential Revision: https://reviews.llvm.org/D30373
  llvm-svn: 296835
* [analyzer] pr32088: Don't destroy the temporary if its initializer causes return. | Devin Coughlin | 2017-03-01 | 1 | -0/+10
  In the following code involving GNU statement-expression extension:

    struct S {
      ~S();
    };

    void foo() {
      const S &x = ({ return; S(); });
    }

  function 'foo()' returns before reference x is initialized. We shouldn't call the destructor for the temporary object lifetime-extended by 'x' in this case, because the object never gets constructed in the first place.
  The real problem is probably in the CFG somewhere, so this is a quick-and-dirty hotfix rather than the perfect solution.
  A patch by Artem Dergachev!
  rdar://problem/30759076
  Differential Revision: https://reviews.llvm.org/D30499
  llvm-svn: 296646
* [Analyzer] Fix crash in ObjCPropertyChecker on protocol property | Devin Coughlin | 2017-03-01 | 1 | -0/+7
  Fix a crash in the ObjCPropertyChecker when analyzing a 'copy' property of an NSMutable* type in a protocol.
  rdar://problem/30766684
  Differential Revision: https://reviews.llvm.org/D30482
  llvm-svn: 296562
* Revert "Reland: [analyzer] NFC: Update test infrastructure to support multiple constraint managers" | Dominic Chen | 2017-02-28 | 407 | -626/+754
  This reverts commit 1b28d0b10e1c8feccb971abb6ef7a18bee589830.
  llvm-svn: 296422
* Reland: [analyzer] NFC: Update test infrastructure to support multiple constraint managers | Dominic Chen | 2017-02-28 | 407 | -754/+626
  Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.
  Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin
  Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits
  Differential Revision: https://reviews.llvm.org/D30373
  llvm-svn: 296414
* [analyzer] clarify 'result is garbage value' when it is out of bounds | Daniel Marjamaki | 2017-02-27 | 1 | -0/+6
  Differential Revision: https://reviews.llvm.org/D28278
  llvm-svn: 296326
* Revert "[analyzer] NFC: Update test infrastructure to support multiple constraint managers" | Dominic Chen | 2017-02-27 | 407 | -620/+554
  This reverts commit 8e7780b9e59ddaad1800baf533058d2c064d4787.
  llvm-svn: 296317
* [analyzer] NFC: Update test infrastructure to support multiple constraint managers | Dominic Chen | 2017-02-27 | 407 | -554/+620
  Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.
  Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin
  Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits
  Differential Revision: https://reviews.llvm.org/D30373
  llvm-svn: 296312
* [analyzer] Do not duplicate call graph nodes for functions that have definition and forward declaration | Aleksei Sidorin | 2017-02-20 | 1 | -1/+11
  Patch by Ivan Sidorenko!
  Differential Revision: https://reviews.llvm.org/D29643
  llvm-svn: 295644
* [analyzer] Revert 295545. There are buildbot failures. | Daniel Marjamaki | 2017-02-18 | 1 | -5/+0
  llvm-svn: 295548
* [analyzer] Fix crash in CastToStruct when there is no record definition | Daniel Marjamaki | 2017-02-18 | 1 | -0/+5
  This crash was reported in https://bugs.llvm.org//show_bug.cgi?id=31173
  Differential Revision: https://reviews.llvm.org/D28297
  llvm-svn: 295545
* [analyzer] Fix an assertion fail in CStringSyntaxChecker. | Gabor Horvath | 2017-02-02 | 1 | -0/+2
  Differential Revision: https://reviews.llvm.org/D29384
  llvm-svn: 293874
* In VirtualCallChecker, handle indirect calls | Sam McCall | 2017-01-31 | 1 | -0/+11
  Summary: In VirtualCallChecker, handle indirect calls. getDirectCallee() can be nullptr, and dyn_cast(nullptr) is UB
  Reviewers: bkramer
  Subscribers: cfe-commits
  Differential Revision: https://reviews.llvm.org/D29303
  llvm-svn: 293604
* [analyzer] Consider function call arguments while building CallGraph. | Artem Dergachev | 2017-01-27 | 1 | -1/+16
  Function call can appear in the arguments of another function call, eg.:

    foo(bar());

  This patch adds support for such cases.
  Patch by Ivan Sidorenko!
  Differential revision: https://reviews.llvm.org/D28905
  llvm-svn: 293280
* [test] Port clang tests to canonicalized booleans | Michal Gorny | 2017-01-25 | 1 | -1/+1
  Use the new llvm_canonicalize_cmake_booleans() function to canonicalize booleans for lit tests. Replace the duplicate ENABLE_CLANG* variables used to hold canonicalized values with in-place canonicalization. Use implicit logic in Python code to avoid overrelying on exact 0/1 values.
  Differential Revision: https://reviews.llvm.org/D28529
  llvm-svn: 293052
* [analyzer] Fix MacOSXAPIChecker fp with static locals seen from nested blocks. | Artem Dergachev | 2017-01-25 | 2 | -0/+42
  This is an attempt to avoid new false positives caused by the reverted r292800, however the scope of the fix is significantly reduced - some variables are still in incorrect memory spaces.
  Relevant test cases added.
  rdar://problem/30105546
  rdar://problem/30156693
  Differential revision: https://reviews.llvm.org/D28946
  llvm-svn: 293043
* Revert "[analyzer] Fix memory space of static locals seen from nested blocks." | Devin Coughlin | 2017-01-24 | 1 | -7/+0
  This reverts commit r292800. It is causing null pointer dereference false positives when a block that captures a static local is evaluated at the top level.
  llvm-svn: 292874
* [analyzer] Fix memory space of static locals seen from nested blocks. | Artem Dergachev | 2017-01-23 | 1 | -0/+7
  When a block within a function accesses a function's static local variable, this local is captured by reference rather than copied to the heap. Therefore this variable's memory space is known: StaticGlobalSpaceRegion. Used to be UnknownSpaceRegion, same as for stack locals.
  Fixes a false positive in MacOSXAPIChecker.
  rdar://problem/30105546
  Differential revision: https://reviews.llvm.org/D28946
  llvm-svn: 292800
* [analyzer] Support inlining of '[self classMethod]' and '[[self class] classMethod]' | Anna Zaks | 2017-01-13 | 1 | -1/+76
  Differential Revision: https://reviews.llvm.org/D28495
  llvm-svn: 291867
* [analyzer] Fix false positives in Keychain API checker | Anna Zaks | 2017-01-13 | 1 | -17/+45
  The checker has several false positives that this patch addresses:
  - Do not check if the return status has been compared to error (or no error) at the time when leaks are reported since the status symbol might no longer be alive. Instead, pattern match on the assume and stop tracking allocated symbols on error paths.
  - The checker used to report error when an unknown symbol was freed. This could lead to false positives, let's not report those. This leads to loss of coverage in double frees.
  - Do not enforce that we should only call free if we are sure that error was not returned and the pointer is not null. That warning is too noisy and we received several false positive reports about it. (I removed: "Only call free if a valid (non-NULL) buffer was returned")
  - Use !isDead instead of isLive in leak reporting. Otherwise, we report leaks for objects we lose track of. This change triggered change #1.
  This also adds checker specific dump to the state.
  Differential Revision: https://reviews.llvm.org/D28330
  llvm-svn: 291866
* [analyzer] Avoid a crash in DereferenceChecker on string literal initializers. | Artem Dergachev | 2017-01-12 | 1 | -0/+7
  A hotfix for pr31592 that fixes the crash but not the root cause of the problem. We need to update the analyzer engine further to account for AST changes introduced in r289618. At the moment we're erroneously performing a redundant lvalue-to-rvalue cast in this scenario, and squashing the rvalue of the object bound to the reference into the reference itself.
  rdar://problem/28832541
  llvm-svn: 291754
* [analyzer] Fix crash in body farm for getter without implicit self. | Devin Coughlin | 2017-01-11 | 1 | -0/+26
  Fix a crash in body farm when synthesizing a getter for a property synthesized for a property declared in a protocol on a class extension that shadows a declaration of the property in a category.
  In this case, Sema doesn't fill in the implicit 'self' parameter for the getter in the category, which leads to a crash when trying to synthesize the getter for it.
  To avoid the crash, skip getter synthesis in body farm if the self parameter is not filled in.
  rdar://problem/29938138
  llvm-svn: 291635
* [analyzer] Treat pointers to static member functions as function pointers | Devin Coughlin | 2017-01-10 | 1 | -1/+17
  Sema treats pointers to static member functions as having function pointer type, so treat them as function pointer values in the analyzer as well. This prevents an assertion failure in SValBuilder::evalBinOp caused by code that expects function pointers to be Locs (in contrast, PointerToMember values are nonlocs).
  Differential Revision: https://reviews.llvm.org/D28033
  llvm-svn: 291581