| Commit message (Collapse) | Author | Age | Files | Lines |
|
It should now produce valid HTML again.
Differential Revision: https://reviews.llvm.org/D73993
(cherry picked from commit 482e236e569e8324f70778af1eb756923cd490dc)
|
Differential revision: https://reviews.llvm.org/D70689
|
Summary:
This checker verifies if default placement new is provided with pointers
to sufficient storage capacity.
Noncompliant Code Example:
  #include <new>
  void f() {
    short s;
    long *lp = ::new (&s) long;
  }
Based on SEI CERT rule MEM54-CPP
https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM54-CPP.+Provide+placement+new+with+properly+aligned+pointe
This patch does not implement checking of the alignment.
Reviewers: NoQ, xazax.hun
Subscribers: mgorny, whisperity, xazax.hun, baloghadamsoftware, szepet,
rnkovacs, a.sidorin, mikhail.ramalho, donat
Tags: #clang
Differential Revision: https://reviews.llvm.org/D71612
|
- Lower to the memcpy intrinsic
- Raise warnings when size/bounds are known
Differential Revision: https://reviews.llvm.org/D71374
|
Differential Revision: https://reviews.llvm.org/D70725
|
The checker can diagnose handle use after releases, double releases, and
handle leaks.
Differential Revision: https://reviews.llvm.org/D70470
|
Method '-[NSCoder decodeValueOfObjCType:at:]' is not only deprecated
but also a security hazard, hence a loud check.
Differential Revision: https://reviews.llvm.org/D71728
|
Canonicalization was accidentally omitted in 6d3f43ec.
|
MallocChecker warns when memory is passed into -[NSData initWithBytesNoCopy]
but isn't allocated by malloc(), because it will be deallocated by free().
However, initWithBytesNoCopy has an overload that takes an arbitrary block
for deallocating the object. If such overload is used, it is no longer
necessary to make sure that the memory is allocated by malloc().
|
It's a singleton in CoreFoundation that always contains a non-null CFNullRef.
|
This is useful for clients that are relying on linearized CFGs for evaluating
subexpressions and want the default initializer to be evaluated properly.
The upcoming lifetime analysis is using this but it might also be useful
for the static analyzer at some point.
Differential Revision: https://reviews.llvm.org/D71642
|
This canonicalizes the representation of unknown pointer symbols,
which reduces the overall confusion in pointer cast representation.
Patch by Vince Bridgers!
Differential Revision: https://reviews.llvm.org/D70836
|
This patch introduces the namespaces for the configured functions and
also enables the use of the member functions.
I added an optional Scope field for every configured function. Functions
without Scope match for every function regardless of the namespace.
Functions with Scope will match if the full name of the function starts
with the Scope.
Multiple functions can exist with the same name.
Differential Revision: https://reviews.llvm.org/D70878
|
Checkers should always account for unknown values.
Also use a slightly more high-level API that naturally avoids the problem.
|
Some AST nodes which stand for implicit initialization are shared. The analyzer
will do the same evaluation on the same nodes resulting in the same state. The
analyzer will "cache out", i.e. it thinks that it visited an already existing
node in the exploded graph. This is not true in this case and we lose coverage.
Since these nodes do not really require any processing from the analyzer
we just omit them from the CFG.
Differential Revision: https://reviews.llvm.org/D71371
|
conservative EvalCall
This patch introduced additional PointerEscape callbacks after conservative
calls for output parameters. This should not really affect the current
checkers but the upcoming FuchsiaHandleChecker relies on this heavily.
Differential Revision: https://reviews.llvm.org/D71224
|
The checker was trying to analyze the body of every method in Objective-C
@implementation clause but the synthesized accessor stubs that were introduced
into it by 2073dd2d have no bodies.
|
While analyzing code `memcmp(a, NULL, n);', where `a' has an unconstrained
symbolic value, the analyzer was emitting a warning about the *first* argument
being a null pointer, even though we'd rather have it warn about the *second*
argument.
This happens because CStringChecker first checks whether the two argument
buffers are in fact the same buffer, in order to take the fast path.
This boils down to assuming `a == NULL' to true. Then the subsequent check
for null pointer argument "discovers" that `a' is null.
Don't take the fast path unless we are *sure* that the buffers are the same.
Otherwise proceed as normal.
Differential Revision: https://reviews.llvm.org/D71322
|
Differential Revision: https://reviews.llvm.org/D71321
|
conjured value
Sometimes the return value of a comparison operator call is
`UnknownVal`. Since no assumptions can be made on `UnknownVal`,
this leads to keeping impossible execution paths in the
exploded graph resulting in poor performance and false
positives. To overcome this we replace unknown results of
iterator comparisons by conjured symbols.
Differential Revision: https://reviews.llvm.org/D70244
|
when printing the Program State
Debugging the Iterator Modeling checker or any of the iterator checkers
is difficult without being able to see the relations between the
iterator variables and their abstract positions, as well as the abstract
symbols denoting the begin and the end of the container.
This patch adds the checker-specific part of the Program State printing
to the Iterator Modeling checker.
|
It was a step in the right direction but it is not clear how this can
fit into the checker API at this point. The pre-escape happens in the
analyzer core and the checker has no control over it. If the checker
is not interested in a pre-escape it would need to do additional work
on each escape to check if the escaped symbol is originated from an
"uninteresting" pre-escaped memory region. In order to keep the
checker API simple we abandoned this solution for now.
We will reland this once we have a better answer for what to do on the
checker side.
This reverts commit f3a28202ef58551db15818f8f51afd21e0f3e231.
|
We want to escape all symbols that are stored into escaped regions.
The problem is, we did not know which local regions were escaped. Until now.
This should fix some false positives like the one in the tests.
Differential Revision: https://reviews.llvm.org/D71152
|
When implementation of the block runtime is available, we should not
warn that block layout fields are uninitialized simply because they're
on the stack.
|
Summary: Extend StreamChecker with a new evaluation function for API call 'freopen'.
Reviewers: NoQ, baloghadamsoftware, Szelethus, martong
Reviewed By: baloghadamsoftware, martong
Subscribers: martong, rnkovacs, dkrupp, Szelethus, gamesh411, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D69948
|
Fix a crash when constructing a body farm for accessors of a property
that is declared and @synthesize'd in different (but related) interfaces
with the explicit ivar syntax.
This is a follow-up for 0b58b80e.
|
This patch is the last of the series of patches which allow the user to
annotate their functions with taint propagation rules.
I implemented the use of the configured filtering functions. These
functions can remove taintedness from the symbols which are passed at
the specified arguments to the filters.
Differential Revision: https://reviews.llvm.org/D59516
|
Using an end iterator of an empty CFG block was causing
a garbage pointer dereference.
Differential Revision: https://reviews.llvm.org/D69962
|
Fix a canonicalization problem for the newly added property accessor stubs that
was causing a wrong decl to be used for 'self' in the accessor's body farm.
Fix a crash when constructing a body farm for accessors of a property
that is declared and @synthesize'd in different (but related) interfaces.
Differential Revision: https://reviews.llvm.org/D70158
|
Push the test separately ahead of time in order to find out whether
our Memory Sanitizer bots will be able to find the problem.
If not, I'll add a much more expensive test that repeats the current
test multiple times in order to show up on normal buildbots.
I really apologize for the potential temporary inconvenience!
I'll commit the fix as soon as I get the signal.
Differential Revision: https://reviews.llvm.org/D69962
|
iterator checker tests
The recently committed debug.IteratorDebugging checker enables
standalone white-box testing of the modelling of containers and
iterators. For the three checkers based on iterator modelling only
simple tests are needed.
Differential Revision: https://reviews.llvm.org/D70123
|
Summary: I agree with https://easyaspi314.github.io/gcc-vs-clang.html?fbclid=IwAR1VA0qxiWVUusOQUv5z7JESS7ZpeJy-UqAI5mnJscofGLqXcqeErIUB2gU, current warning message is not very good. We should try to improve it.
Reviewers: rsmith, aaron.ballman, easyaspi314
Reviewed By: aaron.ballman
Subscribers: arphaman, Quuxplusone, mehdi_amini, hiraditya, cfe-commits, llvm-commits
Tags: #clang, #llvm
Differential Revision: https://reviews.llvm.org/D69762
|
When bugreporter::trackExpressionValue() is invoked on a DeclRefExpr,
it tries to do most of its computations over the node in which
this DeclRefExpr is computed, rather than on the error node (or whatever node
is stuffed into it). One reason why we can't simply use the error node is
that the binding to that variable might have already disappeared from the state
by the time the bug is found.
In case of the inlined defensive checks visitor, the DeclRefExpr node
is in fact sometimes too *early*: the call in which the inlined defensive check
has happened might have not been entered yet.
Change the visitor to be fine with tracking dead symbols (which it is totally
capable of - the collapse point for the symbol is still well-defined), and fire
it up directly on the error node. Keep using "LVState" to find out which value
should we be tracking, so that there weren't any problems with accidentally
loading an ill-formed value from a dead variable.
Differential Revision: https://reviews.llvm.org/D67932
|
You can't really infer anything from that.
|
they are synthesized.
This patch is motivated by (and factored out from)
https://reviews.llvm.org/D66121 which is a debug info bugfix. Starting
with DWARF 5 all Objective-C methods are nested inside their
containing type, and that patch implements this for synthesized
Objective-C properties.
1. SemaObjCProperty populates a list of synthesized accessors that may
need to be inserted into an ObjCImplDecl.
2. SemaDeclObjC::ActOnEnd inserts forward-declarations for all
accessors for which no override was provided into their
ObjCImplDecl. This patch does *not* synthesize AST function
*bodies*. Moving that code from the static analyzer into Sema may
be a good idea though.
3. Places that expect all methods to have bodies have been updated.
I did not update the static analyzer's inliner for synthesized
properties to point back to the property declaration (see
test/Analysis/Inputs/expected-plists/nullability-notes.m.plist), which
I believed to be more bug than a feature.
Differential Revision: https://reviews.llvm.org/D68108
rdar://problem/53782400
|
For white-box testing correct container and iterator modelling it is essential
to access the internal data structures stored for container and iterators. This
patch introduces a simple debug checker called debug.IteratorDebugging to
achieve this.
Differential Revision: https://reviews.llvm.org/D67156
|
Namely, for the following items:
- Handle constructors within new[];
- Handle constructors for default arguments.
Update the open projects page with a link to the newly added tests
and more hints for potential contributors.
Patch by Daniel Krupp!
Differential Revision: https://reviews.llvm.org/D69308
|
- Fix false positive reports of strlcat.
- The return value of strlcat and strlcpy is now correctly calculated.
- The resulting string length of strlcat and strlcpy is now correctly
calculated.
Patch by Daniel Krupp!
Differential Revision: https://reviews.llvm.org/D66049
|
This reverts commit 0aba69eb1a01c44185009f50cc633e3c648e9950 with
subsequent changes to test files.
It caused test failures on GreenDragon, e.g.,
http://green.lab.llvm.org/green/job/clang-stage1-cmake-RA-incremental/
|
Let's at least get some coverage from these tests. We can generalize to
other platforms later.
|
This is a fix to 0aba69eb1a01c44185009f50cc633e3c648e9950 to
address failing bots.
|
The static analyzer's scan-build script is critical infrastructure but
is not well tested. To start to address this, add a new test directory under
tests/Analysis for scan-build lit tests and seed it with several tests. The
goal is that future scan-build changes will be accompanied by corresponding
tests.
Differential Revision: https://reviews.llvm.org/D69781
|
Summary:
Recognition of function names is now done with the CallDescription
class instead of using IdentifierInfo. This means function name and
argument count are compared too.
A new check for filtering not global-C-functions was added.
Test was updated.
Reviewers: Szelethus, NoQ, baloghadamsoftware, Charusso
Reviewed By: Szelethus, NoQ, Charusso
Subscribers: rnkovacs, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, donat.nagy, Charusso, dkrupp, Szelethus, gamesh411, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D67706
|
Member operator declarations and member operator expressions
have different numbering of parameters and arguments respectively:
one of them includes "this", the other does not.
Account for this inconsistency when figuring out whether
the parameter needs to be manually rebound from the Environment
to the Store when entering a stack frame of an operator call,
as opposed to being constructed with a constructor and as such
already having the necessary Store bindings.
Differential Revision: https://reviews.llvm.org/D69155
|
Patch by Kristóf Umann!
Differential Revision: https://reviews.llvm.org/D68591
llvm-svn: 375329
|
'self' was previously never tracked, but now it can be tracked
because it may be part of a condition.
llvm-svn: 375328
|
Makes life easier for downstream developers with a different default standard.
llvm-svn: 375308
|
They're not stable across machines.
Fixes buildbots after r375278.
llvm-svn: 375286
|