• Home
  • History
  • Annotate
  • only in /external/clang/lib/StaticAnalyzer/Core/
History log of /external/clang/lib/StaticAnalyzer/Core/
Revision Date Author Comments (<<< Hide modified files) (Show modified files >>>)
ef8225444452a1486bd721f3285301fe84643b00 21-Jul-2014 Stephen Hines <srhines@google.com> Update Clang for rebase to r212749.

This also fixes a small issue with arm_neon.h not being generated always.

Includes a cherry-pick of:
r213450 - fixes mac-specific header issue
r213126 - removes a default -Bsymbolic on Android

Change-Id: I2a790a0f5d3b2aab11de596fc3a74e7cbc99081d
nalyzerOptions.cpp
ugReporter.cpp
ugReporterVisitors.cpp
allEvent.cpp
oreEngine.cpp
nvironment.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
6bcf27bb9a4b5c3f79cb44c0e4654a6d7619ad89 29-May-2014 Stephen Hines <srhines@google.com> Update Clang for 3.5 rebase (r209713).

Change-Id: I8c9133b0f8f776dc915f270b60f94962e771bc83
nalyzerOptions.cpp
asicValueFactory.cpp
ugReporter.cpp
ugReporterVisitors.cpp
allEvent.cpp
heckerManager.cpp
heckerRegistry.cpp
oreEngine.cpp
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
Vals.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
tore.cpp
ymbolManager.cpp
651f13cea278ec967336033dd032faef0e9fc2ec 24-Apr-2014 Stephen Hines <srhines@google.com> Updated to Clang 3.5a.

Change-Id: I8127eb568f674c2e72635b639a3295381fe8af82
nalyzerOptions.cpp
asicValueFactory.cpp
lockCounter.cpp
ugReporter.cpp
ugReporterVisitors.cpp
MakeLists.txt
allEvent.cpp
hecker.cpp
heckerRegistry.cpp
oreEngine.cpp
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
rettyStackTraceLocationContext.h
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
ValBuilder.cpp
impleConstraintManager.h
impleSValBuilder.cpp
ymbolManager.cpp
229d345dd5a73ef6ba75d1d730ecf96e8dc9ecec 08-Feb-2014 Stephen Hines <srhines@google.com> Update clang for merge to LLVM 3.4.

Update TableGen rules:
- AttrExprArgs
+ AttrIdentifierArg
+ AttrParsedAttrImpl
+ AttrTypeArg

Update config.h files.

Adjust Android.mk for added/removed files:

+ TransProtectedScope.cpp

- DumpXML.cpp

+ Consumed.cpp

+ CodeGenABITypes.cpp

+ SanitizerArgs.cpp

+ AllocationDiagnostics.cpp
- CommonBugCategories.cpp
+ IdenticalExprChecker.cpp

+ CommonBugCategories.cpp
- SymbolManager.cpp
- TextPathDiagnostics.cpp
+ SymbolManager.cpp

Change-Id: I73bea10e7e73e611f678bc5bf9935e26da63be17
ndroid.mk
1fab7c3e3bd97a909a80b1bfea1909c6e7347fc0 12-Feb-2014 Stephen Hines <srhines@google.com> Merge remote-tracking branch 'upstream/release_34' into merge-20140211

Conflicts:
lib/Basic/Targets.cpp
lib/Sema/SemaDeclAttr.cpp

Change-Id: I17ca7161f32007272ee82036d237d051847dd02e
dd9e9cec6f863afa15dd91b34fbf15c66c678c02 09-Dec-2013 Bill Wendling <isanbard@gmail.com> Merging r196593:
------------------------------------------------------------------------
r196593 | zaks | 2013-12-06 10:56:29 -0800 (Fri, 06 Dec 2013) | 7 lines

Revert "[analyzer] Refactor conditional expression evaluating code"

This reverts commit r189090.

The original patch introduced regressions (see the added live-variables.* tests). The patch depends on the correctness of live variable analyses, which are not computed correctly. I've opened PR18159 to track the proper resolution to this problem.

The patch was a stepping block to r189746. This is why part of the patch reverts temporary destructor tests that started crashing. The temporary destructors feature is disabled by default.
------------------------------------------------------------------------


git-svn-id: https://llvm.org/svn/llvm-project/cfe/branches/release_34@196795 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
3eb52bb5d791630f926ff2226dae25012315ad9a 20-Nov-2013 Bill Wendling <isanbard@gmail.com> Merging r195174:
------------------------------------------------------------------------
r195174 | zaks | 2013-11-19 16:11:42 -0800 (Tue, 19 Nov 2013) | 1 line

[analyzer] Fix an infinite recursion in region invalidation by adding block count to the BlockDataRegion.
------------------------------------------------------------------------


git-svn-id: https://llvm.org/svn/llvm-project/cfe/branches/release_34@195228 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
emRegion.cpp
ValBuilder.cpp
fda9dbf1f4d15baaedffdd4b4bb529e06172f73d 15-Nov-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Silence warnings coming from allocators used by std::basic_string.

This is similar to r194004: because we can't reason about the data structure
invariants of std::basic_string, the analyzer decides it's possible for an
allocator to be used to deallocate the string's inline storage. Just ignore
this by walking up the stack, skipping past methods in classes with
"allocator" in the name, and seeing if we reach std::basic_string that way.

PR17866

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194764 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
d0e5f6a39e4fb30b3a217ae91aecc167a94022e6 15-Nov-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Include bug column numbers in HTML output (in a comment).

This has no effect on user-visible output, but can be used by post-processing
tools that work with the generated HTML, rather than using CmpRuns.py's
interface to work with plists.

Patch by György Orbán!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194763 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
64cc0c37f78719f905029a9099445c214cb40ce3 08-Nov-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Specialize "loop executed 0 times" for for-in and for-range loops.

The path note that says "Loop body executed 0 times" has been changed to
"Loop body skipped when range is empty" for C++11 for-range loops, and to
"Loop body skipped when collection is empty" for Objective-C for-in loops.

Part of <rdar://problem/14992886>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194234 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
bdc0bf3f84b8771572d8401c66903c56a2e1318e 04-Nov-2013 Anna Zaks <ganna@apple.com> [analyzer] Suppress warnings coming out of std::basic_string.

The analyzer cannot reason about the internal invariances of the data structure (radar://15194597).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194004 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
2a648169f9ad854536814515cba1780fd02586d2 31-Oct-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash when a path goes through a 'delete' destructor call.

This was just left unimplemnted from r191381; the fix is to report this call
location as the location of the 'delete' expr.

PR17746

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@193783 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
8686d857c5461d56852154bafc05644890a0eee0 26-Oct-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't emit an "Assuming x is <OP> y" if it's not a comparison op.

We could certainly be more precise in many of our diagnostics, but before we
were printing "Assuming x is && y", which is just ridiculous.

<rdar://problem/15167979>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@193455 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
1dc31f5ead63d7197edf6f34a7821b93ea6698a1 23-Oct-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Generate a LazyCompoundVal when loading from a union-typed region.

This ensures that variables accessible through a union are invalidated when
the union value is passed to a function. We still don't fully handle union
values, but this should at least quiet some false positives.

PR16596

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@193265 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
d3d0dcfbf784c828c2f07384fd6a3401b0cd4e9e 16-Oct-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't draw edges to C++11 in-class member initializers.

Since these aren't lexically in the constructor, drawing arrows would
be a horrible jump across the body of the class. We could still do
better here by skipping over unimportant initializers, but this at least
keeps everything within the body of the constructor.

<rdar://problem/14960554>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@192818 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
31b71f3097a338315a144067dde5b160c4e44fc9 07-Oct-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] ArrayRef-ize BugReporter::EmitBasicReport.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@192114 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
edcc199f5861dd8ad1ec3ad1b83512d2a92e515a 04-Oct-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Replace bug category magic strings with shared constants, take 2.

Re-commit r191910 (reverted in r191936) with layering violation fixed, by
moving the bug categories to StaticAnalyzerCore instead of ...Checkers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191937 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
MakeLists.txt
ommonBugCategories.cpp
9b072b31ee2f41b8e30d1d22142c9ab72ac5ff1f 28-Sep-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Make inlining decisions based on the callee being variadic.

...rather than trying to figure it out from the call site, and having
people complain that we guessed wrong and that a prototype-less call is
the same as a variadic call on their system. More importantly, fix a
crash when there's no decl at the call site (though we could have just
returned a default value).

<rdar://problem/15037033>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191599 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
d7c47d94a55a03aeea14d411768e5593f50445da 27-Sep-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Allow pre/post-statement checkers for UnaryOperator.

Found by Arthur Yoo.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191532 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
81557223ba8d7ef8b0468a6e1dc8fc79f2de46f2 25-Sep-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle destructors for the argument to C++ 'delete'.

Now that the CFG includes nodes for the destructors in a delete-expression,
process them in the analyzer using the same common destructor interface
currently used for local, member, and base destructors. Also, check for when
the value is known to be null, in which case no destructor is actually run.

This does not yet handle destructors for deleted /arrays/, which may need
more CFG work. It also causes a slight regression in the location of
double delete warnings; the double delete is detected at the destructor
call, which is implicit, and so is reported on the first access within the
destructor instead of at the 'delete' statement. This will be fixed soon.

Patch by Karthik Bhat!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191381 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
xprEngineCXX.cpp
eac8c45f0d6528a21e68bf2651c3082d8e44132e 25-Sep-2013 NAKAMURA Takumi <geek4civic@gmail.com> StaticAnalyzer/Core/RegionStore.cpp: Prune one last "\param IsConst", as fixup to r191342. [-Wdocumentation]

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191360 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
da8d37ce42d2db4e1e76ee6f7f38f10f6b0ef0f8 25-Sep-2013 Anton Yartsev <anton.yartsev@gmail.com> [analyzer] This patch removes passing around of const-invalidation vs regular-invalidation info by passing around a datastructure that maps regions and symbols to the type of invalidation they experience. This simplifies the code and would allow to associate more different invalidation types in the future.
With this patch things like preserving contents of regions (either hi- or low-level ones) or processing of the only top-level region can be implemented easily without passing around extra parameters.

This patch is a first step towards adequate modeling of memcpy() by the CStringChecker checker and towards eliminating of majority of false-positives produced by the NewDeleteLeaks checker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191342 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngine.cpp
emRegion.cpp
rogramState.cpp
egionStore.cpp
7c98f9f5c3202a0b11eda7f30b4edd8cb4d1139c 20-Sep-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use getParentIgnoreParenCasts instead of doing it by hand.

Apart from being more compact and already implemented, this also handles the
case where the parent is null. (It does also ignore all casts, not just
implicit ones, but this is more efficient to test and in the case we care
about---a message in a PseudoObjectExpr---there should only be implicit casts
anyway.

This should fix our internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191094 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
d76cec5567cb5b04cb5cc48a477a0c71b910053c 18-Sep-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't even try to convert floats to booleans for now.

We now have symbols with floating-point type to make sure that
(double)x == (double)x comes out true, but we still can't do much with
these. For now, don't even bother trying to create a floating-point zero
value; just give up on conversion to bool.

PR14634, C++ edition.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190953 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
414a1bdbdaf250e0488589f12865c8961831b65d 18-Sep-2013 Hal Finkel <hfinkel@anl.gov> Add the intrinsic __builtin_convertvector

LLVM supports applying conversion instructions to vectors of the same number of
elements (fptrunc, fptosi, etc.) but there had been no way for a Clang user to
cause such instructions to be generated when using builtin vector types.

C-style casting on vectors is already defined in terms of bitcasts, and so
cannot be used for these conversions as well (without leading to a very
confusing set of semantics). As a result, this adds a __builtin_convertvector
intrinsic (patterned after the OpenCL __builtin_astype intrinsic). This is
intended to aid the creation of vector intrinsic headers that create generic IR
instead of target-dependent intrinsics (in other words, this is a generic
_mm_cvtepi32_ps). As noted in the documentation, the action of
__builtin_convertvector is defined in terms of the action of a C-style cast on
each vector element.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190915 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
de940da033aa46c50c7d07c61f455e7c5053e90a 17-Sep-2013 Anna Zaks <ganna@apple.com> [analyzer] More reliably detect property accessors.

This has a side effect of preventing a crash, which occurs because we get a
property getter declaration, which is overriding but is declared inside
@protocol. Will file a bug about this inconsistency internally. Getting a
small test case is very challenging.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190836 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
c07cad8364e7fb0e8cb0d5181edb7db718271b65 13-Sep-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Run post-stmt checks for DeclStmt.

No tests because no in-tree checkers use this, but that shouldn't stop
out-of-tree checkers.

Found by Aemon Cannon!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190650 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
d8dfae602d7b2e42b0eef6b1e7779c96833f83c1 11-Sep-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle zeroing constructors for fields of structs with empty bases.

RegionStore tries to protect against accidentally initializing the same
region twice, but it doesn't take subregions into account very well. If
the outer region being initialized is a struct with an empty base class,
the offset of the first field in the struct will be 0. When we initialize
the base class, we may invalidate the contents of the struct by providing
a default value of Unknown (or some new symbol). We then go to initialize
the member with a zeroing constructor, only to find that the region at
that offset in the struct already has a value. The best we can do here is
to invalidate that value and continue; neither the old default value nor
the new 0 is correct for the entire struct after the member constructor call.

The correct solution for this is to track region extents in the store.

<rdar://problem/14914316>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190530 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
36d558d85653315edb389677e995ec9ccdbfbf3d 03-Sep-2013 Jordan Rose <jordan_rose@apple.com> Add an implicit dtor CFG node just before C++ 'delete' expressions.

This paves the way for adding support for modeling the destructor of a
region before it is deleted. The statement "delete <expr>" now generates
this series of CFG elements:

1. <expr>
2. [B1.1]->~Foo() (Implicit destructor)
3. delete [B1.1]

Patch by Karthik Bhat!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189828 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
athDiagnostic.cpp
95ab9e306f4deefeabd89ea61987f4a8d67e0890 02-Sep-2013 Pavel Labath <labath@google.com> [analyzer] Add very limited support for temporary destructors

This is an improved version of r186498. It enables ExprEngine to reason about
temporary object destructors. However, these destructor calls are never
inlined, since this feature is still broken. Still, this is sufficient to
properly handle noreturn temporary destructors.

Now, the analyzer correctly handles expressions like "a || A()", and executes the
destructor of "A" only on the paths where "a" evaluted to false.

Temporary destructor processing is still off by default and one has to
explicitly request it by setting cfg-temporary-dtors=true.

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1259

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189746 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
bf3d71e85f7449161a414c2ec3410e60394bf38a 30-Aug-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat the rvalue of a forward-declared struct as Unknown.

This will never happen in the analyzed code code, but can happen for checkers
that over-eagerly dereference pointers without checking that it's safe.
UnknownVal is a harmless enough value to get back.

Fixes an issue added in r189590, caught by our internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189688 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
3c114f704a882f6923d6107f22aab89ba3d0a6b5 29-Aug-2013 Pavel Labath <labath@google.com> [analyzer] Fix handling of "empty" structs with base classes

Summary:
RegionStoreManager had an optimization which replaces references to empty
structs with UnknownVal. Unfortunately, this check didn't take into account
possible field members in base classes.

To address this, I changed this test to "is empty and has no base classes". I
don't consider it worth the trouble to go through base classes and check if all
of them are empty.

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1547

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189590 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
3aa6f431897edf5fec32cbede8fcddbfb8fa16f7 28-Aug-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Add support for testing the presence of weak functions.

When casting the address of a FunctionTextRegion to bool, or when adding
constraints to such an address, use a stand-in symbol to represent the
presence or absence of the function if the function is weakly linked.
This is groundwork for possible simple availability testing checks, and
can already catch mistakes involving inverted null checks for
weakly-linked functions.

Currently, the implementation reuses the "extent" symbols, originally created
for tracking the size of a malloc region. Since FunctionTextRegions cannot
be dereferenced, the extent symbol will never be used for anything else.
Still, this probably deserves a refactoring in the future.

This patch does not attempt to support testing the presence of weak
/variables/ (global variables), which would likely require much more of
a change and a generalization of "region structure metadata", like the
current "extents", vs. "region contents metadata", like CStringChecker's
"string length".

Patch by Richard <tarka.t.otter@googlemail.com>!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189492 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleConstraintManager.cpp
impleConstraintManager.h
impleSValBuilder.cpp
ymbolManager.cpp
f18bfd44c4fe4ab28c44eecb7aeed618bcf8f627 28-Aug-2013 Pavel Labath <labath@google.com> [analyzer] Assume new returns non-null even under -fno-exceptions

Summary:
-fno-exceptions does not implicitly attach a nothrow specifier to every operator
new. Even in this mode, non-nothrow new must not return a null pointer. Failure
to allocate memory can be signalled by other means, or just by killing the
program. This behaviour is consistent with the compiler - even with
-fno-exceptions, the generated code never tests for null (and would segfault if
the opeator actually happened to return null).

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1528

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189452 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
344472ebeded2fca2ed5013b9e87f81d09bfa908 23-Aug-2013 Robert Wilhelm <robert.wilhelm@gmx.net> Use pop_back_val() instead of both back() and pop_back().
No functionality change intended.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189112 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
athDiagnostic.cpp
listDiagnostics.cpp
ymbolManager.cpp
6a556a42d48cc098fb8dcb5d4ecdd0e03e32c0ec 23-Aug-2013 Pavel Labath <labath@google.com> [analyzer] Refactor conditional expression evaluating code

Summary:
Instead of digging through the ExplodedGraph, to figure out which edge brought
us here, I compute the value of conditional expression by looking at the
sub-expression values.

To do this, I needed to change the liveness algorithm a bit -- now, the full
conditional expression also depends on all atomic sub-expressions, not only the
outermost ones.

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1340

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189090 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
24146975f1af8c1b4b14e8545f218129d0e7dfeb 22-Aug-2013 Eli Friedman <eli.friedman@gmail.com> Split isFromMainFile into two functions.

Basically, isInMainFile considers line markers, and isWrittenInMainFile
doesn't. Distinguishing between the two is useful when dealing with
files which are preprocessed files or rewritten with -frewrite-includes
(so we don't, for example, print useless warnings).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188968 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
allEvent.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
d207f55cd58054aab77edca35b3e7f645738dfe2 19-Aug-2013 Pavel Labath <labath@google.com> [analyzer] Fix inefficiency in dead symbol removal

Summary:
ScanReachableSymbols uses a "visited" set to avoid scanning the same object
twice. However, it did not use the optimization for LazyCompoundVal objects,
which resulted in exponential complexity for long chains of temporary objects.
Adding this resulted in a decrease of analysis time from >3h to 3 seconds for
some files.

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1398

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188677 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
e9a906b99286b44dcf5eb896f17df74d588e4ce9 16-Aug-2013 Benjamin Kramer <benny.kra@googlemail.com> Replace some DenseMap keys with simpler structures that don't need another DenseMapInfo specialization.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188580 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
5fba5a789a238c29ef811a39a39be722443ec1b1 16-Aug-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Merge TextPathDiagnostics and ClangDiagPathDiagConsumer.

This once again restores notes to following their associated warnings
in -analyzer-output=text mode. (This is still only intended for use as a
debugging aid.)

One twist is that the warning locations in "regular" analysis output modes
(plist, multi-file-plist, html, and plist-html) are reported at a different
location on the command line than in the output file, since the command
line has no path context. This commit makes -analyzer-output=text behave
like a normal output format, which means that the *command line output
will be different* in -analyzer-text mode. Again, since -analyzer-text is
a debugging aid and lo-fi stand-in for a regular output mode, this change
makes sense.

Along the way, remove a few pieces of stale code related to the path
diagnostic consumers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188514 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
listDiagnostics.cpp
extPathDiagnostics.cpp
6ebe9df900b79fd56a4db03b4f8aa6a180307a9d 09-Aug-2013 Pavel Labath <labath@google.com> [analyzer] Enable usage of temporaries in InitListExprs

Summary:
ExprEngine had code which specificaly disabled using CXXTempObjectRegions in
InitListExprs. This was a hack put in r168757 to silence a false positive.

The underlying problem seems to have been fixed in the mean time, as removing
this code doesn't seem to break anything. Therefore I propose to remove it and
solve PR16629 in the process.

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1325

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188059 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
4ac73c7514f9e836b4d9781738f333c5cb91cb63 08-Aug-2013 Stephen Hines <srhines@google.com> Merge commit '51e75aecf4fb303b91c9e54fd88e3509e5acc7a6' into merge-20130807

Conflicts:
lib/Basic/Targets.cpp
lib/Sema/SemaDeclAttr.cpp

Change-Id: If457223ecbee9e43c73d15333bf10d36590d05c4
edc45d5a91f83d1135bc218f3c377e347ab0251f 05-Aug-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Clarify that r187624 is a hack and should be fixed better later.

Tracked by <rdar://problem/14648821>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187729 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
cd007b18ba218925923a82ad4462fecf903f4a93 02-Aug-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Silently drop all reports within synthesized bodies.

Much of our diagnostic machinery is set up to assume that the report
end path location is valid. Moreover, the user may be quite confused
when something goes wrong in our BodyFarm-synthesized function bodies,
which may be simplified or modified from the real implementations.
Rather than try to make this all work somehow, just drop the report so
that we don't try to go on with an invalid source location.

Note that we still handle reports whose /paths/ go through invalid
locations, just not those that are reported in one.

We do have to be careful not to lose warnings because of this.
The impetus for this change was an autorelease being processed within
the synthesized body, and there may be other possible issues that are
worth reporting in some way. We'll take these as they come, however.

<rdar://problem/14611722>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187624 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b6d0f4c8dd162b019681b60d06f7ad33500f4146 27-Jul-2013 Aaron Ballman <aaron@aaronballman.com> Using the function pointer instead of the function type; this allows us to re-enable a warning in MSVC by default.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187292 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
76b5dd48c9dbf2ed3e5830060ea55b81b7d1cca0 26-Jul-2013 Pavel Labath <labath@google.com> [analyzer] Fix FP warnings when binding a temporary to a local static variable

Summary:
When binding a temporary object to a static local variable, the analyzer would
complain about a dangling reference even though the temporary's lifetime should
be extended past the end of the function. This commit tries to detect these
cases and construct them in a global memory region instead of a local one.

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1133

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187196 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
emRegion.cpp
b2c405eb22b2b4844ded1f865675329c2d9793ed 26-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove dead optimization for MaterializeTemporaryExpr.

Previously, we tried to avoid creating new temporary object regions if
the value to be materialized itself came from a temporary object region.
However, once we became more strict about lvalues vs. rvalues (months
ago), this optimization became dead code, because the input to this
function will always be an rvalue (i.e. a symbolic value or compound
value rather than a region, at least for structs).

This would be a nice optimization to keep, but removing it makes it
simpler to reason about temporary regions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187160 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
0aaa57d19c23165d5e422c706084799d97eabe97 25-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Weaken assertion to account for pointer-to-integer casts.

PR16690

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187132 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
fee16225a103ee1459af4f3ecb89fa2804e81ac3 23-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Enable pseudo-destructor expressions.

These are cases where a scalar type is "destructed", usually due to
template instantiation (e.g. "obj.~T()", where 'T' is 'int'). This has
no actual effect and the analyzer should just skip over it.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186927 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
9815ec0a00fe04db92e51a4160fc905f6cd48f30 23-Jul-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Add very limited support for temporary destructors"

The analyzer doesn't currently expect CFG blocks with terminators to be
empty, but this can happen when generating conditional destructors for
a complex logical expression, such as (a && (b || Temp{})). Moreover,
the branch conditions for these expressions are not persisted in the
state. Even for handling noreturn destructors this needs more work.

This reverts r186498.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186925 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
4fa7eab771ab8212e1058bd1a91061ff120c8fbb 19-Jul-2013 Alexey Bataev <a.bataev@hotmail.com> OpenMP: basic support for #pragma omp parallel


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186647 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
ac7cc2d37e82181e73fcc265c1d0a619d18b7605 19-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Include analysis stack in crash traces.

Sample output:

0. Program arguments: ...
1. <eof> parser at end of file
2. While analyzing stack:
#0 void inlined()
#1 void test()
3. crash-trace.c:6:3: Error evaluating statement

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186639 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
rettyStackTraceLocationContext.h
bccda13aa3fc2a4c674a8c0a7003a7e6b1ff17b0 17-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle C++11 member initializer expressions.

Previously, we would simply abort the path when we saw a default member
initialization; now, we actually attempt to evaluate it. Like default
arguments, the contents of these expressions are not actually part of the
current function, so we fall back to constant evaluation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186521 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
df70700f5aa5744d7f70fb3e6610ff434f643a71 17-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle C string default values for const char * arguments.

Previously, SValBuilder knew how to evaluate StringLiterals, but couldn't
handle an array-to-pointer decay for constant values. Additionally,
RegionStore was being too strict about loading from an array, refusing to
return a 'char' value from a 'const char' array. Both of these have been
fixed.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186520 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ValBuilder.cpp
be2e1b11e3350e3a6e632c71beaab83aae3824d2 17-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat std::initializer_list as opaque rather than aborting.

Previously, the use of a std::initializer_list (actually, a
CXXStdInitializerListExpr) would cause the analyzer to give up on the rest
of the path. Now, it just uses an opaque symbolic value for the
initializer_list and continues on.

At some point in the future we can add proper support for initializer_list,
with access to the elements in the InitListExpr.

<rdar://problem/14340207>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186519 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
046e79a425bfa82b480b8a07ce11d96391fa0a9b 17-Jul-2013 Pavel Labath <labath@google.com> [analyzer] Add very limited support for temporary destructors

Summary:
This patch enables ExprEndgine to reason about temporary object destructors.
However, these destructor calls are never inlined, since this feature is still
broken. Still, this is sufficient to properly handle noreturn temporary
destructors and close bug #15599. I have also enabled the cfg-temporary-dtors
analyzer option by default.

Reviewers: jordan_rose

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1131

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186498 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
0a9350f2411926f4faaeb2ce7d7a9bc1f27751e9 16-Jul-2013 Craig Topper <craig.topper@gmail.com> Fix formatting. No functional change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186437 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
6afc66dc25f9b28d129f8bc842d43af0b0c71196 16-Jul-2013 Craig Topper <craig.topper@gmail.com> Add 'const' qualifiers to static const char* variables.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186383 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8f6134c308951a72642eebb65a44408ea1e237a8 10-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove bogus assert: in C++11, 'new' can do list-initialization.

Previously, we asserted that whenever 'new' did not include a constructor
call, the type must be a non-record type. In C++11, however, uniform
initialization syntax (braces) allow 'new' to construct records with
list-initialization: "new Point{1, 2}".

Removing this assertion should be perfectly safe; the code here matches
what VisitDeclStmt does for regions allocated on the stack.

<rdar://problem/14403437>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186028 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
e600d4be7d01661ab7601f9ef9c4d3236c377385 09-Jul-2013 Anna Zaks <ganna@apple.com> [analyzer] Fixup for r185609: actually do suppress warnings coming out of std::list.

list is the name of a class, not a namespace. Change the test as well - the previous
version did not test properly.

Fixes radar://14317928.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185898 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
70e7aeccbf5856a84f81366c6c1a0c0c01e70063 05-Jul-2013 Rafael Espindola <rafael.espindola@gmail.com> Use llvm::sys::fs::createUniqueFile.

Include a test that clang now produces output files with permissions matching
the umask.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185727 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
38d7c34f75eed2089802e209fb29bc2dfbf1b7a7 05-Jul-2013 Rafael Espindola <rafael.espindola@gmail.com> Fix PR16547.

We should not be asking unique_file to prepend the system temporary directory
when creating the html report. Unfortunately I don't think we can test this
with the current infrastructure since unique_file ignores MakeAbsolute if the
directory is already absolute and the paths provided by lit are.

I will take a quick look at making this api a bit less error prone.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185707 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
09d19efaa147762f84aed55efa7930bb3616a4e5 04-Jul-2013 Craig Topper <craig.topper@gmail.com> Use SmallVectorImpl instead of SmallVector for iterators and references to avoid specifying the vector size unnecessarily.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185610 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8b625a3f7764959d0a2ac3cd860ce1e168e0fc9b 04-Jul-2013 Anna Zaks <ganna@apple.com> [analyzer] Suppress reports reported in std::list

The motivation is to suppresses false use-after-free reports that occur when calling
std::list::pop_front() or std::list::pop_back() twice. The analyzer does not
reason about the internal invariants of the list implementation, so just do not report
any of warnings in std::list.

Fixes radar://14317928.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185609 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
7f79b78351af03a392ee16d8ec557d47746c33c6 04-Jul-2013 Anna Zaks <ganna@apple.com> [analyzer] Make sure that inlined defensive checks work on div by zero.

This suppresses a false positive in std::hash_map.
Fixes radar://14255587.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185608 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
330231537010ab1d77affcbcaffd4bbe358b4cfa 02-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Pointers-to-members are (currently) Locs, not NonLocs.

While we don't model pointers-to-members besides "null" and "non-null",
we were using Loc symbols for valid pointers and NonLoc integers for the
null case. This hit the assert committed in r185401.

Fixed by using a true (Loc) null for null member pointers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185444 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
ed2e2de580f840385f25a188ed48d2a14948af76 02-Jul-2013 Pavel Labath <labath@google.com> Teach static analyzer about AttributedStmts

Summary:
Static analyzer used to abort when encountering AttributedStmts, because it
asserted that the statements should not appear in the CFG. This is however not
the case, since at least the clang::fallthrough annotation makes it through.

This commit simply makes the analyzer ignore the statement attributes.

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1030

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185417 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
f4af9d37510320f5d9b415020440926528900eef 02-Jul-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Explicitly disallow mixed Loc-NonLoc comparisons.

The one bit of code that was using this is gone, and neither C nor C++
actually allows this. Add an assertion and remove dead code.

Found by Matthew Dempsky!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185401 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
be35df19cf9540c03048942ecafc6811643073ec 25-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle zeroing CXXConstructExprs.

Re-apply r184511, reverted in r184561, with the trivial default constructor
fast path removed -- it turned out not to be necessary here.

Certain expressions can cause a constructor invocation to zero-initialize
its object even if the constructor itself does no initialization. The
analyzer now handles that before evaluating the call to the constructor,
using the same "default binding" mechanism that calloc() uses, rather
than simply ignoring the zero-initialization flag.

<rdar://problem/14212563>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184815 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
1fc9111d85c3929018cd5c85dd14f3dbb5d23d68 25-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't initialize virtual base classes more than once.

In order to make sure virtual base classes are always initialized once,
the AST contains initializers for the base class in /all/ of its
descendents, not just the immediate descendents. However, at runtime,
the most-derived object is responsible for initializing all the virtual
base classes; all the other initializers will be ignored.

The analyzer now checks to see if it's being called from another base
constructor, and if so does not perform virtual base initialization.

<rdar://problem/14236851>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184814 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
053c88bd93e6b2f4e498fd835155f955127d3489 21-Jun-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Handle zeroing CXXConstructExprs."

Per review from Anna, this really should have been two commits, and besides
it's causing problems on our internal buildbot. Reverting until these have
been worked out.

This reverts r184511 / 98123284826bb4ce422775563ff1a01580ec5766.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184561 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
98123284826bb4ce422775563ff1a01580ec5766 21-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle zeroing CXXConstructExprs.

Certain expressions can cause a constructor invocation to zero-initialize
its object even if the constructor itself does no initialization. The
analyzer now handles that before evaluating the call to the constructor,
using the same "default binding" mechanism that calloc() uses, rather
than simply ignoring the zero-initialization flag.

As a bonus, trivial default constructors are now no longer inlined; they
are instead processed explicitly by ExprEngine. This has a (positive)
effect on the generated path edges: they no longer stop at a default
constructor call unless there's a user-provided implementation.

<rdar://problem/14212563>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184511 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
9122025df6682a29ba4bdfc4330d2caebb8ea4de 20-Jun-2013 Pavel Labath <labath@google.com> Fix static analyzer crash when casting from an incomplete type

Summary:
When doing a reinterpret+dynamic cast from an incomplete type, the analyzer
would crash (bug #16308). This fix makes the dynamic cast evaluator ignore
incomplete types, as they can never be used in a dynamic_cast. Also adding a
regression test.

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1006

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184403 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
37926da411d5a0047240b3ffd4dad0c4838aac57 19-Jun-2013 Pavel Labath <labath@google.com> Fix a crash in the static analyzer (bug #16307)

Summary:
When processing a call to a function, which got passed less arguments than it
expects, the analyzer would crash.

I've also added a test for that and a analyzer warning which detects these
cases.

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D994

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184288 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
bd34520a8c4fe689cca8afaa8114e50bd6bad8f8 19-Jun-2013 Anna Zaks <ganna@apple.com> [analyzer] Do not create a CompoundVal for lvalue InitListExprs.

These should be treated like scalars. This fixes a crash reported in radar://14164698.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184257 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
cff15128c6c089bd6fae841b80680e6f5afbf0bf 17-Jun-2013 Reid Kleckner <reid@kleckner.net> [AST] Don't include RecursiveASTVisitor.h in ASTContext.h

The untemplated implementation of getParents() doesn't need to be in a
header file.

RecursiveASTVisitor.h is full of repeated macro expansion. Moving this
include to ASTContext.cpp speeds up compilation of
LambdaMangleContext.cpp, a small C++ file with few includes, from 3.7s
to 2.8s for me locally. I haven't measured a full build, but it can't
hurt.

I had to fix a few static analyzer files that were depending on
transitive includes of C++ AST headers.

Reviewers: rsmith, klimek

Differential Revision: http://llvm-reviews.chandlerc.com/D982

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184075 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
7c3e615f01e8f9f587315800fdaf2305ed824568 13-Jun-2013 Richard Smith <richard-llvm@metafoo.co.uk> PR12086, PR15117

Introduce CXXStdInitializerListExpr node, representing the implicit
construction of a std::initializer_list<T> object from its underlying array.
The AST representation of such an expression goes from an InitListExpr with a
flag set, to a CXXStdInitializerListExpr containing a MaterializeTemporaryExpr
containing an InitListExpr (possibly wrapped in a CXXBindTemporaryExpr).

This more detailed representation has several advantages, the most important of
which is that the new MaterializeTemporaryExpr allows us to directly model
lifetime extension of the underlying temporary array. Using that, this patch
*drastically* simplifies the IR generation of this construct, provides IR
generation support for nested global initializer_list objects, fixes several
bugs where the destructors for the underlying array would accidentally not get
invoked, and provides constant expression evaluation support for
std::initializer_list objects.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183872 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
2049840b0ffe8ee4bf39051cfa8ca08440c8f667 12-Jun-2013 Stephen Hines <srhines@google.com> Merge commit '1342a4ef62dd7b839c6f09348b246a4f00282f29' into merge_20130612
1342a4ef62dd7b839c6f09348b246a4f00282f29 12-Jun-2013 Benjamin Kramer <benny.kra@googlemail.com> Port HTMLDiagnostics to PathV2. No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183849 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
34392373fe25e943586de0fdbe37b806c3f7ff70 11-Jun-2013 Rafael Espindola <rafael.espindola@gmail.com> Include PathV1.h in files that use it.

This is preparation for replacing Path.h with PathV2.h.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183781 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
a3f5a5afefca7653349a88472d5ce01ba7226e27 08-Jun-2013 Anna Zaks <ganna@apple.com> [analyzer; alternate edges] Fix the edge locations in presence of macros.

We drew the diagnostic edges to wrong statements in cases the note was on a macro.
The fix is simple, but seems to work just fine for a whole bunch of test cases (plist-macros.cpp).

Also, removes an unnecessary edge in edges-new.mm, when function signature starts with a macro.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183599 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
57c8736e7dce5e63b4e1665d2c4fcf6e6ef959d0 07-Jun-2013 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan’s code review for r183451

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183455 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
6838710779a23ea5dfdb5764ad7b7a7451b00bf8 07-Jun-2013 Anna Zaks <ganna@apple.com> [analyzer] Ensure that pieces with invalid locations always get removed from the BugReport

The function in which we were doing it used to be conditionalized. Add a new unconditional
cleanup step.

This fixes PR16227 (radar://14073870) - a crash when generating html output for one of the test files.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183451 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
5955c37230046e8c297f5afb9f91b7c8c1e18446 07-Jun-2013 Anna Zaks <ganna@apple.com> [analyzer] fixup the comment

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183450 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
49a246f4fad959888bb0164c624c3c2b03078e91 06-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Simplify edges in a C++11 for-range loop.

Previously our edges were completely broken here; now, the final result
is a very simple set of edges in most cases: one up to the "for" keyword
for context, and one into the body of the loop. This matches the behavior
for ObjC for-in loops.

In the AST, however, CXXForRangeStmts are handled very differently from
ObjCForCollectionStmts. Since they are specified in terms of equivalent
statements in the C++ standard, we actually have implicit AST nodes for
all of the semantic statements. This makes evaluation very easy, but
diagnostic locations a bit trickier. Fortunately, the problem can be
generally defined away by marking all of the implicit statements as
part of the top-level for-range statement.

One of the implicit statements in a for-range statement is the declaration
of implicit iterators __begin and __end. The CFG synthesizes two
separate DeclStmts to match each of these decls, but until now these
synthetic DeclStmts weren't in the function's ParentMap. Now, the CFG
keeps track of its synthetic statements, and the AnalysisDeclContext will
make sure to add them to the ParentMap.

<rdar://problem/14038483>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183449 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
632182d0e2011a6e21cf9abe34eef5a1f037e7ef 06-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Improve debug output for PathDiagnosticPieces.

You can now dump a single PathDiagnosticPiece or PathDiagnosticLocation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183367 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
73b417f363a67439b30b3167ef8d9fb32e37191b 06-Jun-2013 Anna Zaks <ganna@apple.com> [analyzer] Fix a crash that occurs when processing an rvalue array.

When processing ArrayToPointerDecay, we expect the array to be a location, not a LazyCompoundVal.
Special case the rvalue arrays by using a location to represent them. This case is handled similarly
elsewhere in the code.

Fixes PR16206.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183359 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
1089a57a88051f84aca66f3d8c92bda32a3a5c49 06-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Don't crash if the top-level entry edge is missing.

We previously asserted that there was a top-level function entry edge, but
if the function decl's location is invalid (or within a macro) this edge
might not exist. Change the assertion to an actual check, and don't drop
the first path piece if it doesn't match.

<rdar://problem/14070304>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183358 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
574c7cf6d0c8e8f8ecda360ae271d5391c404534 06-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Ignore self-edges, not all edges with the same location.

The edge optimizer needs to see edges for, say, implicit casts (which have
the same source location as their operand) to uniformly simplify the
entire path. However, we still don't want to produce edges from a statement
to /itself/, which could occur when two nodes in a row have the same
statement location.

This necessitated moving the check for redundant notes to after edge
optimization, since the check relies on notes being adjacent in the path.

<rdar://problem/14061675>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183357 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
048eeea6852043990c87e52938b53b5337bd098e 04-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Enable the new edge algorithm by default.

...but don't yet migrate over the existing plist tests. Some of these
would be trivial to migrate; others could use a bit of inspection first.
In any case, though, the new edge algorithm seems to have proven itself,
and we'd like more coverage (and more usage) of it going forwards.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183165 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
e624524705ab660eb8d1feb9870ef2989fb2bdf4 04-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Omit subexpression back-edges that span multiple lines.

A.1 -> A -> B
becomes
A.1 -> B

This only applies if there's an edge from a subexpression to its parent
expression, and that is immediately followed by another edge from the
parent expression to a subsequent expression. Normally this is useful for
bringing the edges back to the left side of the code, but when the
subexpression is on a different line the backedge ends up looking strange,
and may even obscure code. In these cases, it's better to just continue
to the next top-level statement.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183164 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
22b0ad2d2a9c723bcdc94525a091fdbfbaa480fa 04-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Don't eliminate subexpr edge cycles if the line is long.

Specifically, if the line is over 80 characters, or if the top-level
statement spans mulitple lines, we should preserve sub-expression edges
even if they form a simple cycle as described in the last commit, because
it's harder to infer what's going on than it is for shorter lines.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183163 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
3b5977e690b3d4476938a548bbd6f66c4a4a6dcd 04-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Eliminate "cycle edges" for a single subexpression.

Generating context arrows can result in quite a few arrows surrounding a
relatively simple expression, often containing only a single path note.

|
1 +--2---+
v/ v
auto m = new m // 3 (the path note)
|\ |
5 +--4---+
v

Note also that 5 and 1 are two ends of the "same" arrow, i.e. they go from
event to event. 3 is not an arrow but the path note itself.

Now, if we see a pair of edges like 2 and 4---where 4 is the reverse of 2
and there is optionally a single path note between them---we will
eliminate /both/ edges. Anything more complicated will be left as is
(more edges involved, an inlined call, etc).

The next commit will refine this to preserve the arrows in a larger
expression, so that we don't lose all context.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183162 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
9d9b494aa36ceeb823c48acf04d2d7677174be88 04-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Improve enclosing contexts for logical expressions.

The old edge builder didn't have a notion of nested statement contexts,
so there was no special treatment of a logical operator inside an if
(or inside another logical operator). The new edge builder always tries
to establish the full context up to the top-level statement, so it's
important to know how much context has been established already rather
than just checking the innermost context.

This restores some of the old behavior for the old edge generation:
the context of a logical operator's non-controlling expression is the
subexpression in the old edge algorithm, but the entire operator
expression in the new algorithm.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183160 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
96f1061fbe59faff5b266a3a04061cefcfe03e2f 04-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Include context for edges to sub-expressions.

The current edge-generation algorithm sometimes creates edges from a
top-level statement A to a sub-expression B.1 that's not at the start of B.
This creates a "swoosh" effect where the arrow is drawn on top of the
text at the start of B. In these cases, the results are clearer if we see
an edge from A to B, then another one from B to B.1.

Admittedly, this does create a /lot/ of arrows, some of which merely hop
into a subexpression and then out again for a single note. The next commit
will eliminate these if the subexpression is simple enough.

This updates and reuses some of the infrastructure from the old edge-
generation algorithm to find the "enclosing statement" context for a
given expression. One change in particular marks the context of the
LHS or RHS of a logical binary operator (&&, ||) as the entire operator
expression, rather than the subexpression itself. This matches our behavior
for ?:, and allows us to handle nested context information.

<rdar://problem/13902816>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183159 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
01f1ff79f70b3e042995a43b29ccbf0fffc77d5f 04-Jun-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Include a top-level function entry edge while optimizing.

Although we don't want to show a function entry edge for a top-level path,
having it makes optimizing edges a little more uniform.

This does not affect any edges now, but will affect context edge generation
(next commit).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183158 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
f94cb007d03031bcf3d1b02f6a683a189e934953 31-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; new edges] add simplifySimpleBranches() to reduce edges for branches.

In many cases, the edge from the "if" to the condition, followed by an edge from the branch condition to the target code, is uninteresting.

In such cases, we should fold the two edges into one from the "if" to the target.

This also applies to loops.

Implements <rdar://problem/14034763>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183018 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
042ca3de1e8d723cb73ee4d9984509e4489a6bb7 31-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; new edges] in splitBranchConditionEdges() do not check that predecessor edge has source in the same lexical scope as the target branch.

Fixes <rdar://problem/14031292>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182987 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
34d1a0a1522c7bcc7bf431f5b9a92cde3f2315fd 31-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate arrows] Rename 'adjustBranchEdges' to 'splitBranchConditionEdges'.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182986 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
904fd08edbedeb18b16875dd54b3f1edb049e9b9 30-May-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer; alternate edges] don't add an edge incoming from the start of a function"

...and make this work correctly in the current codebase.

After living on this for a while, it turns out to look very strange for
inlined functions that have only a single statement, and somewhat strange
for inlined functions in general (since they are still conceptually in the
middle of the path, and there is a function-entry path note).

It's worth noting that this only affects inlined functions; in the new
arrow generation algorithm, the top-level function still starts at the
first real statement in the function body, not the enclosing CompoundStmt.

This reverts r182078 / dbfa950abe0e55b173286a306ee620eff5f72ea.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182963 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b347c76054a0a4b8e6d1fce44314f6daf3294c69 30-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash if a block's signature just has the return type.

It is okay to declare a block without an argument list: ^ {} or ^void {}.
In these cases, the BlockDecl's signature-as-written will just contain
the return type, rather than the entire function type. It is unclear if
this is intentional, but the analyzer shouldn't crash because of it.

<rdar://problem/14018351>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182948 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
3e8a85fcfc3d264e4c5b21fbdd741bbc0c24a266 30-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] In for(;;), use the ForStmt itself for loop notes.

Most loop notes (like "entering loop body") are attached to the condition
expression guarding a loop or its equivalent. For loops may not have a
condition expression, though. Rather than crashing, just use the entire
ForStmt as the location. This is probably the best we can do.

<rdar://problem/14016063>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182904 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
1acb394679b6e644044a0f6c358229759009b1a6 29-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Accept references to variables declared "extern void" (C only).

In C, 'void' is treated like any other incomplete type, and though it is
never completed, you can cast the address of a void-typed variable to do
something useful. (In C++ it's illegal to declare a variable with void type.)

Previously we asserted on this code; now we just treat it like any other
incomplete type.

And speaking of incomplete types, we don't know their extent. Actually
check that in TypedValueRegion::getExtent, though that's not being used
by any checkers that are on by default.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182880 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
emRegion.cpp
7f1fd2f182717d5ce6cde60398128910c90f98be 29-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Use the expression’s type instead of region’s type in ArrayToPointer decay evaluation

This gives slightly better precision, specifically, in cases where a non-typed region represents the array
or when the type is a non-array type, which can happen when an array is a result of a reinterpret_cast.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182810 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ValBuilder.cpp
3056439bb175db8c46b89fb4385de8b3a8e42d0d 29-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Re-enable reasoning about CK_LValueBitCast

It’s important for us to reason about the cast as it is used in std::addressof. The reason we did not
handle the cast previously was a crash on a test case (see commit r157478). The crash was in
processing array to pointer decay when the region type was not an array. Address the issue, by
just returning an unknown in that case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182808 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
egionStore.cpp
4e9179a3d0ec612a4d540281020b200254348a6b 28-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Use a more generic MemRegion.getAsOffset to evaluate bin operators on MemRegions

In addition to enabling more code reuse, this suppresses some false positives by allowing us to
compare an element region to its base. See the ptr-arith.cpp test cases for an example.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182780 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
d474da062565596015558856333423199aed5eb1 24-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat analyzer-synthesized function bodies like implicit bodies.

When generating path notes, implicit function bodies are shown at the call
site, so that, say, copying a POD type in C++ doesn't jump you to a header
file. This is especially important when the synthesized function itself
calls another function (or block), in which case we should try to jump the
user around as little as possible.

By checking whether a called function has a body in the AST, we can tell
if the analyzer synthesized the body, and if we should therefore collapse
the call down to the call site like a true implicitly-defined function.

<rdar://problem/13978414>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182677 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
5a6fb20841220488f8be7254fbea8ba7233ebcd3 24-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer; new edges] Properly set location after exiting an inlined call.

The new edge algorithm would keep track of the previous location in each
location context, so that it could draw arrows coming in and out of each
inlined call. However, it tried to access the location of the call before
it was actually set (at the CallEnter node). This only affected
unterminated calls at the end of a path; calls with visible exit nodes
already had a valid location.

This patch ditches the location context map, since we're processing the
nodes in order anyway, and just unconditionally updates the PrevLoc
variable after popping out of an inlined call.

<rdar://problem/13983470>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182676 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b1a4d37c0549501fe12907bc6ffa81bc5d04b98a 23-May-2013 Benjamin Kramer <benny.kra@googlemail.com> Make helper functions static.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182589 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
0fa3504acfc7c20a87973c58ad3474adc94dd97d 23-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate edges] fix type that was causing the wrong path piece to get removed.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182562 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
34bd3331b5ed34cc9027ee00e1aaabfecff8f742 22-May-2013 Pete Cooper <peter_cooper@apple.com> Insert explicit casts to try appease overload resolution in the buildbots

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182514 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
13feb9201e3a44d5e6159c67914c76d583a12769 22-May-2013 Ted Kremenek <kremenek@apple.com> Use scope-resolution operator to hopefully unbreak Windows builds.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182509 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
a705980a7c3315b7c72d99ce675342ad91b50642 22-May-2013 Ted Kremenek <kremenek@apple.com> Simplifiy code using return value of erase().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182506 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
1d85a9e8fb4e6ac513467b5fa825bd53e6fcba56 22-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] remove redundant adjacent "events" with the same text.

Fixes <rdar://problem/13949982>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182505 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
de7bc0d997cc69bd5c337ab82665c2f7ed989138 22-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate edges] remove puny edges on the same line that span less than 3 columns.

These are legitimate control-flow edges, but visually they add
no value.

Implements <rdar://problem/13941325>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182502 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ddf6e840ca0678c305d5d1c493a66d4cda554e5e 22-May-2013 Ted Kremenek <kremenek@apple.com> Remove unnecessary assignment.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182501 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
eb41640fb417e25eb3218c2662a0dd512cdab04a 22-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash if a block doesn't have a type signature.

Currently, blocks instantiated in templates lose their "signature as
written"; it's not clear if this is intentional. Change the analyzer's
use of BlockDecl::getSignatureAsWritten to check whether or not the
signature is actually there.

<rdar://problem/13954714>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182497 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
emRegion.cpp
61dfd6f160f7501e140704990db9c449d29f8649 22-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Do not assert on reports ending in calls within macros.

The crash is triggered by the newly added option (-analyzer-config report-in-main-source-file=true) introduced in r182058.

Note, ideally, we’d like to report the issue within the main source file here as well.
For now, just do not crash.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182445 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
52f926cc32e4f4969f767e98d98f0137358d5f12 21-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate edges] prune out extra edges to a subexpression where we dive-in and out of a subexpression.

Fixes <rdar://problem/13941891>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182426 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
a327bb12b1cd0c142eb06e30b4f6018b96d5babf 21-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternated edges] look through expressions just like Environment does.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182425 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
e86ee1a213d244bb66b7eef3e9ab2266908cf4af 21-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] optimize edges for ObjC fast enumeration loops.

Fixes <rdar://problem/13942300>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182342 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
6d0da608c144eb57b7dd22f71b363191a4a1b2c0 18-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] New edges: include an edge to the end-of-path location.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182188 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
d1913d89e2ff3b38bb6293833cfd9d8ead76348e 18-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Add a debug dump for PathPieces, a list of PathDiagnosticPieces.

Originally implemented by Ted, extended by me.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182186 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
bb518991ce4298d8662235fc8cb13813f011c18d 18-May-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer; alternate edges] improve support for edges with PseudoObjectExprs."

Ted and I spent a long time discussing this today and found out that neither
the existing code nor the new code was doing what either of us thought it
was, which is never good. The good news is we found a much simpler way to
fix the motivating test case (an ObjCSubscriptExpr).

This reverts r182083, but pieces of it will come back in subsequent commits.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182185 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
5a8e1ad062420ef74707bf093889403d07664b17 17-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan's review comments for r182058

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182156 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
listDiagnostics.cpp
e9aae62e8bca3abfc1dc36f67845444291171e13 17-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] improve support for edges with PseudoObjectExprs.

This optimizes some spurious edges resulting from PseudoObjectExprs.
This required far more changes than I anticipated. The current
ParentMap does not record any hierarchy information between
a PseudoObjectExpr and its *semantic* expressions that may be
wrapped in OpaqueValueExprs, which are the expressions actually
laid out in the CFG. This means the arrow pruning logic could
not map from an expression to its containing PseudoObjectExprs.

To solve this, this patch adds a variant of ParentMap that
returns the "semantic" parentage of expressions (essentially
as they are viewed by the CFG). This alternate ParentMap is then
used by the arrow reducing logic to identify edges into pseudo
object expressions, and then eliminate them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182083 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
a40983460cc3f8f583cd968ac2e4647dc30c83f5 17-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] treat 'if' statements the same way we do as 'for' or 'while'.

This means adding an extra edge from the 'if' to the condition,
which aesthetically looks more pleasing.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182079 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
dbfa950abe0e55b173286a306ee620eff5f72ea8 17-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] don't add an edge incoming from the start of a function
for a nested call. This matches what we do with the first stack frame.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182078 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
50fa64d4411a42e0b4f373a84d8d4f5cbf339ea3 17-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't inline ~shared_ptr.

The analyzer can't see the reference count for shared_ptr, so it doesn't
know whether a given destruction is going to delete the referenced object.
This leads to spurious leak and use-after-free warnings.

For now, just ban destructors named '~shared_ptr', which catches
std::shared_ptr, std::tr1::shared_ptr, and boost::shared_ptr.

PR15987

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182071 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
d95b70175646829c26344d5f0bda1ec3009f2a5b 17-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Add an option to use the last location in the main source file as the report location.

Previously, we’ve used the last location of the analyzer issue path as the location of the
report. This might not provide the best user experience, when one analyzer a source
file and the issue appears in the header. Introduce an option to use the last location
of the path that is in the main source file as the report location.

New option can be enabled with -analyzer-config report-in-main-source-file=true.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182058 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
17828ca5857d5d9cadfffd339f888de58182c8f1 14-May-2013 David Blaikie <dblaikie@gmail.com> Provide operator<< for stream output of DeclarationNames

ASTDumper was already trying to do this & instead got an implicit bool
conversion by surprise (thus printing out 0 or 1 instead of the name of
the declaration). To avoid that issue & simplify call sites, simply make
it the normal/expected operator<<(raw_ostream&, ...) overload & simplify
all the existing call sites. (bonus: this function doesn't need to be a
member or friend, it's just using public API in DeclarationName)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181832 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
181e3ecc0907ae0103586a9f4db52241995a8267 13-May-2013 Rafael Espindola <rafael.espindola@gmail.com> Cleanup handling of UniqueExternalLinkage.

This patch renames getLinkage to getLinkageInternal. Only code that
needs to handle UniqueExternalLinkage specially should call this.

Linkage, as defined in the c++ standard, is provided by
getFormalLinkage. It maps UniqueExternalLinkage to ExternalLinkage.

Most places in the compiler actually want isExternallyVisible, which
handles UniqueExternalLinkage as internal.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181677 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
265448963a856bebdd0ae5abf67210054f44c64b 10-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Do not check if sys/queue.h file is a system header.

In most cases it is, by just looking at the name. Also, this check prevents the heuristic from working in strange user settings.
radar://13839692

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181615 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
afde200cdae9731aa5826c6178eae9e7fef74475 09-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] for "loop back" edges add back the extra edge to the closing '}'

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181505 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8841c532f217d938f47f4feaa3707b929cd71181 09-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate arrows] adapt 'for' loop aesthetic cleanup to 'while' loops.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181504 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
aecda966174516c0ac7c05ceb40e88fc99bcf27c 08-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] insert an extra edge for 'for' statements to conditions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181385 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8484b37a2b7720c016d27a672343b1c67bd2e731 08-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate edges] edges from subexpressions of "?:" are important to retain

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181384 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
be0b207c4916f823497d31cbf5083efb4e374163 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate arrows] Fix inconsistencies in recorded location context when handling interprocedural paths.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181362 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
f4bbb1d8c2aa8b6630110827361ee0655e731548 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] add back recording whether we visited the first edge.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181361 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b17c2f79093317a0bf3017350347170dd1061f49 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] remove pruning of loop diagnostics.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181360 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
03194fb1bbf2b2d17ff7e3d61ddb9d73e9297fdc 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] include logical '||' and '&&' as anchors for edges.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181359 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
bc0fd8129626ff4e485388311b081e76d0f96795 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] include an edge from the "break" or "continue"

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181358 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
98fb1cca0eccb9cd8b40756907f0c27c9be791be 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] the extra edge to the closing '}' in a loop adds no value.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181357 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
96b8134337883908fcc45484486fe200d6b3e32f 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] the initializer of a ForStmt isn't interesting either.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181356 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
636478e288b88396d860f6b01b48b47953e3d5e9 07-May-2013 Anna Zaks <ganna@apple.com> [analyzer] Fix a crash triggered by printing a note on a default argument

Instead, use the location of the call to print the note.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181337 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
e2f7337958f21802e98777f441fe20ef7ba2adff 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] The ForStmt increment is not a critical anchor for arrows.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181333 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
a399f776ee29e099da33eaf7f9d585b4edc4b61d 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] simplify optimization rules to look at control-flow conditions to prune edges.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181292 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
d0f5faf319550b0504b2f8f822d06a6b0279285b 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] use the terminator condition as the location for 'entering loop body'

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181291 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b097a57f58672a825c99fdfb668b04e921e363b9 07-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] provide a diagnostic for entering a loop for the first time.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181282 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
481da5554d03271b0d87b695449963f7728c5895 06-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate arrows] don't increment the path iterator when we just deleted the next iterator.

This is an optimization. It is possible that by deleting the next
edge we will pattern match again at the current spot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181256 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
00ffb8079b14cade816d8f668675e853e613dee0 06-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove now-unused bindCompoundLiteral helper function.

The one user has been changed to use getLValue on the compound literal
expression and then use the normal bindLoc to assign a value. No need
to special case this in the StoreManager.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181214 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
egionStore.cpp
6376703eb3325fe41233aed234fde81164af42a1 06-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle CXXTemporaryObjectExprs in compound literals.

This occurs because in C++11 the compound literal syntax can trigger a
constructor call via list-initialization. That is, "Point{x, y}" and
"(Point){x, y}" end up being equivalent. If this occurs, the inner
CXXConstructExpr will have already handled the object construction; the
CompoundLiteralExpr just needs to propagate that value forwards.

<rdar://problem/13804098>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181213 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
15676bec6fa9ad9466d93c163f2d1b8a3f559b3a 04-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate edges] start experimenting with control flow "barriers" to prevent an edge being optimized away.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181088 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
e644ed5308ab22e4bcb5f821fe7ea9dae324a0a8 04-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate edges] ignore parentheses when determining edge levels.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181087 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
f468fa16e37fc8fa6a915fe36aee8f0434709789 04-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] - eliminate unnecessary edges where between parents and subexpressions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181086 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b9e13d555fc9f3e5515e2b1fa6f720e6f10bb076 04-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] - merge control edges where we descend to a subexpression and pop back out.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181085 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
bb521b8f14ca29ee4e17ae1f9877586ef0bf8378 04-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer; alternate edges] prune edges whose end/begin locations have the same statement parents.

This change required some minor changes to LocationContextMap to have it map
from PathPieces to LocationContexts instead of PathDiagnosticCallPieces to
LocationContexts. These changes are in the other diagnostic
generation logic as well, but are functionally equivalent.

Interestingly, this optimize requires delaying "cleanUpLocation()" until
later; possibly after all edges have been optimized. This is because
we need PathDiagnosticLocations to refer to the semantic entity (e.g. a statement)
as long as possible. Raw source locations tell us nothing about
the semantic relationship between two locations in a path.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181084 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
cd389d8cc9abeffb1416b70dd58148e66e5d822b 04-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer;alternate edges] - add in events (loop iterations, etc)

These were being dropped due a transcription mistake from the original
algorithm.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181083 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
83eba02c2ea333015335e2f74c4d11c5315b655d 03-May-2013 Stephen Hines <srhines@google.com> Merge remote-tracking branch 'upstream/master' into merge-20130502
af2836593979d4973bec5bd21f10eb6cc0d0f3e3 03-May-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Start hacking up alternate control-flow edge generation. WIP. Not guaranteed to do anything useful yet.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181040 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
2faee99ab67105e834d11df7db80a78a3e3ed37b 03-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Check the stack frame when looking for a var's initialization.

FindLastStoreBRVisitor is responsible for finding where a particular region
gets its value; if the region is a VarRegion, it's possible that value was
assigned at initialization, i.e. at its DeclStmt. However, if a function is
called recursively, the same DeclStmt may be evaluated multiple times in
multiple stack frames. FindLastStoreBRVisitor was not taking this into
account and just picking the first one it saw.

<rdar://problem/13787723>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180997 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
dcd6224911e234ab3657b7d0b79a2add1ae4fdd8 03-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Fix trackNullOrUndef when tracking args that have nil receivers.

There were actually two bugs here:
- if we decided to look for an interesting lvalue or call expression, we
wouldn't go find its node if we also knew we were at a (different) call.
- if we looked through one message send with a nil receiver, we thought we
were still looking at an argument to the original call.

Put together, this kept us from being able to track the right values, which
means sub-par diagnostics and worse false-positive suppression.

Noticed by inspection.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180996 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
e19229be18725bd856410b478c0e63d81ab8e4f5 03-May-2013 Ted Kremenek <kremenek@apple.com> Make cleanUpLocation() a self-contained function.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180986 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
d306a530fca74e40916121f5583e0545e470b3c4 03-May-2013 Ted Kremenek <kremenek@apple.com> Re-apply 180974 with the build error fixed. This was the result
of a weird merge error with git.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180981 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ae8c50552df2498130dd33a940d98e0dc4ec26b9 03-May-2013 Rafael Espindola <rafael.espindola@gmail.com> Revert "Change LocationContextMap to be a temporary instead of shared variable in BugReporter."

This reverts commit 180974. It broke the build.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180979 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
c70fac3c52092013b08163187f034b73c94bf3d0 03-May-2013 Ted Kremenek <kremenek@apple.com> Change LocationContextMap to be a temporary instead of shared variable in BugReporter.

BugReporter is used to process ALL bug reports. By using a shared map,
we are having mappings from different PathDiagnosticPieces to LocationContexts
well beyond the point where we are processing a given report. This
state is inherently error prone, and is analogous to using a global
variable. Instead, just create a temporary map, one per report,
and when we are done with it we throw it away. No extra state.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180974 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
4b75085f5669efc6407c662b5686361624c3ff2f 02-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't try to evaluate MaterializeTemporaryExpr as a constant.

...and don't consider '0' to be a null pointer constant if it's the
initializer for a float!

Apparently null pointer constant evaluation looks through both
MaterializeTemporaryExpr and ImplicitCastExpr, so we have to be more
careful about types in the callers. For RegionStore this just means giving
up a little more; for ExprEngine this means handling the
MaterializeTemporaryExpr case explicitly.

Follow-up to r180894.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180944 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
ValBuilder.cpp
e2b1246a24e8babf2f58c93713fba16b8edb8e2d 02-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Consolidate constant evaluation logic in SValBuilder.

Previously, this was scattered across Environment (literal expressions),
ExprEngine (default arguments), and RegionStore (global constants). The
former special-cased several kinds of simple constant expressions, while
the latter two deferred to the AST's constant evaluator.

Now, these are all unified as SValBuilder::getConstantVal(). To keep
Environment fast, the special cases for simple constant expressions have
been left in, but the main benefits are that (a) unusual constants like
ObjCStringLiterals now work as default arguments and global constant
initializers, and (b) we're not duplicating code between ExprEngine and
RegionStore.

This actually caught a bug in our test suite, which is awesome: we stop
tracking allocated memory if it's passed as an argument along with some
kind of callback, but not if the callback is 0. We were testing this in
a case where the callback parameter had a default value, but that value
was 0. After this change, the analyzer now (correctly) flags that as a
leak!

<rdar://problem/13773117>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180894 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
egionStore.cpp
ValBuilder.cpp
776d3bb65c90278b9c65544b235d2ac40aea1d6e 02-May-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't inline the [cd]tors of C++ iterators.

This goes with r178516, which instructed the analyzer not to inline the
constructors and destructors of C++ container classes. This goes a step
further and does the same thing for iterators, so that the analyzer won't
falsely decide we're trying to construct an iterator pointing to a
nonexistent element.

The heuristic for determining whether something is an iterator is the
presence of an 'iterator_category' member. This is controlled under the
same -analyzer-config option as container constructor/destructor inlining:
'c++-container-inlining'.

<rdar://problem/13770187>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180890 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
112344ab7f96cf482bce80530676712c282756d5 01-May-2013 Jordan Rose <jordan_rose@apple.com> Re-apply "[analyzer] Model casts to bool differently from other numbers."

This doesn't appear to be the cause of the slowdown. I'll have to try a
manual bisect to see if there's really anything there, or if it's just
the bot itself taking on additional load. Meanwhile, this change helps
with correctness.

This changes an assertion and adds a test case, then re-applies r180638,
which was reverted in r180714.

<rdar://problem/13296133> and PR15863

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180864 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleSValBuilder.cpp
ed866e73bab7733f5226f84c52edefe23d694b2f 30-Apr-2013 Ted Kremenek <kremenek@apple.com> Revert "[analyzer] Change PathPieces to be a wrapper around an ilist of (through indirection) PathDiagnosticPieces."

Jordan rightly pointed out that we can do the same with std::list.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180746 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
7651e53997e20f1e627ffce25ce613f79c48e3e3 30-Apr-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Change PathPieces to be a wrapper around an ilist of (through indirection) PathDiagnosticPieces.

Much of this patch outside of PathDiagnostics.h are just minor
syntactic changes due to the return type for operator* and the like
changing for the iterator, so the real focus should be on
PathPieces itself.

This change is motivated so that we can do efficient insertion
and removal of individual pieces from within a PathPiece, just like
this was a kind of "IR" for static analyzer diagnostics. We
currently implement path transformations by iterating over an
entire PathPiece and making a copy. This isn't very natural for
some algorithms.

We use an ilist here instead of std::list because we want operations
to rip out/insert nodes in place, just like IR manipulation. This
isn't being used yet, but opens the door for more powerful
transformation algorithms on diagnostic paths.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180741 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
b5142359abc50e151c18bde88fbabec98b65077c 30-Apr-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Remove comparePath's dependency on subscript operator.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180740 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
7e6b564d59df6c0594bc3a577f33536850290dec 29-Apr-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Model casts to bool differently from other numbers."

This seems to be causing quite a slowdown on our internal analyzer bot,
and I'm not sure why. Needs further investigation.

This reverts r180638 / 9e161ea981f22ae017b6af09d660bfc3ddf16a09.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180714 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
5e6c06bc7deaaefe130b730032a9acb9cd38bf0c 26-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Model casts to bool differently from other numbers.

Casts to bool (and _Bool) are equivalent to checks against zero,
not truncations to 1 bit or 8 bits.

This improved reasoning does cause a change in the behavior of the alpha
BoolAssignment checker. Previously, this checker complained about statements
like "bool x = y" if 'y' was known not to be 0 or 1. Now it does not, since
that conversion is well-defined. It's hard to say what the "best" behavior
here is: this conversion is safe, but might be better written as an explicit
comparison against zero.

More usefully, besides improving our model of booleans, this fixes spurious
warnings when returning the address of a local variable cast to bool.

<rdar://problem/13296133>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180638 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
e0262e25206bef1d7efb0cb2f37abd1e42ada4cb 24-Apr-2013 Anton Yartsev <anton.yartsev@gmail.com> [analyzer] Refactoring + explanatory comment.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180181 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
0f8579274a010f360a371b53101859d9d6052314 24-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Refactor BugReport::getLocation and PathDiagnosticLocation::createEndOfPath for greater code reuse

The 2 functions were computing the same location using different logic (each one had edge case bugs that the other
one did not). Refactor them to rely on the same logic.

The location of the warning reported in text/command line output format will now match that of the plist file.

There is one change in the plist output as well. When reporting an error on a BinaryOperator, we use the location of the
operator instead of the beginning of the BinaryOperator expression. This matches our output on command line and
looks better in most cases.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180165 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
f2edbec1d9817df109304f9c19ae2b34fec1feea 22-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat reinterpret_cast like a base cast in certain cases.

The analyzer represents all pointer-to-pointer bitcasts the same way, but
this can be problematic if an implicit base cast gets layered on top of a
manual base cast (performed with reinterpret_cast instead of static_cast).
Fix this (and avoid a valid assertion) by looking through cast regions.

Using reinterpret_cast this way is only valid if the base class is at the
same offset as the derived class; this is checked by -Wreinterpret-base-class.
In the interest of performance, the analyzer doesn't repeat this check
anywhere; it will just silently do the wrong thing (use the wrong offsets
for fields of the base class) if the user code is wrong.

PR15394

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180052 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
c3bf52ced9652f555aa0767bb822ec4c64546212 21-Apr-2013 Richard Smith <richard-llvm@metafoo.co.uk> C++1y: Allow aggregates to have default initializers.

Add a CXXDefaultInitExpr, analogous to CXXDefaultArgExpr, and use it both in
CXXCtorInitializers and in InitListExprs to represent a default initializer.

There's an additional complication here: because the default initializer can
refer to the initialized object via its 'this' pointer, we need to make sure
that 'this' points to the right thing within the evaluation.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179958 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
8ef064d53fb33b5a8f8743bcbb0a2fd5c3e97be1 20-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Ensure BugReporterTracking works on regions with pointer arithmetic

Introduce a new helper function, which computes the first symbolic region in
the base region chain. The corresponding symbol has been used for assuming that
a pointer is null. Now, it will also be used for checking if it is null.

This ensures that we are tracking a null pointer correctly in the BugReporter.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179916 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
rogramState.cpp
Vals.cpp
impleConstraintManager.cpp
716859df842e5a56e816d820d8326ead152dd9e4 20-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Flip printPretty and printPrettyAsExpr as per suggestion from Jordan (r179572)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179915 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
044fe23e79fff3841cc4c315f8c97e1cdccdd8dd 19-Apr-2013 Anton Yartsev <anton.yartsev@gmail.com> [analyzer] Call proper callback for const regions escaped other then on call.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179846 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
62fba4f08af16ff17b5cbe8816061349504317e4 18-Apr-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Refine 'nil receiver' diagnostics to mention the name of the method not called.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179776 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
258277d5a922e06ef523f7805900689b680ddc7d 18-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] "Force" LazyCompoundVals on bind when they are simple enough.

The analyzer uses LazyCompoundVals to represent rvalues of aggregate types,
most importantly structs and arrays. This allows us to efficiently copy
around an entire struct, rather than doing a memberwise load every time a
struct rvalue is encountered. This can also keep memory usage down by
allowing several structs to "share" the same snapshotted bindings.

However, /lookup/ through LazyCompoundVals can be expensive, especially
since they can end up chaining back to the original value. While we try
to reuse LazyCompoundVals whenever it's safe, and cache information about
this transitivity, the fact is it's sometimes just not a good idea to
perpetuate LazyCompoundVals -- the tradeoffs just aren't worth it.

This commit changes RegionStore so that binding a LazyCompoundVal to struct
will do a memberwise copy if the struct is simple enough. Today's definition
of "simple enough" is "up to N scalar members" (see below), but that could
easily be changed in the future. This is enough to bring the test case in
PR15697 back down to a manageable analysis time (within 20% of its original
time, in an unfair test where the new analyzer is not compiled with LTO).

The actual value of "N" is controlled by a new -analyzer-config option,
'region-store-small-struct-limit'. It defaults to "2", meaning structs with
zero, one, or two scalar members will be considered "simple enough" for
this code path.

It's worth noting that a more straightforward implementation would do this
on load, not on bind, and make use of the structure we already have for this:
CompoundVal. A long time ago, this was actually how RegionStore modeled
aggregate-to-aggregate copies, but today it's only used for compound literals.
Unfortunately, it seems that we've special-cased LazyCompoundVal in certain
places (such as liveness checks) but failed to similarly special-case
CompoundVal in all of them. Until we're confident that CompoundVal is
handled properly everywhere, this solution is safer, since the entire
optimization is just an implementation detail of RegionStore.

<rdar://problem/13599304>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179767 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
476f41c4750421a7ead5014e75a0e790ff682754 18-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash if we cache out after making a temporary region.

A C++ overloaded operator may be implemented as an instance method, and
that instance method may be called on an rvalue object, which has no
associated region. The analyzer handles this by creating a temporary region
just for the evaluation of this call; however, it is possible that /by
creating the region/, the analyzer ends up in a previously-explored state.
In this case we don't need to continue along this path.

This doesn't actually show any behavioral change now, but it starts being
used with the next commit and prevents an assertion failure there.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179766 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
86f1745be24c834175e7a8a51b12f9a0063d532e 18-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Tweak getDerefExpr more to track DeclRefExprs to references.

In the committed example, we now see a note that tells us when the pointer
was assumed to be null.

This is the only case in which getDerefExpr returned null (failed to get
the dereferenced expr) throughout our regression tests. (There were multiple
occurrences of this one.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179736 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
1e1d011874340f33b807ac90609424f90f72488a 18-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Improve dereferenced expression tracking for MemberExpr with a dot and non-reference base

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179734 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
441625e6c7f8bf58e62a284ae1f855dafde31ec2 18-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Gain more precision retrieving the right SVal by specifying the type of the expression.

Thanks to Jordan for suggesting the fix.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179732 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
5b90ae7ba05a10a81f107ec1635deb1bd7292936 18-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Allow TrackConstraintBRVisitor to work when the value it’s tracking is not live in the last node of the path

We always register the visitor on a node in which the value we are tracking is live and constrained. However,
the visitation can restart at a node, later on the path, in which the value is under constrained because
it is no longer live. Previously, we just silently stopped tracking in that case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179731 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
898be7b4a7b0a527d9bd2569eebc41a198e6e528 17-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't warn for returning void expressions in void blocks.

This was slightly tricky because BlockDecls don't currently store an
inferred return type. However, we can rely on the fact that blocks with
inferred return types will have return statements that match the inferred
type.

<rdar://problem/13665798>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179699 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
051303ce09291dfbed537fa33b0d8a4d92c82b75 16-Apr-2013 Tareq A. Siraj <tareq.a.sriaj@intel.com> Implement CapturedStmt AST

CapturedStmt can be used to implement generic function outlining as described in
http://lists.cs.uiuc.edu/pipermail/cfe-dev/2013-January/027540.html.

CapturedStmt is not exposed to the C api.

Serialization and template support are pending.

Author: Wei Pan <wei.pan@intel.com>

Differential Revision: http://llvm-reviews.chandlerc.com/D370


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179615 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
76da55d3a49e1805f51b1ced7c5da5bcd7f759d8 16-Apr-2013 John McCall <rjmccall@apple.com> Basic support for Microsoft property declarations and
references thereto.

Patch by Tong Shen!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179585 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
d8eeac5bd5e3cca0b3ff3993ee479ec9e66f386e 16-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Do not crash when processing binary "?:" in C++

When computing the value of ?: expression, we rely on the last expression in
the previous basic block to be the resulting value of the expression. This is
not the case for binary "?:" operator (GNU extension) in C++. As the last
basic block has the expression for the condition subexpression, which is an
R-value, whereas the true subexpression is the L-value.

Note the operator evaluation just happens to work in C since the true
subexpression is an R-value (like the condition subexpression). CFG is the
same in C and C++ case, but the AST nodes are different, which the LValue to
Rvalue conversion happening after the BinaryConditionalOperator evaluation.

Changed the logic to only use the last expression from the predecessor only
if it matches either true or false subexpression. Note, the logic needed
fortification anyway: L and R were passed but not even used by the function.

Also, change the conjureSymbolVal to correctly compute the type, when the
expression is an LG-value.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179574 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
ValBuilder.cpp
07d8470effc0b0364801adddb6ff92bd22334402 16-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Add pretty printing to CXXBaseObjectRegion.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179573 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
79d0cceb8847bfe6dc9da8eb2ea2f3c6bb73b813 16-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Address code review for r179395

Mostly refactoring + handle the nested fields by printing the innermost field only.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179572 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
82dd4396fcd2517d06382b7170f393d1b6351c7f 16-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Add more specialized error messages for corner cases as per Jordan's code review for r179396

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179571 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
28117be48de465bc2862a8f4aaab09338be5090b 16-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't assert on a temporary of pointer-to-member type.

While we don't do anything intelligent with pointers-to-members today,
it's perfectly legal to need a temporary of pointer-to-member type to, say,
pass by const reference. Tweak an assertion to allow this.

PR15742 and PR15747

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179563 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
b93fc8ebed158ed5516fd85d11e89fffaf80622b 15-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Be lazy about struct/array global invalidation too.

Structs and arrays can take advantage of the single top-level global
symbol optimization (described in the previous commit) just as well
as scalars.

No intended behavioral change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179555 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
262e0d41e49c6b823d62743535e2accb117a6ea9 15-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Re-enable using global regions as a symbolic base.

Now that we're invalidating global regions properly, we want to continue
taking advantage of a particular optimization: if all global regions are
invalidated together, we can represent the bindings of each region with
a "derived region value" symbol. Essentially, this lazily links each
global region with a single symbol created at invalidation time, rather
than binding each region with a new symbolic value.

We used to do this, but haven't been for a while; the previous commit
re-enabled this code path, and this handles the fallout.

<rdar://problem/13464044>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179554 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
e0208ff84598f48e0aafecf5b543afeff8574045 15-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Properly invalidate global regions on opaque function calls.

This fixes a regression where a call to a function we can't reason about
would not actually invalidate global regions that had explicit bindings.

void test_that_now_works() {
globalInt = 42;
clang_analyzer_eval(globalInt == 42); // expected-warning{{TRUE}}

invalidateGlobals();
clang_analyzer_eval(globalInt == 42); // expected-warning{{UNKNOWN}}
}

This has probably been around since the initial "cluster" refactoring of
RegionStore, if not longer.

<rdar://problem/13464044>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179553 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
8713e1a5c3f6658d54061e176b5baa9fadf14675 12-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Print a diagnostic note even if the region cannot be printed.

There are few cases where we can track the region, but cannot print the note,
which makes the testing limited. (Though, I’ve tested this manually by making
all regions non-printable.) Even though the applicability is limited now, the enhancement
will be more relevant as we start tracking more regions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179396 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
9e2f5977a180ae927d05e844c65b8a7873be48a4 12-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer]Print field region even when the base region is not printable

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179395 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
7be2245487f9cd7d04f013db92280d9ccd323586 12-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Show "Returning from ..." note at caller's depth, not callee's.

Before:
1. Calling 'foo'
2. Doing something interesting
3. Returning from 'foo'
4. Some kind of error here

After:
1. Calling 'foo'
2. Doing something interesting
3. Returning from 'foo'
4. Some kind of error here

The location of the note is already in the caller, not the callee, so this
just brings the "depth" attribute in line with that.

This only affects plist diagnostic consumers (i.e. Xcode). It's necessary
for Xcode to associate the control flow arrows with the right stack frame.

<rdar://problem/13634363>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179351 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
3ea09a802f973c2726b2a489ae08a4bded93410b 12-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't emit extra context arrow after returning from an inlined call.

In this code

int getZero() {
return 0;
}

void test() {
int problem = 1 / getZero(); // expected-warning {{Division by zero}}
}

we generate these arrows:

+-----------------+
| v
int problem = 1 / getZero();
^ |
+---+

where the top one represents the control flow up to the first call, and the
bottom one represents the flow to the division.* It turns out, however, that
we were generating the top arrow twice, as if attempting to "set up context"
after we had already returned from the call. This resulted in poor
highlighting in Xcode.

* Arguably the best location for the division is the '/', but that's a
different problem.

<rdar://problem/13326040>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179350 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
a5796f87229b4aeebca71fa6ee1790ae7a5a0382 09-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Replace isIntegerType() with isIntegerOrEnumerationType().

Previously, the analyzer used isIntegerType() everywhere, which uses the C
definition of "integer". The C++ predicate with the same behavior is
isIntegerOrUnscopedEnumerationType().

However, the analyzer is /really/ using this to ask if it's some sort of
"integrally representable" type, i.e. it should include C++11 scoped
enumerations as well. hasIntegerRepresentation() sounds like the right
predicate, but that includes vectors, which the analyzer represents by its
elements.

This commit audits all uses of isIntegerType() and replaces them with the
general isIntegerOrEnumerationType(), except in some specific cases where
it makes sense to exclude scoped enumerations, or any enumerations. These
cases now use isIntegerOrUnscopedEnumerationType() and getAs<BuiltinType>()
plus BuiltinType::isInteger().

isIntegerType() is hereby banned in the analyzer - lib/StaticAnalysis and
include/clang/StaticAnalysis. :-)

Fixes real assertion failures. PR15703 / <rdar://problem/12350701>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179081 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngine.cpp
xprEngineC.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
ymbolManager.cpp
3e5ebf1a05603e08f2d0b2b2a5fa9406fe4cfb22 06-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] When creating a trimmed graph, preserve whether a node is a sink.

This is important because sometimes two nodes are identical, except the
second one is a sink.

This bug has probably been around for a while, but it wouldn't have been an
issue in the old report graph algorithm. I'm ashamed to say I actually looked
at this the first time around and thought it would never be a problem...and
then didn't include an assertion to back that up.

PR15684

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178944 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ea7b481aa8298f1e59c4cfb64e53b38f86dec92d 06-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Remove another redundancy from trackNullOrUndef

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178934 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
4b69feb6d90eb120d04f5d54f6b28cc295a46098 06-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Fix null tracking for the given test case, by using the proper state and removing redundant code.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178933 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
610f79cbab4d752349b5c81a94682a6a82b102e7 05-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Show path diagnostic for C++ initializers

Also had to modify the PostInitializer ProgramLocation to contain the field region.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178826 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngine.cpp
athDiagnostic.cpp
b11a9086ebaf8e081daa8a6cd94ea99c97c027d2 05-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Enable destructor inlining by default (c++-inlining=destructors).

This turns on not only destructor inlining, but inlining of constructors
for types with non-trivial destructors. Per r178516, we will still not
inline the constructor or destructor of anything that looks like a
container unless the analyzer-config option 'c++-container-inlining' is
set to 'true'.

In addition to the more precise path-sensitive model, this allows us to
catch simple smart pointer issues:

#include <memory>

void test() {
std::auto_ptr<int> releaser(new int[4]);
} // memory allocated with 'new[]' should not be deleted with 'delete'

<rdar://problem/12295363>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178805 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
702077f14100f2d7acdb12ad49b53e64efc37d72 03-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Allow tracknullOrUndef look through the ternary operator even when condition is unknown

Improvement of r178684 and r178685.

Jordan has pointed out that I should not rely on the value of the condition to know which expression branch
has been taken. It will not work in cases the branch condition is an unknown value (ex: we do not track the constraints for floats).
The better way of doing this would be to find out if the current node is the right or left successor of the node
that has the ternary operator as a terminator (which is how this is done in other places, like ConditionBRVisitor).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178701 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
08291a937a149dbd036fd6ac8ab061eb8034343d 03-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Correctly handle destructors for lifetime-extended temporaries.

The lifetime of a temporary can be extended when it is immediately bound
to a local reference:

const Value &MyVal = Value("temporary");

In this case, the temporary object's lifetime is extended for the entire
scope of the reference; at the end of the scope it is destroyed.

The analyzer was modeling this improperly in two ways:
- Since we don't model temporary constructors just yet, we create a fake
temporary region when it comes time to "materialize" a temporary into
a real object (lvalue). This wasn't taking base casts into account when
the bindings being materialized was Unknown; now it always respects base
casts except when the temporary region is itself a pointer.
- When actually destroying the region, the analyzer did not actually load
from the reference variable -- it was basically destroying the reference
instead of its referent. Now it does do the load.

This will be more useful whenever we finally start modeling temporaries,
or at least those that get bound to local reference variables.

<rdar://problem/13552274>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178697 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
cabc3fddae63f5eb3bd44bdecce7a3fbd69421a9 03-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] make peelOffOuterExpr in BugReporterVisitors recursively peel off select Exprs

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178685 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
c1bef5671e682de5a573c7c6b66871b36de0ec61 03-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Properly handle the ternary operator in trackNullOrUndefValue

1) Look for the node where the condition expression is live when checking if
it is constrained to true or false.

2) Fix a bug in ProgramState::isNull, which was masking the problem. When
the expression is not a symbol (,which is the case when it is Unknown) return
unconstrained value, instead of value constrained to “false”!
(Thankfully other callers of isNull have not been effected by the bug.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178684 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
rogramState.cpp
3d3fb9078f0112fa51d8d9862221f5544c5c80e7 03-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Fix typo.

Thanks Jordan!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178683 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ecee1651c100342366a9417c85c6e50399039930 03-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Better model for copying of array fields in implicit copy ctors.

- Find the correct region to represent the first array element when
constructing a CXXConstructorCall.
- If the array is trivial, model the copy with a primitive load/store.
- Don't warn about the "uninitialized" subscript in the AST -- we don't use
the helper variable that Sema provides.

<rdar://problem/13091608>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178602 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
77e278880380fe9dc95a1491fe9216967d2e6d63 03-Apr-2013 Aaron Ballman <aaron@aaronballman.com> Silencing warnings in MSVC due to duplicate identifiers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178591 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
658a28479dd775f6ff2c07fa5699a7ea01e04127 02-Apr-2013 Anna Zaks <ganna@apple.com> [analyzer] Teach invalidateRegions that regions within LazyCompoundVal need to be invalidated

Refactor invalidateRegions to take SVals instead of Regions as input and teach RegionStore
about processing LazyCompoundVal as a top-level “escaping” value.

This addresses several false positives that get triggered by the NewDelete checker, but the
underlying issue is reproducible with other checkers as well (for example, MallocChecker).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178518 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
egionStore.cpp
c63a460d78a7625ff38d2b3580f78030c44f07db 02-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] For now, don't inline [cd]tors of C++ containers.

This is a heuristic to make up for the fact that the analyzer doesn't
model C++ containers very well. One example is modeling that
'std::distance(I, E) == 0' implies 'I == E'. In the future, it would be
nice to model this explicitly, but for now it just results in a lot of
false positives.

The actual heuristic checks if the base type has a member named 'begin' or
'iterator'. If so, we treat the constructors and destructors of that type
as opaque, rather than inlining them.

This is intended to drastically reduce the number of false positives
reported with experimental destructor support turned on. We can tweak the
heuristic in the future, but we'd rather err on the side of false negatives
for now.

<rdar://problem/13497258>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178516 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
c9092bb5eb67d859122abb69a0ef61e9249500cd 02-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Cache whether a function is generally inlineable.

Certain properties of a function can determine ahead of time whether or not
the function is inlineable, such as its kind, its signature, or its
location. We can cache this value in the FunctionSummaries map to avoid
rechecking these static properties for every call.

Note that the analyzer may still decide not to inline a specific call to
a function because of the particular dynamic properties of the call along
the current path.

No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178515 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
992acb2269171b6ef68694d71a36f6b7408d8e82 02-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use inline storage in the FunctionSummary DenseMap.

The summaries lasted for the lifetime of the map anyway; no reason to
include an extra allocation.

Also, use SmallBitVector instead of BitVector to track the visited basic
blocks -- most functions will have less than 64 basic blocks -- and
use bitfields for the other fields to reduce the size of the structure.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178514 91177308-0d34-0410-b5e6-96231b3b80d8
unctionSummary.cpp
a12643622ad3b85972dfdd80fe9006a3e8d8fb80 02-Apr-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Allow suppressing diagnostics reported within the 'std' namespace

This is controlled by the 'suppress-c++-stdlib' analyzer-config flag.
It is currently off by default.

This is more suppression than we'd like to do, since obviously there can
be user-caused issues within 'std', but it gives us the option to wield
a large hammer to suppress false positives the user likely can't work
around.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178513 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
76f7761daee0fafd7609b25c95af4e011c743873 30-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Restructure ExprEngine::VisitCXXNewExpr to do a bit less work.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178402 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
e6f2bf86288bc45060b21c4f55a6153b8ba80443 30-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle caching out while evaluating a C++ new expression.

Evaluating a C++ new expression now includes generating an intermediate
ExplodedNode, and this node could very well represent a previously-
reachable state in the ExplodedGraph. If so, we can short-circuit the
rest of the evaluation.

Caught by the assertion a few lines later.

<rdar://problem/13510065>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178401 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
84e8a960ad76b3c7ca550b4cc92a1b90ed16d5c1 29-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan’s review of r178309 - do not register an extra visitor for nil receiver

We can check if the receiver is nil in the node that corresponds to the StmtPoint of the message send.
At that point, the receiver is guaranteed to be live. We will find at least one unreclaimed node due to
my previous commit (look for StmtPoint instead of PostStmt) and the fact that the nil receiver nodes are tagged.

+ a couple of extra tests.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178381 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
4de4715ad02aa8c9437a9e0e2854a0ccc71a3188 29-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Look for a StmtPoint node instead of PostStmt in trackNullOrUndefValue.

trackNullOrUndefValue tries to find the first node that matches the statement it is tracking.
Since we collect PostStmt nodes (in node reclamation), none of those might be on the
current path, so relax the search to look for any StmtPoint.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178380 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
0f5c5c60e9806d13f0907cd99d7204ffab0e08f7 29-Mar-2013 Ted Kremenek <kremenek@apple.com> Add static analyzer support for conditionally executing static initializers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178318 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineC.cpp
02a88c3edf1aeb9580e0b6e444b30c52846a673c 29-Mar-2013 Ted Kremenek <kremenek@apple.com> Add configuration plumbing to enable static initializer branching in the CFG for the analyzer.

This setting still isn't enabled yet in the analyzer. This is
just prep work.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178317 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
41988f331a74a72cf243a2a68ffb56418e9a174e 29-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Add support for escape of const pointers and use it to allow “newed” pointers to escape

Add a new callback that notifies checkers when a const pointer escapes. Currently, this only works
for const pointers passed as a top level parameter into a function. We need to differentiate the const
pointers escape from regular escape since the content pointed by const pointer will not change;
if it’s a file handle, a file cannot be closed; but delete is allowed on const pointers.

This should suppress several false positives reported by the NewDelete checker on llvm codebase.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178310 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
rogramState.cpp
egionStore.cpp
aabb4c5eacca6d78ef778f33ec5cd4c755d71a39 29-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Apply the suppression rules to the nil receiver only if the value participates in the computation of the nil we warn about.

We should only suppress a bug report if the IDCed or null returned nil value is directly related to the value we are warning about. This was
not the case for nil receivers - we would suppress a bug report that had an IDCed nil receiver on the path regardless of how it’s
related to the warning.

1) Thread EnableNullFPSuppression parameter through the visitors to differentiate between tracking the value which
is directly responsible for the bug and other values that visitors are tracking (ex: general tracking of nil receivers).
2) in trackNullOrUndef specifically address the case when a value of the message send is nil due to the receiver being nil.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178309 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
697462881c4b9b704c7859f4bab0a6116c684bb1 28-Mar-2013 Anton Yartsev <anton.yartsev@gmail.com> [analyzer] For now assume all standard global 'operator new' functions allocate memory in heap.
+ Improved test coverage for cplusplus.NewDelete checker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178244 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
b061720ddf88b4a1934dbbb1b874a424716cd7d7 27-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use evalBind for C++ new of scalar types.

These types will not have a CXXConstructExpr to do the initialization for
them. Previously we just used a simple call to ProgramState::bindLoc, but
that doesn't trigger proper checker callbacks (like pointer escape).

Found by Anton Yartsev.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178160 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
3655119ab1cb7b26926afeeb0f96cb21a21e410a 27-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Cleanup: only get the PostStmt when we need the underlying Stmt + comment

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178153 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
4a49df3be929d442535d6721ab8a2bbc8a7cd528 27-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Ensure that the node NilReceiverBRVisitor is looking for is not reclaimed

The visitor should look for the PreStmt node as the receiver is nil in the PreStmt and this is the node. Also, tag the nil
receiver nodes with a special tag for consistency.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178152 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
1533833e21ae5b3f5f39b168b3fbac109ee77008 27-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Make sure IDC works for ‘NSContainer value/key is nil’ checks.

Register the nil tracking visitors with the region and refactor trackNullOrUndefValue a bit.

Also adds the cast and paren stripping before checking if the value is an OpaqueValueExpr
or ExprWithCleanups.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178093 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
8a660eb1084294a903f6dcc00bf2fa4e3bc92cfc 26-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Change inlining policy to inline small functions when reanalyzing ObjC methods as top level.

This allows us to better reason about(inline) small wrapper functions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178063 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
df5f80f8a34e26a4fb77f48f858c7838426a0785 26-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] micro optimization as per Jordan’s feedback on r177905.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178062 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
5db8fac5f304d9973f724d5aeb4108367d36f781 25-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Set concrete offset bindings to UnknownVal when processing symbolic offset binding, even if no bindings are present.

This addresses an undefined value false positive from concreteOffsetBindingIsInvalidatedBySymbolicOffsetAssignment.

Fixes PR14877; radar://12991168.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177905 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
8f7bfb40b72f478d83b018a280f99c0386576ae3 24-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Teach ConstraintManager to ignore NonLoc <> NonLoc comparisons.

These aren't generated by default, but they are needed when either side of
the comparison is tainted.

Should fix our internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177846 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
4708b3dde86b06f40927ae9cf30a2de83949a8f2 23-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Teach constraint managers about unsigned comparisons.

In C, comparisons between signed and unsigned numbers are always done in
unsigned-space. Thus, we should know that "i >= 0U" is always true, even
if 'i' is signed. Similarly, "u >= 0" is also always true, even though '0'
is signed.

Part of <rdar://problem/13239003> (false positives related to std::vector)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177806 91177308-0d34-0410-b5e6-96231b3b80d8
PSIntType.cpp
angeConstraintManager.cpp
impleConstraintManager.cpp
a339cd66be6202c6e86916f52a347d0289bf2eea 23-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Loc-Loc operations (subtraction or comparison) produce a NonLoc.

For two concrete locations, we were producing another concrete location and
then casting it to an integer. We should just create a nonloc::ConcreteInt
to begin with.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177805 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
impleSValBuilder.cpp
281698935f62ac1d35ddd3533a562c1589aadc8b 23-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Also transform "a < b" to "(b - a) > 0" in the constraint manager.

We can support the full range of comparison operations between two locations
by canonicalizing them as subtraction, as in the previous commit.

This won't work (well) if either location includes an offset, or (again)
if the comparisons are not consistent about which region comes first.

<rdar://problem/13239003>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177803 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
8569281fb7ce9b5ca164a0528b876acbb45eb989 23-Mar-2013 Jordan Rose <jordan_rose@apple.com> Add reverseComparisonOp and negateComparisonOp to BinaryOperator.

...and adopt them in the analyzer.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177802 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
impleSValBuilder.cpp
78114a58f8cf5e9b948e82448b2f0904f5b6c19e 23-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Translate "a != b" to "(b - a) != 0" in the constraint manager.

Canonicalizing these two forms allows us to better model containers like
std::vector, which use "m_start != m_finish" to implement empty() but
"m_finish - m_start" to implement size(). The analyzer should have a
consistent interpretation of these two symbolic expressions, even though
it's not properly reasoning about either one yet.

The other unfortunate thing is that while the size() expression will only
ever be written "m_finish - m_start", the comparison may be written
"m_finish == m_start" or "m_start == m_finish". Right now the analyzer does
not attempt to canonicalize those two expressions, since it doesn't know
which length expression to pick. Doing this correctly will probably require
implementing unary minus as a new SymExpr kind (<rdar://problem/12351075>).

For now, the analyzer inverts the order of arguments in the comparison to
build the subtraction, on the assumption that "begin() != end()" is
written more often than "end() != begin()". This is purely speculation.

<rdar://problem/13239003>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177801 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
impleConstraintManager.cpp
impleConstraintManager.h
8958efacf8d52918cfe624116338bec62312582d 23-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use SymExprs to represent '<loc> - <loc>' and '<loc> == <loc>'.

We just treat this as opaque symbols, but even that allows us to handle
simple cases where the same condition is tested twice. This is very common
in the STL, which means that any project using the STL gets spurious errors.

Part of <rdar://problem/13239003>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177800 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
683d25656f28937f78c815f70545139c432f1ff3 23-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Correct the stale comment.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177788 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
0f3a34fb7fea37ebfbcba8b400ccb697b9559b49 22-Mar-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Break cycles (optionally) when trimming an ExplodedGraph."

The algorithm used here was ridiculously slow when a potential back-edge
pointed to a node that already had a lot of successors. The previous commit
makes this feature unnecessary anyway.

This reverts r177468 / f4cf6b10f863b9bc716a09b2b2a8c497dcc6aa9b.

Conflicts:

lib/StaticAnalyzer/Core/BugReporter.cpp

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177765 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
228094a28f81ddba94427239dea5c6e59ff6aabc 22-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use a forward BFS instead of a reverse BFS to find shortest paths.

For a given bug equivalence class, we'd like to emit the report with the
shortest path. So far to do this we've been trimming the ExplodedGraph to
only contain relevant nodes, then doing a reverse BFS (starting at all the
error nodes) to find the shortest paths from the root. However, this is
fairly expensive when we are suppressing many bug reports in the same
equivalence class.

r177468-9 tried to solve this problem by breaking cycles during graph
trimming, then updating the BFS priorities after each suppressed report
instead of recomputing the whole thing. However, breaking cycles is not
a cheap operation because an analysis graph minus cycles is still a DAG,
not a tree.

This fix changes the algorithm to do a single forward BFS (starting from the
root) and to use that to choose the report with the shortest path by looking
at the error nodes with the lowest BFS priorities. This was Anna's idea, and
has the added advantage of requiring no update step: we can just pick the
error node with the next lowest priority to produce the next bug report.

<rdar://problem/13474689>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177764 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
1aa4f5019164592643bf46b7d61f15b6ef509c8e 22-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Fix ExprEngine::ViewGraph to handle C++ initializers.

Debugging aid only, no functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177762 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
aa5573364b79bf4d85380aaec59cae2eeefcb322 20-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Appease buildbots: include template arguments in base class ref.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177583 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
f8e2c06cea1548c437761cb65cfbf97d50a057a7 20-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't invalidate globals when there's no call involved.

This fixes some mistaken condition logic in RegionStore that caused
global variables to be invalidated when /any/ region was invalidated,
rather than only as part of opaque function calls. This was only
being used by CStringChecker, and so users will now see that strcpy()
and friends do not invalidate global variables.

Also, add a test case we don't handle properly: explicitly-assigned
global variables aren't being invalidated by opaque calls. This is
being tracked by <rdar://problem/13464044>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177572 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
74f6982232c25ae723b1cc5abc59665a10867f21 20-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Track malloc'd memory into struct fields.

Due to improper modelling of copy constructors (specifically, their
const reference arguments), we were producing spurious leak warnings
for allocated memory stored in structs. In order to silence this, we
decided to consider storing into a struct to be the same as escaping.
However, the previous commit has fixed this issue and we can now properly
distinguish leaked memory that happens to be in a struct from a buffer
that escapes within a struct wrapper.

Originally applied in r161511, reverted in r174468.
<rdar://problem/12945937>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177571 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
f8ddc098981d4d85cad4e72fc6dfcfe83b842b66 20-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Invalidate regions indirectly accessible through const pointers.

In this case, the value of 'x' may be changed after the call to indirectAccess:

struct Wrapper {
int *ptr;
};

void indirectAccess(const Wrapper &w);

void test() {
int x = 42;
Wrapper w = { x };

clang_analyzer_eval(x == 42); // TRUE
indirectAccess(w);
clang_analyzer_eval(x == 42); // UNKNOWN
}

This is important for modelling return-by-value objects in C++, to show
that the contents of the struct are escaping in the return copy-constructor.

<rdar://problem/13239826>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177570 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
egionStore.cpp
e1a2e90876cbe2187250939374d26036ccba2ad6 20-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove strip of ElementRegion in CallEvent::invalidateRegions.

This is a bit of old code trying to deal with the fact that functions that
take pointers often use them to access an entire array via pointer
arithmetic. However, RegionStore already conservatively assumes you can use
pointer arithmetic to access any part of a region.

Some day we may want to go back to handling this specifically for calls,
but we can do that in the future.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177569 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
2110350909701fcd6b55c636e24a675f0a905fea 20-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Re-apply "Do part of the work to find shortest bug paths up front".

With the assurance that the trimmed graph does not contain cycles,
this patch is safe (with a few tweaks), and provides the performance
boost it was intended to.

Part of performance work for <rdar://problem/13433687>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177469 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
f4cf6b10f863b9bc716a09b2b2a8c497dcc6aa9b 20-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Break cycles (optionally) when trimming an ExplodedGraph.

Having a trimmed graph with no cycles (a DAG) is much more convenient for
trying to find shortest paths, which is exactly what BugReporter needs to do.

Part of the performance work for <rdar://problem/13433687>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177468 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
9f3495aeaa24da4eacf8f6c274adcef65e2f3617 19-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Do not believe lazy binding when symbolic region types do not match

This fixes a crash when analyzing LLVM that was exposed by r177220 (modeling of
trivial copy/move assignment operators).

When we look up a lazy binding for “Builder”, we see the direct binding of Loc at offset 0.
Previously, we believed the binding, which led to a crash. Now, we do not believe it as
the types do not match.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177453 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
239b6e47d282bd66c8b559ac47b8b42b34da619e 19-Mar-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Do part of the work to find shortest bug paths up front."

The whole reason we were doing a BFS in the first place is because an
ExplodedGraph can have cycles. Unfortunately, my removeErrorNode "update"
doesn't work at all if there are cycles.

I'd still like to be able to avoid doing the BFS every time, but I'll come
back to it later.

This reverts r177353 / 481fa5071c203bc8ba4f88d929780f8d0f8837ba.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177448 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
15d68882f5fa4afae8333e75b2bfd5e2834c8aaf 19-Mar-2013 Stephen Hines <srhines@google.com> Merge branch 'upstream' into merge_2013_03_18

Conflicts:
lib/Sema/SemaDeclAttr.cpp

Change-Id: I05e70941163ec5a461eba43ef78f6738cd5a1e69
a5f80b2ea6d30c5055c067530d63bb0dcaf937d0 19-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Do part of the work to find shortest bug paths up front.

Splitting the graph trimming and the path-finding (r177216) already
recovered quite a bit of performance lost to increased suppression.
We can still do better by also performing the reverse BFS up front
(needed for shortest-path-finding) and only walking the shortest path
for each report. This does mean we have to walk back up the path and
invalidate all the BFS numbers if the report turns out to be invalid,
but it's probably still faster than redoing the full BFS every time.

More performance work for <rdar://problem/13433687>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177353 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
85a92cfa52ddf4c45fe2baca4d7fea0bdc5ed103 19-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Replace uses of assume() with isNull() in BR visitors.

Also, replace a std::string with a SmallString.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177352 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
a8d937e4bdd39cdf503f77454e9dc4c9c730a9f7 16-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Model trivial copy/move assignment operators with a bind as well.

r175234 allowed the analyzer to model trivial copy/move constructors as
an aggregate bind. This commit extends that to trivial assignment
operators as well. Like the last commit, one of the motivating factors here
is not warning when the right-hand object is partially-initialized, which
can have legitimate uses.

<rdar://problem/13405162>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177220 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
1efffab67364f5afcc25f5f5f77e0f7ba5d41055 16-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Separate graph trimming from creating the single-path graph.

When we generate a path diagnostic for a bug report, we have to take the
full ExplodedGraph and limit it down to a single path. We do this in two
steps: "trimming", which limits the graph to all the paths that lead to
this particular bug, and "creating the report graph", which finds the
shortest path in the trimmed path to any error node.

With BugReporterVisitor false positive suppression, this becomes more
expensive: it's possible for some paths through the trimmed graph to be
invalid (i.e. likely false positives) but others to be valid. Therefore
we have to run the visitors over each path in the graph until we find one
that is valid, or until we've ruled them all out. This can become quite
expensive.

This commit separates out graph trimming from creating the report graph,
performing the first only once per bug equivalence class and the second
once per bug report. It also cleans up that portion of the code by
introducing some wrapper classes.

This seems to recover most of the performance regression described in my
last commit.

<rdar://problem/13433687>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177216 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
c9963132736782d0c9178c744b3e2307cfb98a08 16-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Eliminate InterExplodedGraphMap class and NodeBackMap typedef.

...in favor of this typedef:

typedef llvm::DenseMap<const ExplodedNode *, const ExplodedNode *>
InterExplodedGraphMap;

Use this everywhere the previous class and typedef were used.

Took the opportunity to ArrayRef-ize ExplodedGraph::trim while I'm at it.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177215 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
xprEngine.cpp
9a9fe4068eed2fc72ec985e5ae393fb79a8fb9ad 16-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't repeat a bug equivalence class if every report is invalid.

I removed this check in the recursion->iteration commit, but forgot that
generatePathDiagnostic may be called multiple times if there are multiple
PathDiagnosticConsumers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177214 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
74c0d6988462c2cb882e7a8b8050fe119a5af56f 16-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Use isLiveRegion to determine when SymbolRegionValue is dead.

Fixes a FIXME, improves dead symbol collection, suppresses a false positive,
which resulted from reusing the same symbol twice for simulation of 2 calls to the same function.

Fixing this lead to 2 possible false negatives in CString checker. Since the checker is still alpha and
the solution will not require revert of this commit, move the tests to a FIXME section.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177206 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
f510f5cd57fa9b7ea6f6e103c65c0df95a55d986 16-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] BugReporterVisitors: handle the case where a ternary operator is wrapped in a cast.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177205 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
f8ba81e8bbc4d0d424c3b4c3581a9467e972c4de 16-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan’s review of r177138 (a micro optimization)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177204 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
2f13eb116e62161c5e4d198f7831f226e5cea9da 15-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Make GRBugReporter::generatePathDiagnostic iterative, not recursive.

The previous generatePathDiagnostic() was intended to be tail-recursive,
restarting and trying again if a report was marked invalid. However:
(1) this leaked all the cloned visitors, which weren't being deleted, and
(2) this wasn't actually tail-recursive because some local variables had
non-trivial destructors.

This was causing us to overflow the stack on inputs with large numbers of
reports in the same equivalence class, such as sqlite3.c. Being iterative
at least prevents us from blowing out the stack, but doesn't solve the
performance issue: suppressing thousands (yes, thousands) of paths in the
same equivalence class is expensive. I'm looking into that now.

<rdar://problem/13423498>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177189 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
cc08ca9b3cd2b715a699bcc772ce2e83a502915a 15-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Collect stats on the max # of bug reports in an equivalence class.

We discovered that sqlite3.c currently has 2600 reports in a single
equivalence class; it would be good to know if this is a recent
development or what.

(For the curious, the different reports in an equivalence class represent
the same bug found along different paths. When we're suppressing false
positives, we need to go through /every/ path to make sure there isn't a
valid path to a bug. This is a flaw in our after-the-fact suppression,
made worse by the fact that that function isn't particularly optimized.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177188 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
05cb2eb0a79a05e6079106575fbf0dd58a388edf 15-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Include opcode in dumping a SymSymExpr.

For debugging use only; no functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177187 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
6a15f39a6bfd7a30085c5fa8f67d0b64b74b132a 15-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Look through ExprWhenCleanups when trying to track a NULL.

Silences a few false positives in LLVM.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177186 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
810169e7a1f858a787d2db050deebaee7e10c97f 15-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Refactor checks in IDC visitor for consistency and speed

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177138 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
dc9c160dede7e2f5cc11755db6aaa57e7fccbcec 15-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Teach trackNullOrUndef to look through ternary operators

Allows the suppression visitors trigger more often.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177137 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
a4bb4f6ca8dd31ad96cb9526a5abe1273f18ff40 14-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Change the way in which IDC Visitor decides to kick in and make sure it attaches in the given edge case

In the test case below, the value V is not constrained to 0 in ErrorNode but it is in node N.
So we used to fail to register the Suppression visitor.

We also need to change the way we determine that the Visitor should kick in because the node N belongs to
the ExplodedGraph and might not be on the BugReporter path that the visitor sees. Instead of trying to match the node,
turn on the visitor when we see the last node in which the symbol is ‘0’.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177121 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
6022c4e17c0d2ad9c43ef6bc830d394b670a4705 13-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] BugReporter - more precise tracking of C++ references

When BugReporter tracks C++ references involved in a null pointer violation, we
want to differentiate between a null reference and a reference to a null pointer. In the
first case, we want to track the region for the reference location; in the second, we want
to track the null pointer.

In addition, the core creates CXXTempObjectRegion to represent the location of the
C++ reference, so teach FindLastStoreBRVisitor about it.

This helps null pointer suppression to kick in.

(Patch by Anna and Jordan.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176969 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
1b125665bec87c85921c92ebec1d3f60404d1d86 13-Mar-2013 Ted Kremenek <kremenek@apple.com> Remove stray space.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176966 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
c5b9c8bc6d77175f6d41d898511b1e7b1e2f86f8 13-Mar-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Handle Objc Fast enumeration for "loop is executed 0 times".

Fixes <rdar://problem/12322528>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176965 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
77b72231a0316509cc939b052be35fafce606567 11-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Look for calls along with lvalue nodes in trackNullOrUndefValue.

r176737 fixed bugreporter::trackNullOrUndefValue to find nodes for an lvalue
even if the rvalue node had already been collected. This commit extends that
to call statement nodes as well, so that if a call is contained within
implicit casts we can still track the return value.

No test case because node reclamation is extremely finicky (dependent on
how the AST and CFG are built, and then on our current reclamation rules,
and /then/ on how many nodes were generated by the analyzer core and the
current set of checkers). I consider this a low-risk change, though, and
it will only happen in cases of reclamation when the rvalue node isn't
available.

<rdar://problem/13340764>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176829 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
0415998dd77986630efe8f1aed633519cc41e1f3 09-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Make Suppress IDC checker aware that it might not start from the same node it was registered at

The visitor used to assume that the value it’s tracking is null in the first node it examines. This is not true.
If we are registering the Suppress Inlined Defensive checks visitor while traversing in another visitor
(such as FindlastStoreVisitor). When we restart with the IDC visitor, the invariance of the visitor does
not hold since the symbol we are tracking no longer exists at that point.

I had to pass the ErrorNode when creating the IDC visitor, because, in some cases, node N is
neither the error node nor will be visible along the path (we had not finalized the path at that point
and are dealing with ExplodedGraph.)

We should revisit the other visitors which might not be aware that they might get nodes, which are
later in path than the trigger point.

This suppresses a number of inline defensive checks in JavaScriptCore.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176756 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
0183768813658d419e3124b576744b03ec8e9b55 09-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Look for lvalue nodes when tracking a null pointer.

r176010 introduced the notion of "interesting" lvalue expressions, whose
nodes are guaranteed never to be reclaimed by the ExplodedGraph. This was
used in bugreporter::trackNullOrUndefValue to find the region that contains
the null or undef value being tracked.

However, the /rvalue/ nodes (i.e. the loads from these lvalues that produce
a null or undef value) /are/ still being reclaimed, and if we couldn't
find the node for the rvalue, we just give up. This patch changes that so
that we look for the node for either the rvalue or the lvalue -- preferring
the former, since it lets us fall back to value-only tracking in cases
where we can't get a region, but allowing the latter as well.

<rdar://problem/13342842>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176737 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
8c84707fd0fbe9f6f7d17fadd5a9fe162dff8445 09-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't rely on finding the correct return statement for suppression.

Previously, ReturnVisitor waited to suppress a null return path until it
had found the inlined "return" statement. Now, it checks up front whether
the return value was NULL, and suppresses the warning right away if so.

We still have to wait until generating the path notes to invalidate the bug
report, or counter-suppression will never be triggered. (Counter-suppression
happens while generating path notes, but the generation won't happen for
reports already marked invalid.)

This isn't actually an issue today because we never reclaim nodes for
top-level statements (like return statements), but it could be an issue
some day in the future. (But, no expected behavioral change and no new
test case.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176736 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
962fbc46664f2486d6805549130fa6b310de6d60 07-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Clean up a few doc comments for ProgramState and CallEvent.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176600 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
713e07591995d761f65c7132289dce003a29870f 06-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] IDC: Add config option; perform the idc check on first “null node” rather than last “non-null”.

The second modification does not lead to any visible result, but, theoretically, is what we should
have been looking at to begin with since we are checking if the node was assumed to be null in
an inlined function.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176576 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
bd3aca04d304b9f31240b94af0aad818f6f932ab 06-Mar-2013 Stephen Hines <srhines@google.com> Update build rules for Clang merge to version 176138.

Change-Id: Ib028329a591e6175998d969f11b5404bf3f19e81
ndroid.mk
450b86c0c9ff8307f5145ced621914600196c500 06-Mar-2013 Stephen Hines <srhines@google.com> Merge commit 'b58f810669d9c17bcc025b7560de01d162856f34' into merge_20130226

Conflicts:
include/clang/Basic/LangOptions.def
lib/Sema/SemaDeclAttr.cpp

Change-Id: Ia10b4d3b2c949a72d328cb58b113f90237d4a5d5
41f3f3a4792f46787632fdb94f952f6b3ce3f4ae 05-Mar-2013 Jordan Rose <jordan_rose@apple.com> Silence a number of static analyzer warnings with assertions and such.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176469 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
cc5dbdae70c6eb2423921f52a35ba4686d2969cf 02-Mar-2013 Anna Zaks <ganna@apple.com> [analyzer] Simple inline defensive checks suppression

Inlining brought a few "null pointer use" false positives, which occur because
the callee defensively checks if a pointer is NULL, whereas the caller knows
that the pointer cannot be NULL in the context of the given call.

This is a first attempt to silence these warnings by tracking the symbolic value
along the execution path in the BugReporter. The new visitor finds the node
in which the symbol was first constrained to NULL. If the node belongs to
a function on the active stack, the warning is reported, otherwise, it is
suppressed.

There are several areas for follow up work, for example:
- How do we differentiate the cases where the first check is followed by
another one, which does happen on the active stack?

Also, this only silences a fraction of null pointer use warnings. For example, it
does not do anything for the cases where NULL was assigned inside a callee.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176402 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
rogramState.cpp
d764e20189dbb42b38ada383a0a159f6adc0d56c 02-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Special-case bitfields when finding sub-region bindings.

Previously we were assuming that we'd never ask for the sub-region bindings
of a bitfield, since a bitfield cannot have subregions. However,
unification of code paths has made that assumption invalid. While we could
take advantage of this by just checking for the single possible binding,
it's probably better to do the right thing, so that if/when we someday
support unions we'll do the right thing there, too.

This fixes a handful of false positives in analyzing LLVM.

<rdar://problem/13325522>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176388 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
9abf1b4577b75ffcc46afbdfb55de334f68f05c0 01-Mar-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Suppress paths involving a reference whose rvalue is null.

Most map types have an operator[] that inserts a new element if the key
isn't found, then returns a reference to the value slot so that you can
assign into it. However, if the value type is a pointer, it will be
initialized to null. This is usually no problem.

However, if the user /knows/ the map contains a value for a particular key,
they may just use it immediately:

// From ClangSACheckersEmitter.cpp
recordGroupMap[group]->Checkers

In this case the analyzer reports a null dereference on the path where the
key is not in the map, even though the user knows that path is impossible
here. They could silence the warning by adding an assertion, but that means
splitting up the expression and introducing a local variable. (Note that
the analyzer has no way of knowing that recordGroupMap[group] will return
the same reference if called twice in a row!)

We already have logic that says a null dereference has a high chance of
being a false positive if the null came from an inlined function. This
patch simply extends that to references whose rvalues are null as well,
silencing several false positives in LLVM.

<rdar://problem/13239854>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176371 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
e33d852452c7008ccd0677aae88f1055cf1a9af1 28-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] RegionStore: collectSubRegionKeys -> collectSubRegionBindings

By returning the (key, value) binding pairs, we save lookups afterwards.
This also enables further work later on.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176230 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
6f4160828db75f36b22a204da202723c592644f3 27-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Teach FindLastStoreBRVisitor to understand stores of the same value.

Consider this case:

int *p = 0;
p = getPointerThatMayBeNull();
*p = 1;

If we inline 'getPointerThatMayBeNull', we might know that the value of 'p'
is NULL, and thus emit a null pointer dereference report. However, we
usually want to suppress such warnings as error paths, and we do so by using
FindLastStoreBRVisitor to see where the NULL came from. In this case, though,
because 'p' was NULL both before and after the assignment, the visitor
would decide that the "last store" was the initialization, not the
re-assignment.

This commit changes FindLastStoreBRVisitor to consider all PostStore nodes
that assign to this region. This still won't catches changes made directly
by checkers if they re-assign the same value, but it does handle the common
case in user-written code and will trigger ReturnVisitor's suppression
machinery as expected.

<rdar://problem/13299738>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176201 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
a11f22f60673c6c9556976b49e64bf7fa751f4eb 27-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Turn on C++ constructor inlining by default.

This enables constructor inlining for types with non-trivial destructors.
The plan is to enable destructor inlining within the next month, but that
needs further verification.

<rdar://problem/12295329>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176200 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
b7a3f74bbb02788ad1b597fe3897db2d8a4fed43 27-Feb-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Add stop-gap patch to prevent assertion failure when analyzing LLVM codebase.

This potentially reduces a performance optimization of throwing away
PreStmtPurgeDeadSymbols nodes. I'll investigate the performance impact
soon and see if we need something better.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176149 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
deb8f5d533b7bcd962976ecdbc1464fe754b6de0 27-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] If a struct has a partial lazy binding, its fields aren't Undef.

This is essentially the same problem as r174031: a lazy binding for the first
field of a struct may stomp on an existing default binding for the
entire struct. Because of the way RegionStore is set up, we can't help
but lose the top-level binding, but then we need to make sure that accessing
one of the other fields doesn't come back as Undefined.

In this case, RegionStore is now correctly detecting that the lazy binding
we have isn't the right type, but then failing to follow through on the
implications of that: we don't know anything about the other fields in the
aggregate. This fix adds a test when searching for other kinds of default
values to see if there's a lazy binding we rejected, and if so returns
a symbolic value instead of Undefined.

The long-term fix for this is probably a new Store model; see
<rdar://problem/12701038>.

Fixes <rdar://problem/13292559>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176144 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
egionStore.cpp
4238f41d484729aca260140fbbc53a68769bf60a 26-Feb-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Use 'MemRegion::printPretty()' instead of assuming the region is a VarRegion.

Fixes PR15358 and <rdar://problem/13295437>.

Along the way, shorten path diagnostics that say "Variable 'x'" to just
be "'x'". By the context, it is obvious that we have a variable,
and so this just consumes text space.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176115 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
eafb5c694cc5d165149fcb9453bc9355fb0d44a5 26-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't look through casts when creating pointer temporaries.

Normally, we need to look through derived-to-base casts when creating
temporary object regions (added in r175854). However, if the temporary
is a pointer (rather than a struct/class instance), we need to /preserve/
the base casts that have been applied.

This also ensures that we really do create a new temporary region when
we need to: MaterializeTemporaryExpr and lvalue CXXDefaultArgExprs.

Fixes PR15342, although the test case doesn't include the crash because
I couldn't isolate it.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176069 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
6f8e9b6caed0bf6108cf90f0d54fa637b60b3b9e 25-Feb-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Recover all PreStmtPurgeDeadSymbols nodes with a single successor or predecessor.

These nodes are never consulted by any analyzer client code, so they are
used only for machinery for removing dead bindings. Once successor nodes
are generated they can be safely removed.

This greatly reduces the amount of nodes that are generated in some case,
lowering the memory regression when analyzing Sema.cpp introduced by
r176010 from 14% to 2%.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176050 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
42f2309f739549bead6e5a6c34fd1be4d087998f 25-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan's code review of r175857.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176043 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
fbdbed3bde8577815826b9d15790e5effb913f7b 25-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle reference parameters with default values.

r175026 added support for default values, but didn't take reference
parameters into account, which expect the default argument to be an
lvalue. Use createTemporaryRegionIfNeeded if we can evaluate the default
expr as an rvalue but the expected result is an lvalue.

Fixes the most recent report of PR12915. The original report predates
default argument support, so that can't be it.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176042 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
egionStore.cpp
6dc5c33fd4334ccf4a661c331f86e23829e51d55 25-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Base regions may be invalid when layered on symbolic regions.

While RegionStore checks to make sure casts on TypedValueRegions are valid,
it does not do the same for SymbolicRegions, which do not have perfect type
info anyway. Additionally, MemRegion::getAsOffset does not take a
ProgramState, so it can't use dynamic type info to determine a better type
for the regions. (This could also be dangerous if the type of a super-region
changes!)

Account for this by checking that a base object region is valid on top of a
symbolic region, and falling back to "symbolic offset" mode if not.

Fixes PR15345.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176034 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
6c5038cf8486d92ae53bf4513141bd40a5ae0734 25-Feb-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Relax assumption in FindLastStoreBRVisitor that the thing we are looking for is always a VarRegion.

This was triggering assertion failures when analyzing the LLVM codebase. This
is fallout from r175988.

I've got delta chewing away on a test case, but I wanted the fix to go
in now.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176011 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
4e9c0854382d37325771b50f6cf899a75119fa24 25-Feb-2013 Ted Kremenek <kremenek@apple.com> [analyzer] add the notion of an "interesting" lvalue expression for ExplodedNode pruning.

r175988 modified the ExplodedGraph trimming algorithm to retain all
nodes for "lvalue" expressions. This patch refines that notion to
only "interesting" expressions that would be used for diagnostics.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176010 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xplodedGraph.cpp
43b82b823a6113fdbee54243b280db9c55ef72cb 24-Feb-2013 Ted Kremenek <kremenek@apple.com> [analyzer] tracking stores/constraints now works for ObjC ivars or struct fields.

This required more changes than I originally expected:

- ObjCIvarRegion implements "canPrintPretty" et al
- DereferenceChecker indicates the null pointer source is an ivar
- bugreporter::trackNullOrUndefValue() uses an alternate algorithm
to compute the location region to track by scouring the ExplodedGraph.
This allows us to get the actual MemRegion for variables, ivars,
fields, etc. We only hand construct a VarRegion for C++ references.
- ExplodedGraph no longer drops nodes for expressions that are marked
'lvalue'. This is to facilitate the logic in the previous bullet.
This may lead to a slight increase in size in the ExplodedGraph,
which I have not measured, but it is likely not to be a big deal.

I have validated each of the changed plist output.

Fixes <rdar://problem/12114812>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175988 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xplodedGraph.cpp
emRegion.cpp
0dd15d78fb0c99faa5df724139ba4c16a9a345c6 24-Feb-2013 Ted Kremenek <kremenek@apple.com> Add "KnownSVal" to represent SVals that cannot be UnknownSVal.

This provides a few sundry cleanups, and allows us to provide
a compile-time check for a case that was a runtime assertion.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175987 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
b07805485c603be3d8011f72611465324c9e664b 23-Feb-2013 David Blaikie <dblaikie@gmail.com> Remove the CFGElement "Invalid" state.

Use Optional<CFG*> where invalid states were needed previously. In the one case
where that's not possible (beginAutomaticObjDtorsInsert) just use a dummy
CFGAutomaticObjDtor.

Thanks for the help from Jordan Rose & discussion/feedback from Ted Kremenek
and Doug Gregor.

Post commit code review feedback on r175796 by Ted Kremenek.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175938 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
allEvent.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
athDiagnostic.cpp
ae7396c3891748762d01431e16541b3eb9125c4d 22-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't canonicalize the RecordDecl used in CXXBaseObjectRegion.

This Decl shouldn't be the canonical Decl; it should be the Decl used by
the CXXBaseSpecifier in the subclass. Unfortunately, that means continuing
to throw getCanonicalDecl() on all comparisons.

This fixes MemRegion::getAsOffset's use of ASTRecordLayout when redeclarations
are involved.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175913 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
b04a2387ac23adfa063de03844cb16c0d77fb405 22-Feb-2013 Ted Kremenek <kremenek@apple.com> [analyzer] Implement "Loop executed 0 times" diagnostic correctly.

Fixes <rdar://problem/13236549>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175863 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8dadf15224f1a8df96793e5fc4e0b0e38a5ffbe4 22-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Place all inlining policy checks into one palce

Previously, we had the decisions about inlining spread out
over multiple functions.

In addition to the refactor, this commit ensures
that we will always inline BodyFarm functions as long as the Decl
is available. This fixes false positives due to those functions
not being inlined when no or minimal inlining is enabled such (as
shallow mode).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175857 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
5e5440ba9c135f523f72e7e7c5da59d390d697c5 22-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Make sure a materialized temporary matches its bindings.

This is a follow-up to r175830, which made sure a temporary object region
created for, say, a struct rvalue matched up with the initial bindings
being stored into it. This does the same for the case in which the AST
actually tells us that we need to create a temporary via a
MaterializeObjectExpr. I've unified the two code paths and moved a static
helper function onto ExprEngine.

This also caused a bit of test churn, causing us to go back to describing
temporary regions without a 'const' qualifier. This seems acceptable; it's
our behavior from a few months ago.

<rdar://problem/13265460> (part 2)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175854 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
f08740ba5903d089a53cc315c19286e2189f9ff3 22-Feb-2013 Ted Kremenek <kremenek@apple.com> Fix regression in modeling assignments of an address of a variable to itself. Fixes <rdar://problem/13226577>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175852 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
87193dac8f2c6c8f7ee1aa9eeb64622ec75c881b 22-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Fix buildbot by not reusing a variable name.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175848 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
9f1d541ef1aca8f953e5bb4e7177969f0a2062d5 22-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Make sure a temporary object region matches its initial bindings.

When creating a temporary region (say, when a struct rvalue is used as
the base of a member expr), make sure we account for any derived-to-base
casts. We don't actually record these in the LazyCompoundVal that
represents the rvalue, but we need to make sure that the temporary region
we're creating (a) matches the bindings, and (b) matches its expression.

Most of the time this will do exactly the same thing as before, but it
fixes spurious "garbage value" warnings introduced in r175234 by the use
of lazy bindings to model trivial copy constructors.

<rdar://problem/13265460>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175830 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
df1f94ebfac4578e27ad008522c7b333e977e51b 22-Feb-2013 David Blaikie <dblaikie@gmail.com> Simplify code to use castAs rather than getAs + assert.

Post commit review feedback on r175812 from Jordan Rose.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175826 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
7a95de68c093991047ed8d339479ccad51b88663 21-Feb-2013 David Blaikie <dblaikie@gmail.com> Replace ProgramPoint llvm::cast support to be well-defined.

See r175462 for another example/more details.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175812 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
fdf6a279c9a75c778eba382d9a156697092982a1 21-Feb-2013 David Blaikie <dblaikie@gmail.com> Replace CFGElement llvm::cast support to be well-defined.

See r175462 for another example/more details.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175796 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
allEvent.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
athDiagnostic.cpp
6d35b412fc0289681f320acc389f7a83066ec9e2 21-Feb-2013 NAKAMURA Takumi <geek4civic@gmail.com> StaticAnalyzer/Core: Suppress warnings. [-Wunused-variable, -Wunused-function]

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175721 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
79741c49fcc72aaa01e68f07d9d13f3d9130b11e 21-Feb-2013 NAKAMURA Takumi <geek4civic@gmail.com> Whitespace.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175720 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
4411b423e91da0a2c879b70c0222aeba35f72044 21-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Record whether a base object region represents a virtual base.

This allows MemRegion and MemRegionManager to avoid asking over and over
again whether an class is a virtual base or a non-virtual base.

Minor optimization/cleanup; no functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175716 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
emRegion.cpp
tore.cpp
472b0613ff67e8598ef6a69bb478c721b21a9294 21-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Tidy up a few uses of Optional in RegionStore.

Some that I just added needed conversion to use 'None', others looked
better using Optional<SVal>::create.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175714 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
66874fb18afbffb8b2ca05576851a64534be3352 21-Feb-2013 David Blaikie <dblaikie@gmail.com> Use None rather than Optional<T>() where possible.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175705 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
egionStore.cpp
11f0cae4bf4f62dcc706d33c1f795d460cd64816 21-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Tighten up safety in the use of lazy bindings.

- When deciding if we can reuse a lazy binding, make sure to check if there
are additional bindings in the sub-region.
- When reading from a lazy binding, don't accidentally strip off casts or
base object regions. This slows down lazy binding reading a bit but is
necessary for type sanity when treating one class as another.

A bit of minor refactoring allowed these two checks to be unified in a nice
early-return-using helper function.

<rdar://problem/13239840>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175703 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
dc84cd5efdd3430efb22546b4ac656aa0540b210 20-Feb-2013 David Blaikie <dblaikie@gmail.com> Include llvm::Optional in clang/Basic/LLVM.h

Post-commit CR feedback from Jordan Rose regarding r175594.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175679 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
allEvent.cpp
nvironment.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineObjC.cpp
emRegion.cpp
athDiagnostic.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
Vals.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
tore.cpp
0b9c328bb47b38ef6ff877a42e8a90a31ab0e2e1 20-Feb-2013 David Blaikie <dblaikie@gmail.com> Use op-> directly rather than via Optional<T>::getPointer.

Post-commit CR feedback from Jordan Rose regarding r175594.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175677 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
5251abea41b446c26e3239c8dd6c7edea6fc335d 20-Feb-2013 David Blaikie <dblaikie@gmail.com> Replace SVal llvm::cast support to be well-defined.

See r175462 for another example/more details.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175594 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
allEvent.cpp
nvironment.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
emRegion.cpp
athDiagnostic.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
Vals.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
tore.cpp
206f49966f66ad7cbfe3d37c14fa7e6e7410f3be 20-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Account for the "interesting values" hash table resizing.

RegionStoreManager::getInterestingValues() returns a pointer to a
std::vector that lives inside a DenseMap, which is constructed on demand.
However, constructing one such value can lead to constructing another
value, which will invalidate the reference created earlier.

Fixed by delaying the new entry creation until the function returns.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175582 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
65f991ccbec43b4a860f70594c92528ee8fb7c6f 19-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't accidentally strip off base object regions for lazy bindings.

If a base object is at a 0 offset, RegionStoreManager may find a lazy
binding for the entire object, then try to attach a FieldRegion or
grandparent CXXBaseObjectRegion on top of that (skipping the intermediate
region). We now preserve as many layers of base object regions necessary
to make the types match.

<rdar://problem/13239840>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175556 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ada0d224fcff5ff07c9dd846379592f92ccf5ee7 15-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't assert when mixing reinterpret_cast and derived-to-base casts.

This just adds a very simple check that if a DerivedToBase CastExpr is
operating on a value with known C++ object type, and that type is not the
base type specified in the AST, then the cast is invalid and we should
return UnknownVal.

In the future, perhaps we can have a checker that specifies that this is
illegal, but we still shouldn't assert even if the user turns that checker
off.

PR14872

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175239 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
bc403861bc4e6f7ad1371e9e129f0f25b38b3a9a 15-Feb-2013 Jordan Rose <jordan_rose@apple.com> Re-apply "[analyzer] Model trivial copy/move ctors with an aggregate bind."

...after a host of optimizations related to the use of LazyCompoundVals
(our implementation of aggregate binds).

Originally applied in r173951.
Reverted in r174069 because it was causing hangs.
Re-applied in r174212.
Reverted in r174265 because it was /still/ causing hangs.

If this needs to be reverted again it will be punted to far in the future.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175234 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
28743b006bd88cd7d0ea97b4f17646f8fc429b89 15-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Cache the bindings accessible through a LazyCompoundVal.

This means we don't have to recompute them all later for every
removeDeadSymbols check.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175233 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ef9e6d66574393310da7e7508a5a363eb9f6c4d1 15-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Scan the correct store when finding symbols in a LazyCompoundVal.

Previously, we were scanning the current store. Now, we properly scan the
store that the LazyCompoundVal came from, which may have very different
live symbols.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175232 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
fcfcd80cd1de38fe272e1a8ae8faa3cfb6b2e37e 15-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Tweak LazyCompoundVal reuse check to ignore qualifiers.

This is optimization only; no behavioral change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175231 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
0a0f1309d0fbeb0e77edbbc4e0b15cc330c3a28c 15-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use collectSubRegionKeys to make removeDeadBindings faster.

Previously, whenever we had a LazyCompoundVal, we crawled through the
entire store snapshot looking for bindings within the LCV's region. Now, we
just ask for the subregion bindings of the lazy region and only visit those.

This is an optimization (so no test case), but it may allow us to clean up
more dead bindings than we were previously.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175230 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
9d688e219caa37e60975ec8d5bebe74a176c9c2b 15-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Refactor RegionStore's sub-region bindings traversal.

This is going to be used in the next commit.
While I'm here, tighten up assumptions about symbolic offset
BindingKeys, and make offset calculation explicitly handle all
MemRegion kinds.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175228 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
697a68590a75f5cd2326c8f686a6c666b51688b6 14-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Try constant-evaluation for all variables, not just globals.

In C++, constants captured by lambdas (and blocks) are not actually stored
in the closure object, since they can be expanded at compile time. In this
case, they will have no binding when we go to look them up. Previously,
RegionStore thought they were uninitialized stack variables; now, it checks
to see if they are a constant we know how to evaluate, using the same logic
as r175026.

This particular code path is only for scalar variables. Constant arrays and
structs are still unfortunately unhandled; we'll need a stronger solution
for those.

This may have a small performance impact, but only for truly-undefined
local variables, captures in a non-inlined block, and non-constant globals.
Even then, in the non-constant case we're only doing a quick type check.

<rdar://problem/13105553>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175194 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
38f68ef19cb51d5876e9025b5fceb44b33ec9ed7 13-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use Clang's evaluation for global constants and default arguments.

Previously, we were handling only simple integer constants for globals and
the smattering of implicitly-valued expressions handled by Environment for
default arguments. Now, we can use any integer constant expression that
Clang can evaluate, in addition to everything we handled before.

PR15094 / <rdar://problem/12830437>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175026 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
egionStore.cpp
04870edbea6cf88412c8c9c1eba65f7fc1fa12d9 13-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Use makeZeroVal in RegionStore's lazy evaluation of statics.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175025 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
f07e815823e03c046bbc186ec2b41d656e9cac7f 09-Feb-2013 NAKAMURA Takumi <geek4civic@gmail.com> clang/lib/StaticAnalyzer/Core/BugReporter.cpp: Appease old msvc in std::pair(0, 0).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174792 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8185674528423e2504a1fae35c28c24104846510 08-Feb-2013 Ted Kremenek <kremenek@apple.com> Teach BugReporter (extensive diagnostics) to emit a diagnostic when a loop body is skipped.

Fixes <rdar://problem/12322528>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174736 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
19df705c75ba341b3ae8f2ff3e3f411d5f49887c 08-Feb-2013 Ted Kremenek <kremenek@apple.com> Remove stale instance variable.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174730 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8135886ab74d852a6702b1f5656a0b146abe210a 08-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Remove redundant check as per Jordan's feedback.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174680 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
233e26acc0ff2a1098f4c813f69286fce840a422 08-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Add pointer escape type param to checkPointerEscape callback

The checkPointerEscape callback previously did not specify how a
pointer escaped. This change includes an enum which describes the
different ways a pointer may escape. This enum is passed to the
checkPointerEscape callback when a pointer escapes. If the escape
is due to a function call, the call is passed. This changes
previous behavior where the call is passed as NULL if the escape
was due to indirectly invalidating the region the pointer referenced.

A patch by Branden Archer!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174677 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
2b6876173b36d92aaf379c29cb339d91b4d358ee 08-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Don't reinitialize static globals more than once along a path

This patch makes sure that we do not reinitialize static globals when
the function is called more than once along a path. The motivation is
code with initialization patterns that rely on 2 static variables, where
one of them has an initializer while the other does not. Currently, we
reset the static variables with initializers on every visit to the
function along a path.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174676 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
b98c6fe8877b809d4da3020692c9b38f972b92cf 06-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer]Revert part of r161511; suppresses leak false positives in C++

This is a "quick fix".

The underlining issue is that when a const pointer to a struct is passed
into a function, we do not invalidate the pointer fields. This results
in false positives that are common in C++ (since copy constructors are
prevalent). (Silences two llvm false positives.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174468 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
5846720f08a6b225484bfe663599c2b057a99bc8 05-Feb-2013 Ted Kremenek <kremenek@apple.com> Change subexpressions to be visited in the CFG from left-to-right.

This is a more natural order of evaluation, and it is very important
for visualization in the static analyzer. Within Xcode, the arrows
will not jump from right to left, which looks very visually jarring.
It also provides a more natural location for dataflow-based diagnostics.

Along the way, we found a case in the analyzer diagnostics where we
needed to indicate that a variable was "captured" by a block.

-fsyntax-only timings on sqlite3.c show no visible performance change,
although this is just one test case.

Fixes <rdar://problem/13016513>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174447 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
beca02fc66db76eacdaced9df3bc79530c064842 05-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Teach the analyzer to use a symbol for p when evaluating
(void*)p.

Addresses the false positives similar to the test case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174436 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
2a3fe34b4a2a1b6ceab8838b896435378ae0e692 02-Feb-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Model trivial copy/move ctors with an aggregate bind."

...again. The problem has not been fixed and our internal buildbot is still
getting hangs.

This reverts r174212, originally applied in r173951, then reverted in r174069.
Will not re-apply until the entire project analyzes successfully on my
local machine.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174265 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
453cb859a3c8dcafe79ae840dfc35ff8eae1b4b3 02-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Always inline functions with bodies generated by BodyFarm.

Inlining these functions is essential for correctness. We often have
cases where we do not inline calls. For example, the shallow mode and
when reanalyzing previously inlined ObjC methods as top level.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174245 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
135d0fe1ae89c39e3de9849cceda98253b063f14 02-Feb-2013 Anna Zaks <ganna@apple.com> [analyzer] Fix typo.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174243 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
5500fc193af4b786bbbbee6ece743f523448e90b 01-Feb-2013 Jordan Rose <jordan_rose@apple.com> Re-apply "[analyzer] Model trivial copy/move ctors with an aggregate bind."

With the optimization in the previous commit, this should be safe again.

Originally applied in r173951, then reverted in r174069.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174212 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
978aeac1a90020b2a0ae6c7eb7fe65aa8226f74a 01-Feb-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Reuse a LazyCompoundVal if its type matches the new region.

This allows us to keep from chaining LazyCompoundVals in cases like this:
CGRect r = CGRectMake(0, 0, 640, 480);
CGRect r2 = r;
CGRect r3 = r2;

Previously we only made this optimization if the struct did not begin with
an aggregate member, to make sure that we weren't picking up an LCV for
the first field of the struct. But since LazyCompoundVals are typed, we can
make that inference directly by comparing types.

This is a pure optimization; the test changes are to guard against possible
future regressions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174211 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
Vals.cpp
33e83b6cf776875be5716d214710717a898325c0 31-Jan-2013 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Model trivial copy/move ctors with an aggregate bind."

It's causing hangs on our internal analyzer buildbot. Will restore after
investigating.

This reverts r173951 / baa7ca1142990e1ad6d4e9d2c73adb749ff50789.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174069 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
0e450cbd94e5936fdecf42b810069e7becd3938d 31-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] If a lazy binding is undefined, pretend that it's unknown instead.

This is a hack to work around the fact that we don't track extents for our
default bindings:

CGPoint p;
p.x = 0.0;
p.y = 0.0;
rectParam.origin = p;
use(rectParam.size); // warning: uninitialized value in rectParam.size.width

In this case, the default binding for 'p' gets copied into 'rectParam',
because the 'origin' field is at offset 0 within CGRect. From then on,
rectParam's old default binding (in this case a symbol) is lost.

This patch silences the warning by pretending that lazy bindings are never
made from uninitialized memory, but not only is that not true, the original
default binding is still getting overwritten (see FIXME test cases).
The long-term solution is tracked in <rdar://problem/12701038>

PR14765 and <rdar://problem/12875012>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174031 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
5255f27362ffbfedea889870bf8d5812dae97553 31-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Fix a bug in region store that lead to undefined value false
positives.

The includeSuffix was only set on the first iteration through the
function, resulting in invalid regions being produced by getLazyBinding
(ex: zoomRegion.y).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174016 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ac3a3e7a402cd349dd2b7d70cd92c5fe702ae831 30-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Make shallow mode more shallow.

Redefine the shallow mode to inline all functions for which we have a
definite definition (ipa=inlining). However, only inline functions that
are up to 4 basic blocks large and cut the max exploded nodes generated
per top level function in half.

This makes shallow faster and allows us to keep inlining small
functions. For example, we would keep inlining wrapper functions and
constructors/destructors.

With the new shallow, it takes 104s to analyze sqlite3, whereas
the deep mode is 658s and previous shallow is 209s.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173958 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
6bbe1442a5f3f5f761582a9005e9edf1d49c4da2 30-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Use analyzer config for max-inlinable-size option.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173957 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
86ff12c8a8a356ca284ca7687749216fbfd74519 30-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Move report false positive suppression to report visitors.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173956 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
ce32890df08387b50a960f785da79ac5582b7f74 30-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Remove further references to analyzer-ipa.

Thanks Jordan!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173955 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
baa7ca1142990e1ad6d4e9d2c73adb749ff50789 30-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Model trivial copy/move ctors with an aggregate bind.

This is faster for the analyzer to process than inlining the constructor
and performing a member-wise copy, and it also solves the problem of
warning when a partially-initialized POD struct is copied.

Before:
CGPoint p;
p.x = 0;
CGPoint p2 = p; <-- assigned value is garbage or undefined

After:
CGPoint p;
p.x = 0;
CGPoint p2 = p; // no-warning

This matches our behavior in C, where we don't see a field-by-field copy.

<rdar://problem/12305288>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173951 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
07c52d2813a6b5e4025276d3687bd25f75fd51b9 26-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] C++ initializers may require cleanups; look through these.

When the analyzer sees an initializer, it checks if the initializer
contains a CXXConstructExpr. If so, it trusts that the CXXConstructExpr
does the necessary work to initialize the object, and performs no further
initialization.

This patch looks through any implicit wrapping expressions like
ExprWithCleanups to find the CXXConstructExpr inside.

Fixes PR15070.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173557 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
dede2fd56d053a114a65ba72583981ce7aab27da 26-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] bugreporter::getDerefExpr now takes a Stmt, not an ExplodedNode.

This allows it to be used in places where the interesting statement
doesn't match up with the current node. No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173546 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
aeca2cc3a6f486abff3fdfb4e82903cd3ca4267e 26-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Add 'prune-paths' config option to disable path pruning.

This should be used for testing only. Path pruning is still on by default.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173545 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporter.cpp
7ee8906295d56ceb84b8b3da502cdc8770509868 26-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Rename PruneNullReturnPaths to SuppressNullReturnPaths.

"Prune" is the term for eliminating pieces of a path that are not
relevant to the user. "Suppress" means don't show that path at all.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173544 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
d130140cb7bce73b4350c5d50495443abe38418a 25-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Add "-analyzer-config mode=[deep|shallow] ".

The idea is to introduce a higher level "user mode" option for
different use scenarios. For example, if one wants to run the analyzer
for a small project each time the code is built, they would use
the "shallow" mode.

The user mode option will influence the default settings for the
lower-level analyzer options. For now, this just influences the ipa
modes, but we plan to find more optimal settings for them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173386 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
bfa9ab8183e2fdc74f8633d758cb0c6201314320 25-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Replace "-analyzer-ipa" with "-analyzer-config ipa".

The idea is to eventually place all analyzer options under
"analyzer-config". In addition, this lays the ground for introduction of
a high-level analyzer mode option, which will influence the
default setting for IPAMode.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173385 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
73f0563009a6715a5d3d41f664f5bfab5096d51f 25-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] refactor: access IPAMode through the accessor.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173384 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
15bb58edc9d053aa49c28167deb41ff0409ddabc 21-Jan-2013 Stephen Hines <srhines@google.com> Merge commit 'd130fd2e141f1fef412c2d58e7385370801bd718' into merge-llvm

Conflicts:
lib/Basic/Targets.cpp

Change-Id: I90a669a33ffe4de8b32c8459016fd0b2a55da0ad
187f8bd88bfc92cf3fea62b7d8db5f92edce410a 21-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Show notes inside implicit calls at the last explicit call site.

Before:
struct Wrapper { <-- 2. Calling default constructor for 'NonTrivial'.
NonTrivial m;
};

Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'.

After:
struct Wrapper {
NonTrivial m;
};

Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'.
^-- 2. Calling default constructor for 'NonTrivial'.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173067 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
e6b9d802fb7b16d93474c4f1c179ab36202e8a8b 20-Jan-2013 Guy Benyei <guy.benyei@intel.com> Implement OpenCL event_t as Clang builtin type, including event_t related OpenCL restrictions (OpenCL 1.2 spec 6.9)


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172973 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
2b9de0bc05e3e1092a9d1880e62aeaa54dc343e3 19-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't show "Entered 'foo'" if 'foo' is implicit.

Before:
Calling implicit default constructor for 'Foo' (where Foo is constructed)
Entered call from 'test' (at "=default" or 'Foo' declaration)
Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration)

After:
Calling implicit default constructor for 'Foo' (where Foo is constructed)
Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration)

This only affects the plist diagnostics; this note is never shown in the
other diagnostics.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172915 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
1dfebd9f995066a229c34516eb14bc69c6bcde2c 19-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Suppress warnings coming out of macros defined in sys/queue.h

Suppress the warning by just not emitting the report. The sink node
would get generated, which is fine since we did reach a bad state.

Motivation

Due to the way code is structured in some of these macros, we do not
reason correctly about it and report false positives. Specifically, the
following loop reports a use-after-free. Because of the way the code is
structured inside of the macro, the analyzer assumes that the list can
have cycles, so you end up with use-after-free in the loop, that is
safely deleting elements of the list. (The user does not have a way to
teach the analyzer about shape of data structures.)

SLIST_FOREACH_SAFE(item, &ctx->example_list, example_le, tmpitem) {
if (item->index == 3) { // if you remove each time, no complaints
assert((&ctx->example_list)->slh_first == item);
SLIST_REMOVE(&ctx->example_list, item, example_s, example_le);
free(item);
}
}

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172883 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
e02be97811c785f91ac43a0feed2db862de1867f 18-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Special path notes for C++ special member functions.

Examples:
Calling implicit default constructor for Foo
Calling defaulted move constructor for Foo
Calling copy constructor for Foo
Calling implicit destructor for Foo
Calling defaulted move assignment operator for Foo
Calling copy assignment operator for Foo

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172833 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
dc47c9a71c99ce2e5b9d84f1cd3487b6852b3543 18-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Do a better job describing C++ member functions in the call stack.

Examples:
Calling constructor for 'Foo'
Entered call from 'Foo::create'

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172832 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
16303fcc569ea149dc2de38ff9e367d2d4831cee 15-Jan-2013 David Greene <greened@obbligato.org> Fix Cast

Properly use const_cast to fix a cast-away-const error.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172561 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
bdc691f1d61765dd806d5ae3b75ae004f676a7c9 14-Jan-2013 Jordan Rose <jordan_rose@apple.com> [analyzer] Add ProgramStatePartialTrait<const void *>.

This should fix cast-away-const warnings reported by David Greene.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172446 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
cfa88f893915ceb8ae4ce2f17c46c24a4d67502f 12-Jan-2013 Dmitri Gribenko <gribozavr@gmail.com> Remove useless 'llvm::' qualifier from names like StringRef and others that are
brought into 'clang' namespace by clang/Basic/LLVM.h


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172323 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
heckerRegistry.cpp
xprEngine.cpp
athDiagnostic.cpp
listDiagnostics.cpp
egionStore.cpp
9195caf28f2a5dcef1e299bf3e5232a018ca1c68 12-Jan-2013 Ted Kremenek <kremenek@apple.com> Refine analyzer's handling of unary '!' and floating types to not assert.

Fixes PR 14634 and <rdar://problem/12903080>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172274 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
707a8659a546d32cf976d4c3927c793a643b18e1 11-Jan-2013 Ted Kremenek <kremenek@apple.com> Correctly propagate uninitialized values within logical expressions.

Fixes assertion failure reported in PR 14635 and
<rdar://problem/12902945> respectively.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172263 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
beac9e3772e255f89dad0abe34811953121912b2 09-Jan-2013 Ted Kremenek <kremenek@apple.com> Do not model loads from complex types, since we don't accurately model the imaginary and real parts yet.

Fixes false positive reported in <rdar://problem/12964481>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171987 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
6dfb96045bebe00212d251da1dad4660cb8652ac 08-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Only include uniqueling location as issue_hash when available

This makes us more optimistic when matching reports in a changing code
base. Addresses Jordan's feedback for r171825.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171884 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
97bfb558f69c09b01a5c1510f08dc91eb62329a7 08-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Include the bug uniqueing location in the issue_hash.

The issue here is that if we have 2 leaks reported at the same line for
which we cannot print the corresponding region info, they will get
treated as the same by issue_hash+description. We need to AUGMENT the
issue_hash with the allocation info to differentiate the two issues.

Add the "hash" (offset from the beginning of a function) representing
allocation site to solve the issue.

We might want to generalize solution in the future when we decide to
track more than just the 2 locations from the diagnostics.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171825 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
c1c6a4981a4b50476d71c88f8dac81a1430885ed 08-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Plist: change the type of issue_hash from int to string.

This gives more flexibility to what could be stored as issue_hash.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171824 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
344c77aac25e5d960aced3f45fbaa09853383f6d 03-Jan-2013 Anna Zaks <ganna@apple.com> [analyzer] Rename callback EndPath -> EndFunction

This better reflects when callback is called and what the checkers
are relying on. (Both names meant the same pre-IPA.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171432 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
b99083e60325a28063fb588f458a871151971fdc 02-Jan-2013 Chandler Carruth <chandlerc@gmail.com> Re-sort #include lines using the llvm/utils/sort_includes.py script.

Removes a duplicate #include as well as cleaning up some sort order
regressions since I last ran the script over Clang.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171364 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
87aa2fbc75a897e7c4a4082374aaba3f50db6f0f 21-Dec-2012 Roman Divacky <rdivacky@freebsd.org> Remove duplicate includes.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170903 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
1655bcd052a67a3050fc55df8ecce57342352e68 21-Dec-2012 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan's nitpicks as per code review of r170625.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170832 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
rogramState.cpp
bf53dfac8195835028bd6347433f7dbebcc29fc1 20-Dec-2012 Anna Zaks <ganna@apple.com> [analyzer] Add the pointer escaped callback.

Instead of using several callbacks to identify the pointer escape event,
checkers now can register for the checkPointerEscape.

Converted the Malloc checker to use the new callback.
SimpleStreamChecker will be converted next.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170625 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngine.cpp
rogramState.cpp
egionStore.cpp
9fcc2ab2ec5e00802880e205568ff3afbd70a773 19-Dec-2012 Ted Kremenek <kremenek@apple.com> Pass AnalyzerOptions to PathDiagnosticConsumer to make analyzer options accessible there.

This is plumbing needed for later functionality changes.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170488 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
7959671d456c916706a5f61af609d8f1fc95decf 17-Dec-2012 Anna Zaks <ganna@apple.com> [analyzer] Implement "do not inline large functions many times"
performance heuristic

After inlining a function with more than 13 basic blocks 32 times, we
are not going to inline it anymore. The idea is that inlining large
functions leads to drastic performance implications. Since the function
has already been inlined, we know that we've analyzed it in many
contexts.

The following metrics are used:
- Large function is a function with more than 13 basic blocks (we
should switch to another metric, like cyclomatic complexity)
- We consider that we've inlined a function many times if it's been
inlined 32 times. This number is configurable with -analyzer-config
max-times-inline-large=xx

This heuristic addresses a performance regression introduced with
inlining on one benchmark. The analyzer on this benchmark became 60
times slower with inlining turned on. The heuristic allows us to analyze
it in 24% of the time. The performance improvements on the other
benchmarks I've tested with are much lower - under 10%, which is
expected.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170361 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
d74324371465a152387ac45e737ab7d23e543552 14-Dec-2012 Anton Yartsev <anton.yartsev@gmail.com> fixed line endings

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170238 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
2bfa166a26edb6f26915abe38caa551dbb05ad19 14-Dec-2012 Anton Yartsev <anton.yartsev@gmail.com> added post-statement callback to CXXNewExpr and pre-statement callback to CXXDeleteExpr

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170234 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
12b3e3199c530b72f3cc44dd24a1e20ed6086292 14-Dec-2012 Anna Zaks <ganna@apple.com> [analyzer] Propagate the checker's state from checkBranchCondition

Fixes a bug, where we were dropping the state modifications from the
checkBranchCondition checker callback.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170232 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
b0abacf2f1f77214e4c77d6ec8a02b097bb98f7a 14-Dec-2012 Ted Kremenek <kremenek@apple.com> Refactor dump methods to make RegionBindingsRef printable in the debugger.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170170 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
4f69eb4daa3c5ce8b88535fc560f2ee102a580f4 12-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash running destructors for multidimensional arrays.

We don't handle array destructors correctly yet, but we now apply the same
hack (explicitly destroy the first element, implicitly invalidate the rest)
for multidimensional arrays that we already use for linear arrays.

<rdar://problem/12858542>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170000 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
75f31c4862643ab09479c979fabf754e7ffe1460 07-Dec-2012 Anna Zaks <ganna@apple.com> [analyzer] Optimization heuristic: do not reanalyze every ObjC method as
top level.

This heuristic is already turned on for non-ObjC methods
(inlining-mode=noredundancy). If a method has been previously analyzed,
while being inlined inside of another method, do not reanalyze it as top
level.

This commit applies it to ObjCMethods as well. The main caveat here is
that to catch the retain release errors, we are still going to reanalyze
all the ObjC methods but without inlining turned on.

Gives 21% performance increase on one heavy ObjC benchmark, which
suffered large performance regressions due to ObjC inlining.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169639 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
afa7cae15b117c4b75794c6c32424953d94b4359 07-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Fix r168019 to work with unpruned paths as well.

This is the case where the analyzer tries to print out source locations
for code within a synthesized function body, which of course does not have
a valid source location. The previous fix attempted to do this during
diagnostic path pruning, but some diagnostics have pruning disabled, and
so any diagnostic with a path that goes through a synthesized body will
either hit an assertion or emit invalid output.

<rdar://problem/12657843> (again)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169631 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
18f860ee6cc43c8fc80834073b097eb5c02b22cf 07-Dec-2012 Ted Kremenek <kremenek@apple.com> Reduce conversions between Store <-> ImmutableMapRef in RegionStore.

This reduces canonicalization of ImmutableMaps. This reduces analysis time
of one heavy Objective-C file by another 1%.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169630 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
0c312a90c5b9d27e1425bf8d0448e133a97806ce 07-Dec-2012 Ted Kremenek <kremenek@apple.com> Add helper method to convert from a RegionStoreRefBindings to a Store.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169622 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
bf25fb1e2eaea0eadb90d1a9ce91e7d510c8972a 07-Dec-2012 Ted Kremenek <kremenek@apple.com> Cache queries to lookupPrivateMethod() within ObjCMethodCall::getRuntimeDefinition().

The same queries can happen thousands of times. This reduces the analysis
time on one heavy Objective-C file by 2.4%.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169589 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
23dca7d88f3e9a7925bfb2c5449499900c906633 07-Dec-2012 Ted Kremenek <kremenek@apple.com> Further reduce analysis time by 0.2% on a heavy Objective-C example by avoiding over-eager canonicalization of clusters.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169586 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
75191fdbc3d3eec5f3447b285acf6cfcc2054b25 07-Dec-2012 David Blaikie <dblaikie@gmail.com> Unbreak the GCC (4.4 & other bot) builds from r169571.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169581 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
29f5ccd7ef9bc066cb5894834945eaad2c4c7e53 07-Dec-2012 Ted Kremenek <kremenek@apple.com> Change RegionStore to always use ImmutableMapRef for processing cluster bindings.

This reduces analysis time by 1.2% on one test case (Objective-C), but
also cleans up some of the code conceptually as well. We can possible
just make RegionBindingsRef -> RegionBindings, but I wanted to stage
things.

After this, we should revisit Jordan's optimization of not canonicalizing
the immutable AVL trees for the cluster bindings as well.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169571 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
14491490a5276ff4da9b28100fb8e7d442944288 06-Dec-2012 Ted Kremenek <kremenek@apple.com> Revert "[analyzer] Aggressively cut back on the canonicalization in RegionStore."

Jordan and I discussed this, and we are going to do this another way.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169538 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
c39f9fa39c472a6663111788b89c67fd365271d8 06-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove isa<> followed by dyn_cast<>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169530 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
9428723d6730f4fd257e15b78d24991ae95bbd84 06-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove unused fields from ExprEngine.

'currStmt', 'CleanedState', and 'EntryNode' were being set, but only ever
used locally.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169529 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineObjC.cpp
e9cd031c77a92015571425b6445e8867816997cd 06-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove checks that predate the linearized CFG.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169528 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
4ecca28e20410f5e2816c5ddff5cdeaf45fb74b5 06-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use a smarter algorithm to find the last block in an inlined call.

Previously we would search for the last statement, then back up to the
entrance of the block that contained that statement. Now, while we're
scanning for the statement, we just keep track of which blocks are being
exited (in reverse order).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169526 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
6960d08b4ddf389d7c81504df7f16dc645120482 06-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use optimized assumeDual for branches.

This doesn't seem to make much of a difference in practice, but it does
have the potential to avoid a trip through the constraint manager.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169524 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
426cc12317468d42ba4e603731ebe5971af098a6 06-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Aggressively cut back on the canonicalization in RegionStore.

Whenever we touch a single bindings cluster multiple times, we can delay
canonicalizing it until the final access. This has some interesting
implications, in particular that we shouldn't remove an /empty/ cluster
from the top-level map until canonicalization.

This is good for a 2% speedup or so on the test case in
<rdar://problem/12810842>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169523 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
7affe151f5689b2d3547b8947c4099532c78a021 06-Dec-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove bindExprAndLocation, which does extra work for no gain.

This feature was probably intended to improve diagnostics, but was currently
only used when dumping the Environment. It shows what location a given value
was loaded from, e.g. when evaluating an LValueToRValue cast.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169522 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
rogramState.cpp
e3ce2c10c3f6ae7b26700d758de909deab190d42 06-Dec-2012 Ted Kremenek <kremenek@apple.com> Only provide explicit getCapturedRegion() and getOriginalRegion() from referenced_vars_iterator.

This is a nice conceptual cleanup.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169480 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
24570c4c258545f8310e4bc96503a5668982cf67 06-Dec-2012 Ted Kremenek <kremenek@apple.com> Pull logic to map from VarDecl* to captured region using a helper function. WIP.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169479 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
55fc873017f10f6f566b182b70f6fc22aefa3464 04-Dec-2012 Chandler Carruth <chandlerc@gmail.com> Sort all of Clang's files under 'lib', and fix up the broken headers
uncovered.

This required manually correcting all of the incorrect main-module
headers I could find, and running the new llvm/utils/sort_includes.py
script over the files.

I also manually added quite a few missing headers that were uncovered by
shuffling the order or moving headers up to be main-module-headers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169237 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporter.cpp
ugReporterVisitors.cpp
allEvent.cpp
heckerManager.cpp
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
rogramState.cpp
angeConstraintManager.cpp
ValBuilder.cpp
impleSValBuilder.cpp
tore.cpp
extPathDiagnostics.cpp
a93d0f280693b8418bc88cf7a8c93325f7fcf4c6 01-Dec-2012 Benjamin Kramer <benny.kra@googlemail.com> Include pruning and general cleanup.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169095 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
allEvent.cpp
heckerRegistry.cpp
nvironment.cpp
athDiagnostic.cpp
Vals.cpp
9852f58f50b4fc20914fbce5b4454135a42343f4 01-Dec-2012 Benjamin Kramer <benny.kra@googlemail.com> Don't include Type.h in DeclarationName.h.

Recursively prune some includes.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169094 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
2fa67efeaf66a9332c30a026dc1c21bef6c33a6c 01-Dec-2012 Benjamin Kramer <benny.kra@googlemail.com> Pull the Attr iteration parts out of Attr.h, so including DeclBase.h doesn't pull in all the generated Attr code.

Required to pull some functions out of line, but this shouldn't have a perf impact.
No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169092 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
9c0466603f2051fec9270686dfcd270630e62530 29-Nov-2012 Ted Kremenek <kremenek@apple.com> Correctly handle IntegralToBool casts in C++ in the static analyzer. Fixes <rdar://problem/12759044>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168843 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
3881866dc782c5e13b21031bd363e93fbf367167 28-Nov-2012 Ted Kremenek <kremenek@apple.com> Remove workaround in RegionStore in r168741 since it is handled more generally by r168757.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168774 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
1994e3993e5e2c606f4ab22563768af6f03dad30 28-Nov-2012 Ted Kremenek <kremenek@apple.com> Fix another false positive due to a CXX temporary object appearing in a C initializer.

The stop-gap here is to just drop such objects when processing the InitListExpr.
We still need a better solution.

Fixes <rdar://problem/12755044>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168757 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
bd8a11e224c3ec6cbc4bb9b1fc70a8aa3a633e43 28-Nov-2012 Ted Kremenek <kremenek@apple.com> Provide stop-gap solution to crash reported in PR 14436.

This was also covered by <rdar://problem/12753384>. The static analyzer
evaluates a CXXConstructExpr within an initializer expression and
RegionStore doesn't know how to handle the resulting CXXTempObjectRegion
that gets created. We need a better solution than just dropping the
value, but we need to better understand how to implement the right
semantics here.

Thanks to Jordan for his help diagnosing the behavior here.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168741 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
dac6cd533d90fa1f75e66f83f7d5ebc12e34bfb7 26-Nov-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a crash reported in PR 14400.

The AllocaRegion did not have the superRegion (based on LocationContext)
as part of it's hash. As a consequence, the AllocaRegions from
different frames were uniqued to be the same region.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168599 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
84e1513beb8450f31d9589dcdfc33b0890405ab6 15-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Fix a use-after-free introduced in r168019.

In code like this:

void foo() {
bar();
baz();
}

...the location for the call to 'bar()' was being used as a backup location
for the call to 'baz()'. This is fine unless the call to 'bar()' is deemed
uninteresting and that part of the path deleted.

(This looks like a logic error as well, but in practice the only way 'baz()'
could have an invalid location is if the entire body of 'foo()' is
synthesized, meaning the call to 'bar()' will be using the location of the
call to 'foo()' anyway. Nevertheless, the new version better matches the
intent of the code.)

Found by Matt Beaumont-Gay using ASan. Thanks, Matt!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168080 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
63bc186d6ac0b44ba4ec6fccb5f471b05c79b666 15-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Report leaks at the closing brace of a function body.

This fixes a few cases where we'd emit path notes like this:

+---+
1| v
p = malloc(len);
^ |2
+---+

In general this should make path notes more consistent and more correct,
especially in cases where the leak happens on the false branch of an if
that jumps directly to the end of the function. There are a couple places
where the leak is reported farther away from the cause; these are usually
cases where there are several levels of nested braces before the end of
the function. This still matches our current behavior for when there /is/
a statement after all the braces, though.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168070 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
84c484545c5906ba55143e212b4a5275ab55889f 15-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Mark symbol values as dead in the environment.

This allows us to properly remove dead bindings at the end of the top-level
stack frame, using the ReturnStmt, if there is one, to keep the return value
live. This in turn removes the need for a check::EndPath callback in leak
checkers.

This does cause some changes in the path notes for leak checkers. Previously,
a leak would be reported at the location of the closing brace in a function.
Now, it gets reported at the last statement. This matches the way leaks are
currently reported for inlined functions, but is less than ideal for both.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168066 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
368f3b070e8cb657a65bfa443d60256676d269e7 15-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Make sure calls in synthesized functions have valid path locations.

We do this by using the "most recent" good location: if a synthesized
function 'A' calls another function 'B', the path notes for the call to 'B'
will be placed at the same location as the path note for calling 'A'.

Similarly, the call to 'A' will have a note saying "Entered call from...",
and now we just don't emit that (since the user doesn't have a body to look
at anyway).

Previously, we were doing this for the "Calling..." notes, but not for the
"Entered call from..." or "Returning to caller". This caused a crash when
the path entered and then exiting a call within a synthesized body.

<rdar://problem/12657843>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168019 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
bae930d4c69a624881e66f1628ee615e149362f7 13-Nov-2012 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan's feedback for r167780.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167790 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
d51db4935736fd943bfd46dfa74d41e9a3c2d41f 13-Nov-2012 Anna Zaks <ganna@apple.com> [analyzer] Follow up to r167762 - precisely determine the adjustment
conditions.

The adjustment is needed only in case of dynamic dispatch performed by
the analyzer - when the runtime declaration is different from the static
one.

Document this explicitly in the code (by adding a helper). Also, use
canonical Decls to avoid matching against the case where the definition
is different from found declaration.

This fix suppresses the testcase I added in r167762, so add another
testcase to make sure we do test commit r167762.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167780 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
e7ad14e18247ec6fc3d46b208829e3dac6d85a1d 12-Nov-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a regression (from r 165079): compare canonical types.

Suppresses a leak false positive (radar://12663777).

In addition, we'll need to rewrite the adjustReturnValue() method not to
return UnknownVal by default, but rather assert in cases we cannot
handle. To make it possible, we need to correctly handle some of the
edge cases we already know about.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167762 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
4e674f77150b52d8e6ae82faf64fbdac79d675d3 10-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] When invalidating symbolic offset regions, take fields into account.

Previously, RegionStore was being VERY conservative in saying that because
p[i].x and p[i].y have a concrete base region of 'p', they might overlap.
Now, we check the chain of fields back up to the base object and check if
they match.

This only kicks in when dealing with symbolic offset regions because
RegionStore's "base+offset" representation of concrete offset regions loses
all information about fields. In cases where all offsets are concrete
(s.x and s.y), RegionStore will already do the right thing, but mixing
concrete and symbolic offsets can cause bindings to be invalidated that
are known to not overlap (e.g. p[0].x and p[i].y).
This additional refinement is tracked by <rdar://problem/12676180>.

<rdar://problem/12530149>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167654 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
40d8551890bc8454c4e0a28c9072c9c1d1dd588a 05-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Move convenience REGISTER_*_WITH_PROGRAMSTATE to CheckerContext.h

As Anna pointed out, ProgramStateTrait.h is a relatively obscure header,
and checker writers may not know to look there to add their own custom
state.

The base macro that specializes the template remains in ProgramStateTrait.h
(REGISTER_TRAIT_WITH_PROGRAMSTATE), which allows the analyzer core to keep
using it.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167385 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
rogramState.cpp
angeConstraintManager.cpp
0a591c242b867844d483091cae546e294bbee312 03-Nov-2012 NAKAMURA Takumi <geek4civic@gmail.com> StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp: Appease msvc.

0 (as nullptr) is incompatible to pointer in type matching on msvc.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167355 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
8501b7a1c4c4a9ba0ea6cb8e500e601ef3759deb 03-Nov-2012 Anna Zaks <ganna@apple.com> [analyzer] Run remove dead on end of path.

This will simplify checkers that need to register for leaks. Currently,
they have to register for both: check dead and check end of path.

I've modified the SymbolReaper to consider everything on the stack dead
if the input StackLocationContext is 0.

(This is a bit disruptive, so I'd like to flash out all the issues
asap.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167352 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
egionStore.cpp
ymbolManager.cpp
b355be838a22a511d078504b2277f70aea52ca85 03-Nov-2012 Anna Zaks <ganna@apple.com> [analyzer] Refactor: Remove Pred from NodeBuilderContext.

Node builders should manage the nodes, not the context.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167350 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
oreEngine.cpp
xprEngine.cpp
2f3017f9cbd3774f690c979410bfec38423d03af 03-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add some convenience accessors to CallEvent, and use them.

These are CallEvent-equivalents of helpers already accessible in
CheckerContext, as part of making it easier for new checkers to be written
using CallEvent rather than raw CallExprs.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167338 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerContext.cpp
d624607d4196e4b37d235daa14699bcb3c1012a6 03-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] isCLibraryFunction: check that the function is at TU-scope.

Also, Decls already carry a pointer to the ASTContext, so there's no need
to pass an extra argument to the predicate.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167337 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
166d502d5367ceacd1313a33cac43b1048b8524d 02-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use nice macros for the common ProgramStateTraits (map, set, list).

Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h.

This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait,
but it does get a lot of them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167276 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
rogramState.cpp
angeConstraintManager.cpp
785950e59424dca7ce0081bebf13c0acd2c4fff6 02-Nov-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Rename 'EmitReport' to 'emitReport'.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167275 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
c45bb4dcb648cd8b5250492afe7df254e4157aaa 31-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Let ConstraintManager subclasses provide a more efficient checkNull.

Previously, every call to a ConstraintManager's isNull would do a full
assumeDual to test feasibility. Now, ConstraintManagers can override
checkNull if they have a cheaper way to do the same thing.
RangeConstraintManager can do this in less than half the work.

<rdar://problem/12608209>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167138 91177308-0d34-0410-b5e6-96231b3b80d8
onstraintManager.cpp
angeConstraintManager.cpp
3719ed248b7b7e239b1b435dd569b007aaea9d26 31-Oct-2012 Anna Zaks <ganna@apple.com> [analyzer]Don't invalidate const arguments when there is no
IdentifierInfo.

Ee: C++ copy constructors.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167092 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
6a329ee7567cf3267ffab2bc755ea8c773d967e7 29-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] New option to not suppress null return paths if an argument is null.

Our one basic suppression heuristic is to assume that functions do not
usually return NULL. However, when one of the arguments is NULL it is
suddenly much more likely that NULL is a valid return value. In this case,
we don't suppress the report here, but we do attach /another/ visitor to
go find out if this NULL argument also comes from an inlined function's
error path.

This new behavior, controlled by the 'avoid-suppressing-null-argument-paths'
analyzer-config option, is turned off by default. Turning it on produced
two false positives and no new true positives when running over LLVM/Clang.

This is one of the possible refinements to our suppression heuristics.
<rdar://problem/12350829>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166941 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
athDiagnostic.cpp
09f7bf14d25bdc55cb715bc8d40600906848a409 29-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use the CallEnter node to get a value for tracked null arguments.

Additionally, don't collect PostStore nodes -- they are often used in
path diagnostics.

Previously, we tried to track null arguments in the same way as any other
null values, but in many cases the necessary nodes had already been
collected (a memory optimization in ExplodedGraph). Now, we fall back to
using the value of the argument at the time of the call, which may not
always match the actual contents of the region, but often will.

This is a precursor to improving our suppression heuristic.
<rdar://problem/12350829>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166940 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xplodedGraph.cpp
3800165e56107df7430520aa98afdf7065db2dd2 26-Oct-2012 Ted Kremenek <kremenek@apple.com> Add comments for RemoveRedundantMsgs, rename it to removeRedundantMsgs() per Jordan's feedback.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166778 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b85cce094887ab5cf1c47acfe306e2fb1d3cfbb1 26-Oct-2012 Ted Kremenek <kremenek@apple.com> TrackConstraintBRVisitor and ConditionBRVisitor can emit similar
path notes for cases where a value may be assumed to be null, etc.
Instead of having redundant diagnostics, do a pass over the generated
PathDiagnostic pieces and remove notes from TrackConstraintBRVisitor
that are already covered by ConditionBRVisitor, whose notes tend
to be better.

Fixes <rdar://problem/12252783>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166728 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
603513d2294c437b37bcf47f326b686e31bd9e84 24-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle 'SomeVar.SomeEnumConstant', which is legal in C++.

This caused assertion failures analyzing LLVM.

<rdar://problem/12560282>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166529 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
4d9e497a2b1eab3b1214848216050c64fc3acfd6 24-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Replace -analyzer-no-eagerly-trim-egraph with graph-trim-interval.

After every 1000 CFGElements processed, the ExplodedGraph trims out nodes
that satisfy a number of criteria for being "boring" (single predecessor,
single successor, and more). Rather than controlling this with a cc1 option,
which can only disable this behavior, we now have an analyzer-config option,
'graph-trim-interval', which can change this interval from 1000 to something
else. Setting the value to 0 disables reclamation.

The next commit relies on this behavior to actually test anything.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166528 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xplodedGraph.cpp
xprEngine.cpp
b59b580a57a36df9d146473098d14c64508ff319 20-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Assume 'new' never returns NULL if it could throw an exception.

This is actually required by the C++ standard in
[basic.stc.dynamic.allocation]p3:

If an allocation function declared with a non-throwing
exception-specification fails to allocate storage, it shall return a
null pointer. Any other allocation function that fails to allocate
storage shall indicate failure only by throwing an exception of a type
that would match a handler of type std::bad_alloc.

We don't bother checking for the specific exception type, but just go off
the operator new prototype. This should help with a certain class of lazy
initalization false positives.

<rdar://problem/12115221>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166363 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
d4ce811ae08398e357c8ce3e707ba5f2aa0041a5 17-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] When binding to a ParenExpr, bind to its inner expression instead.

This actually looks through several kinds of expression, such as
OpaqueValueExpr and ExprWithCleanups. The idea is that binding and lookup
should be consistent, and so if the environment needs to be modified later,
the code doing the modification will not have to manually look through these
"transparent" expressions to find the real binding to change.

This is necessary for proper updating of struct rvalues as described in
the previous commit.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166121 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
f1e67d75fc922ff905de9faa6326bb1a96685ec1 17-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Create a temporary region when accessing a struct rvalue.

In C++, rvalues that need to have their address taken (for example, to be
passed to a function by const reference) will be wrapped in a
MaterializeTemporaryExpr, which lets CodeGen know to create a temporary
region to store this value. However, MaterializeTemporaryExprs are /not/
created when a method is called on an rvalue struct, even though the 'this'
pointer needs a valid value. CodeGen works around this by creating a
temporary region anyway; now, so does the analyzer.

The analyzer also does this when accessing a field of a struct rvalue.
This is a little unfortunate, since the rest of the struct will soon be
thrown away, but it does make things consistent with the rest of the
analyzer.

This allows us to bring back the assumption that all known 'this' values
are Locs. This is a revised version of r164828-9, reverted in r164876-7.

<rdar://problem/12137950>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166120 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
f238aa4f556c0aa3024abebaf3bdbf5f3f68fb94 16-Oct-2012 Anna Zaks <ganna@apple.com> [analyzer] Embed the analyzer version into the plist output.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165994 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
e5a934d3c840872d58724383a83443ed38f1d831 13-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove the "direct bindings only" Environment lookup.

This was only used by OSAtomicChecker and makes it more
difficult to update values for expressions that the environment
may look through instead (it's not the same as IgnoreParens).
With this gone, we can have bindExpr bind to the inner
expression that getSVal will find.

Groundwork for <rdar://problem/12137950>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165866 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
42e95acef35f4633119be1c1381e88878c966502 13-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove unneeded 'inlineCall' checker callback.

I believe the removed assert in CheckerManager says it best:

InlineCall is a special hacky callback to allow intrusive
evaluation of the call (which simulates inlining). It is
currently only used by OSAtomicChecker and should go away
at some point.

OSAtomicChecker has gone away; inlineCall can now go away as well!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165865 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
786e6204e55cc01094a3e86104c82932a65fb2ca 11-Oct-2012 Jordan Rose <jordan_rose@apple.com> Reapply "[analyzer] Treat fields of unions as having symbolic offsets."

This time, actually uncomment the code that's supposed to fix the problem.

This reverts r165671 / 8ceb837585ed973dc36fba8dfc57ef60fc8f2735.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165676 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
8ceb837585ed973dc36fba8dfc57ef60fc8f2735 11-Oct-2012 Eric Christopher <echristo@gmail.com> Temporarily Revert "[analyzer] Treat fields of unions as having symbolic offsets."

Author: Jordan Rose <jordan_rose@apple.com>
Date: Wed Oct 10 21:31:21 2012 +0000

[analyzer] Treat fields of unions as having symbolic offsets.

This allows only one field to be active at a time in RegionStore.
This isn't quite the correct behavior for unions, but it at least
would handle the case of "value goes in, value comes out" from the
same field.

RegionStore currently has a number of places where any access to a union
results in UnknownVal being returned. However, it is clearly missing
some cases, or the original issue wouldn't have occurred. It is probably
now safe to remove those changes, but that's a potentially destabilizing
change that should wait for more thorough testing.

Fixes PR14054.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165660 91177308-0d34-0410-b5e6-96231b3b80d8

This reverts commit cf9030e480f77ab349672f00ad302e216c26c92c.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165671 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
cf9030e480f77ab349672f00ad302e216c26c92c 10-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat fields of unions as having symbolic offsets.

This allows only one field to be active at a time in RegionStore.
This isn't quite the correct behavior for unions, but it at least
would handle the case of "value goes in, value comes out" from the
same field.

RegionStore currently has a number of places where any access to a union
results in UnknownVal being returned. However, it is clearly missing
some cases, or the original issue wouldn't have occurred. It is probably
now safe to remove those changes, but that's a potentially destabilizing
change that should wait for more thorough testing.

Fixes PR14054.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165660 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
cf4ce93caedca1d91ec5824981f9e45eda20b261 06-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle implicit statements used for end-of-path nodes' source locs.

Some implicit statements, such as the implicit 'self' inserted for "free"
Objective-C ivar access, have invalid source locations. If one of these
statements is the location where an issue is reported, we'll now look at
the enclosing statements for a valid source location.

<rdar://problem/12446776>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165354 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
48314cf6a289bc5a082d8c769c58a38f924c93b7 03-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Adjust the return type of an inlined devirtualized method call.

In C++, overriding virtual methods are allowed to specify a covariant
return type -- that is, if the return type of the base method is an
object pointer type (or reference type), the overriding method's return
type can be a pointer to a subclass of the original type. The analyzer
was failing to take this into account when devirtualizing a method call,
and anything that relied on the return value having the proper type later
would crash.

In Objective-C, overriding methods are allowed to specify ANY return type,
meaning we can NEVER be sure that devirtualizing will give us a "safe"
return value. Of course, a program that does this will most likely crash
at runtime, but the analyzer at least shouldn't crash.

The solution is to check and see if the function/method being inlined is
the function that static binding would have picked. If not, check that
the return value has the same type. If the types don't match, see if we
can fix it with a derived-to-base cast (the C++ case). If we can't,
return UnknownVal to avoid crashing later.

<rdar://problem/12409977>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165079 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
aa66b08d2d8bbf05bae8c68f58724f754ab57b35 03-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Push evalDynamicCast and evalDerivedToBase up to Store.

These functions are store-agnostic, and would benefit from information in
DynamicTypeInfo but gain nothing from the store type.

No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165078 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
tore.cpp
041ce8e00afd1185549a25d5c2b97d219ae032d9 03-Oct-2012 Jordan Rose <jordan_rose@apple.com> Teach getCXXRecordDeclForPointerType about references.

Then, rename it getPointeeCXXRecordDecl and give it a nice doc comment,
and actually use it.

No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165077 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
86e7b7e4421eacdd5ae610a0fb2d8ea5dec5e644 02-Oct-2012 Ted Kremenek <kremenek@apple.com> Silence -Wunused-value warning.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165059 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
48d05e6d776f4b68f3db4016eb5680ac041c2b7d 02-Oct-2012 Ted Kremenek <kremenek@apple.com> Refactor clients of AnalyzerOptions::getBooleanOption() to have
an intermediate helper method to query and populate the Optional value.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165043 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
94bb74cef72a33d77c5d6739abfc0840c781eb8e 02-Oct-2012 Ted Kremenek <kremenek@apple.com> Tweak AnalyzerOptions::getOptionAsInteger() to populate the string
table, making it printable with the ConfigDump checker. Along the
way, fix a really serious bug where the value was getting parsed
from the string in code that was in an assert() call. This means
in a Release-Asserts build this code wouldn't work as expected.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165041 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
9e28fe60bbfa5de196ce4aa396210bf10fc5c266 02-Oct-2012 Ted Kremenek <kremenek@apple.com> Change AnalyzerOptions::mayInlineCXXMemberFunction to default populate
the config string table. Also setup a test for dumping the analyzer
configuration for C++.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165040 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
e606e3d224d3fa8f6d4358ec66858d46754457a0 01-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Allow ObjC ivar lvalues where the base is nil.

By analogy with C structs, this seems to be legal, if probably discouraged.
It's only if the ivar is read from or written to that there's a problem.
Running a program that gets the "address" of an instance variable does in
fact return the offset when the base "object" is nil.

This isn't a full revert because r164442 includes some diagnostic tweaks
as well; those have been kept.

This partially reverts r164442 / 08965091770c9b276c238bac2f716eaa4da2dca4.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164960 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
d27a368f4800b447b970b7c438d0fb4da00838dc 01-Oct-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Check that a member expr is valid even when the result is an lvalue."

The original intent of this commit was to catch potential null dereferences
early, but it breaks the common "home-grown offsetof" idiom (PR13927):

(((struct Foo *)0)->member - ((struct foo *)0))

As it turns out, this appears to be legal in C, per a footnote in
C11 6.5.3.2: "Thus, &*E is equivalent to E (even if E is a null pointer)".
In C++ this issue is still open:
http://www.open-std.org/jtc1/sc22/wg21/docs/cwg_active.html#232

We'll just have to make sure we have good path notes in the future.

This reverts r164441 / 9be016dcd1ca3986873a7b66bd4bc027309ceb59.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164958 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
622b6fb0a1d280c16e135c7e427b79cafffbde1f 01-Oct-2012 Ted Kremenek <kremenek@apple.com> Have AnalyzerOptions::getBooleanOption() stick the matching config
string in the config table so that it can be dumped as part of the
config dumper. Add a test to show that these options are sticking
and can be cross-checked using FileCheck.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164954 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
0504a598a5dc8f3f45e79d4f8ea206a926507859 01-Oct-2012 Jordan Rose <jordan_rose@apple.com> Reapply "[analyzer] Handle inlined constructors for rvalue temporaries correctly."

This is related to but not blocked by <rdar://problem/12137950>
("Return-by-value structs do not have associated regions")

This reverts r164875 / 3278d41e17749dbedb204a81ef373499f10251d7.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164952 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
ca5d78d0bc3010164f2f9682967d64d7e305a167 01-Oct-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Make ProgramStateManager's SubEngine parameter optional.

It is possible and valid to have a state manager and associated objects
without having a SubEngine or checkers.

Patch by Olaf Krzikalla!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164947 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
rogramState.cpp
angeConstraintManager.cpp
impleConstraintManager.cpp
impleConstraintManager.h
ce6644bc1e921833f9b3c10cf7d4a0b78e8d5dc9 29-Sep-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Create a temporary region for rvalue structs when accessing fields"

This reverts commit 6f61df3e7256413dcb99afb9673f4206e3c4992c.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164877 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
20aa40342bd74895128860c081aa84cd85bfa68d 29-Sep-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Create a temp region when a method is called on a struct rvalue."

This reverts commit 0006ba445962621ed82ec84400a6b978205a3fbc.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164876 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
846c898cebf02cb753125633c52e0d1d7fd94b4b 29-Sep-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Handle inlined constructors for rvalue temporaries correctly."

This reverts commit 580cd17f256259f39a382e967173f34d68e73859.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164875 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
580cd17f256259f39a382e967173f34d68e73859 28-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle inlined constructors for rvalue temporaries correctly.

Previously the analyzer treated all inlined constructors like lvalues,
setting the value of the CXXConstructExpr to the newly-constructed
region. However, some CXXConstructExprs behave like rvalues -- in
particular, the implicit copy constructor into a pass-by-value argument.
In this case, we want only the /contents/ of a temporary object to be
passed, so that we can use the same "copy each argument into the
parameter region" algorithm that we use for scalar arguments.

This may change when we start modeling destructors of temporaries,
but for now this is the last part of <rdar://problem/12137950>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164830 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
0006ba445962621ed82ec84400a6b978205a3fbc 28-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Create a temp region when a method is called on a struct rvalue.

An rvalue has no address, but calling a C++ member function requires a
'this' pointer. This commit makes the analyzer create a temporary region
in which to store the struct rvalue and use as a 'this' pointer whenever
a member function is called on an rvalue, which is essentially what
CodeGen does.

More of <rdar://problem/12137950>. The last part is tracking down the
C++ FIXME in array-struct-region.cpp.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164829 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
6f61df3e7256413dcb99afb9673f4206e3c4992c 28-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Create a temporary region for rvalue structs when accessing fields

Struct rvalues are represented in the analyzer by CompoundVals,
LazyCompoundVals, or plain ConjuredSymbols -- none of which have associated
regions. If the entire structure is going to persist, this is not a
problem -- either the rvalue will be assigned to an existing region, or
a MaterializeTemporaryExpr will be present to create a temporary region.
However, if we just need a field from the struct, we need to create the
temporary region ourselves.

This is inspired by the way CodeGen handles calls to temporaries;
support for that in the analyzer is coming next.

Part of <rdar://problem/12137950>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164828 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
b35007cc4de8256b39dc1ed9abdeb8b2458c3c01 26-Sep-2012 Ted Kremenek <kremenek@apple.com> Revert "Use sep instead of ' '."

This isn't correct, as Jordan correctly points out.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164711 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
fb9a0ede96023d18af24ee98854db9606fdafb5c 26-Sep-2012 Ted Kremenek <kremenek@apple.com> Use sep instead of ' '.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164709 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
732cdf383f9030ff2b9fb28dfbdae2285ded80c6 26-Sep-2012 Ted Kremenek <kremenek@apple.com> Remove unnecessary ASTContext& parameter from SymExpr::getType().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164661 91177308-0d34-0410-b5e6-96231b3b80d8
onstraintManager.cpp
emRegion.cpp
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
ymbolManager.cpp
0073a5c7ce38e98365c00921316030627b3d129f 25-Sep-2012 Jordan Rose <jordan_rose@apple.com> Reapply "[analyzer] Remove constraints on dead symbols as part of removeDeadBindings."

Previously, we'd just keep constraints around forever, which means we'd
never be able to merge paths that differed only in constraints on dead
symbols.

Because we now allow constraints on symbolic expressions, not just single
symbols, this requires changing SymExpr::symbol_iterator to include
intermediate symbol nodes in its traversal, not just the SymbolData leaf
nodes.

This depends on the previous commit to be correct. Originally applied in
r163444, reverted in r164275, now being re-applied.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164622 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
ymbolManager.cpp
6e3bf21f20d4d744fdf5acd719e9f442f4a144fc 25-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Calculate liveness for symbolic exprs as well as atomic symbols.

No tests, but this allows the optimization of removing dead constraints.
We can then add tests that we don't do this prematurely.

<rdar://problem/12333297>

Note: the added FIXME to investigate SymbolRegionValue liveness is
tracked by <rdar://problem/12368183>. This patch does not change the
existing behavior.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164621 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
05c3b9ac74e12238e7ec5f237132e2348a8b5f4e 24-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer]Prevent infinite recursion(assume->checker:evalAssume->assume)

(Unfortunately, I do not have a good reduced test case for this.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164541 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
b9d4e5e3bb235f1149e99d3c833ff7cb3474c9f1 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Suppress bugs whose paths go through the return of a null pointer.

This is a heuristic intended to greatly reduce the number of false
positives resulting from inlining, particularly inlining of generic,
defensive C++ methods that live in header files. The suppression is
triggered in the cases where we ask to track where a null pointer came
from, and it turns out that the source of the null pointer was an inlined
function call.

This change brings the number of bug reports in LLVM from ~1500 down to
around ~300, a much more manageable number. Yes, some true positives may
be hidden as well, but from what I looked at the vast majority of silenced
reports are false positives, and many of the true issues found by the
analyzer are still reported.

I'm hoping to improve this heuristic further by adding some exceptions
next week (cases in which a bug should still be reported).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164449 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
53221da865144db0ba6bd89ab30bcf81de0fe5d2 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Track a null value back through FindLastStoreBRVisitor.

Also, tidy up the other tracking visitors so that they mark the right
things as interesting and don't do extra work.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164448 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
d632d6fc606f0be438c3b6fe5c43f1b3f5db98b1 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Always allow BugReporterVisitors to see the bug path.

Before, PathDiagnosticConsumers that did not support actual path output
would (sensibly) cause the generation of the full path to be skipped.
However, BugReporterVisitors may want to see the path in order to mark a
BugReport as invalid.

Now, even for a path generation scheme of 'None' we will still create a
trimmed graph and walk backwards through the bug path, doing no work other
than passing the nodes to the BugReporterVisitors. This isn't cheap, but
it's necessary to properly do suppression when the first path consumer does
not support path notes.

In the future, we should try only generating the path and visitor-provided
path notes once, or at least only creating the trimmed graph once.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164447 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8347d3d45e6f128bba19821f0d2f54cadd4d49bb 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Allow a BugReport to be marked "invalid" during path generation.

This is intended to allow visitors to make decisions about whether a
BugReport is likely a false positive. Currently there are no visitors
making use of this feature, so there are no tests.

When a BugReport is marked invalid, the invalidator must provide a key
that identifies the invaliation (intended to be the visitor type and a
context pointer of some kind). This allows us to reverse the decision
later on. Being able to reverse a decision about invalidation gives us more
flexibility, and allows us to formulate conditions like "this report is
invalid UNLESS the original argument is 'foo'". We can use this to
fine-tune our false-positive suppression (coming soon).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164446 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
6686b6694a7998623550ff6529f2f53bfee94328 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Look through OpaqueValueExprs when tracking a nil value.

This allows us to show /why/ a particular object is nil, even when it is
wrapped in an OpaqueValueExpr.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164445 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
85e99373835fe1b4cec624bc48dc8dfe14c2a783 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Better path notes for null pointers passed as arguments.

Rather than saying "Null pointer value stored to 'foo'", we now say
"Passing null pointer value via Nth parameter 'foo'", which is much better.
The note is also now on the argument expression as well, rather than the
entire call.

This paves the way for continuing to track arguments back to their sources.

<rdar://problem/12211490>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164444 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
615a092a511cd2dfe1a5364ebf5f80e55e33034d 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> Use llvm::getOrdinalSuffix to print ordinal numbers in diagnostics.

Just a refactoring of common infrastructure. No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164443 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
991bcb4370fe849603346ebbddc8dd47bc29d235 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Check that an ObjCIvarRefExpr's base is non-null even as an lvalue.

Like with struct fields, we want to catch cases like this early,
so that we can produce better diagnostics and path notes:

PointObj *p = nil;
int *px = &p->_x; // should warn here
*px = 1;

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164442 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngineObjC.cpp
dd1d7d88f1fe6d7d7e79acaec3f83bc10d9f7b97 22-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Check that a member expr is valid even when the result is an lvalue.

We want to catch cases like this early, so that we can produce better
diagnostics and path notes:

Point *p = 0;
int *px = &p->x; // should warn here
*px = 1;

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164441 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
938869941e5a01049fb301fbf82f3caa4c7efa09 21-Sep-2012 Ted Kremenek <kremenek@apple.com> Re-enable faux-bodies by default.

Try this again, now that r164392 is in place.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164393 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
1cc9a80f8df979d5ff26739ebf3c134c4e6a4ed0 21-Sep-2012 NAKAMURA Takumi <geek4civic@gmail.com> Revert r164364, "Flip "faux-bodies" in the analyzer on by default to flush out bugs."

It crashed test/Analysis/Output/blocks.m on some hosts.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164368 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
85cb7a5696f93f8b98604d3e72525921a32537f0 21-Sep-2012 Ted Kremenek <kremenek@apple.com> Flip "faux-bodies" in the analyzer on by default to flush out bugs.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164364 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ddc0c4814788dda4ef224cd4d22d07154a6ede49 21-Sep-2012 Ted Kremenek <kremenek@apple.com> Simplify getRuntimeDefinition() back to taking no arguments.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164363 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
a43df9539644bf1c258e12710cd69d79b0b078cd 21-Sep-2012 Ted Kremenek <kremenek@apple.com> Implement faux-body-synthesis of well-known functions in the static analyzer when
their implementations are unavailable. Start by simulating dispatch_sync().

This change is largely a bunch of plumbing around something very simple. We
use AnalysisDeclContext to conjure up a fake function body (using the
current ASTContext) when one does not exist. This is controlled
under the analyzer-config option "faux-bodies", which is off by default.

The plumbing in this patch is largely to pass the necessary machinery
around. CallEvent needs the AnalysisDeclContextManager to get
the function definition, as one may get conjured up lazily.

BugReporter and PathDiagnosticLocation needed to be relaxed to handle
invalid locations, as the conjured body has no real source locations.
We do some primitive recovery in diagnostic generation to generate
some reasonable locations (for arrows and events), but it can be
improved.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164339 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
ugReporter.cpp
allEvent.cpp
xprEngineCallAndReturn.cpp
8e289bb59c5c1c29900604b86238c3088f506782 20-Sep-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Remove constraints on dead symbols as part of removeDeadBindings."

While we definitely want this optimization in the future, we're not
currently handling constraints on symbolic /expressions/ correctly.
These should stay live even if the SymExpr itself is no longer referenced
because could recreate an identical SymExpr later. Only once the SymExpr
can no longer be recreated -- i.e. a component symbol is dead -- can we
safely remove the constraints on it.

This liveness issue is tracked by <rdar://problem/12333297>.

This reverts r163444 / 24c7f98828e039005cff3bd847e7ab404a6a09f8.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164275 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
ymbolManager.cpp
5fc1d0c4532c55cc47ba6628f296bf5b86d2eaf0 17-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Teach the analyzer about implicit initialization of statics
in ObjCMethods.

Extend FunctionTextRegion to represent ObjC methods as well as
functions. Note, it is not clear what type ObjCMethod region should
return. Since the type of the FunctionText region is not currently used,
defer solving this issue.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164046 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
Vals.cpp
5f7c0add1ea1d8e1d2f920d77fd1a7b6160c2d93 13-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Don't reimplement an existing function.

Thanks Jordan.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163762 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
4ef19205b6912316296db74a9073ad6fa60e4cca 13-Sep-2012 Ted Kremenek <kremenek@apple.com> Refactor logic in ExprEngine for detecting 'noreturn' methods
in NSException to a helper object in libAnalysis that can also
be used by Sema. Not sure if the predicate name 'isImplicitNoReturn'
is the best one, but we can massage that later.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163759 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineObjC.cpp
16e6a7cb41319459ded69b4d47f405c1035dd347 13-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Do not report use of undef on "return foo();" when the return type is void.

Fixes a false positive found by analyzing LLVM code base.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163750 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
522fc21f3adc647817edc8017e6928a64c96899b 13-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Teach UndefOrNullArgVisitor to track parent regions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163748 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
1a7bcc41efb73d80fd45eb71494b073f388d333c 13-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Fix another use of the address of a temporary, like r163402.

Again, GCC is more aggressive about reusing temporary space than we are,
leading to Release build crashes for this undefined behavior.

PR13710 (though it may not be the only problem there)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163747 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
d66b3c56a5da1cbaf5ec12811ee7221231b6c301 12-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle when the dynamic type is worse than the static type.

Currently we don't update the dynamic type of a C++ object when it is
cast. This can cause the situation above, where the static type of the
region is now known to be a subclass of the dynamic type.

Once we start updating DynamicTypeInfo in response to the various kinds
of casts in C++, we can re-add this assert to make sure we don't miss
any cases. This work is tracked by <rdar://problem/12287087>.

In -Asserts builds, we will simply not return any runtime definition
when our DynamicTypeInfo is known to be incorrect like this.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163745 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
fe3769dbb448edf8e5ece13b14017608558d4763 12-Sep-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Use the static type for a virtual call if the dynamic type is worse."

Using the static type may be inconsistent with later calls. We should just
report that there is no inlining definition available if the static type is
better than the dynamic type. See next commit.

This reverts r163644 / 19d5886d1704e24282c86217b09d5c6d35ba604d.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163744 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
f57a2aa02c0578c5bd834fec0d44c16ad9908620 12-Sep-2012 Ted Kremenek <kremenek@apple.com> Fix regression where "looping back to the head of" PathDiagnosticEvents
were not emitted.

Fixes <rdar://problem/12280665>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163683 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
9a4db032ecd991626d236a502e770126db32bd31 12-Sep-2012 Richard Smith <richard-llvm@metafoo.co.uk> PR13811: Add a FunctionParmPackExpr node to handle references to function
parameter packs where the reference is not being expanded but the pack has
been. Previously, Clang would segfault in such cases.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163672 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
e9f1f234932e80bb83be9b094e163ca4c47a3086 11-Sep-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Disable STL inlining. Blocked by PR13724."

While PR13724 is still an issue, it's not actually an issue in the STL.
We can keep this option around in case there turn out to be widespread
false positives due to poor modeling of the C++ standard library functions,
but for now we'd like to get more data.

This reverts r163633 / c6baadceec1d5148c20ee6c902a102233c547f62.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163647 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
19d5886d1704e24282c86217b09d5c6d35ba604d 11-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use the static type for a virtual call if the dynamic type is worse.

reinterpret_cast does not provide any of the usual type information that
static_cast or dynamic_cast provide -- only the new type. This can get us
in a situation where the dynamic type info for an object is actually a
superclass of the static type, which does not match what CodeGen does at all.
In these cases, just fall back to the static type as the best possible type
for devirtualization.

Should fix the crashes on our internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163644 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
c6baadceec1d5148c20ee6c902a102233c547f62 11-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Disable STL inlining. Blocked by PR13724.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163633 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
e5cc4c967178669dd19832bc0fb03b293d5d969f 11-Sep-2012 Stephen Hines <srhines@google.com> Merge up through LLVM r163557.

New CommentCommandInfo and CommentHTMLTagsProperties targets for TableGen.

Updated Android.mk source files for AST, StaticAnalyzer/Checkers,
StaticAnalyzer/Core, driver, and TableGen.

Split Rewrite/Android.mk into Core and Frontend sub-libraries.

Change-Id: Ia114939e242a79570c41a519f4f3cc712a0ed9a8
ndroid.mk
00b4f64ecb26b031c1f4888f39be6c706156356a 11-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Member function calls that use qualified names are non-virtual.

C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the
id-expression in the class member access expression is a qualified-id,
that function is called. Otherwise, its final overrider in the dynamic type
of the object expression is called.

<rdar://problem/12255556>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163577 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
9f0b1324a5352713337c75ef4a5acffd96609c6c 11-Sep-2012 Stephen Hines <srhines@google.com> Merge branch 'upstream' into merge-2012_09_10
e08dcbe75eb9b3ffe6f1f60ac2b216b4c878606a 11-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Turn stl inlining back on.

The one reported bug, which was exposed by stl inlining, is addressed in
r163558.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163574 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
4ea9b89ff6dc50d5404eb56cad5e5870bce49ef2 11-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Do not count calls to small functions when computing stack
depth.

We only want to count how many substantial functions we inlined. This
is an improvement to r163558.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163571 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
57330eed3fbe530cb05996e4a346cc5fc217c0d9 11-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Add an option to enable/disable objc inlining.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163562 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
7229d0011766c174beffe6a846d78f448f845b39 11-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Add ipa-always-inline-size option (with 3 as the default).

The option allows to always inline very small functions, whose size (in
number of basic blocks) is set using -analyzer-config
ipa-always-inline-size option.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163558 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
978869aa6e31a4bc6afdf5446ffb717aad3f7d97 10-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Make the defaults explicit for each of the new config options.

Also, document both new inlining options in IPA.txt.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163551 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
81fb50e8b120fc95dc0245b4112972d4d7cca3b5 10-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] For now, don't inline C++ standard library functions.

This is a (heavy-handed) solution to PR13724 -- until we know we can do
a good job inlining the STL, it's best to be consistent and not generate
more false positives than we did before. We can selectively whitelist
certain parts of the 'std' namespace that are known to be safe.

This is controlled by analyzer config option 'c++-stdlib-inlining', which
can be set to "true" or "false".

This commit also adds control for whether or not to inline any templated
functions (member or non-member), under the config option
'c++-template-inlining'. This option is currently on by default.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163548 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
15f9f74f0cc7c2923b1977c6d33059251e6df204 10-Sep-2012 Ted Kremenek <kremenek@apple.com> Fix another case where we should be using isBeforeInTranslationUnit().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163533 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
d727d39ca779920898d77f5dcbbb3980175594ef 10-Sep-2012 Ted Kremenek <kremenek@apple.com> Add a few more cases where we should be using isBeforeInTranslationUnit().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163531 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
acc714ba6c448e6dc278acf9b6eafee44d7f48a7 10-Sep-2012 Ted Kremenek <kremenek@apple.com> Revert "Revert Ted's r163489 and r163490, due to breakage."

I need to see how this breaks on other platforms when I fix the issue
that Benjamin Kramer pointed out.

This includes r163489 and r163490, plus a two line change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163512 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
2343b3d0c29356583a013d900f2817083ac2d4a0 10-Sep-2012 NAKAMURA Takumi <geek4civic@gmail.com> Revert Ted's r163489 and r163490, due to breakage.

r163489, "Take another crack at stabilizing the emission order of analyzer"
r163490, "Use isBeforeInTranslationUnitThan() instead of operator<."

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163497 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
c265cddad7f9ca9eda1e7d08c2595ec73acec724 10-Sep-2012 Ted Kremenek <kremenek@apple.com> Use isBeforeInTranslationUnitThan() instead of operator<.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163490 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
4dfd141350009c742f4949a753ffe4a1524a2792 10-Sep-2012 Ted Kremenek <kremenek@apple.com> Take another crack at stabilizing the emission order of analyzer
diagnostics without using FoldingSetNodeIDs. This is done
by doing a complete recursive comparison of the PathDiagnostics.

Note that the previous method of comparing FoldingSetNodeIDs did
not end up relying on unstable things such as pointer addresses, so
I suspect this may still have some issues on various buildbots because
I'm not sure if the true source of non-determinism has been eliminated.
The tests pass for me, so the only way to know is to commit this change
and see what happens.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163489 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
7c06f036a3092a7e019979e1ca836a1fbe14edc7 10-Sep-2012 Ted Kremenek <kremenek@apple.com> Indent the "message" key in analyzer plist output.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163487 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
ce15cce38c34ae73348457da73c52df81cde3588 09-Sep-2012 Ted Kremenek <kremenek@apple.com> Remove dead method ProgramState::MarshalState().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163479 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
22505ef15e32db31a4f834a387cf73a913bc8f66 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Fix bug in BugReporter::RemoveUneededCalls() where "prunable"
PathDiagnosticEventPieces were *always* pruned. Instead, they
are suppose to only be pruned if the entire call gets pruned.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163460 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
0187a1b8b9b2b7657de0ba8b0d4f67d30bec83e8 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Attempt (again) to stabilize the order of the emission of diagnostics
of the analyzer by using the FullProfile() of a PathDiagnostic
for ordering them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163455 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
82f2ad456a82da1b9cb7ddfc994c8f5fa44b59e6 08-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] ObjCSelfInitChecker should always clean up in postCall checks.

ObjCSelfInitChecker stashes information in the GDM to persist it across
function calls; it is stored in pre-call checks and retrieved post-call.
The post-call check is supposed to clear out the stored state, but was
failing to do so in cases where the call did not have a symbolic return
value.

This was actually causing the inappropriate cache-out from r163361.
Per discussion with Anna, we should never actually cache out when
assuming the receiver of an Objective-C message is non-nil, because
we guarded that node generation by checking that the state has changed.
Therefore, the only states that could reach this exact ExplodedNode are
ones that should have merged /before/ making this assumption.

r163361 has been reverted and the test case removed, since it won't
actually test anything interesting now.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163449 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
e157ae53772e90a3ee3cba3eaa7da3300eb249eb 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Revert "Attempt to make the PathDiagnostic emission order more deterministic by"

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163446 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
62a456312ad633169528d5fc85063704dc8f5d0f 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Revert "Further tweaks to hopefully make the PathDiagnostic emission more deterministic."

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163445 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
24c7f98828e039005cff3bd847e7ab404a6a09f8 08-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove constraints on dead symbols as part of removeDeadBindings.

Previously, we'd just keep constraints around forever, which means we'd
never be able to merge paths that differed only in constraints on dead
symbols.

Because we now allow constraints on symbolic expressions, not just single
symbols, this requires changing SymExpr::symbol_iterator to include
intermediate symbol nodes in its traversal, not just the SymbolData leaf
nodes.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163444 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
ymbolManager.cpp
f6d05bbedd482e634507a099e3416fa05cbc0e78 08-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Symbolic regions are live if any subregions are live.

RegionStoreManager was only treating a SymbolicRegion's symbel as live
if there was a binding referring to the region itself.

No test case because constraints are currently not being cleaned out
of the constraint manager at all (even if the symbol is legitimately dead).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163443 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
9874f597ef5d5748695c88daaa9a3208f95c2032 08-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Cast the result of a placement new-expression to the correct type.

This is necessary because further analysis will assume that the SVal's
type matches the AST type. This caused a crash when trying to perform
a derived-to-base cast on a C++ object that had been new'd to be another
object type.

Yet another crash in PR13763.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163442 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
ec5fda4dedbc249b61be032f710e8c9d6396fee8 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Further tweaks to hopefully make the PathDiagnostic emission more deterministic.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163430 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
47cbd0f3892c7965cf16a58393f9f17a22d4d4d9 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Remove ProgramState::getSymVal(). It was being misused by Checkers,
with at least one subtle bug in MacOSXKeyChainAPIChecker where the
calling the method was a substitute for assuming a symbolic value
was null (which is not the case).

We still keep ConstraintManager::getSymVal(), but we use that as
an optimization in SValBuilder and ProgramState::getSVal() to
constant-fold SVals. This is only if the ConstraintManager can
provide us with that information, which is no longer a requirement.
As part of this, introduce a default implementation of
ConstraintManager::getSymVal() which returns null.

For Checkers, introduce ConstraintManager::isNull(), which queries
the state to see if the symbolic value is constrained to be a null
value. It does this without assuming it has been implicitly constant
folded.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163428 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
onstraintManager.cpp
rogramState.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
b4b4523cc52bebc5ed47cc501959ab31286a1065 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Attempt to make the PathDiagnostic emission order more deterministic by
looking at PathPieces.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163427 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
ace64b5f6a338111084bf4a7c9b7488a9965ef4e 08-Sep-2012 Ted Kremenek <kremenek@apple.com> Remove ConstraintManager:isEqual(). It is no longer used.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163425 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
9198c71a626e2f0d29d92152832f3e80f4af59b3 07-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use cast<> instead of getAs<> for a CFGElement known to be a CFGStmt.

When adding the next statement to the CoreEngine's work list, we take care
of all the special cases first. We certainly shouldn't be building
PostStmts with null statements (the diagnostics machinery assumes such
StmtPoints do not exist), and we should find out sooner if we're missing
a special case.

A refinement of r163402 that should help prevent further issues like PR13760.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163409 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
b5204ee30229c76f8a0be48800508483737ceb5a 07-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't use the address of a temporary CFGElement.

GCC destroys temporary objects more aggressively than clang, so this
results in incorrect behavior when compiling GCC Release builds.

We could avoid this issue under C++11 by preventing getAs from being
called when 'this' is an rvalue:

template<class ElemTy> const ElemTy *getAs() const & { ... }
template<class ElemTy> const ElemTy *getAs() const && = delete;

Unfortunately, we do not have compatibility macros for this behavior yet.

This will hopefully fix PR13760 and PR13762.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163402 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
99d68e9b4cc4a6bdb526722469d3f7412abd82be 07-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Explain why we need condition 8.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163394 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
62bde3e0a0699a72f9dbd1045dc4a3c554a46dd3 07-Sep-2012 Ted Kremenek <kremenek@apple.com> ExplodedGraph::shouldCollectNode() should not collect nodes for non-Expr Stmts
(as this previously was the case before this was refactored). We also shouldn't
need to specially handle BinaryOperators since the eagerly-assume heuristic tags
such nodes.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163374 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
c47dc1b9734ea9bebb281499d58d22c2647713a9 07-Sep-2012 Ted Kremenek <kremenek@apple.com> Fix bug in ConditionBRVisitor where for C++ (and not C) we were not ignoring
implicit pointer-to-boolean conversions in condition expressions. This would
result in inconsistent diagnostic emission between C and C++.

A consequence of this is now ConditionBRVisitor and TrackConstraintBRVisitor may
emit redundant diagnostics, for example:

"Assuming pointer value is null" (TrackConstraintBRVisitor)
"Assuming 'p' is null" (ConditionBRVisitor)

We need to reconcile the two, and perhaps prefer one over the other in some
cases.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163372 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
8f0d0fef5f90b16600cdb802d5d7344417c34aad 07-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Fail gracefully when the dynamic type is outside the hierarchy.

With some particularly evil casts, we can get an object whose dynamic type
is not actually a subclass of its static type. In this case, we won't even
find the statically-resolved method as a devirtualization candidate.

Rather than assert that this situation cannot occur, we now simply check
that the dynamic type is not an ancestor or descendent of the static type,
and leave it at that.

This error actually occurred analyzing LLVM: CallEventManager uses a
BumpPtrAllocator to allocate a concrete subclass of CallEvent
(FunctionCall), but then casts it to the actual subclass requested
(such as ObjCMethodCall) to perform the constructor.

Yet another crash in PR13763.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163367 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
5601c9aac3bf7be5e1ea8a76149090933d2d3c78 07-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash if we cache out while evaluating an ObjC message.

A bizarre series of coincidences led us to generate a previously-seen
node in the middle of processing an Objective-C message, where we assume
the receiver is non-nil. We were assuming that such an assumption would
never "cache out" like this, and blithely went on using a null ExplodedNode
as the predecessor for the next step in evaluation.

Although the test case committed here is complicated, this could in theory
happen in other ways as well, so the correct fix is just to test if the
non-nil assumption results in an ExplodedNode we've seen before.

<rdar://problem/12243648>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163361 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
200fa2e70d52ae6d620e81cd45536071fdde70c0 06-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't attempt to devirtualize calls to base class destructors.

CXXDestructorCall now has a flag for when it is a base destructor call.
Other kinds of destructor calls (locals, fields, temporaries, and 'delete')
all behave as "whole-object" destructors and do not behave differently
from one another (specifically, in these cases we /should/ try to
devirtualize a call to a virtual destructor).

This was causing crashes in both our internal buildbot, the crash still
being tracked in PR13765, and some of the crashes being tracked in PR13763,
due to a assertion failure. (The behavior under -Asserts happened to be
correct anyway.)

Adding this knowledge also allows our DynamicTypePropagation checker to do
a bit less work; the special rules about virtual method calls during a
destructor only require extra handling during base destructors.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163348 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
xprEngineCXX.cpp
31ba6135375433b617a8587ea6cc836a014ebd86 06-Sep-2012 Roman Divacky <rdivacky@freebsd.org> Dont cast away const needlessly. Found by gcc48 -Wcast-qual.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163325 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
emRegion.cpp
egionStore.cpp
9b925ac059089dfe74e3b8fa5effe519fb9ee885 06-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Enhance the member expr tracking to account for references.

As per Jordan's suggestion. (Came out of code review for r163261.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163269 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
5a1ffe98b04120846a15f7105905b5f363b08635 06-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Always include destructors in the analysis CFG.

While destructors will continue to not be inlined (unless the analyzer
config option 'c++-inlining' is set to 'destructors'), leaving them out
of the CFG is an incomplete model of the behavior of an object, and
can cause false positive warnings (like PR13751, now working).

Destructors for temporaries are still not on by default, since
(a) we haven't actually checked this code to be sure it's fully correct
(in particular, we probably need to be very careful with regard to
lifetime-extension when a temporary is bound to a reference,
C++11 [class.temporary]p5), and
(b) ExprEngine doesn't actually do anything when it sees a temporary
destructor in the CFG -- not even invalidate the object region.

To enable temporary destructors, set the 'cfg-temporary-dtors' analyzer
config option to '1'. The old -cfg-add-implicit-dtors cc1 option, which
controlled all implicit destructors, has been removed.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163264 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
352c657f789d5633b07d56d76cf78fda05c31353 06-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a crash PR13762.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163262 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
d91696e8680bbe89df1076fded1bc54104526060 06-Sep-2012 Anna Zaks <ganna@apple.com> [analyzer] NullOrUndef diagnostics: track symbols binded to regions.

If a region is binded to a symbolic value, we should track the symbol.

(The code I changed was not previously exercised by the regression
tests.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163261 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
6ebea89be233eaba5e29de8cf3524ad150c860bb 05-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Be more forgiving about calling methods on struct rvalues.

The problem is that the value of 'this' in a C++ member function call
should always be a region (or NULL). However, if the object is an rvalue,
it has no associated region (only a conjured symbol or LazyCompoundVal).
For now, we handle this in two ways:

1) Actually respect MaterializeTemporaryExpr. Before, it was relying on
CXXConstructExpr to create temporary regions for all struct values.
Now it just does the right thing: if the value is not in a temporary
region, create one.

2) Have CallEvent recognize the case where its 'this' pointer is a
non-region, and just return UnknownVal to keep from confusing clients.

The long-term problem is being tracked internally in <rdar://problem/12137950>,
but this makes many test cases pass.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163220 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCXX.cpp
4e45dba1c0234eec7b7c348dbbf568c5ac9fc471 05-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Clean up a couple uses of getPointeeType().

No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163219 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
egionStore.cpp
impleSValBuilder.cpp
fd11957f02da689480618d5fc642ef14164e9cdc 05-Sep-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Treat all struct values as regions (even rvalues)."

This turned out to have many implications, but what eventually seemed to
make it unworkable was the fact that we can get struct values (as
LazyCompoundVals) from other places besides return-by-value function calls;
that is, we weren't actually able to "treat all struct values as regions"
consistently across the entire analyzer core.

Hopefully we'll be able to come up with an alternate solution soon.

This reverts r163066 / 02df4f0aef142f00d4637cd851e54da2a123ca8e.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163218 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ymbolManager.cpp
791dd0a3f855b61ee97387dca67af86a1edff9f2 04-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't use makeIntVal to create a floating-point value.

SimpleSValBuilder processes a couple trivial identities, including 'x - x'
and 'x ^ x' (both 0). However, the former could appear with arguments of
floating-point type, and we weren't checking for that. This started
triggering an assert with r163069, which checks that a constant value is
actually going to be used as an integer or pointer.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163159 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
568ba871bbac959029671b81f8e531edb7e0d7d6 04-Sep-2012 Joao Matos <ripzonetriton@gmail.com> Revert r163083 per chandlerc's request.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163149 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
5be92de217a1940d0e109abd0f401df4480c1a4b 02-Sep-2012 Joao Matos <ripzonetriton@gmail.com> Implemented parsing and AST support for the MS __leave exception statement. Also a minor fix to __except printing in StmtPrinter.cpp. Thanks to Aaron Ballman for review.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163083 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
9eb214a691663a04ee61197e7d605128c85e09f7 01-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Silence unused variable warnings in NDEBUG builds.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163073 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
91ab900a939e95d965e18299b66928fdbe2aa38d 01-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Disallow creation of int vals with explicit bit width / signedness.

All clients of BasicValueFactory should be using QualTypes instead, and
indeed it seems they are. This caught the (fortunately harmless) bug
fixed in the previous commit.

No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163069 91177308-0d34-0410-b5e6-96231b3b80d8
asicValueFactory.cpp
d04713598ee8af6e01b925dca4e38bfd78227dad 01-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't attempt to create a floating-point value of "1" for ++/--.

The current logic would actually create a float- or double-sized signed
integer value of 1, which is not at all the same.

No test because the value would be swallowed by an Unknown as soon as it
gets added or subtracted to the original value, but it enables the cleanup
in the next patch.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163068 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
02df4f0aef142f00d4637cd851e54da2a123ca8e 01-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat all struct values as regions (even rvalues).

This allows us to correctly symbolicate the fields of structs returned by
value, as well as get the proper 'this' value for when methods are called
on structs returned by value.

This does require a moderately ugly hack in the StoreManager: if we assign
a "struct value" to a struct region, that now appears as a Loc value being
bound to a region of struct type. We handle this by simply "dereferencing"
the struct value region, which should create a LazyCompoundVal.

This should fix recent crashes analyzing LLVM and on our internal buildbot.

<rdar://problem/12137950>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163066 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ymbolManager.cpp
5699f62df144545702b91e91836a63db4e5f2627 01-Sep-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Always derive a CallEvent's return type from its origin expr.

Previously, we preferred to get a result type by looking at the callee's
declared result type. This allowed us to handlereferences, which are
represented in the AST as lvalues of their pointee type. (That is, a call
to a function returning 'int &' has type 'int' and value kind 'lvalue'.)

However, this results in us preferring the original type of a function
over a casted type. This is a problem when a function pointer is casted
to another type, because the conjured result value will have the wrong
type. AdjustedReturnValueChecker is supposed to handle this, but still
doesn't handle the case where there is no "original function" at all,
i.e. where the callee is unknown.

Now, we instead look at the call expression's value kind (lvalue, xvalue,
or prvalue), and adjust the expr's type accordingly. This will have no
effect when the function is inlined, and will conjure the value that will
actually be used when it is not.

This makes AdjustedReturnValueChecker /nearly/ unnecessary; unfortunately,
the cases where it would still be useful are where we need to cast the
result of an inlined function or a checker-evaluated function, and in these
cases we don't know what we're casting /from/ by the time we can do post-
call checks. In light of that, remove AdjustedReturnValueChecker, which
was already not checking quite a few calls.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163065 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
305c613af6cfc40e519c75d9d2c84c6fa9a841c0 01-Sep-2012 Ted Kremenek <kremenek@apple.com> Split library clangRewrite into clangRewriteCore and clangRewriteFrontend.
This is similar to how we divide up the StaticAnalyzer libraries to separate
core functionality to what is clearly associated with Frontend actions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163050 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
TMLDiagnostics.cpp
de5277fc555551857602bd7a7e5e616274e2d4a6 31-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Though C++ inlining is enabled, don't inline ctors and dtors.

More generally, this adds a new configuration option 'c++-inlining', which
controls which C++ member functions can be considered for inlining. This
uses the new -analyzer-config table, so the cc1 arguments will look like this:

... -analyzer-config c++-inlining=[none|methods|constructors|destructors]

Note that each mode implies that all the previous member function kinds
will be inlined as well; it doesn't make sense to inline destructors
without inlining constructors, for example.

The default mode is 'methods'.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163004 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
MakeLists.txt
xprEngineCallAndReturn.cpp
3a46f5fd1709f6df03bbb8b0abf84052dc0f39ff 31-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Ensure that PathDiagnostics profile the same regardless of path.

PathDiagnostics are actually profiled and uniqued independently of the
path on which the bug occurred. This is used to merge diagnostics that
refer to the same issue along different paths, as well as by the plist
diagnostics to reference files created by the HTML diagnostics.

However, there are two problems with the current implementation:

1) The bug description is included in the profile, but some
PathDiagnosticConsumers prefer abbreviated descriptions and some
prefer verbose descriptions. Fixed by including both descriptions in
the PathDiagnostic objects and always using the verbose one in the profile.

2) The "minimal" path generation scheme provides extra information about
which events came from macros that the "extensive" scheme does not.
This resulted not only in different locations for the plist and HTML
diagnostics, but also in diagnostics being uniqued in the plist output
but not in the HTML output. Fixed by storing the "end path" location
explicitly in the PathDiagnostic object, rather than trying to find the
last piece of the path when the diagnostic is requested.

This should hopefully finish unsticking our internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162965 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
8c916ee23c7c16e859eb55a907385f94039f8b27 31-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Fix a crash in plist-html generation introduced in r162939.

Basically, do the correct thing to fix the XML generation error, rather
than making it even worse by unilaterally dereferencing a null pointer.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162964 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
a6c66cedc022c9e5d45a937d6b8cff491a6bf81b 31-Aug-2012 Eli Friedman <eli.friedman@gmail.com> Change the representation of builtin functions in the AST
(__builtin_* etc.) so that it isn't possible to take their address.
Specifically, introduce a new type to represent a reference to a builtin
function, and a new cast kind to convert it to a function pointer in the
operand of a call. Fixes PR13195.



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162962 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
fbcb3f11fc90e9f00e6074e9b118b8dc11ca604c 31-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Refactor the logic that determines if a functions should be
reanalyzed.

The policy on what to reanalyze should be in AnalysisConsumer with the
rest of visitation order logic.

There is no reason why ExprEngine needs to pass the Visited set to
CoreEngine, it can populate it itself.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162957 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
f9f5fdbbeff3f60c5e8c0461df48d84365d56fd7 30-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Plist diagnostics: Fix a case where we fail to close an XML tag.

If the current path diagnostic does /not/ have files associated with it, we
were simply skipping on to the next diagnostic with 'continue'. But that
also skipped the close tag for the diagnostic's <dict> node.

Part of fixing our internal analyzer buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162939 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
2fa9d72d4d23ccdcd4137946e5ebafac7a04f04c 30-Aug-2012 Ted Kremenek <kremenek@apple.com> Rename 'MaxLoop' to 'maxBlockVisitOnPath' to reflect reality. We
should consider renaming the command line option as well.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162932 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
0caa2d47b84337e942b3f6652adfafe4ae506cfe 30-Aug-2012 Ted Kremenek <kremenek@apple.com> Rename AnalyzerOptions 'EagerlyAssume' to 'eagerlyAssumeBinOpBifurcation'.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162930 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngine.cpp
255d4d4226b24036ceb11228fbb74286e58620f7 30-Aug-2012 Ted Kremenek <kremenek@apple.com> Store const& to AnalyzerOptions in AnalysisManager instead of copying
individual flags.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162929 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
28694c1fe44082970cd53ca7ffef25f668e4c545 30-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Fixup 162863.

Thanks Jordan.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162875 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
80de487e03dd0f44e4572e2122ebc1aa6a3961f5 29-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Improved diagnostic pruning for calls initializing values.

This heuristic addresses the case when a pointer (or ref) is passed
to a function, which initializes the variable (or sets it to something
other than '0'). On the branch where the inlined function does not
set the value, we report use of undefined value (or NULL pointer
dereference). The access happens in the caller and the path
through the callee would get pruned away with regular path pruning. To
solve this issue, we previously disabled diagnostic pruning completely
on undefined and null pointer dereference checks, which entailed very
verbose diagnostics in most cases. Furthermore, not all of the
undef value checks had the diagnostic pruning disabled.

This patch implements the following heuristic: if we pass a pointer (or
ref) to the region (on which the error is reported) into a function and
it's value is either undef or 'NULL' (and is a pointer), do not prune
the function.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162863 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
7b73e0832b20af1f43601a3d19e76d02d9f4dce5 29-Aug-2012 Ted Kremenek <kremenek@apple.com> Add new -cc1 driver option -analyzer-config, which allows one to specify
a comma separated collection of key:value pairs (which are strings). This
allows a general way to provide analyzer configuration data from the command line.

No clients yet.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162827 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
827eeb63614309bafac9d77a5a3a7ca81f1e4751 28-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Teach CallEventManager that CXXTemporaryObjectExpr is also a ctor.

Specifically, CallEventManager::getCaller was looking at the call site for
an inlined call and trying to see what kind of call it was, but it only
checked for CXXConstructExprClass. (It's not using an isa<> here to avoid
doing three more checks on the the statement class.)

This caused an unreachable when we actually did inline the constructor of a
temporary object.

PR13717

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162792 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
632e5022f68fcae3b68bbc90538a60f3ba20229f 28-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] When we look for the last stmt in a function, skip implicit dtors.

When exiting a function, the analyzer looks for the last statement in the
function to see if it's a return statement (and thus bind the return value).
However, the search for "the last statement" was accepting statements that
were in implicitly-generated inlined functions (i.e. destructors). So we'd
go and get the statement from the destructor, and then say "oh look, this
function had no explicit return...guess there's no return value". And /that/
led to the value being returned being declared dead, and all our leak
checkers complaining.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162791 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
65e209ad795aeb3908760a45b1cbda0748cc0658 28-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't purge dead symbols at the end of calls if -analyzer-purge=none.

No test case since this is a debug option that we will never turn on by
default since it makes the leak checkers much less useful. (We'll only report
leaks at the end of analysis if -analyzer-purge=none.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162772 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
a1f81bb0e55749a1414b1b5124bb83b9052ff2ac 28-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Rename addTrackNullOrUndefValueVisitor to trackNullOrUndefValue.

This helper function (in the clang::ento::bugreporter namespace) may add more
than one visitor, but conceptually it's tracking a single use of a null or
undefined value and should do so as best it can.

Also, the BugReport parameter has been made a reference to underscore that
it is non-optional.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162720 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
166b7bd43551964d65bcf4918f51a167b8374e2a 28-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Refactor FindLastStoreBRVisitor to not find the store ahead of time.

As Anna pointed out to me offline, it's a little silly to walk backwards through
the graph to find the store site when BugReporter will do the exact same walk
as part of path diagnostic generation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162719 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
7aba1171b32265b2206f3fa8f8886953051b58f5 28-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] If the last store into a region came from a function, step into it.

Previously, if we were tracking stores to a variable 'x', and came across this:

x = foo();

...we would simply emit a note here and stop. Now, we'll step into 'foo' and
continue tracking the returned value from there.

<rdar://problem/12114689>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162718 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
6062334cc388bce69fb3978c4ecb26c6485a5c2b 28-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Rename CallEvent::mayBeInlined to CallEvent::isCallStmt.

The two callers are using this in order to be conservative, so let's just
clarify the information that's actually being provided here. This is not
related to inlining decisions in any way.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162717 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xplodedGraph.cpp
xprEngine.cpp
364b9f95fa47b0ca7f1cc694195f7a9953652f81 27-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Look through casts when trying to track a null pointer dereference.

Also, add comments to addTrackNullOrUndefValueVisitor.

Thanks for the review, Anna!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162695 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
6fe4dfbc9e5a7018763b1d898876d9b2b8ec3425 27-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't inline constructors for objects allocated with operator new.

Because the CXXNewExpr appears after the CXXConstructExpr in the CFG, we don't
actually have the correct region to construct into at the time we decide
whether or not to inline. The long-term fix (discussed in PR12014) might be to
introduce a new CFG node (CFGAllocator) that appears before the constructor.

Tracking the short-term fix in <rdar://problem/12180598>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162689 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
210f5a28227c90d739298e3e6729e827858fe397 27-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] More internal stats collection.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162687 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
c210cb7a358d14cdd93b58562f33ff5ed2d895c1 27-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Inline constructors for any object with a trivial destructor.

This allows us to better reason about status objects, like Clang's own
llvm::Optional (when its contents are trivially destructible), which are
often intended to be passed around by value.

We still don't inline constructors for temporaries in the general case.

<rdar://problem/11986434>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162681 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
3682f1ea9c7fddc7dcbc590891158ba40f7fca16 25-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use the common evalBind infrastructure for initializers.

This allows checkers (like the MallocChecker) to process the effects of the
bind. Previously, using a memory-allocating function (like strdup()) in an
initializer would result in a leak warning.

This does bend the expectations of checkBind a bit; since there is no
assignment expression, the statement being used is the initializer value.
In most cases this shouldn't matter because we'll use a PostInitializer
program point (rather than PostStmt) for any checker-generated nodes, though
we /will/ generate a PostStore node referencing the internal statement.
(In theory this could have funny effects if someone actually does an
assignment within an initializer; in practice, that seems like it would be
very rare.)

<rdar://problem/12171711>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162637 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
heckerManager.cpp
xprEngine.cpp
df5faf5e7ae6823d0af0b801c4ac26d47f2cee97 25-Aug-2012 Chad Rosier <mcrosier@apple.com> [ms-inline asm] As part of a larger refactoring, rename AsmStmt to GCCAsmStmt.
No functional change intended.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162632 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
b75e2602e246b44bb285be8cc31166302d77998f 24-Aug-2012 Ted Kremenek <kremenek@apple.com> Rework how PathDiagnosticConsumers pass knowledge of what files they
generated for a given diagnostic to another. Because PathDiagnostics
are specific to a give PathDiagnosticConsumer, store in
a FoldingSet a unique hash for a PathDiagnostic (that will be the same
for the same bug for different PathDiagnosticConsumers) that
stores a list of files generated. This can then be read by the
other PathDiagnosticConsumers.

This fixes breakage in the PLIST-HTML output.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162580 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
23df2437a47ff129d2923ae325d42e79682a7f14 24-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] If we dereference a NULL that came from a function, show the return.

More generally, any time we try to track where a null value came from, we
should show if it came from a function. This usually isn't necessary if
the value is symbolic, but if the value is just a constant we previously
just ignored its origin entirely. Now, we'll step into the function and
recursively add a visitor to the returned expression.

<rdar://problem/12114609>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162563 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
8eba6f194484c38ed724375aeab27de556113a84 23-Aug-2012 Stephen Hines <srhines@google.com> Add new files for merge to upstream r162325.

Change-Id: I44af8265445bd67d7985164e2e3117b8c3d8d3c1
ndroid.mk
80ea4bc944eb01c220eeaa004b21ad709ba928e1 24-Aug-2012 Stephen Hines <srhines@google.com> Merge branch 'upstream' into merge_2

Conflicts:
lib/Sema/SemaDeclAttr.cpp

Change-Id: If47d0d39459760017258502b4d9e859ac36a273b
5a90193ad825656d4a03099cd5e9c928d1782b5e 24-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Make analyzer less aggressive when dealing with [self init].

With inlining, retain count checker starts tracking 'self' through the
init methods. The analyser results were too noisy if the developer
did not follow 'self = [super init]' pattern (which is common
especially in older code bases) - we reported self init anti-pattern AND
possible use-after-free. This patch teaches the retain count
checker to assume that [super init] does not fail when it's not consumed
by another expression. This silences the retain count warning that warns
about possibility of use-after-free when init fails, while preserving
all the other checking on 'self'.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162508 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
0156439a3d718ea0ef5922c38d189a60829c8a86 24-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] For now, treat pointers-to-members as non-null void * symbols.

Until we have full support for pointers-to-members, we can at least
approximate some of their use by tracking null and non-null values.
We thus treat &A::m_ptr as a non-null void * symbol, and MemberPointer(0)
as a pointer-sized null constant.

This enables support for what is sometimes called the "safe bool" idiom,
demonstrated in the test case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162495 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
c386d8f148c1a9d4992c64188e2873fcbc6da20d 24-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle UserDefinedConversion casts in C++.

This is trivial; the UserDefinedConversion always wraps a CXXMemberCallExpr
for the appropriate conversion function, so it's just a matter of
propagating that value to the CastExpr itself.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162494 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
b66529d04727dc686b97ea3d937fc9785792f505 23-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Support C++ default arguments if they are literal values.

A CXXDefaultArgExpr wraps an Expr owned by a ParmVarDecl belonging to the
called function. In general, ExprEngine and Environment ought to treat this
like a ParenExpr or other transparent wrapper expression, with the inside
expression evaluated first.

However, if we call the same function twice, we'd produce a CFG that contains
the same wrapped expression twice, and we're not set up to handle that. I've
added a FIXME to the CFG builder to come back to that, but meanwhile we can
at least handle expressions that don't need to be explicitly evaluated:
literals. This probably handles many common uses of default parameters:
true/false, null, etc.

Part of PR13385 / <rdar://problem/12156507>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162453 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
a8eaf008e92759142982f7b40720b2b2674bd663 23-Aug-2012 Richard Smith <richard-llvm@metafoo.co.uk> Fix undefined behavior: member function calls where 'this' is a null pointer.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162430 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
ad0fe03b897f9486191e75c8d90c3ffa9b4fd6a5 23-Aug-2012 Ted Kremenek <kremenek@apple.com> Fix an assortment of doxygen comment issues found by -Wdocumentation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162412 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
efb3d56720654f5355ff8fc666499cc6554034f4 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Despite me asking Jordan to do r162313, revert it. We can provide
another way to whitelist these special cases. This is an intermediate patch.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162386 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
impleConstraintManager.cpp
e3f3825bd82f84f2a1ae0a02274a33298bb720b3 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Remove BasicConstraintManager. It hasn't been in active service for a while.

As part of this change, I discovered that a few of our tests were not testing
the RangeConstraintManager. Luckily all of those passed when I moved them
over to use that constraint manager.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162384 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
MakeLists.txt
56a46b51df691f857f7120aaf2d4deeff0b014de 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Rename 'unbindLoc()' (in ProgramState) and 'Remove()' to
'killBinding()'. The name is more specific, and one just forwarded
to the other.

Add some doxygen comments along the way.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162350 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
egionStore.cpp
66c486f275531df6362b3511fc3af6563561801b 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Rename 'currentX' to 'currX' throughout analyzer and libAnalysis.
Also rename 'getCurrentBlockCounter()' to 'blockCount()'.

This ripples a bunch of code simplifications; mostly aesthetic,
but makes the code a bit tighter.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162349 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
3b1df8bb941a18c4a7256d7cfcbccb9de7e39995 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Rename 'getConjuredSymbol*' to 'conjureSymbol*'.

No need to have the "get", the word "conjure" is a verb too!
Getting a conjured symbol is the same as conjuring one up.

This shortening is largely cosmetic, but just this simple changed
cleaned up a handful of lines, making them less verbose.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162348 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
egionStore.cpp
ValBuilder.cpp
ymbolManager.cpp
32a549a64922af0903bdb777613ae7ae4490b70f 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Remove Store::bindDecl() and Store::bindDeclWithNoInit(), and
all forwarding methods.

This functionality is already covered by bindLoc().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162346 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
rogramState.cpp
egionStore.cpp
5be88dc79d2768d67371103b6535fb8c4a6f27a1 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Rename 'BindCompoundLiteral' to 'bindCompoundLiteral' and
add doxygen comments.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162345 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
egionStore.cpp
ab9c04fda542d096c667d6a3746d94c884f80e7b 22-Aug-2012 Ted Kremenek <kremenek@apple.com> Consilidate SmallPtrSet count() followed by insert() into a single insert().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162330 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
12e2fb0db76ca2705ce5169e04d9cd52762fc685 22-Aug-2012 Matt Beaumont-Gay <matthewbg@google.com> Add an llvm_unreachable to pacify GCC's -Wreturn-type.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162325 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
c568e2f801a62e442cbbd823b71f70175715661f 21-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Set the default IPA mode to 'basic-inlining', which excludes C++.

Under -analyzer-ipa=basic-inlining, only C functions, blocks, and C++ static
member functions are inlined -- essentially, the calls that behave like simple
C function calls. This is essentially the behavior in Xcode 4.4.

C++ support still has some rough edges, and we don't want users to be worried
about them if they download and run their own checker. (In particular, the
massive number of false positives for analyzing LLVM comes from inlining
defensively-written code in contexts where more aggressive assumptions are
implicitly made. This problem is not unique to C++, but it is exacerbated by
the higher proportion of code that lives in header files in C++.)

The eventual goal is to be comfortable enough with C++ support (and simple
Objective-C support) to advance to -analyzer-ipa=inlining as the default
behavior. See the IPA design notes for more details.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162318 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
58fc86d68d53eb6c47cc34974b6f37627a5f386c 21-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Push "references are non-null" knowledge up to the common parent.

This reduces duplication across the Basic and Range constraint managers, and
keeps their internals free of dealing with the semantics of C++. It's still
a little unfortunate that the constraint manager is dealing with this at all,
but this is pretty much the only place to put it so that it will apply to all
symbolic values, even when embedded in larger expressions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162313 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
angeConstraintManager.cpp
impleConstraintManager.cpp
a34d4f47321324187ed57948628f5938357ae034 21-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Assume that reference symbols are non-null.

By doing this in the constraint managers, we can ensure that ANY reference
whose value we don't know gets the effect, even if it's not a top-level
parameter.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162246 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
angeConstraintManager.cpp
1833d284346b9fa11aae4e6aa07381347c04745c 20-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add comments to ExplodedNode::NodeGroup.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162216 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
fa06f0464a04bb7fce1fcfb3780d151bb029e00c 20-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Replace boolean IsSink parameters with 'generateSink' methods.

Generating a sink is significantly different behavior from generating a
normal node, and a simple boolean parameter can be rather opaque. Per
offline discussion with Anna, adding new generation methods is the
clearest way to communicate intent.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162215 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineObjC.cpp
7f839a6b35e5007964b538423b0a570eed26fc10 20-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] The result of && or || is always a 1 or 0.

Forgetting to at least cast the result was giving us Loc/NonLoc problems
in SValBuilder (hitting an assertion). But the standard (both C and C++)
does actually guarantee that && and || will result in the actual values
1 and 0, typed as 'int' in C and 'bool' in C++, and we can easily model that.

PR13461

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162209 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
c32a453e40b2c8878fed10512fb2f570b7aba576 18-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat C++ 'throw' as a sink.

Our current handling of 'throw' is all CFG-based: it jumps to a 'catch' block
if there is one and the function exit block if not. But this doesn't really
get the right behavior when a function is inlined: execution will continue on
the caller's side, which is always the wrong thing to do.

Even within a single function, 'throw' completely skips any destructors that
are to be run. This is essentially the same problem as @finally -- a CFGBlock
that can have multiple entry points, whose exit points depend on whether it
was entered normally or exceptionally.

Representing 'throw' as a sink matches our current (non-)handling of @throw.
It's not a perfect solution, but it's better than continuing analysis in an
inconsistent or even impossible state.

<rdar://problem/12113713>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162157 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
19275bdec34b2ec5d77a78c0ea393a45ab05e128 18-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat @throw as a sink (stop processing).

The CFG approximates @throw as a return statement, but that's not good
enough in inlined functions. Moreover, since Objective-C exceptions are
usually considered fatal, we should be suppressing leak warnings like we
do for calls to noreturn functions (like abort()).

The comments indicate that we were probably intending to do this all along;
it may have been inadvertantly changed during a refactor at one point.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162156 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
46e778145c56cd9b42cb399795a294b29cb78b62 18-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use PointerUnion to implement ExplodedNode::NodeGroup.

We shouldn't be reinventing our own wheels. This also paves the way for
marking different kinds of sinks.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162154 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
27762243921cd0b8105b7ee5b7c614590363082f 16-Aug-2012 Ted Kremenek <kremenek@apple.com> Remove #if 0 that has been around for a long time.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162030 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
2b2c49d2ac5adb34f900f7a854a3ad5a6b0dff3c 16-Aug-2012 Ted Kremenek <kremenek@apple.com> Remove "range_iterator" from PathDiagnosticPiece and just use ArrayRef<SourceRange> for ranges. This
removes conceptual clutter, and can allow us to easy migrate to C++11 style for-range loops if we
ever move to using C++11 in Clang.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162029 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
c4bac8e376b98d633bb00ee5f510d5e58449753c 16-Aug-2012 Ted Kremenek <kremenek@apple.com> Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time.

This fixes several issues:

- removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer,
but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer
was used by itself.

- emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special
case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings,
as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation
unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine).

As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped,
just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now
the tests have higher fidelity with what users will see.

There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph)
once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the
logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue)
for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular
consumer expects.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162028 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
d1420c6fa788669e49f21e184927c7833881e399 16-Aug-2012 Richard Smith <richard-llvm@metafoo.co.uk> Store SourceManager pointer on PrintingPolicy in the case where we're dumping,
and remove ASTContext reference (which was frequently bound to a dereferenced
null pointer) from the recursive lump of printPretty functions. In so doing,
fix (at least) one case where we intended to use the 'dump' mode, but that
failed because a null ASTContext reference had been passed in.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162011 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
e6cd0548fd8f52bcda917add482770fa418c619b 16-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Look through all casts when trying to track constraints.

Previously, we were losing path notes (in both text and plist form)
because the interesting DeclRefExpr was buried in a cast.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161999 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
da29ac527063fc9714547088bf841bfa30557bf0 15-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Even if we are not inlining a virtual call, still invalidate!

Fixes a mistake introduced in r161916.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161987 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
4e79fdfe22db1c982e8fdf8397fee426a8c57821 15-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Correctly devirtualize virtual method calls in constructors.

This is the other half of C++11 [class.cdtor]p4 (the destructor side
was added in r161915). This also fixes an issue with post-call checks
where the 'this' value was already being cleaned out of the state, thus
being omitted from a reconstructed CXXConstructorCall.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161981 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
fc87350ce0b279c82b1c9d2647063f4acf48a978 15-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't try to devirtualize if the class is incomplete.

A similar issue to the previous commit, introduced by r161915.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161961 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
9f6441ad92c30028032eb3df6f4a7f2ebe393a68 15-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Only adjust the type of 'this' when we devirtualize a method call.

With reinterpret_cast, we can get completely unrelated types in a region
hierarchy together; this was resulting in CXXBaseObjectRegions being layered
directly on an (untyped) SymbolicRegion, whose symbol was from a completely
different type hierarchy. This was what was causing the internal buildbot to
fail.

Reverts r161911, which merely masked the problem.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161960 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
emRegion.cpp
b763ede873c23c8651bd18eba0c62e929b496ba5 15-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't inline dynamic-dispatch methods unless -analyzer-ipa=dynamic.

Previously we were checking -analyzer-ipa=dynamic-bifurcate only, and
unconditionally inlining everything else that had an available definition,
even under -analyzer-ipa=inlining (but not under -analyzer-ipa=none).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161916 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
0ad36baedc516005cb6ea97d96327517ebfe5138 15-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Correctly devirtualize virtual method calls in destructors.

C++11 [class.cdtor]p4: When a virtual function is called directly or
indirectly from a constructor or from a destructor, including during
the construction or destruction of the class’s non-static data members,
and the object to which the call applies is the object under
construction or destruction, the function called is the final overrider
in the constructor's or destructor's class and not one overriding it in
a more-derived class.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161915 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
cd6873e5c6b89caefa0baeb21c4ad94976fa1b8a 15-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] A base class needs a complete definition to provide offsets.

No test case yet; trying to reduce one from a failing internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161911 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
38aee3bb4ffe14c8323785ae2fafed6f627fb577 14-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer]Assume that the properties cannot be overridden when dot
syntax is used.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161889 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
42c72c258e08ca79c9267346b4badcddd8fcd001 14-Aug-2012 Benjamin Kramer <benny.kra@googlemail.com> Do NOT use inline functions with LLVM_ATTRIBUTE_USED.

The function will be emitted into every single TU including the header!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161872 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
f41c0dd023b2990eee0296390a88641d157777f7 14-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Look up DynamicTypeInfo by region instead of symbol.

This allows us to store type info for non-symbolic regions.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161811 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
645baeed6800f952e9ad1d5666e01080385531a2 14-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Reduce code duplication: make CXXDestructorCall a CXXInstanceCall.

While there is now some duplication between SimpleCall and the CXXInstanceCall
sub-hierarchy, this is much better than copy-and-pasting the devirtualization
logic shared by both instance methods and destructors.

An unfortunate side effect is that there is no longer a single CallEvent type
that corresponds to "calls written as CallExprs". For the most part this is a
good thing, but the checker callback eval::Call still takes a CallExpr rather
than a CallEvent (since we're not sure if we want to allow checkers to
evaluate other kinds of calls). A mistake here will be caught by a cast<> in
CheckerManager::runCheckersForEvalCall.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161809 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngineCallAndReturn.cpp
8ec104b9fffb917924c495ce3dd25694e4e3087a 14-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Be more careful when downcasting for devirtualization.

Virtual base regions are never layered, so simply stripping them off won't
necessarily get you to the correct casted class. Instead, what we want is
the same logic for evaluating dynamic_cast: strip off base regions if possible,
but add new base regions if necessary.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161808 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
0a5629812019ce8bef86ade5425ac261bb544fd8 14-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle dynamic_casts that turn out to be upcasts.

This can occur with multiple inheritance, which jumps from one parent to
the other, and with virtual inheritance, since virtual base regions always
wrap the actual object and can't be nested within other base regions.

This also exposed some incorrect logic for multiple inheritance: even if B
is known not to derive from C, D might still derive from both of them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161798 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
b11a3ada9a22e146c6edd33bcc6301e221fedd7a 14-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't strip CXXBaseObjectRegions when checking dynamic_casts.

...and /do/ strip CXXBaseObjectRegions when casting to a virtual base class.

This allows us to enforce the invariant that a CXXBaseObjectRegion can always
provide an offset for its base region if its base region has a known class
type, by only allowing virtual bases and direct non-virtual bases to form
CXXBaseObjectRegions.

This does mean some slight problems for our modeling of dynamic_cast, which
needs to be resolved by finding a path from the current region to the class
we're trying to cast to.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161797 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
emRegion.cpp
egionStore.cpp
Vals.cpp
b6d2bea04801cb66263de2f3fe99ef8e1dcd9f53 11-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Strip CXXBaseObjectRegions when devirtualizing method calls.

This was causing a crash when we tried to re-apply a base object region to
itself. It probably also caused incorrect offset calculations in RegionStore.

PR13569 / <rdar://problem/12076683>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161710 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
9584f67b6da17283a31dedf0a1cab2d83a3d121c 11-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Try to devirtualize even if the static callee has no definition.

This mostly affects pure virtual methods, but would also affect parent
methods defined inline in the header when analyzing the child's source file.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161709 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
54918ba02ba900c0e0bb4fd3d749b6b1ac4e50a9 10-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Track if a region can be a subclass in the dynamic type info.

When object is allocated with alloc or init, we assume it cannot be a
subclass (currently used only for bifurcation purposes).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161682 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
3f558af01643787d209a133215b0abec81b5fe30 10-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Optimize dynamic dispatch bifurcation by detecting the cases
when we don't need to split.

In some cases we know that a method cannot have a different
implementation in a subclass:
- the class is declared in the main file (private)
- all the method declarations (including the ones coming from super
classes) are in the main file.

This can be improved further, but might be enough for the heuristic.
(When we are too aggressive splitting the state, efficiency suffers.
When we fail to split the state coverage might suffer.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161681 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
d1a4f68a4301d1ee3098cc9db0cd507b96dd1bee 10-Aug-2012 Benjamin Kramer <benny.kra@googlemail.com> Fix a couple of pedantic gcc warnings.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161656 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
5ad76c073e1822d11901a8552c6aa9372038b5f0 10-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Merge RegionStore's KillStruct and CopyLazyBindings: BindAggregate.

Both methods need to clear out existing bindings and provide a new default
binding. Originally KillStruct always provided UnknownVal as the default,
but it's allowed symbolic values for quite some time (for handling returned
structs in C).

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161637 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
1e934431adba0f459668a59c6059b9596fd627b4 10-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Cluster bindings in RegionStore by base region.

This should speed up activities that need to access bindings by cluster,
such as invalidation and dead-bindings cleaning. In some cases all we save
is the cost of building the region cluster map, but other times we can
actually avoid traversing the rest of the store.

In casual testing, this produced a speedup of nearly 10% analyzing SQLite,
with /less/ memory used.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161636 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
824e07ac8f5c9efdddb4254de0203b9675b1ef0b 10-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Cache the "concrete offset base" for regions with symbolic offsets.

This makes it faster to access and invalidate bindings with symbolic offsets
by only computing this information once.

No intended functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161635 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
2c5f8d79ed128892fa548a3308a938a3a53fbb5e 09-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] A CXXBaseObjectRegion should correspond to a DIRECT base.

An ASTContext's RecordLayoutInfo can only be used to look up offsets of
direct base classes, and we need the offset to make non-symbolic bindings
in RegionStore. This change makes sure that we have one layer of
CXXBaseObjectRegion for each base we are casting through.

This was causing crashes on an internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161621 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
tore.cpp
d4fe57f7f7a8793227effc1274d70ec44cee9a4f 09-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Rename the function to better reflect what it actually does.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161617 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
6960f6e53b0d9a69a460c99ec199470271ff9603 09-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Clarify the values in Dyn. Dispatch Bifurcation map.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161616 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
5960f4aeac9760198c80e05d70d8dadb1db0ff0e 09-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Improve readability of the dyn. dispatch bifurcation patch
r161552.

As per Jordan's feedback.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161603 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
fc05decf08feefd2ffe8cc250219aee6eab3119c 09-Aug-2012 Anna Zaks <ganna@apple.com> Unbreak the build.

Declaring "const Decl *Decl" is not a good idea.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161567 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
e90d3f847dcce76237078b67db8895eb7a24189e 09-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Bifurcate the path with dynamic dispatch.

This is an initial (unoptimized) version. We split the path when
inlining ObjC instance methods. On one branch we always assume that the
type information for the given memory region is precise. On the other we
assume that we don't have the exact type info. It is important to check
since the class could be subclassed and the method can be overridden. If
we always inline we can loose coverage.

Had to refactor some of the call eval functions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161552 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
919e8a1c6698bfa6848571d366430126bced727d 08-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Clean up the printing of FieldRegions for leaks.

Unfortunately, generalized region printing is very difficult:
- ElementRegions are used both for casting and as actual elements.
- Accessing values through a pointer means going through an intermediate
SymbolRegionValue; symbolic regions are untyped.
- Referring to implicitly-defined variables like 'this' and 'self' could be
very confusing if they come from another stack frame.

We fall back to simply not printing the region name if we can't be sure it
will print well. This will allow us to improve in the future.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161512 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
0d53ab4024488d0c6cd283992be3fd4b67099bd3 08-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Track malloc'd regions stored in structs.

The main blocker on this (besides the previous commit) was that
ScanReachableSymbols was not looking through LazyCompoundVals.
Once that was fixed, it's easy enough to clear out malloc data on return,
just like we do when we bind to a global region.

<rdar://problem/10872635>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161511 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
e0d24eb1060a213ec9820dc02c45f26b2d5b348b 08-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Revamp RegionStore to distinguish regions with symbolic offsets.

RegionStore currently uses a (Region, Offset) pair to describe the locations
of memory bindings. However, this representation breaks down when we have
regions like 'array[index]', where 'index' is unknown. We used to store this
as (SubRegion, 0); now we mark them specially as (SubRegion, SYMBOLIC).

Furthermore, ProgramState::scanReachableSymbols depended on the existence of
a sub-region map, but RegionStore's implementation doesn't provide for such
a thing. Moving the store-traversing logic of scanReachableSymbols into the
StoreManager allows us to eliminate the notion of SubRegionMap altogether.

This fixes some particularly awkward broken test cases, now in
array-struct-region.c.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161510 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
rogramState.cpp
egionStore.cpp
tore.cpp
8ed21ef726be89ef7151b5ff397631379bd8a537 07-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Address Jordan's review of DynamicTypePropagation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161391 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
c7ecc43c33a21b82c49664910b19fcc1f555aa51 07-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Add a checker to manage dynamic type propagation.

Instead of sprinkling dynamic type info propagation throughout
ExprEngine, the added checker would add the more precise type
information on known APIs (Ex: ObjC alloc, new) and propagate
the type info in other cases (ex: ObjC init method, casts (the second is
not implemented yet)).

Add handling of ObjC alloc, new and init to the checker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161357 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineC.cpp
rogramState.cpp
563ea2335d7d0df44bbfe8941f64523e8af1fc14 04-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Update initializer assertion for delegating constructors.

Like base constructors, delegating constructors require no further
processing in the CFGInitializer node.

Also, add PrettyStackTraceLoc to the initializer and destructor logic
so we can get better stack traces in the future.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161283 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
685379965c1b105ce89cf4f6c60810932b7f4d0d 04-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] When a symbol is null, we should track its constraints.

Because of this, we would previously emit NO path notes when a parameter
is constrained to null (because there are no stores). Now we show where we
made the assumption, which is much more useful.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161280 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
b0e1badc2a9b8275b48dfb15c6907a282b949b02 04-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Flatten path diagnostics for text output like we do for HTML.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161279 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
extPathDiagnostics.cpp
9da59a67a27a4d3fc9d59552f07808a32f85e9d3 04-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Track null/uninitialized C++ objects used in method calls.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161278 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
7ad4848d4744b8d60289f3e359250cebdaaf7114 04-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Provide useful PathDiagnosticLocations for CallEnter/Exit events.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161277 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
20165e796c16311a83911db74c04d797e93471b2 04-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] FindLastStoreBRVisitor was not actually finding stores.

The visitor walks back through the ExplodedGraph as expected, but
it wasn't actually keeping track of when a value was assigned. This
meant that it only worked when the value was assigned when the variable
was defined.

Tests in the next commit (dependent on another change).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161276 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
c1290e006045a72120329ad23aa43c66fbe300be 03-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Fixup: remove the extra whitespace

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161265 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
148fee988e32efcad45ecf7b3bf714880c657dda 03-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] ObjC Inlining: Start tracking dynamic type info in the GDM

In the following code, find the type of the symbolic receiver by
following it and updating the dynamic type info in the state when we
cast the symbol from id to MyClass *.

MyClass *a = [[self alloc] init];
return 5/[a testSelf];

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161264 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
rogramState.cpp
5b978519d2c5f5b4541768a827b675e997d4cd34 03-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a typo. Thanks Jordan.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161249 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
ee959355b93c0648fea88dc986d196e3705407dc 03-Aug-2012 Shih-wei Liao <sliao@google.com> Apply changes to migrate to CLANG-160673-20120724.

Change-Id: I00d23ac9b893c62dca281ec771eeb5f911854bae
ndroid.mk
08fc8eb5a1cc9c01af67e016ab21c9b905711eb1 03-Aug-2012 Shih-wei Liao <sliao@google.com> Merge with Clang upstream r160673 (Jul 24th 2012)

Conflicts:
lib/Sema/SemaDeclAttr.cpp

Change-Id: I37f02f20642a037b9da8d35fefa01986cd250b14
d015f4febe85d3e3340172d70042840c51bbd836 03-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Solve another source of non-determinism in the diagnostic
engine.

The code that was supposed to split the tie in a deterministic way is
not deterministic. Most likely one of the profile methods uses a
pointer. After this change we do finally get the consistent diagnostic
output. Testing this requires running the analyzer on large code bases
and diffing the results.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161224 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
207c408b14f0c29d65d6ad311456be94b812d5dd 02-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Also emit Prev/Next links for macros in HTML output. Oops.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161154 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
b23b711ad3dfb96dc9c457bd55c6e959bd1e0b8a 02-Aug-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add Prev/Next links to the HTML output.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161153 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
0eb6c37dd4e4ad8fa2363003dea270f9fd6c2969 02-Aug-2012 Anna Zaks <ganna@apple.com> [analyzer] Flush bug reports in deterministic order.

This makes the diagnostic output order deterministic.
1) This makes order of text diagnostics consistent from run to run.

2) Also resulted in different bugs being reported (from one run to
another) with plist-html output.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161151 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
2f9c40a915593849f6b0f5c4de516e2f597d0d66 31-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Control C++ inlining with a macro in ExprEngineCallAndReturn.cpp.

For now this will stay on, but this way it's easy to switch off if we need
to pull back our support for a while.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161064 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
e1ce783708b65eaa832ffad03d239264046dd0eb 31-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Turn -cfg-add-initializers on by default, and remove the flag.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161060 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
4fe64ad383c056774087113561063429103ac9a6 31-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't try to inline if there's no region for a message receiver.

While usually we'd use a symbolic region rather than a straight-up Unknown,
we can still generate unknowns via array subscripts with symbolic indexes.
(And if this ever changes in the future, we still shouldn't crash.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161059 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
6d8ab45a203eb701c2fd1104492cb4bd7557a3e9 31-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add a FIXME about devirtualization in ctors/dtors.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161058 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
6b4be2ef4ce49717ff972434975ce3c34c9a1c4c 31-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Getting an lvalue for a reference field still requires a load.

This was causing a crash in our array-to-pointer logic, since the region
was clearly not an array.

PR13440 / <rdar://problem/11977113>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161051 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
ef15831780b705475e7b237ac16418e9b53cb7a6 31-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Let CallEvent decide what goes in an inital stack frame.

This removes explicit checks for 'this' and 'self' from
Store::enterStackFrame. It also removes getCXXThisRegion() as a virtual
method on all CallEvents; it's now only implemented in the parts of the
hierarchy where it is relevant. Finally, it removes the option to ask
for the ParmVarDecls attached to the definition of an inlined function,
saving a recomputation of the result of getRuntimeDefinition().

No visible functionality change!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161017 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
tore.cpp
f0324d33967f28758f7243c7bb1a469c5a0394b6 31-Jul-2012 Anna Zaks <ganna@apple.com> [analyzer] Handle inlining of instance calls to super.

Use self-init.m for testing. (It used to have a bunch of failing tests
with dynamic inlining turned on.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161012 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
57c033621dacd8720ac9ff65a09025f14f70e22f 31-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Perform post-call checks for all inlined calls.

Previously, we were only checking the origin expressions of inlined calls.
Checkers using the generic postCall and older postObjCMessage callbacks were
ignored. Now that we have CallEventManager, it is much easier to create
a CallEvent generically when exiting an inlined function, which we can then
use for post-call checks.

No test case because we don't (yet) have any checkers that depend on this
behavior (which is why it hadn't been fixed before now).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161005 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngineCallAndReturn.cpp
2d18419a7c8f9a2975d4ed74a202de6467308ad1 30-Jul-2012 Anna Zaks <ganna@apple.com> [analyzer] Very simple ObjC instance method inlining

- Retrieves the type of the object/receiver from the state.
- Binds self during stack setup.
- Only explores the path on which the method is inlined (no
bifurcation to explore the path on which the method is not inlined).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160991 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
tore.cpp
e13056a8bb532ddfdc07952a13169aa422bacd3b 30-Jul-2012 Anna Zaks <ganna@apple.com> [analyzer] Add -analyzer-ipa=dynamic option for inlining dynamically
dispatched methods.

Disabled by default for now.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160988 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
d563d3fb73879df7147b8a5302c3bf0e1402ba18 30-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Only allow CallEvents to be created by CallEventManager.

This ensures that it is valid to reference-count any CallEvents, and we
won't accidentally try to reclaim a CallEvent that lives on the stack.
It also hides an ugly switch statement for handling CallExprs!

There should be no functionality change here.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160986 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
972a3680bdd95f2e9d6316b391f1c47513dc78cc 30-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Introduce a CallEventManager to keep a pool of CallEvents.

This allows us to get around the C++ "virtual constructor" problem
when we'd like to create a CallEvent from an ExplodedNode, an inlined
StackFrameContext, or another CallEvent. The solution has three parts:

- CallEventManager uses a BumpPtrAllocator to allocate CallEvent-sized
memory blocks. It also keeps a cache of freed CallEvents for reuse.
- CallEvents all have protected copy constructors, along with cloneTo()
methods that use placement new to copy into CallEventManager-managed
memory, vtables intact.
- CallEvents owned by CallEventManager are now wrapped in an
IntrusiveRefCntPtr. Going forwards, it's probably a good idea to create
ALL CallEvents through the CallEventManager, so that we don't accidentally
try to reclaim a stack-allocated CallEvent.

All of this machinery is currently unused but will be put into use shortly.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160983 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
11abf2ad01f64ede7c0555167f41a1c5852f80c6 27-Jul-2012 NAKAMURA Takumi <geek4civic@gmail.com> clang/lib: [CMake] Update tblgen'd dependencies.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160851 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
69a0e5021c5c49a34aa25cd89b1e613a52097e65 27-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Look through SubstNonTypeTemplateParmExprs.

We were treating this like a CXXDefaultArgExpr, but
SubstNonTypeTemplateParmExpr actually appears when a template is
instantiated, i.e. we have all the information necessary to evaluate it.
This allows us to inline functions like llvm::array_lengthof.

<rdar://problem/11949235>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160846 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
979f098cfa808cc9236b39658cc3757a39dfa459 27-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use a stack-based local AGAIN to fix the build for real.

It's a good thing CallEvents aren't created all over the place yet.
I checked all the uses this time and the private copy constructor
/really/ shouldn't cause any more problems.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160845 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
e3fd87c18b865a1bf61d3b977051580f9315f2a5 27-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use a stack-based local instead of a temporary to fix build.

Passing a temporary via reference parameter still requires a visible
copy constructor.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160840 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
6da60499eae46caf9f92f7ba35c607043dc3f7fa 27-Jul-2012 Ted Kremenek <kremenek@apple.com> Look at the preceding CFGBlock for the expression to load from in ExprEngine::VisitGuardedExpr
instead of walking to the preceding PostStmt node. There are cases where the last evaluated
expression does not appear in the ExplodedGraph.

Fixes PR 13466.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160819 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
7c99aa385178c630e29f671299cdd9c104f1c885 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] CallEvent is no longer a value object.

After discussion, the type-based dispatch was decided to be bad for
maintenance and made it very easy for subtle bugs to creep in. Instead,
we'll just be very careful when we do have to allocate these on the heap.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160817 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
f540c54701e3eeb34cb619a3a4eb18f1ac70ef2d 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Rename Calls.{h,cpp} to CallEvent.{h,cpp}. No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160815 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
allEvent.cpp
alls.cpp
heckerManager.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
egionStore.cpp
tore.cpp
1d3ca251f9891623fac0dbe70eece42564e274ed 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash on implicit statements inside initializers.

Our BugReporter knows how to deal with implicit statements: it looks in
the ParentMap until it finds a parent with a valid location. However, since
initializers are not in the body of a constructor, their sub-expressions are
not in the ParentMap. That was easy enough to fix in AnalysisDeclContext.

...and then even once THAT was fixed, there's still an extra funny case
of Objective-C object pointer fields under ARC, which are initialized with
a top-level ImplicitValueInitExpr. To catch these cases,
PathDiagnosticLocation will now fall back to the start of the current
function if it can't find any other valid SourceLocations. This isn't great,
but it's miles better than a crash.

(All of this is only relevant when constructors and destructors are being
inlined, i.e. under -cfg-add-initializers and -cfg-add-implicit-dtors.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160810 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
e460c46c5d602f65354cab0879c458890273591c 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't crash on array constructors and destructors.

This workaround is fairly lame: we simulate the first element's constructor
and destructor and rely on the region invalidation to "initialize" the rest
of the elements.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160809 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
3a0a9e3e8bbaa45f3ca22b1e20b3beaac0f5861e 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle C++ member initializers and destructors.

This uses CFG to tell if a constructor call is for a member, and uses
the member's region appropriately.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160808 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
075f6fbcb4d858c09e9b138f8dc10d8d3d43d935 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use the CFG to see if a constructor is for a local variable.

Previously we were using ParentMap and crawling through the parent DeclStmt.
This should be at least slightly cheaper (and is also more flexible).

No (intended) functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160807 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
888c90ac0ef6baf7d47e86cf5cc4715707d223b1 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle base class initializers and destructors.

Most of the logic here is fairly simple; the interesting thing is that
we now distinguish complete constructors from base or delegate constructors.
We also make sure to cast to the base class before evaluating a constructor
or destructor, since non-virtual base classes may behave differently.

This includes some refactoring of VisitCXXConstructExpr and VisitCXXDestructor
in order to keep ExprEngine.cpp as clean as possible (leaving the details for
ExprEngineCXX.cpp).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160806 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
183ba8e19d49ab1ae25d3cdd0a19591369c5ab9f 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Show paths for destructor calls.

This modifies BugReporter and friends to handle CallEnter and CallExitEnd
program points that came from implicit call CFG nodes (read: destructors).

This required some extra handling for nested implicit calls. For example,
the added multiple-inheritance test case has a call graph that looks like this:

testMultipleInheritance3
~MultipleInheritance
~SmartPointer
~Subclass
~SmartPointer
***bug here***

In this case we correctly notice that we started in an inlined function
when we reach the CallEnter program point for the second ~SmartPointer.
However, when we reach the next CallEnter (for ~Subclass), we were
accidentally re-using the inner ~SmartPointer call in the diagnostics.

Rather than guess if we saw the corresponding CallExitEnd based on the
contents of the active path, we now just ask the PathDiagnostic if there's
any known stack before popping off the top path.

(A similar issue could have occured without multiple inheritance, but there
wasn't a test case for it.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160804 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
da5fc53d6b024872c4c1d2c8c5da11e08bf116aa 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Inline ctors + dtors when the CFG is built for them.

At the very least this means initializer nodes for constructors and
automatic object destructors are present in the CFG.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160803 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
df51fb91c5c2a265019c3f24bf2993149abc79f8 26-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] PostImplicitCall can also occur between CFGElements.

This avoids an assertion crash when we invalidate on a destructor call
instead of inlining it.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160802 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
9dc5167e4017ef4c8b327abb6f72225eec2e0f19 26-Jul-2012 Anna Zaks <ganna@apple.com> [analyzer] Inline ObjC class methods.

- Some cleanup(the TODOs) will be done after ObjC method inlining is
complete.
- Simplified CallEvent::getDefinition not to require ISDynamicDispatch
parameter.
- Also addressed Jordan's comments from r160530.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160768 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
a2ad394dad8c90fb0374756a331d4a141f4a227d 26-Jul-2012 Ted Kremenek <kremenek@apple.com> Remove the ability to stash arbitrary pointers into UndefinedVal (no longer needed).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160764 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
829846b5002d7f8d6a54b9c58c3ecf7cac56d2cc 25-Jul-2012 Ted Kremenek <kremenek@apple.com> Remove ExprEngine::MarkBranch(), as it is no longer needed.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160761 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
469841a8e0967f038aa0f78e1926ce82e06248c7 25-Jul-2012 Ted Kremenek <kremenek@apple.com> Update ExprEngine's handling of ternary operators to find the ternary expression
value by scanning the path, rather than assuming we have visited the '?:' operator
as a terminator (which sets a value indicating which expression to grab the
final ternary expression value from).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160760 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
bed28ac1d1463adca3ecf24fca5c30646fa9dbb2 23-Jul-2012 Sylvestre Ledru <sylvestre@debian.org> Fix a typo (the the => the)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160622 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
c9dce4dbec86bff12c546586087a903c7b151dbd 21-Jul-2012 Benjamin Kramer <benny.kra@googlemail.com> Remove unused private member variable uncovered by the recent changes to clang's -Wunused-private-field.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160584 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
e81ce256b62717dd846bd19aecc4115a0dcd4995 20-Jul-2012 Anna Zaks <ganna@apple.com> [analyzer] Refactor VisitObjCMessage and VisitCallExpr to rely on the
same implementation for call evaluation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160530 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
7c30427afb4c2171ee4d336477f5e4d7c277ccb4 19-Jul-2012 Richard Smith <richard-llvm@metafoo.co.uk> Silence another GCC warning.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160488 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
8919e688dc610d1f632a4d43f7f1489f67255476 18-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Combine all ObjC message CallEvents into ObjCMethodCall.

As pointed out by Anna, we only differentiate between explicit message sends

This also adds support for ObjCSubscriptExprs, which are basically the same
as properties in many ways. We were already checking these, but not emitting
nice messages for them.

This depends on the llvm::PointerIntPair change in r160456.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160461 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
4b3918e9534e46f9ac067c6e0018f94613292efa 18-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Rename addExtraInvalidatedRegions to get...Regions

Per Anna's comment that "add..." sounds like a method that modifies
the receiver, rather than its argument.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160460 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
b7a23e05d1d8f07f2a6edce5c88c728fe894c2c7 18-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Make CallEvent a value object.

We will need to be able to easily reconstruct a CallEvent from an ExplodedNode
for diagnostic purposes, and that's exactly what factory functions are for.
CallEvent objects are small enough (four pointers and a SourceLocation) that
returning them through the stack is fairly cheap. Clients who just need to use
existing CallEvents can continue to do so using const references.

This uses the same sort of "kind-field-dispatch" as SVal, though most of the
nastiness is contained in the DISPATCH and DISPATCH_ARG macros at the end of
the file. (We can't use a template for this because member-pointers to base
class methods don't call derived-class methods even when casting to the
derived class. We can't use variadic macros because they're a C99 feature.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160459 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
4ccc4cc5d4e7c5c436d5f45065d3639cfc7c6e48 18-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove obsolete ObjCPropRef SVal kind.

ObjC properties are handled through their semantic form of ObjCMessageExprs
and their wrapper PseudoObjectExprs, and have been for quite a while. The
syntactic ObjCPropertyRefExprs do not appear in the CFG and are not visited
by ExprEngine.

No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160458 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
Vals.cpp
7ff8f5e9b1b8d87a64853735fc4218a6a9f70652 18-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove unused ExprEngine::VisitCXXTemporaryObjectExpr.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160457 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
21625c69e88d232e71a3bd4ba9d4bbb484183bf1 18-Jul-2012 Ted Kremenek <kremenek@apple.com> Fix crash in RegionStoreManager::evalDerivedToBase() due to not handling references
(in uses of dynamic_cast<>).

Fixes <rdar://problem/11817693>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160427 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
a6a1abac4701a3d08dc61070acd46b6a19be95ea 17-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove stale result type lvalue code.

This code has been moved around multiple times, but seems to have been
obsolete ever since we started handled references like pointers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160375 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
89e5aaf57e20b39e35b0d068ebbc09ae736f2e1e 17-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Handle new-expressions with initializers for scalars.

<rdar://problem/11818967>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160328 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
xprEngineCXX.cpp
f85f60ae3a6aad0f2b92154bf3a9601cf9a245c0 16-Jul-2012 Daniel Jasper <djasper@google.com> Prevent unused-variable warning in optimized builds.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160257 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
3f635c08b2d0b2d5bafb38da09589cb238407faa 14-Jul-2012 Ted Kremenek <kremenek@apple.com> Refine CFG so that '&&' and '||' don't lead to extra confluence points when used in a branch, but
instead push the terminator for the branch down into the basic blocks of the subexpressions of '&&' and '||'
respectively. This eliminates some artifical control-flow from the CFG and results in a more
compact CFG.

Note that this patch only alters the branches 'while', 'if' and 'for'. This was complex enough for
one patch. The remaining branches (e.g., do...while) can be handled in a separate patch, but they
weren't immediately tackled because they were less important.

It is possible that this patch introduces some subtle bugs, particularly w.r.t. to destructor placement.
I've tried to audit these changes, but it is also known that the destructor logic needs some refinement
in the area of '||' and '&&' regardless (i.e., their are known bugs).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160218 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
c36b30c92c78b95fd29fb5d9d6214d737b3bcb02 12-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Don't inline virtual calls unless we can devirtualize properly.

Previously we were using the static type of the base object to inline
methods, whether virtual or non-virtual. Now, we try to see if the base
object has a known type, and if so ask for its implementation of the method.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160094 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
emRegion.cpp
0ffbfd1a7f80f9a3c07317cb8f44c562f2ba1ba5 11-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add debug.DumpCalls, which prints out any CallEvents it sees.

This is probably not so useful yet because it is not path-sensitive, though
it does try to show inlining with indentation.

This also adds a dump() method to CallEvent, which should be useful for
debugging.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160030 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
48b6247804eacc262cc5508e0fbb74ed819fbb6e 11-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Construct stack variables directly in their VarDecl.

Also contains a number of tweaks to inlining that are necessary
for constructors and destructors. (I have this enabled on a private
branch, but it is very much unstable.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160023 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCallAndReturn.cpp
tore.cpp
e54cfc7b9990acffd0a8a4ba381717b4bb9f3011 11-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use CallEvent for building inlined stack frames.

In order to accomplish this, we now build the callee's stack frame
as part of the CallEnter node, rather than the subsequent BlockEdge node.
This should not have any effect on perceived behavior or diagnostics.

This makes it safe to re-enable inlining of member overloaded operators.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160022 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
rogramState.cpp
egionStore.cpp
tore.cpp
852aa0d2c5d2d1faf2d77b5aa3c0848068a342c5 11-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Make CallEnter, CallExitBegin, and CallExitEnd not be StmtPoints

These ProgramPoints are used in inlining calls,
and not all calls have associated statements anymore.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160021 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
8d276d38c258dfc572586daf6c0e8f8fce249c0e 11-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add a CXXDestructorCall CallEvent.

While this work is still fairly tentative (destructors are still left out of
the CFG by default), we now handle destructors in the same way as any other
calls, instead of just automatically trying to inline them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160020 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
28038f33aa2db4833881fea757a1f0daf85ac02b 11-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add new PreImplicitCall and PostImplicitCall ProgramPoints.

These are currently unused, but are intended to be used in lieu of PreStmt
and PostStmt when the call is implicit (e.g. an automatic object destructor).

This also modifies the Data1 field of ProgramPoints to allow storing any
pointer-sized value, as opposed to only aligned pointers. This is necessary
to store SourceLocations.

There is currently no BugReporter support for these; they should be skipped
over in any diagnostic output.

This commit also tags checkers that currently rely on function calls only
occurring at StmtPoints.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160019 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
heckerManager.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
ee158bc29bc12ce544996f7cdfde14aba63acf4d 09-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] When inlining, make sure we use the definition decl.

This was a regression introduced during the CallEvent changes; a call to
FunctionDecl::hasBody was also being used to replace the decl found by
lookup with the actual definition. To keep from making this mistake again
(particularly if/when we start inlining Objective-C methods), this commit
adds a "getDefinition()" method to CallEvent, which should do the right
thing under any circumstances.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159940 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
752bee2493ec2931bd18899753552e3a47dc85fe 06-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Be careful about LazyCompoundVals, which may be for the first field.

We use LazyCompoundVals to avoid copying the contents of structs and arrays
around in the store, and when we need to pass a struct around that already
has a LazyCompoundVal we just use the original one. However, it's possible
that the first field of a struct may have a LazyCompoundVal of its own, and
we currently can't distinguish a LazyCompoundVal for the first element of a
struct from a LazyCompoundVal for the entire struct. In this case we should
just drop the optimization and make a new LazyCompoundVal that encompasses
the old one.

PR13264 / <rdar://problem/11802440>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159866 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
8d3ba23f2d9e6c87794d059412a0808c9cbacb25 06-Jul-2012 Dmitri Gribenko <gribozavr@gmail.com> Implement AST classes for comments, a real parser for Doxygen comments and a
very simple semantic analysis that just builds the AST; minor changes for lexer
to pick up source locations I didn't think about before.

Comments AST is modelled along the ideas of HTML AST: block and inline content.

* Block content is a paragraph or a command that has a paragraph as an argument
or verbatim command.
* Inline content is placed within some block. Inline content includes plain
text, inline commands and HTML as tag soup.



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159790 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
478851c3ed6bd784e7377dffd8e57b200c1b9ba9 04-Jul-2012 Benjamin Kramer <benny.kra@googlemail.com> Drop the ASTContext.h include from Stmt.h and fix up transitive users.

This required moving the ctors for IntegerLiteral and FloatingLiteral out of
line which shouldn't change anything as they are usually called through Create
methods that are already out of line.

ASTContext::Deallocate has been a nop for a long time, drop it from ASTVector
and make it independent from ASTContext.h

Pass the StorageAllocator directly to AccessedEntity so it doesn't need to
have a definition of ASTContext around.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159718 91177308-0d34-0410-b5e6-96231b3b80d8
asicValueFactory.cpp
fdaa33818cf9bad8d092136e73bd2e489cb821ba 04-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] For now, don't inline non-static member overloaded operators.

Our current inlining support (specifically RegionStore::enterStackFrame)
doesn't know that calls to overloaded operators may be calls to non-static
member functions, and that in these cases the first argument should be
treated as 'this'. This caused incorrect results and sometimes crashes.

The long-term fix will be to rewrite RegionStore::enterStackFrame to use
CallEvent and its subclasses, but for now we can just disable these
problematic calls by classifying them under a new CallEvent,
CXXMemberOperatorCall.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159692 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
70cbf3cc09eb21db1108396d30a414ea66d842cc 03-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Introduce CXXAllocatorCall to handle placement arg invalidation.

This is NOT full-blown support for operator new, but removes some nasty
duplicated code introduced in r158784.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159608 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
840c9842ed8b3a2b1276519a80f89e7d409fc148 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> Revert "Remove unused member (& consequently unused parameter) in SA's Call code."

...and instead add an accessor. We're not using this today, but it's something
that should probably stay in the source for potential clients, and it doesn't
cost a lot. (ObjCPropertyAccess is only created on the stack, and right now
there's only ever one alive at a time.)

This reverts r159581 / commit 8e674e1da34a131faa7d43dc3fcbd6e49120edbe.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159595 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
8e674e1da34a131faa7d43dc3fcbd6e49120edbe 02-Jul-2012 David Blaikie <dblaikie@gmail.com> Remove unused member (& consequently unused parameter) in SA's Call code.

This member became unused in r159559.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159581 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
d4aeb8050a1d0fe47c53a73361c8b0b8ac310f46 02-Jul-2012 Ted Kremenek <kremenek@apple.com> Bail out the LiveVariables analysis when the CFG is very large, as
we are encountering some scalability issues with memory usage. The
appropriate long term fix is to make the analysis more scalable, but
this will at least prevent the analyzer swapping when
analyzing very large functions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159578 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
96479da6ad9d921d875e7be29fe1bfa127be8069 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add generic preCall and postCall checks.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159562 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
362a31cacc19764f3630928a9e4779af2576e074 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Convert CXXConstructExpr over to use CallEvent for evaluation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159561 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
69f87c956b3ac2b80124fd9604af012e1061473a 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Use CallEvent for inlining and call default-evaluation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159560 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
heckerManager.cpp
xprEngineCallAndReturn.cpp
de507eaf3cb54d3cb234dc14499c10ab3373d15f 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Finish replacing ObjCMessage with ObjCMethodDecl and friends.

The preObjCMessage and postObjCMessage callbacks now take an ObjCMethodCall
argument, which can represent an explicit message send (ObjCMessageSend) or an
implicit message generated by a property access (ObjCPropertyAccess).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159559 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
heckerManager.cpp
xprEngine.cpp
xprEngineObjC.cpp
cde8cdbd6a662c636164465ad309b5f17ff01064 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Begin replacing ObjCMessage with ObjCMethodCall and friends.

Previously, the CallEvent subclass ObjCMessageInvocation was just a wrapper
around the existing ObjCMessage abstraction (over message sends and property
accesses). Now, we have abstract CallEvent ObjCMethodCall with subclasses
ObjCMessageSend and ObjCPropertyAccess.

In addition to removing yet another wrapper object, this should make it easy
to add a ObjCSubscriptAccess call event soon.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159558 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngine.cpp
xprEngineObjC.cpp
85d7e01cf639b257d70f8a129709a2d7594d7b22 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Move the last bits of CallOrObjCMessage over to CallEvent.

This involved refactoring some common pointer-escapes code onto CallEvent,
then having MallocChecker use those callbacks for whether or not to consider
a pointer's /ownership/ as escaping. This still needs to be pinned down, and
probably we want to make the new argumentsMayEscape() function a little more
discerning (content invalidation vs. ownership/metadata invalidation), but
this is a good improvement.

As a bonus, also remove CallOrObjCMessage from the source completely.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159557 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
alls.cpp
xplodedGraph.cpp
xprEngine.cpp
bjCMessage.cpp
740d490593e0de8732a697c9f77b90ddd463863b 02-Jul-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add a new abstraction over all types of calls: CallEvent

This is intended to replace CallOrObjCMessage, and is eventually intended to be
used for anything that cares more about /what/ is being called than /how/ it's
being called. For example, inlining destructors should be the same as inlining
blocks, and checking __attribute__((nonnull)) should apply to the allocator
calls generated by operator new.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159554 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
alls.cpp
heckerManager.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
rogramState.cpp
egionStore.cpp
8d0f528afd9fcb9ebb8ccb4b8a529a05375b628e 29-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add a test that we are, in fact, doing a DFS on the ExplodedGraph.

Previously:
...the comment said DFS...
...the WorkList being instantiated said BFS...
...and the implementation was actually DFS...
...due to an unintentional change in 2010...
...and everything kept working anyway.

This fixes our std::deque implementation of BFS, but switches back to a
SmallVector-based implementation of DFS.

We should probably still investigate the ramifications of DFS vs. BFS,
especially for large functions (and especially when we hit our block path
limit), since this might completely change our memory use. It can also mask
some bugs and reveal others depending on when we halt analysis. But at least
we will not have this kind of little mistake creep in again.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159397 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
4715ed95e3e710db097bfdd9a38b67bd7e86aced 27-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Remove unneeded helper function (it's in ASTContext.h)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159244 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
10f77ad7fc5e5cf3f37a9b14ff5843468b8b84d2 23-Jun-2012 Ted Kremenek <kremenek@apple.com> Implement initial static analysis inlining support for C++ methods.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159047 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
egionStore.cpp
ValBuilder.cpp
0206425d9f13486bc18ad4fbd84c4a76d2535dc4 23-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Remove a statistic - it's too expensive.

(Committed in r159038 by mistake.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159040 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
1e548f12f7cd6631a3e688a9580ede92898d9e69 23-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer]scan-build: report the total number of steps analyzer performs

This would be useful to investigate performance issues.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159038 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
df19fe7cafcb02859efeb6963cddeafef4350ddf 23-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Report the cumulative number of steps the analyzer performs.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159036 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
6c234b1fd1da64a14a77433cb805cb1aa798512a 22-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Check for +raise:format: on subclasses of NSException as well.

We don't handle exceptions yet, so we treat them as sinks. ExprEngine
hardcodes messages that are known to raise Objective-C exceptions like -raise,
but it was only checking for +raise:format: and +raise:format:arguments: on
NSException itself, not subclasses.

<rdar://problem/11724201>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159010 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
b0d8671f95fe08a220118bca29063ba4d11a9dac 21-Jun-2012 Chandler Carruth <chandlerc@gmail.com> Remove a goofy CMake hack and use the standard CMake facilities to
express library-level dependencies within Clang.

This is no more verbose really, and plays nicer with the rest of the
CMake facilities. It should also have no change in functionality.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158888 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
e38c1c2c449529e60f48e740cb8662e68e5a5330 20-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Invalidate placement args; return the pointer given to placement new

The default global placement new just returns the pointer it is given.
Note that other custom 'new' implementations with placement args are not
guaranteed to do this.

In addition, we need to invalidate placement args, since they may be updated by
the allocator function. (Also, right now we don't properly handle the
constructor inside a CXXNewExpr, so we need to invalidate the placement args
just so that callers know something changed!)

This invalidation is not perfect because CallOrObjCMessage doesn't support
CXXNewExpr, and all of our invalidation callbacks expect that if there's no
CallOrObjCMessage, the invalidation is happening manually (e.g. by a direct
assignment) and shouldn't affect checker-specific metadata (like malloc state);
hence the malloc test case in new-fail.cpp. But region values are now
properly invalidated, at least.

The long-term solution to this problem is to rework CallOrObjCMessage into
something more general, rather than the morass of branches it is today.

<rdar://problem/11679031>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158784 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
333e05f24717c79637e83806fd5142c752a86afa 18-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add a comment: why we treat array compound literals as lvalues.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158681 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
3083d3c550dedf68101dd9133905c3c7d35662bd 16-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Array CompoundLiteralExprs need to be treated like lvalues.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158588 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
9955e708ffadb479b82b26d93dfcf0f5a2a6e372 16-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Return an UnknownVal when we try to get the binding for a VLA.

This happens in C++ mode right at the declaration of a struct VLA;
MallocChecker sees a bind and tries to get see if it's an escaping bind.
It's likely that our handling of this is still incomplete, but it fixes a
crash on valid without disturbing anything else for now.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158587 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
2e6f5b823912ae76211427cb8684c9eaa6e53a1f 16-Jun-2012 James Dennett <jdennett@google.com> Documentation cleanup: fix a type, LocatioinE -> LocationE

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158566 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
5b8c69494881b7d35bc6244b4a19be0cc2eab368 12-Jun-2012 Jordan Rose <jordan_rose@apple.com> Revert "[analyzer] Treat LValueBitCasts like regular pointer bit casts."

This does not actually give us the right behavior for reinterpret_cast
of references. Reverting so I can think about it some more.

This reverts commit 50a75a6e26a49011150067adac556ef978639fe6.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158341 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
egionStore.cpp
570d03c6831a8e19447dc863aa94ffff020077eb 12-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Treat LValueBitCasts like regular pointer bit casts.

These casts only appear in very well-defined circumstances, in which the
target of a reinterpret_cast or a function formal parameter is an lvalue
reference. According to the C++ standard, the following are equivalent:

reinterpret_cast<T&>( x)
*reinterpret_cast<T*>(&x)

[expr.reinterpret.cast]p11

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158338 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
egionStore.cpp
8cd64b4c5553fa6284d248336cb7c82dc960a394 11-Jun-2012 Chad Rosier <mcrosier@apple.com> Etch out the code path for MS-style inline assembly.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158325 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
1895a0a6936001374f66adbdfcf8abe5edf912ea 11-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Add ObjCLoopChecker: objects from NSArray et al are non-nil.

While collections containing nil elements can still be iterated over in an
Objective-C for-in loop, the most common Cocoa collections -- NSArray,
NSDictionary, and NSSet -- cannot contain nil elements. This checker adds
that assumption to the analyzer state.

This was the cause of some minor false positives concerning CFRelease calls
on objects in an NSArray.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158319 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
a64fae162fd1ca9398f6f4ecb27648d965e01587 08-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Add experimental "issue hash" to the plist diagnostic.

CmpRuns.py can be used to compare issues from different analyzer runs.
Since it uses the issue line number to unique 2 issues, adding a new
line to the beginning of a file makes all issues in the file reported as
new.

The hash will be an opaque value which could be used (along with the
function name) by CmpRuns to identify the same issues. This way, we only
fail to identify the same issue from two runs if the function it appears
in changes (not perfect, but much better than nothing).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158180 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
783f0087ecb5af27d2f8caed7d6b904797c3d752 07-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Fixit for r158136.

I falsely assumed that the memory spaces are equal when we reach this
point, they might not be when memory space of one or more is stack or
Unknown. We don't want a region from Heap space alias something with
another memory space.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158165 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
e17fdb2d5dbf0ffefd417587003eebbe5baf5984 07-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Anti-aliasing: different heap allocations do not alias

Add a concept of symbolic memory region belonging to heap memory space.
When comparing symbolic regions allocated on the heap, assume that they
do not alias.

Use symbolic heap region to suppress a common false positive pattern in
the malloc checker, in code that relies on malloc not returning the
memory aliased to other malloc allocations, stack.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158136 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
ValBuilder.cpp
impleSValBuilder.cpp
36397dc6c1bf1513a3bac4eabe9209e5b2295a55 06-Jun-2012 Jordan Rose <jordan_rose@apple.com> [analyzer] Provide debug descriptions for all memory space regions.

Patch by Guillem Marpons!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158106 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
581deb3da481053c4993c7600f97acf7768caac5 06-Jun-2012 David Blaikie <dblaikie@gmail.com> Revert Decl's iterators back to pointer value_type rather than reference value_type

In addition, I've made the pointer and reference typedef 'void' rather than T*
just so they can't get misused. I would've omitted them entirely but
std::distance likes them to be there even if it doesn't use them.

This rolls back r155808 and r155869.

Review by Doug Gregor incorporating feedback from Chandler Carruth.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158104 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
impleSValBuilder.cpp
facde171ae4b8926622a1bffa833732a06f1875b 06-Jun-2012 Benjamin Kramer <benny.kra@googlemail.com> Remove unused private member variables found by clang's new -Wunused-private-field.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158086 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
7453a72cd0dcc70f29006ba488b743f078072bc7 06-Jun-2012 Ted Kremenek <kremenek@apple.com> PlistDiagnostics: force the ranges for control-flow edges to be single locations, forcing
adjacent edges to have compatible ranges. This simplifies the layout logic for some clients.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158028 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
0344e5423db6dbb614f057887be714d2c0f7f0f6 04-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a diagnostics bug which lead to a crash on the buildbot.

This bug was triggered by r157851. It only happens in the case where we
don't perform optimal diagnostic pruning.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157950 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
c0e71a15bce9bb8c0d4ec1c42fab70c03140f9e0 02-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Rely on canBeInlined utility instead of checking CallExpr
explicitly.

This will make it easier to add inlining support to more expressions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157870 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
xprEngine.cpp
183ff2aaacbc1995ed64d5e2ffea4456fd871633 02-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a spurious undef value warning.

When we timeout or exceed a max number of blocks within an inlined
function, we retry with no inlining starting from a node right before
the CallEnter node. We assume the state of that node is the state of the
program before we start evaluating the call. However, the node pruning
removes this node as unimportant.

Teach the node pruning to keep the predecessors of the call enter nodes.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157860 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
144e52be486a3906aec90c51b0ac94a30313152e 02-Jun-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix lack of coverage after empty inlined function.

We should not stop exploring the path after we return from an empty
function.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157859 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
7fa9b4f258636d89342eda28f21a986c8ac353b1 01-Jun-2012 Ted Kremenek <kremenek@apple.com> static analyzer: add inlining support for directly called blocks.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157833 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
emRegion.cpp
rogramState.cpp
egionStore.cpp
ed7948b55fa4b2505f240cc5287137f451172b4c 31-May-2012 Ted Kremenek <kremenek@apple.com> Allow some BugReports to opt-out of PathDiagnostic callstack pruning until we have significantly
improved the pruning heuristics. The current heuristics are pretty good, but they make diagnostics
for uninitialized variables warnings particularly useless in some cases.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157734 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
e41458c37923c77fdae39676b3b4bce9f6c80def 25-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Don't crash on LValBitCast

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157478 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
17eb65f1bfcc33d2a9ecefe32368cb374155dbdc 24-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Treat cast of array to reference in the same way as array to
pointer.

Fixes one of the crashes reported in PR12874.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157401 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
13dd47a0c01f8b4a6b3fbe379218f7ba8e692d0f 22-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Bind UnknownVal to InitListExpr for unsupported types
(ex: float).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157211 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
b7824d9919c3588e898c22f47a5248f10a7a084d 21-May-2012 Benjamin Kramer <benny.kra@googlemail.com> Analyzer: Fix PR12905, a crash when encountering a call to a function named "C".

While there clean up indentation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157204 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
591b5f53c0e11d87401b4804bb1be1a53f95c619 19-May-2012 Anna Zaks <ganna@apple.com> [analyzer] For locations, use isGLValue() instead of isLValue().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157088 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCallAndReturn.cpp
bjCMessage.cpp
719b429e3ed660cfd9cce88397b29c695a25fa50 19-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a c++11 crash: xvalues can be locations (VisitMemberExpr)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157082 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
70fdbc366da85880aae5baebd3351e993ca05603 12-May-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] RetainCountChecker: track ObjC boxed expression objects.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156699 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
df8755884e039d3f313ee0fea42b955257b5e240 11-May-2012 Argyrios Kyrtzidis <akyrtzi@gmail.com> The Lexer constructor expects a source location at the start of the
file buffer, not at the start of lexing.

Fixes assertion hit in format diagnostics. rdar://11418366

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156647 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
51d18cab1f55df33d85137868b59fec0c4a8776a 11-May-2012 Ted Kremenek <kremenek@apple.com> Include line that was meant to be in my last commit.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156582 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
8667052a53a47a6290dc9ae98e5c3d9277df5f4a 11-May-2012 Ted Kremenek <kremenek@apple.com> Fix insidious RegionStore bug where we (a) didn't handle vector types and (b) had
a horrible bug in GetLazyBindings where we falsely appended a field suffix when traversing 3 or more
layers of lazy bindings. I don't have a reduced test case yet; but I have added the original source
to an internal regression test suite. I'll see about coming up with a reduced test case.

Fixes <rdar://problem/11405978> (for real).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156580 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
b3b1ae85757a8722caccb742b73ca31b4b53bb0a 10-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Exit early if constraint solver is given a non-integer symbol
to reason about.

As part of taint propagation, we now allow creation of non-integer
symbolic expressions like a cast from int to float.

Addresses PR12511 (radar://11215362).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156578 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
50b5a5c32e07301e4edcc01aca1f8a49a128c66c 09-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Simplify r156446, as per Ted's review.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156482 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
caa62af79db9be0ef0843aa77cbc216108842855 09-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Allow pointers to escape through selector callbacks.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156481 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
a8f2362307b436023095e66efd678ae591c02184 09-May-2012 Anna Zaks <ganna@apple.com> [analyzer] We currently do not fully support CompoundLiterals in
RegionStore, so be explicit about it and generate UnknownVal().

This is a hack to ensure we never produce undefined values for a value
coming from a compound value. (The undefined values can lead to
false positives.)

radar://10127782

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156446 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
4213e389d6f8fa96ab30eec0d932e4e3eee32997 08-May-2012 Ted Kremenek <kremenek@apple.com> Having RegionStore lower field bindings to raw offsets, just like ElementRegions. This is a bit
disruptive, but it allows RegionStore to better "see" through casts that reinterpret arrays of values
as structs. Fixes <rdar://problem/11405978>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156428 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
7dbbc2178fb487f3a8bff03a2c9e87f727bf2b98 08-May-2012 Ted Kremenek <kremenek@apple.com> When creating lazy bindings in RegionStore, propagate existing lazy bindings instead of creating new ones.
This is a functionality optimization.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156427 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
6341931b144cbf369ab816e871322c99ee62bea7 08-May-2012 Ted Kremenek <kremenek@apple.com> Include address of Store in graphviz output of ExplodedGraph.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156426 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
c319c585c0d5899cba0dca2272e6e4909c8b9f16 08-May-2012 Ted Kremenek <kremenek@apple.com> Teach the analyzer about CXXScaleValueInitExpr.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156369 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
2cbc12fa24482889159926aab79e361ebe2e7f91 08-May-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] BasicConstraintManager: drop NE-constraints once we have a value.

This could conceivably cut down on state proliferation, although we don't
use BasicConstraintManager by default anymore. No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156362 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
1d8db493f86761df9470254a2ad572fc6abf1bf6 08-May-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] Rework both constraint managers to handle mixed-type comparisons.

This involves keeping track of three separate types: the symbol type, the
adjustment type, and the comparison type. For example, in "$x + 5 > 0ULL",
if the type of $x is 'signed char', the adjustment type is 'int' and the
comparison type is 'unsigned long long'. Most of the time these three types
will be the same, but we should still do the right thing when the
comparison value is out of range, and wraparound should be calculated in
the adjustment type.

This also re-disables an out-of-bounds test; we were extracting the symbol
from non-additive SymIntExprs, but then throwing away the integer.

Sorry for the large patch; both the basic and range constraint managers needed
to be updated together, since they share code in SimpleConstraintManager.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156361 91177308-0d34-0410-b5e6-96231b3b80d8
PSIntType.cpp
asicConstraintManager.cpp
MakeLists.txt
angeConstraintManager.cpp
impleConstraintManager.cpp
impleConstraintManager.h
d3b6d99cd57522b15dcec0eb771a97d9599d4db2 08-May-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] Add an abstraction for the bit width and signedness of an APSInt. No functionality change.

There are more parts of the analyzer that could use the convenience of APSIntType, particularly the constraint engine, but that needs a fair amount of rewriting to handle mixed-type constraints anyway.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156360 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
6400f02ab2048eb9aa2bc31b26db9f19a99d35f4 07-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a crash in triggered by OSAtomicChecker.

SValBuilder should return an UnknownVal() when comparison of int and ptr
fails. Previous to this commit, it went on assuming that we are dealing
with pointer arithmetic.

PR12509, radar://11390991

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156320 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
3127d48cd8572d88d16e2b2d16045bdb3f7a4a98 07-May-2012 David Blaikie <dblaikie@gmail.com> Remove variable made unused by r156270.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156273 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
c838fd2ab889ffbb82c90da0cd634ef75b614b2c 07-May-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] Reduce parallel code paths in SimpleSValBuilder::evalBinOpNN, and handle mixed-type operations more generally.

The logical change is that the integers in SymIntExprs may not have the same type as the symbols they are paired with. This was already the case with taint-propagation expressions created by SValBuilder::makeSymExprValNN, but I think those integers may never have been used. SimpleSValBuilder should be able to handle mixed-integer-type SymIntExprs fine now, though, and the constraint managers were already being defensive (though not entirely correct). All existing tests pass.

The logic in evalBinOpNN has been simplified so that conversion is done as late as possible. As a result, most of the switch cases have been reduced to do the minimal amount of work, delegating to another case when they can by substituting ConcreteInts and (as before) reversing the left and right arguments when useful.

Comparisons require special handling in two places (building SymIntExprs and evaluating constant-constant operations) because we don't /know/ the best type for comparing the two values. I've approximated the rules in Sema [C99 6.3.1.8] but it'd be nice to refactor Sema's actual algorithm into ASTContext.

This is also groundwork for handling mixed-type constraints better than we do now.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156270 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
85d87df66a50a15a1957f7213802000b451a8ec9 04-May-2012 Ted Kremenek <kremenek@apple.com> Explicitly model capturing variables for blocks in the static analyzer. Fixes <rdar://problem/11125868>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156211 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
emRegion.cpp
egionStore.cpp
84d43848e39eab9e3386cbfb3906ba2d6a382f24 04-May-2012 Anna Zaks <ganna@apple.com> [analyzer]Fixup r156134: Handle the case when FunctionDecl isn't avail.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156183 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
b79d862af66d8dd9d059863813b9a27d744bd990 04-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Assume pointer escapes when a callback is passed inside
a struct.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156135 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
aca0ac58d2ae80d764e3832456667d7322445e0c 04-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Allow pointers escape through calls containing callback args.

(Since we don't have a generic pointer escape callback, modify
ExprEngineCallAndReturn as well as the malloc checker.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156134 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
bjCMessage.cpp
90a7126f76b7511b0a073cbbcde40d1334b40542 03-May-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] When promoting constant integers in a comparison, use the larger width of the two to avoid truncation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156089 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
14d20b1dff6370f76279fcfb0fd780e2e5eb57bb 03-May-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] Equality ops are like relational ops in that the arguments shouldn't be converted to the result type. Fixes PR12206 and dupe PR12510.

This was probably the original intent of r133041 (also me, a year ago).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156062 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
e55a14a025c38800d07f1ab0db7dbbe4a2fe1605 03-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Conjure a symbol to ensure we can identify pointer arithmetic

We need to identify the value of ptr as
ElementRegion (result of pointer arithmetic) in the following code.
However, before this commit '(2-x)' evaluated to Unknown value, and as
the result, 'p + (2-x)' evaluated to Unknown value as well.

int *p = malloc(sizeof(int));
ptr = p + (2-x);

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156052 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
da3960347a5d563d6746cb363b25466282a09ce3 03-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Do not assert on constructing SymSymExpr with diff types.

The resulting type info is stored in the SymSymExpr, so no reason not to
support construction of expression with different subexpression types.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156051 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleSValBuilder.cpp
baeaa9ad120f60b1c5b6f1a84286b507dbe2b55d 03-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Add a complexity bound on history tracking.

(Currently, this is only relevant for tainted data.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156050 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
ymbolManager.cpp
31595e22b7e0d21b0b7c4c4fb196e97d3edc2a08 03-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Revert the functional part of r155944.

The change resulted in multiple issues on the buildbot, so it's not
ready for prime time. Only enable history tracking for tainted
data(which is experimental) for now.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156049 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
11abcecc8c919673237cf37384290a1ef1943976 02-May-2012 Ted Kremenek <kremenek@apple.com> Refine analyzer diagnostics by adding an expression "cone-of-influence" to reverse track interesting
values through interesting expressions. This allows us to map from interesting values in a caller
to interesting values in a caller, thus recovering some precision in diagnostics lost from IPA.

Fixes <rdar://problem/11327497>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155971 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
2a6e30d9ec947e26df55b4ea4eb5b583bb85ee96 02-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix an assertion failure triggered by the analyzer buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155964 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
140d0c64417e2fb5fc4dd40ce0d46b037ac11b02 01-May-2012 Ted Kremenek <kremenek@apple.com> Teach SValBuilder to handle casts of symbolic pointer values to an integer twice. Fixes <rdar://problem/11212866>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155950 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
e2241cbb0455a60ba27d6c4b9d601ffef3ed103f 01-May-2012 Anna Zaks <ganna@apple.com> [analyzer] Construct a SymExpr even when the constraint solver cannot
reason about the expression.

This essentially keeps more history about how symbolic values were
constructed. As an optimization, previous to this commit, we only kept
the history if one of the symbols was tainted, but it's valuable keep
the history around for other purposes as well: it allows us to avoid
constructing conjured symbols.

Specifically, we need to identify the value of ptr as
ElementRegion (result of pointer arithmetic) in the following code.
However, before this commit '(2-x)' evaluated to Unknown value, and as
the result, 'p + (2-x)' evaluated to Unknown value as well.

int *p = malloc(sizeof(int));
ptr = p + (2-x);

This change brings 2% slowdown on sqlite. Fixes radar://11329382.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155944 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleSValBuilder.cpp
262bc18e32500558af7cb0afa205b34bd37bafed 30-Apr-2012 David Blaikie <dblaikie@gmail.com> Remove the ref/value inconsistency in filter_decl_iterator.

filter_decl_iterator had a weird mismatch where both op* and op-> returned T*
making it difficult to generalize this filtering behavior into a reusable
library of any kind.

This change errs on the side of value, making op-> return T* and op* return
T&.

(reviewed by Richard Smith)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155808 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
impleSValBuilder.cpp
8f40afbf7740c39fccaa4b8cc5aa2814d5ed6fdc 26-Apr-2012 Ted Kremenek <kremenek@apple.com> [analyzer] check lazy bindings in RegionStore first before looking for default values. Fixes <rdar://problem/11269741>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155615 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
28c9e5720dea5f7b9a4d154ee49886c69de8ae29 24-Apr-2012 Shih-wei Liao <sliao@google.com> Migrate external/clang to CLANG-155088-20120419.

Change-Id: I7e31d8b22ef405f54838a8582c78291fa45ca344
ndroid.mk
fa784da5b9039ead42323bfe9ae6d33ab3c5c6b3 24-Apr-2012 Shih-wei Liao <sliao@google.com> Merge with CLANG upstream r155088.

Conflicts:
lib/Basic/Targets.cpp

Change-Id: Id80f069ae25e623967b705e9fa11cfd94dd2461c
0b3ade86a1c60cf0c7b56aa238aff458eb7f5974 20-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] Run remove dead bindings right before leaving a function.

This is needed to ensure that we always report issues in the correct
function. For example, leaks are identified when we call remove dead
bindings. In order to make sure we report a callee's leak in the callee,
we have to run the operation in the callee's context.

This change required quite a bit of infrastructure work since:
- We used to only run remove dead bindings before a given statement;
here we need to run it after the last statement in the function. For
this, we added additional Program Point and special mode in the
SymbolReaper to remove all symbols in context lower than the current
one.
- The call exit operation turned into a sequence of nodes, which are
now guarded by CallExitBegin and CallExitEnd nodes for clarity and
convenience.

(Sorry for the long diff.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155244 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
heckerManager.cpp
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
ymbolManager.cpp
eb382ec1507cf2c8c12d7443d0b67c076223aec6 19-Apr-2012 Patrick Beard <pcbeard@mac.com> Implements boxed expressions for Objective-C. <rdar://problem/10194391>


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155082 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
01561d1039bfdda61edd20eed939011a8632c7c7 17-Apr-2012 Ted Kremenek <kremenek@apple.com> Change ExprEngine::shouldInlineDecl() to be defensive in checking if the CFG of the callee is valid. Fixes <rdar://problem/11257631>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154896 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
534986f2b21e6050bf00163cd6423fd92155a6ed 14-Apr-2012 Richard Smith <richard-llvm@metafoo.co.uk> Add an AttributedStmt type to represent a statement with C++11 attributes
attached. Since we do not support any attributes which appertain to a statement
(yet), testing of this is necessarily quite minimal.

Patch by Alexander Kornienko!


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154723 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
87e154c09bbb060a0620bc988d7723bee64fb79c 13-Apr-2012 Douglas Gregor <dgregor@apple.com> Remove the unused, unmaintained, incomplete 'Index' library.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154672 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
oreEngine.cpp
6a86082f3a06a2dcceaaf63f78a0e52d64bcbaa3 13-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] PCH deserialization optimization.

We should not deserialize unused declarations from the PCH file. Achieve
this by storing the top level declarations during parsing
(HandleTopLevelDecl ASTConsumer callback) and analyzing/building a call
graph only for those.

Tested the patch on a sample ObjC file that uses PCH. With the patch,
the analyzes is 17.5% faster and clang consumes 40% less memory.
Got about 10% overall build/analyzes time decrease on a large Objective
C project.

A bit of CallGraph refactoring/cleanup as well..

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154625 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
7ea1c5639764aa3ebe124f4350c5f2b3be795667 12-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] dynamic_cast Simplify null value generation.

As per Jordy's review. Creating a symbol here is more flexible; however
I could not come up with an example where it was needed. (What
constrains can be added on of the symbol constrained to 0?)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154542 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
a2c8d2edfff1573450c6feba876830dd746ffaad 10-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] dynamic_cast: Better model cast from a reference.

Generate a sink when the dynamic_cast from a reference fails to
represent a thrown exception.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154438 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
egionStore.cpp
e19f86edab8fb3c2c1e99e0e9815b6058504df9b 10-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] Add support for C++ dynamic_cast.

Simulate the C++ dynamic_cast in the analyzer.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154434 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
egionStore.cpp
bd613137499b1d4c3b63dccd0aa21f6add243f4f 07-Apr-2012 Ted Kremenek <kremenek@apple.com> Rework ExprEngine::evalLoad and clients (e.g. VisitBinaryOperator) so that when we generate a new ExplodedNode
we use the same Expr* as the one being currently visited. This is preparation for transitioning to having
ProgramPoints refer to CFGStmts.

This required a bit of trickery. We wish to keep the old Expr* bindings in the Environment intact,
as plenty of logic relies on it and there is no reason to change it, but we sometimes want the Stmt* for
the ProgramPoint to be different than the Expr* being used for bindings. This requires adding an extra
argument for some functions (e.g., evalLocation). This looks a bit strange for some clients, but
it will look a lot cleaner when were start using CFGStmt* in the appropriate places.

As some fallout, the diagnostics arrows are a bit difference, since some of the node locations have changed.
I have audited these, and they look reasonable.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154214 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineObjC.cpp
6fd4505ad67a186da8cc26fdb493c93fe4937555 05-Apr-2012 Ted Kremenek <kremenek@apple.com> Require that all static analyzer issues have a category. As part of this change,
consolidate some commonly used category strings into global references (more of this can be done, I just did a few).

Fixes <rdar://problem/11191537>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154121 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b98b998e9a5637012ab39ad1dabdad7c798721e8 05-Apr-2012 Ted Kremenek <kremenek@apple.com> Handle symbolicating a reference in an initializer expression that we don't understand.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154084 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
907344e4977ac704f248d82ef235b88be08584d5 05-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] Change warding in a path diagnostic:
"No method actually called because receiver is nil" ->
"No method is called because receiver is nil"

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154077 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
4f4705faae9fc10e21be95eb39317f714cf8307f 05-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] Remove redundant if statement (pointed out by Ted).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154075 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
07189521a15d9c088216b943649cb9fe231cbb57 04-Apr-2012 Ted Kremenek <kremenek@apple.com> Include the "issue context" (e.g. function or method) where a static analyzer issue occurred in the plist output.

Fixes <rdar://problem/11004527>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154030 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
88fc18120ca14b82bef695d6440f51e4c468916c 04-Apr-2012 Ted Kremenek <kremenek@apple.com> Change BugReporter's usage of IsCachedDiagnostic to only impact pruning diagnostics emitted to the
console, and leave it up to PathDiagnosticConsumer to unique reports with the shortest path.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153987 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
e62f048960645b79363408fdead53fec2a063c52 03-Apr-2012 Anna Zaks <ganna@apple.com> [analyzer] Record the basic blocks covered by the analyzes run.

Store this info inside the function summary generated for all analyzed
functions. This is useful for coverage stats and can be helpful for
analyzer state space search strategies.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153923 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
unctionSummary.cpp
31b57628576a2355428fd4b57f828a3aa8423000 03-Apr-2012 Ted Kremenek <kremenek@apple.com> Fix another false positive in RegionStore involving doing loads from symbolic offsets. We still don't
properly reason about such accesses, but we shouldn't emit bogus "uninitialized value" warnings
either. Fixes <rdar://problem/11127008>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153913 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
d9b795524eb3dc035523f82f135d0a8adf15cd72 02-Apr-2012 Ted Kremenek <kremenek@apple.com> Fix potential null dereference in the static analyzer when inlining a call that has already been inlined. Unfortunately I have no test case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153900 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
4a5f724538cbc275370c9504e8169ce92503256c 01-Apr-2012 Benjamin Kramer <benny.kra@googlemail.com> Analyzer: Store BugReports directly in a ilist instead of adding another layer of inderection with std::list

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153847 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
62a5c34ddc54696725683f6c5af1c8e1592c5c38 30-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer]Malloc,RetainRelease: Allow pointer to escape via NSMapInsert.

Fixes a false positive (radar://11152419). The current solution of
adding the info into 3 places is quite ugly. Pending a generic pointer
escapes callback.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153731 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
3bbd8cd831788c506f2980293eb3c7e1b3ca2501 30-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Do not inline functions which previously reached max block
count.

This is an optimization for "retry without inlining" option. Here, if we
failed to inline a function due to reaching the basic block max count,
we are going to store this information and not try to inline it
again in the translation unit. This can be viewed as a function summary.

On sqlite, with this optimization, we are 30% faster then before and
cover 10% more basic blocks (partially because the number of times we
reach timeout is decreased by 20%).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153730 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
b47dbcbc12430fdf3e5a5b9f59cdec5480e89e75 28-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Enable retry exhausted without inlining by default.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153591 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
xprEngine.cpp
253955ca25c7e7049963b5db613c0cd15d66e4f8 28-Mar-2012 Anna Zaks <ganna@apple.com> [analyser] Stats checker: do not mark a node as exhausted if we will
retry without inlining.

(+ other minor cleanups)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153581 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
6488dc31153be6f98b404c7860be6c66bb4ec917 28-Mar-2012 Ted Kremenek <kremenek@apple.com> Fix suspicious comparison reported by PVS-Studio!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153568 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
5903a373db3d27794c90b25687e0dd6adb0e497d 27-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Add an option to re-analyze a dead-end path without inlining.

The analyzer gives up path exploration under certain conditions. For
example, when the same basic block has been visited more than 4 times.
With inlining turned on, this could lead to decrease in code coverage.
Specifically, if we give up inside the inlined function, the rest of
parent's basic blocks will not get analyzed.

This commit introduces an option to enable re-run along the failed path,
in which we do not inline the last inlined call site. This is done by
enqueueing the node before the processing of the inlined call site
with a special policy encoded in the state. The policy tells us not to
inline the call site along the path.

This lead to ~10% increase in the number of paths analyzed. Even though
we expected a much greater coverage improvement.

The option is turned off by default for now.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153534 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
560ad31c413724fafd13d6fd723e403f28daa132 22-Mar-2012 Shih-wei Liao <sliao@google.com> Migrate external/clang to CLANG-153220-20120321.

Change-Id: I3b469a42a5048f05f06d14aba34419119047e1a9
ndroid.mk
d316862f4fb281ec08a2e45cd3e5580574adb889 24-Mar-2012 Shih-wei Liao <sliao@google.com> Merge branch 'upstream' into sliao_d
3bc75ca0a636efdc93471c9b6bad43085a22bf3a 24-Mar-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] Restart path diagnostic generation if any of the visitors change the report configuration while walking the path.

This required adding a change count token to BugReport, but also allowed us to ditch ImmutableList as the BugReporterVisitor data type.

Also, remove the hack from MallocChecker, now that visitors appear in the opposite order. This is not exactly a fix, but the common case -- custom diagnostics after generic ones -- is now the default behavior.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153369 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
514f2c9dcb9e04b52929c5b141a6fe88bd68b33f 23-Mar-2012 Ted Kremenek <kremenek@apple.com> Avoid applying retain/release effects twice in RetainCountChecker when a function call was inlined (i.e., we do not need to apply summaries in such cases).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153309 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngineCallAndReturn.cpp
5aac0b6ae95f137b1783f3e6227241fb457b8f8b 22-Mar-2012 Ted Kremenek <kremenek@apple.com> Fix static analyzer crash on code taking the address of a field. Fixes PR 11146.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153283 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
638e2d31fceed041e7e16aada4188c94cb5797bb 22-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Add the stat for the number of successfully explored paths.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153281 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
749bbe6f5f23676244f12a0d41511c8e73516feb 22-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Add stats useful for coverage investigations.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153280 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
3d7c44e01d568e5d5c0fac9c6ccb3f080157ba19 21-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Malloc: Utter the name of the leaked variable.
Specifically, we use the last store of the leaked symbol in the leak diagnostic.
(No support for struct fields since the malloc checker doesn't track those
yet.)

+ Infrastructure to track the regions used in store evaluations.
This approach is more precise than iterating the store to
obtain the region bound to the symbol, which is used in RetainCount
checker. The region corresponds to what is uttered in the code in the
last store and we do not rely on the store implementation to support
this functionality.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153212 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
emRegion.cpp
27b867ea1c9cb4b40f9b817c303d6df3ee753da9 21-Mar-2012 Anna Zaks <ganna@apple.com> [analyser] Factor out FindUniqueBinding from RetainCount checker.

So that others could use it as well. No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153211 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
8fe4525680ce72e90cee3e58b5654e3ae955447f 17-Mar-2012 NAKAMURA Takumi <geek4civic@gmail.com> StaticAnalyzer: Fix abuse of StringRef in r152962.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152982 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
fbd58743fa6c793b84ed60a0e2325335a53da6c4 17-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Shorten the stack hint diagnostic.

Do not display the standard "Returning from 'foo'", when a stack hint is
available.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152964 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
56a938ff85a444eb3d30d2634d92ce5b1f6fae56 17-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Create symbol-aware stack hints (building upon r152837).

The symbol-aware stack hint combines the checker-provided message
with the information about how the symbol was passed to the callee: as
a parameter or a return value.

For malloc, the generated messages look like this :
"Returning from 'foo'; released memory via 1st parameter"
"Returning from 'foo'; allocated memory via 1st parameter"
"Returning from 'foo'; allocated memory returned"
"Returning from 'foo'; reallocation of 1st parameter failed"


(We are yet to handle cases when the symbol is a field in a struct or
an array element.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152962 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
076add680e281709cf081052be0dcb822dc8f37d 17-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] +Comments

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152961 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
131579f198f9cc9e6405adbe6159110c283ec5a4 17-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Add a statistic for the number of times we reach the max
number of steps in the work list.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152960 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
ce612f5a7d306f919c7ae57fcd8c5ecb5d83d54e 16-Mar-2012 Ted Kremenek <kremenek@apple.com> Fix analyzer crash on analyzing 'catch' with no condition variable.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152900 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
8ec588e2ac57311604cf80608c7d4b3fb3b022f7 15-Mar-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] If a metadata symbol is interesting, its region is interesting as well.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152868 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
d7b83148ac0a537f5ec9be9d87bbec62b75435f4 15-Mar-2012 Jordy Rose <jediknil@belkadan.com> [analyzer] Remove AggExprVisitor, a dead class that assisted in visiting C++ expressions with a "base object", because the CFG is now linearized.

The only use of AggExprVisitor was in #if 0 code (the analyzer's incomplete C++ support), so there is no actual behavioral change anyway.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152856 91177308-0d34-0410-b5e6-96231b3b80d8
ggExprVisitor.cpp
MakeLists.txt
xprEngineCXX.cpp
368a0d565f078666ca5bfb7fe08d04648688e4bc 15-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Allow checkers to supply call stack diagnostic hints for the
BugVisitor DiagnosticPieces.

When checkers create a DiagnosticPieceEvent, they can supply an extra
string, which will be concatenated with the call exit message for every
call on the stack between the diagnostic event and the final bug report.
(This is a simple version, which could be/will be further enhanced.)

For example, this is used in Malloc checker to produce the ",
which allocated memory" in the following example:

static char *malloc_wrapper() { // 2. Entered call from 'use'
return malloc(12); // 3. Memory is allocated
}

void use() {
char *v;
v = malloc_wrapper(); // 1. Calling 'malloc_wrappers'
// 4. Returning from 'malloc_wrapper', which allocated memory
} // 5. Memory is never released; potential
memory leak

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152837 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
59e7f4e6e69872d2fc4031f66b47b8ad64967e51 15-Mar-2012 Matt Beaumont-Gay <matthewbg@google.com> '#if 0' out a variable that's only used in other preprocessor-disabled code.

(Why are we keeping all of this code around anyway? Say the word and I'll
start swinging the delete hammer.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152749 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
9373937945e1e075dfa08169eaccc1ad0b31f699 14-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Diagnostics: Supply Caller information even if the bug occurs
in the callee.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152734 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
e711d7e7875920fee4180a26bfc67d67f0f71a2c 14-Mar-2012 Erik Verbruggen <erikjv@me.com> [Analyser] Remove unnecessary recursive visits for ExprWithCleanups and
MaterializeTemporaryExpr.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152730 91177308-0d34-0410-b5e6-96231b3b80d8
ggExprVisitor.cpp
xprEngine.cpp
e5049d29f74183d88a332ce4868e84a9c12893f0 14-Mar-2012 Erik Verbruggen <erikjv@me.com> [Analyser] Removes more recursive visitations in ExprEngine that are no
longer needed as the CFG is fully linearized.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152720 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
6cc0969ab37c614d6cf496f2ed6d2fca397a0133 13-Mar-2012 Anna Zaks <ganna@apple.com> [analyser] Refactor shouldInline logic into a helper.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152677 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
fc544e3d52c43746b1b273f38ec7d65461f0064a 13-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Call enter/exit diagnostic should refer to caller/callee,
respectively.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152676 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
29af3c7425b791daf5c9ec0a820d6b5baab2ddcc 13-Mar-2012 Ted Kremenek <kremenek@apple.com> Add new analyzer diagnostic mode where plists can have bugs that span multiple files.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152586 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
e881efe78596a6ce9219237b737ced4adb1f8251 12-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer] Include inlining call stack depth in plist output.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152584 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
4e4d08403ca5cfd4d558fa2936215d3a4e5a528d 11-Mar-2012 David Blaikie <dblaikie@gmail.com> Unify naming of LangOptions variable/get function across the Clang stack (Lex to AST).

The member variable is always "LangOpts" and the member function is always "getLangOpts".

Reviewed by Chris Lattner

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152536 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
heckerContext.cpp
xprEngineC.cpp
TMLDiagnostics.cpp
emRegion.cpp
listDiagnostics.cpp
f4b88a45902af1802a1cb42ba48b1c474474f228 10-Mar-2012 John McCall <rjmccall@apple.com> Remove BlockDeclRefExpr and introduce a bit on DeclRefExpr to
track whether the referenced declaration comes from an enclosing
local context. I'm amenable to suggestions about the exact meaning
of this bit.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152491 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
337e4dbc6859589b8878146a88bebf754e916702 10-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer] fix regression in analyzer of NOT actually aborting on Stmts it doesn't understand. We registered
as aborted, but didn't treat such cases as sinks in the ExplodedGraph.

Along the way, add basic support for CXXCatchStmt, expanding the set of code we actually analyze (hopefully correctly).

Fixes: <rdar://problem/10892489>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152468 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
xprEngineCXX.cpp
ValBuilder.cpp
3fd5f370a28552976c52e76c3035d79012d78dda 09-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Add support for NoRedundancy inlining mode.

We do not reanalyze a function, which has already been analyzed as an
inlined callee. As per PRELIMINARY testing, this gives over
50% run time reduction on some benchmarks without decreasing of the
number of bugs found.

Turning the mode on by default.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152440 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
76aadc346c3a4c363238a1e1232f324c3355d9e0 09-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions.
Essentially, a bug centers around a story for various symbols and regions. We should only include
the path diagnostic events that relate to those symbols and regions.

The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which
can be modified at BugReport creation or by BugReporterVisitors.

This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as
having desired behavior. The only regression is a missing null check diagnostic for the return
value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix,
and I have added a FIXME to the test case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152361 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
66253352131e3e7a22b3bfd0e180607aa2bfb988 09-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Rework inlining related command line options.
- Remove -analyzer-inline-call.
- Add -analyzer-ipa=[none|inlining]
- Add -analyzer-inlining-mode to allow experimentation for
different performance tuning methods.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152351 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
9fcce65e7e1307b5b8da9be13e4092d6bb94dc1d 07-Mar-2012 Richard Smith <richard-llvm@metafoo.co.uk> AST representation for user-defined literals, plus just enough of semantic
analysis to make the AST representation testable. They are represented by a
new UserDefinedLiteral AST node, which is a sugared CallExpr. All semantic
properties, including full CodeGen support, are achieved for free by this
representation.

UserDefinedLiterals can never be dependent, so no custom instantiation
behavior is required. They are mangled as if they were direct calls to the
underlying literal operator. This matches g++'s apparent behavior (but not its
actual mangling, which is broken for literal-operator-ids).

User-defined *string* literals are now fully-operational, but the semantic
analysis is quite hacky and needs more work. No other forms of user-defined
literal are created yet, but the AST support for them is present.

This patch committed after midnight because we had already hit the quota for
new kinds of literal yesterday.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152211 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
1a45a5ff5d495cb6cd9a3d4d06317af79c0f634d 06-Mar-2012 Ted Kremenek <kremenek@apple.com> Add static analyzer support for new NSArray/NSDictionary/NSNumber literals.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152139 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
097ebb3d8ce55d1f78a3f1e7a0978dbde5ee2898 06-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer] add a diagnostic event when entering a call via inlining, within the callee, and add an edge.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152086 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
2dd17abf11ae64339fa6bfaa57d76e13a5fbe5b8 06-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer] 'Looping back to the head of the loop' diagnostics are prunable.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152083 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
a99f874bf2ade1e32f0feda7d5b8211171440f02 06-Mar-2012 Ted Kremenek <kremenek@apple.com> Teach SimpleSValBuilder that (in the absence of more information) stack memory doesn't alias symbolic memory. This is a heuristic/hack, but works well in practice. Fixes <rdar://problem/10978247>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152065 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
361035524dc26094825134f30c07311f38f4f8b1 06-Mar-2012 Stephen Hines <srhines@google.com> Merge with upstream Clang @152062.

Added include/clang/Config/config.h
(note the ANDROID_CONFIG_H header guard because CONFIG_H is already taken)

Added support for AttrTemplateInstantiate TableGen rules.

Added libLLVMVectorize dependency.

Build
-HostInfo.cpp
-CallGraph.cpp
+GlobalCallGraph.cpp
-MultiInitializer.cpp
+PPCallbacks.cpp
+SemaConsumer.cpp
+ChainedDiagnosticConsumer.cpp
+DependencyGraph.cpp
+DiagnosticRenderer.cpp
+LayoutOverrideSource.cpp
+WindowsToolChain.cpp
+SemaLambda.cpp
+BoolAssignmentChecker.cpp
+LambdaMangleContext.cpp
+CStringSyntaxChecker.cpp
+ObjCContainersASTChecker.cpp
+ObjCContainersChecker.cpp
+VirtualCallChecker.cpp
+Dominators.cpp
+SubEngine.cpp
+RewriteModernObjC.cpp

Change-Id: Ifda805ce87ae132f055131f4f83692b5c3d63d17
ndroid.mk
91932089c31e1233f0c478b03412e90a65e07ad2 05-Mar-2012 Stephen Hines <srhines@google.com> Merge branch 'upstream' into merge-20120305

Conflicts:
lib/Basic/Targets.cpp

Change-Id: Ib76c138030a701355ce39a6eda1a89a79f401667
a81d3d434e6581ff354eaf5b2a3c25c75771a792 04-Mar-2012 Erik Verbruggen <erikjv@me.com> Remove a recursive visitation in ExprEngine that is no longer needed because the CFG is fully linearized.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152007 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
4ba86bc53bb280ba46a08459eda7d283d513b61f 02-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer diagnostics] flush locations *before* popping the current path when visiting a CallEnter.

Fixes <rdar://problem/10967815>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151938 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
8235f9c9c8b3d1737d1c6bd57f7ba3f616b92392 02-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Bound the size of the functions being inlined + provide
command line options for inlining tuning.

This adds the option for stack depth bound as well as function size
bound.

+ minor doxygenification

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151930 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
xprEngineCallAndReturn.cpp
77d09441e59d3bced6c3d55505eb3a67a784fe02 02-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer diagnostics] Change CompactPathDiagnostic to recursively compact diagnostics in calls into macro pieces.
Also fix handling of macros within calls in the HTMLDiagnostics.

This also adds a test case for r151774.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151872 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
cc2c4b293d8590346f26b7ecc16d299226b8794f 02-Mar-2012 Ted Kremenek <kremenek@apple.com> Teach the analyzer to just ignore CXXBindTemporaryExpr. There's nothing special to do with it, since destructors are represented explicitly in the CFG.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151856 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
b2c60b04a597cc5ba4154837cf8e0a155a376fd7 01-Mar-2012 Argyrios Kyrtzidis <akyrtzi@gmail.com> Move llvm/ADT/SaveAndRestore.h -> llvm/Support/SaveAndRestore.h.

Needs llvm update.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151829 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
3edf02f66d339a3ae6d06aeb96c78d9089b53bc1 01-Mar-2012 Anna Zaks <ganna@apple.com> [analyzer] Diagnostics - do not try to cleanup the path with macros, it
will be done by the general cleanup later on.
A Patch by Ted.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151784 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
725167443808efdc39a99f4eb132a0ae64ac5118 01-Mar-2012 Ted Kremenek <kremenek@apple.com> Change if...else if...else if... to a switch.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151775 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
62ff52868976a8494224a2914f1869329777944c 01-Mar-2012 Ted Kremenek <kremenek@apple.com> [analyzer] when scanning FIDs in a PathDiagnostic, correctly recurse calls and macros.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151774 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
listDiagnostics.cpp
ca23eb212c78ac5bc62d0881635579dbe7095639 29-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Malloc: A pointer might escape through CFContainers APIs,
funopen, setvbuf.

Teach the checker and the engine about these APIs to resolve malloc
false positives. As I am adding more of these APIs, it is clear that all
this should be factored out into a separate callback (for example,
region escapes). Malloc, KeyChainAPI and RetainRelease checkers could
all use it.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151737 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
4fafeb6452a79794726a1adc53fb5e2a5887c5f9 29-Feb-2012 Erik Verbruggen <erikjv@me.com> Remove a recursive visitiation in ExprEngine that is no longer needed
because the CFG is fully linearized.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151711 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
56d8fd0b8a65a7ccae3669cd650ca443cf24b73e 29-Feb-2012 Ted Kremenek <kremenek@apple.com> [analyzer diagnostics] Refactor filtration for PathDiagnosticConsumers that don't support cross-file diagnostics
into a common place. Currently enable this filtration for Plist diagnostics as well.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151664 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
c89f4b05721f53cfbaf32fc0c4919a4616e68440 29-Feb-2012 Ted Kremenek <kremenek@apple.com> [analyzer diagnostics] start prototyping stripping PathDiagnostics of unnecessary cruft caused by path inlining.

This introduces a concept of a "prunable" PathDiagnosticEvent. Currently this is a flag, but
we may evolve the concept to make this more dynamically inferred.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151663 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
c2994283aa7538b7420c8e398cde7afa328d7042 28-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Stats: Add the stats about remove dead bindings, correct the
test.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151656 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
07d39a479cf8f20294407e749f9933da34ebecb7 28-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix Malloc False Positive (PR 12100)

When allocated buffer is passed to CF/NS..NoCopy functions, the
ownership is transfered unless the deallocator argument is set to
'kCFAllocatorNull'.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151608 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
4c62b557e269a27515dfca1f754ae936c8fdb824 28-Feb-2012 Ted Kremenek <kremenek@apple.com> [analyzer] teach analyzer about ObjC literals, thus trimming out a false positive with the malloc() checker involving
comparing literal addresses to nil.

Fixes <rdar://problem/10579586>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151602 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
emRegion.cpp
tore.cpp
e739a29c62c67eaec0af5c4d5c75f9e8f11228bd 28-Feb-2012 Ted Kremenek <kremenek@apple.com> [analyzer] Don't generate an explicit ExplodedNode for StringLiterals; have the SVal lazily generated from Environment::getSVal().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151589 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
d45d361f2ce5c37824052357e2218e8a5509eba5 27-Feb-2012 Argyrios Kyrtzidis <akyrtzi@gmail.com> Move "clang/Analysis/Support/SaveAndRestore.h" to "llvm/ADT/SaveAndRestore.h"
to make it more widely available.

Depends on llvm commit r151564

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151566 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
ff80afcfb2b00ccffcb6cb10528bec565fc59edd 24-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Run remove dead bindings before each call.

This ensures that we report the bugs associated with symbols going
out of scope in the correct function context.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151369 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
e55b03a6e44b99c1cd77b8ea5e4d836c28948904 24-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] We were silently stopping exploring the path after
visiting 'return;' statement!

This most likely caused us to skip a bunch of code when analyzing with
inlining.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151368 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
4ca8ac2e61c37ddadf37024af86f3e1019af8532 24-Feb-2012 Douglas Gregor <dgregor@apple.com> Implement a new type trait __is_trivially_constructible(T, Args...)
that provides the behavior of the C++11 library trait
std::is_trivially_constructible<T, Args...>, which can't be
implemented purely as a library.

Since __is_trivially_constructible can have zero or more arguments, I
needed to add Yet Another Type Trait Expression Class, this one
handling arbitrary arguments. The next step will be to migrate
UnaryTypeTrait and BinaryTypeTrait over to this new, more general
TypeTrait class.

Fixes the Clang side of <rdar://problem/10895483> / PR12038.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151352 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
59950d3aa54ca5066b1fb08a8c79ebfe10e0919b 24-Feb-2012 Ted Kremenek <kremenek@apple.com> Make PathDiagnosticBuilder sensitive to varying LocationContexts, thus fixing a bug in the inlining diagnostics where the wrong location could be used.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151349 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
2042fc1f36d471f437023e8899f0c4fadded2341 24-Feb-2012 Ted Kremenek <kremenek@apple.com> Reapply r151317, but when computing the PathDiagnostic profile and size keep into account the nested structure. Also fix a problem with how
inlining impacted Plist diagnostics, and adjust some ranges in the Plist output due to richer information.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151346 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
68fbb3ee8ae374b6505885e907af92b30eef707f 24-Feb-2012 Chad Rosier <mcrosier@apple.com> Revert r151317 - Rework PathDiagnostics creation.. - to appease buildbots.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151338 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
4970ef8e3527ac356c3e9fde0710561fcb63e424 24-Feb-2012 Ted Kremenek <kremenek@apple.com> Rework PathDiagnostic creation so that call stacks are captured by a nested PathDiagnosticCallPiece.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151317 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
ca8e36eb637e232475ef31c3f22d5da907390917 23-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Malloc: unique leak reports by allocation site.

When we find two leak reports with the same allocation site, report only
one of them.

Provide a helper method to BugReporter to facilitate this.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151287 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
0d389b819c33bdf0375694a8f141c8f02e002b18 23-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Invalidate the region passed to pthread_setspecific() call.

Make this call an exception in ExprEngine::invalidateArguments:
'int pthread_setspecific(ptheread_key k, const void *)' stores
a value into thread local storage. The value can later be retrieved
with 'void *ptheread_getspecific(pthread_key)'. So even thought the
parameter is 'const void *', the region escapes through the
call.

(Here we just blacklist the call in the ExprEngine's default
logic. Another option would be to add a checker which evaluates
the call and triggers the call to invalidate regions.)

Teach the Malloc Checker, which treats all system calls as safe about
the API.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151220 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
ac1303eca6cbe3e623fb5ec6fe7ec184ef4b0dfa 22-Feb-2012 Douglas Gregor <dgregor@apple.com> Generate an AST for the conversion from a lambda closure type to a
block pointer that returns a block literal which captures (by copy)
the lambda closure itself. Some aspects of the block literal are left
unspecified, namely the capture variable (which doesn't actually
exist) and the body (which will be filled in by IRgen because it can't
be written as an AST).

Because we're switching to this model, this patch also eliminates
tracking the copy-initialization expression for the block capture of
the conversion function, since that information is now embedded in the
synthesized block literal. -1 side tables FTW.



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151131 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
7f9b1d963d4b7e2faff7305733e3453130b402fe 21-Feb-2012 Ted Kremenek <kremenek@apple.com> Have ScanReachableSymbols reported reachable regions. Fixes a false positive with nested array literals. <rdar://problem/10686586>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151012 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
rogramState.cpp
c93dc7889644293e318e19d82830ea2acc45b678 20-Feb-2012 Dylan Noblesmith <nobled@dreamwidth.org> Basic: import IntrusiveRefCntPtr<> into clang namespace

The class name is long enough without the llvm:: added.
Also bring in RefCountedBase and RefCountedBaseVPTR.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150958 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
99c06be61f13c6bfe41586b59f5747d644f1b2ac 18-Feb-2012 Ted Kremenek <kremenek@apple.com> Teach analyzer that blocks with no captures are globals. Fixes <rdar://problem/10348049>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150896 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
b673a41c92aa276f2e37164d0747be1cfb0c402b 18-Feb-2012 Ted Kremenek <kremenek@apple.com> Adopt ExprEngine and checkers to ObjC property refactoring. Everything was working, but now diagnostics are aware of message expressions implied by uses of properties. Fixes <rdar://problem/9241180>.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150888 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
xprEngineObjC.cpp
bjCMessage.cpp
3133f79cf451e6302dd05262b4bb53a3e4fd6300 18-Feb-2012 Ted Kremenek <kremenek@apple.com> Have conjured symbols depend on LocationContext, to add context sensitivity for functions called more than once.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150849 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
ymbolManager.cpp
998e2754281b19bb1db19299ae16c2fd5947bcc0 17-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Generalize function name checking in CString checker.
(Ex: It was not treating __inline_strcpy as strcpy. Will add tests that
rely on this later on.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150845 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
bdd4c848349d4091d66b052efa453e6d69a77e36 16-Feb-2012 Ted Kremenek <kremenek@apple.com> Add checker visitation hooks in ExprEngine::Visit() for common no-op expressions. To be used later.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150723 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
2ac58b7c09938bb28c51c7cd2deada609b75f94c 16-Feb-2012 Ted Kremenek <kremenek@apple.com> Revert "Move ExplodedNode reclaimation out of ExprEngine and into CoreEngine. Also have it based on adding predecessors/successors, not node allocation. No measurable performance change."

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150722 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
437ee81e54f39c2363d5fe0ea155604c28adc615 16-Feb-2012 Ted Kremenek <kremenek@apple.com> Move ExplodedNode reclaimation out of ExprEngine and into CoreEngine. Also have it based on adding predecessors/successors, not node allocation. No measurable performance change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150720 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
626719bd2c09e27fe7c182724a812d27f59e3819 16-Feb-2012 Ted Kremenek <kremenek@apple.com> Minor cleanup to node data structures in ExplodedGraph. No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150719 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xplodedGraph.cpp
2aed8b88613863f3c439cdfb205bdf8b608fb205 16-Feb-2012 Sebastian Redl <sebastian.redl@getdesigned.at> Revert "Revert "Make CXXNewExpr contain only a single initialier, and not hold the used constructor itself.""

This reintroduces commit r150682 with a fix for the Bullet benchmark crash.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150685 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
1548d14f4092a817f7d90ad3e7a65266dc85fbc5 16-Feb-2012 Sebastian Redl <sebastian.redl@getdesigned.at> Revert "Make CXXNewExpr contain only a single initialier, and not hold the used constructor itself."
It leads to a compiler crash in the Bullet benchmark.

This reverts commit r12014.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150684 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
5f688f4b15d02aa7ad159c46b1f78fe59d412f12 16-Feb-2012 Sebastian Redl <sebastian.redl@getdesigned.at> Make CXXNewExpr contain only a single initialier, and not hold the used constructor itself.

Holding the constructor directly makes no sense when list-initialized arrays come into play. The constructor is now held in a CXXConstructExpr, if construction is what is done. The new design can also distinguish properly between list-initialization and direct-initialization, as well as implicit default-initialization constructors and explicit value-initialization constructors. Finally, doing it this way removes redundance from the AST because CXXNewExpr doesn't try to handle both the allocation and the initialization responsibilities.

This breaks the static analysis of new expressions. I've filed PR12014 to track this.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150682 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
5a0917d1367115d5fddfe7551f8634759217b54b 16-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Diagnostics: Ensure that the default end of diagnostic path
piece can always be generated.

The default end of diagnostic path piece was failing to generate on a
BlockEdge that was outgoing from a basic block without a terminator,
resulting in a very simple diagnostic being rendered (ex: no path
highlighting or custom visitors). Reuse another function, which is
essentially doing the same thing and correct it not to fail when a block
has no terminator.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150659 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
athDiagnostic.cpp
4d4e5c1ae83f4510caa486b3ad19de13048f9f04 15-Feb-2012 John McCall <rjmccall@apple.com> Split reinterpret_casts of member pointers out from CK_BitCast; this
is general goodness because representations of member pointers are
not always equivalent across member pointer types on all ABIs
(even though this isn't really standard-endorsed).

Take advantage of the new information to teach IR-generation how
to do these reinterprets in constant initializers. Make sure this
works when intermingled with hierarchy conversions (although
this is not part of our motivating use case). Doing this in the
constant-evaluator would probably have been better, but that would
require a *lot* of extra structure in the representation of
constant member pointers: you'd really have to track an arbitrary
chain of hierarchy conversions and reinterpretations in order to
get this right. Ultimately, this seems less complex. I also
wasn't quite sure how to extend the constant evaluator to handle
foldings that we don't actually want to treat as extended
constant expressions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150551 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
66c40400e7d6272b0cd675ada18dd62c1f0362c7 14-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Make Malloc Checker optimistic in presence of inlining.
(In response of Ted's review of r150112.)

This moves the logic which checked if a symbol escapes through a
parameter to invalidateRegionCallback (instead of post CallExpr visit.)

To accommodate the change, added a CallOrObjCMessage parameter to
checkRegionChanges callback.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150513 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
rogramState.cpp
9050e3ad959d08fb53446a5e261e66aaa97d9fc8 14-Feb-2012 Ted Kremenek <kremenek@apple.com> Remove recusive expression visitation in ExprEngine::VisitIncrementDecrementOperator().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150511 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
a91ac5bae3944e0eed9ef25294dfb2b8681b8159 14-Feb-2012 Ted Kremenek <kremenek@apple.com> Remove recursive visitation in ExprEngine for UO_Not, UO_Minus, UO_LNot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150509 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
224c48945b1687489a8079fb4fcc42b409823400 14-Feb-2012 Ted Kremenek <kremenek@apple.com> Remove recursive visitation in ExprEngine for UO_Deref, UO_AddrOf, and UO_Extension.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150506 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
c1e08dc876d7944678214f0ba222e258d62c9953 14-Feb-2012 Ted Kremenek <kremenek@apple.com> Remove ExprEngine recursive visitation of unary UO_Imag operation.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150505 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
019316636b0a2d2273b945a98e52d454acee66ef 14-Feb-2012 Ted Kremenek <kremenek@apple.com> Further remove some recursive visitiation in ExprEngine that is no longer needed because the CFG is fully linearized.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150504 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
10520d76044e8fff71d414f30c21b449fd104960 09-Feb-2012 Ted Kremenek <kremenek@apple.com> [analyzer] Proactively avoid inlining vararg functions and blocks until we properly support them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150207 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
af84f8fea486dde096466e85f4bca7c8d3ff4571 08-Feb-2012 Ted Kremenek <kremenek@apple.com> Remove explicit delete of PathDiagnosticMacroPiece, as it is now reference counted.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150110 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
802e02463b880f53a6e645bde78cc412481ce9e0 08-Feb-2012 Ted Kremenek <kremenek@apple.com> Change PathDiagnosticPieces to be reference counted (simplifying their management), and introduce 'PathPieces' as a common container for PathDiagnosticPieces.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150054 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
eb2303c76971f3cc89bbb367ce77564ccb7042c1 08-Feb-2012 Ted Kremenek <kremenek@apple.com> Refactor pieces of PathDiagnostic into its own data structure. No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150053 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
d7a3e2c5f61cd4893f95b69a424fe4def3aa0f69 07-Feb-2012 Benjamin Kramer <benny.kra@googlemail.com> Revert my patches which removed Diagnostic.h includes by moving some operator overloads out of line.

This seems to negatively affect compile time onsome ObjC tests
(which use a lot of partial diagnostics I assume). I have to come
up with a way to keep them inline without including Diagnostic.h
everywhere. Now adding a new diagnostic requires a full rebuild
of e.g. the static analyzer which doesn't even use those diagnostics.

This reverts commit 6496bd10dc3a6d5e3266348f08b6e35f8184bc99.
This reverts commit 7af19b817ba964ac560b50c1ed6183235f699789.
This reverts commit fdd15602a42bbe26185978ef1e17019f6d969aa7.
This reverts commit 00bd44d5677783527d7517c1ffe45e4d75a0f56f.
This reverts commit ef9b60ffed980864a8db26ad30344be429e58ff5.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150006 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
ugReporter.cpp
heckerRegistry.cpp
extPathDiagnostics.cpp
a59d20b135bfde058a5a69045bab5ec4e2553f74 07-Feb-2012 Benjamin Kramer <benny.kra@googlemail.com> Print NamedDecls directly to a raw_ostream where possible.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149982 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
01d08018b7cf5ce1601707cfd7a84d22015fc04e 07-Feb-2012 Douglas Gregor <dgregor@apple.com> Introduce basic ASTs for lambda expressions. This covers:
- Capturing variables by-reference and by-copy within a lambda
- The representation of lambda captures
- The creation of the non-static data members in the lambda class
that store the captured variables
- The initialization of the non-static data members from the
captured variables
- Pretty-printing lambda expressions

There are a number of FIXMEs, both explicit and implied, including:
- Creating a field for a capture of 'this'
- Improved diagnostics for initialization failures when capturing
variables by copy
- Dealing with temporaries created during said initialization
- Template instantiation
- AST (de-)serialization
- Binding and returning the lambda expression; turning it into a
proper temporary
- Lots and lots of semantic constraints
- Parameter pack captures


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149977 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
a6215b93c45ee5931536b57d10b987747143313b 07-Feb-2012 Ted Kremenek <kremenek@apple.com> Create PathDiagnosticCallEnter and PathDiagnosticCallExit, to remark calls in PathDiagnostics from other events. This will
have potential uses later.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149960 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
5de4fdb8de700f95b0b863a9e5a4a508de17a034 07-Feb-2012 Ted Kremenek <kremenek@apple.com> Tweak BugReporter extensive diagnostics to not add edges between function calls.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149959 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
b9201d2d138dca631cdc43f8e57d9e9e6248c25c 07-Feb-2012 Ted Kremenek <kremenek@apple.com> Quote name of function in path diagnostics.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149958 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
0cf3d471546251b12bdceff360f66c079c40526c 07-Feb-2012 Ted Kremenek <kremenek@apple.com> Add basic BugReporter support for CallEnter/CallExit. WIP.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149939 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
f7ccbad5d9949e7ddd1cbef43d482553b811e026 05-Feb-2012 Dylan Noblesmith <nobled@dreamwidth.org> Basic: import SmallString<> into clang namespace

(I was going to fix the TODO about DenseMap too, but
that would break self-host right now. See PR11922.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149799 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
6f42b62b6194f53bcbc349f5d17388e1936535d7 05-Feb-2012 Dylan Noblesmith <nobled@dreamwidth.org> Basic: import OwningPtr<> into clang namespace

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149798 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
listDiagnostics.cpp
egionStore.cpp
8fe83e1df954d72c0f4ffc15d20a5222ec151c21 04-Feb-2012 Benjamin Kramer <benny.kra@googlemail.com> Move a method from IdentifierTable.h out of line and remove the SmallString include.

Fix all the transitive include users.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149783 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
fdd15602a42bbe26185978ef1e17019f6d969aa7 04-Feb-2012 Benjamin Kramer <benny.kra@googlemail.com> Remove Diagnostic.h include from Preprocessor.h.

- Move the offending methods out of line and fix transitive includers.
- This required changing an enum in the PPCallback API into an unsigned.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149782 91177308-0d34-0410-b5e6-96231b3b80d8
extPathDiagnostics.cpp
00bd44d5677783527d7517c1ffe45e4d75a0f56f 04-Feb-2012 Benjamin Kramer <benny.kra@googlemail.com> Move various diagnostic operator<< overloads out of line and remove includes of Diagnostic.h.

Fix all the files that depended on transitive includes of Diagnostic.h.
With this patch in place changing a diagnostic no longer requires a full rebuild of the StaticAnalyzer.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149781 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
ugReporter.cpp
heckerRegistry.cpp
84aac9acc7a73360a7553c46f8da72773adbdd17 01-Feb-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a crash in CheckerContext::isCLibraryFunction for C++
declarations with special names.

A patch by Dmitri Gribenko.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149525 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
e00575f12cf280621ef0ed4d69e909bdfc9fef62 31-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add checks for common anti-patterns in strncat.
(Since this is syntax only, might be a good candidate for turning into a
compiler warning.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149407 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
a5888f61be9f8d76e9b48a453dbced50523bd2e0 31-Jan-2012 Argyrios Kyrtzidis <akyrtzi@gmail.com> Reapply r149311 which I reverted by mistake.

Original log:

Convert ProgramStateRef to a smart pointer for managing the reference counts of ProgramStates. This leads to a slight memory
improvement, and a simplification of the logic for managing ProgramState objects.
# Please enter the commit message for your changes. Lines starting

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149339 91177308-0d34-0410-b5e6-96231b3b80d8
hecker.cpp
xprEngine.cpp
rogramState.cpp
b9b0f6fb6e113b5e6be3ed9754c4bf01186a17bf 31-Jan-2012 Argyrios Kyrtzidis <akyrtzi@gmail.com> Revert r149311 which failed to compile.

Original log:

Convert ProgramStateRef to a smart pointer for managing the reference counts of ProgramStates. This leads to a slight memory
improvement, and a simplification of the logic for managing ProgramState objects.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149336 91177308-0d34-0410-b5e6-96231b3b80d8
hecker.cpp
xprEngine.cpp
rogramState.cpp
841c96a885789afea9d32d1d842033768c6d2b19 31-Jan-2012 Ted Kremenek <kremenek@apple.com> Minor refactor within ExplodedGraph::reclaimRecentlyAllocatedNodes(). No functionality change.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149320 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
72e93068c9f2a2f05f5932cdd917c0d2961f11d9 31-Jan-2012 Ted Kremenek <kremenek@apple.com> Convert ProgramStateRef to a smart pointer for managing the reference counts of ProgramStates. This leads to a slight memory
improvement, and a simplification of the logic for managing ProgramState objects.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149311 91177308-0d34-0410-b5e6-96231b3b80d8
hecker.cpp
xprEngine.cpp
rogramState.cpp
af5f550de34525b27f0ff31dafce792caf8158b6 30-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add index out of bounds check for CFArrayGetArrayAtIndex.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149228 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
c35fb7d67d515659ad2325b4f6ec97c9fe64fb63 28-Jan-2012 Benjamin Kramer <benny.kra@googlemail.com> StaticAnalyzer: Move ObjC- and CXX-specific methods out of line so checkers that don't care about the language don't have to pull in all the headers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149178 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
nvironment.cpp
xprEngineCXX.cpp
xprEngineObjC.cpp
emRegion.cpp
ValBuilder.cpp
tore.cpp
8bef8238181a30e52dea380789a7e2d760eac532 26-Jan-2012 Ted Kremenek <kremenek@apple.com> Change references to 'const ProgramState *' to typedef 'ProgramStateRef'.

At this point this is largely cosmetic, but it opens the door to replace
ProgramStateRef with a smart pointer that more eagerly acts in the role
of reclaiming unused ProgramState objects.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149081 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
ugReporter.cpp
ugReporterVisitors.cpp
heckerContext.cpp
heckerManager.cpp
oreEngine.cpp
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
ValBuilder.cpp
impleConstraintManager.cpp
impleConstraintManager.h
impleSValBuilder.cpp
tore.cpp
bac341346f3c8e713a8f165120fd54b500ee3189 26-Jan-2012 Ted Kremenek <kremenek@apple.com> Rework flushing of diagnostics to PathDiagnosticConsumer. Now all the reports are batched up before being flushed
to the underlying consumer implementation. This allows us to unique reports across analyses to multiple functions (which
shows up with inlining).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148997 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
d2e7090f97042ba8272f4f27ac243d8bf4151ecd 25-Jan-2012 Ted Kremenek <kremenek@apple.com> Post open source analyzer build checker-259.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148988 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
9d0064e802e81d0833e8ccab8978b17c0bac3625 25-Jan-2012 Ted Kremenek <kremenek@apple.com> Reduce peak memory usage of the static analyzer on sqlite3 (when using inlining) by 30%.

This is accomplished by periodically reclaiming nodes in the graph. This was an optimization
done before the CFG was linearized, but the CFG linearization destroyed that optimization since each
freshly created node couldn't be reclaimed and we only looked at a window of nodes created between
each ProcessStmt. This optimization can be reclaimed my merely expanding the window to N number of nodes.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148888 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
3026348bd4c13a0f83b59839f64065e0fcbea253 20-Jan-2012 David Blaikie <dblaikie@gmail.com> More dead code removal (using -Wunreachable-code)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148577 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
nvironment.cpp
xprEngine.cpp
impleConstraintManager.cpp
be97b7edb112520d764c24e8b9a159cdc692bcb6 20-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Skip casts when determining taint dependencies + pretty
printing.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148517 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
461af1e502c9bd88330bbf17d449a7593fc0d624 20-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add a utility method that allows to find the macro name used
at the given location.

This could be useful when checkers' logic depends on whether a function
is called with a given macro argument.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148516 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
9b0c749a20d0f7d0e63441d76baa15def3f37fdb 18-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Taint: add taint propagation rules for string and memory copy
functions.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148370 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
561d3abc881033776ece385a01a510e1cbc1fa92 17-Jan-2012 David Blaikie <dblaikie@gmail.com> Remove unnecessary default cases in switches over enums.

This allows -Wswitch-enum to find switches that need updating when these enums are modified.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148281 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
7a7ee3033e44b45630981355460ef89efa0bdcc4 16-Jan-2012 David Chisnall <csdavec@swan.ac.uk> Some improvements to the handling of C11 atomic types:

- Add atomic-to/from-nonatomic cast types
- Emit atomic operations for arithmetic on atomic types
- Emit non-atomic stores for initialisation of atomic types, but atomic stores and loads for every other store / load
- Add a __atomic_init() intrinsic which does a non-atomic store to an _Atomic() type. This is needed for the corresponding C11 stdatomic.h function.
- Enables the relevant __has_feature() checks. The feature isn't 100% complete yet, but it's done enough that we want people testing it.

Still to do:

- Make the arithmetic operations on atomic types (e.g. Atomic(int) foo = 1; foo++;) use the correct LLVM intrinsic if one exists, not a loop with a cmpxchg.
- Add a signal fence builtin
- Properly set the fenv state in atomic operations on floating point values
- Correctly handle things like _Atomic(_Complex double) which are too large for an atomic cmpxchg on some platforms (this requires working out what 'correctly' means in this context)
- Fix the many remaining corner cases



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148242 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
52e4c60e31fee851e2988f7909aebf488e57fc12 16-Jan-2012 David Blaikie <dblaikie@gmail.com> Refactor variables unused under non-assert builds.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148229 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
b71d1570417d81de7b064ad788bea690e2c89111 13-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Unwrap the pointers when ignoring the const cast.

radar://10686991

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148081 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
ce8ef16b1c58a304b7b59fad9836ad32d6ed020c 13-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] RegionStoreManager::getBinding() should not crash when
looking up value at a CodeTextRegion even when the type is not provided.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148079 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
dba241df071c4a15ac97e5cadd2d581998662809 13-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Fix a typo in a warning message.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148078 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
0849ade4bb3e90c2fc0ce01ccd330f76f91da732 12-Jan-2012 Ted Kremenek <kremenek@apple.com> [analyzer] fix inlining's handling of mapping actual to formal arguments and limit the call stack depth. The analyzer can now accurately simulate factorial for limited depths.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148036 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
rogramState.cpp
egionStore.cpp
tore.cpp
1437425a62dbf7bdb0a855d3ed3b05ed2019ec1e 12-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Rename Store::Retrieve() -> getBinding().

+ all the other Retrieve..() methods + a comment for ElementRegion.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148011 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
256ef642f8feef22fd53be7efa868e8e34752eed 11-Jan-2012 Ted Kremenek <kremenek@apple.com> Remove '#if 0' from ExprEngine::InlineCall(), and start fresh by wiring up inlining for straight C calls.
My hope is to reimplement this from first principles based on the simplifications of removing unneeded node builders
and re-evaluating how C++ calls are handled in the CFG. The hope is to turn inlining "on-by-default" as soon as possible
with a core set of things working well, and then expand over time.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147904 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
f660f4b1bedd6b614acf52108894b805b807c50d 10-Jan-2012 Ted Kremenek <kremenek@apple.com> Make PathDiagnosticLocation more resilient to null Stmt pointers.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147854 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
9f03b62036a7abc0a227b17f4a49b9eefced9450 07-Jan-2012 Anna Zaks <ganna@apple.com> [analyzer] Add basic format string vulnerability checking.

We already have a more conservative check in the compiler (if the
format string is not a literal, we warn). Still adding it here for
completeness and since this check is stronger - only triggered if the
format string is tainted.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147714 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
3070e13dca5bbefa32acb80ce4a7b217a6220983 07-Jan-2012 Ted Kremenek <kremenek@apple.com> [analyzer] Remove CallEnterNodeBuilder and simplify ExprEngine::processCallEnter().

This removes analysis of other translation units, but that was an experimental feature anyway that we will revisit later.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147705 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
242384ddb0e0b65dd7e9e0ac0cf3c31cf98b06a6 07-Jan-2012 Ted Kremenek <kremenek@apple.com> Correctly enqueue successors in ExprEngine::processCallExit().

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147698 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
894212e9510299abb203801e014fec76b7926a05 07-Jan-2012 Ted Kremenek <kremenek@apple.com> [analyzer] Remove CallExitNodeBuilder, and have ExprEngine::processCallExit() do the work manually. This is a nice simplification.

Along the way, fix Exprengine::processCallExit() to also perform the postStmt callback for checkers for CallExprs.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147697 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngineCallAndReturn.cpp
5eca482fe895ea57bc82410222e6426c09e63284 06-Jan-2012 Ted Kremenek <kremenek@apple.com> [analyzer] Make the entries in 'Environment' context-sensitive by making entries map from
(Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals.

This is needed to support basic IPA via inlining. Without this, we cannot tell
if a Stmt* binding is part of the current analysis scope (StackFrameContext) or
part of a parent context.

This change introduces an uglification of the use of getSVal(), and thus takes
two steps forward and one step back. There are also potential performance implications
of enlarging the Environment. Both can be addressed going forward by refactoring the
APIs and optimizing the internal representation of Environment. This patch
mainly introduces the functionality upon when we want to build upon (and clean up).

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147688 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
heckerContext.cpp
nvironment.cpp
xprEngine.cpp
xprEngineC.cpp
xp