ef8225444452a1486bd721f3285301fe84643b00 |
21-Jul-2014 |
Stephen Hines <srhines@google.com> |
Update Clang for rebase to r212749. This also fixes a small issue with arm_neon.h not being generated always. Includes a cherry-pick of: r213450 - fixes mac-specific header issue r213126 - removes a default -Bsymbolic on Android Change-Id: I2a790a0f5d3b2aab11de596fc3a74e7cbc99081d
nalyzerOptions.cpp
ugReporter.cpp
ugReporterVisitors.cpp
allEvent.cpp
oreEngine.cpp
nvironment.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
6bcf27bb9a4b5c3f79cb44c0e4654a6d7619ad89 |
29-May-2014 |
Stephen Hines <srhines@google.com> |
Update Clang for 3.5 rebase (r209713). Change-Id: I8c9133b0f8f776dc915f270b60f94962e771bc83
nalyzerOptions.cpp
asicValueFactory.cpp
ugReporter.cpp
ugReporterVisitors.cpp
allEvent.cpp
heckerManager.cpp
heckerRegistry.cpp
oreEngine.cpp
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
Vals.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
tore.cpp
ymbolManager.cpp
|
651f13cea278ec967336033dd032faef0e9fc2ec |
24-Apr-2014 |
Stephen Hines <srhines@google.com> |
Updated to Clang 3.5a. Change-Id: I8127eb568f674c2e72635b639a3295381fe8af82
nalyzerOptions.cpp
asicValueFactory.cpp
lockCounter.cpp
ugReporter.cpp
ugReporterVisitors.cpp
MakeLists.txt
allEvent.cpp
hecker.cpp
heckerRegistry.cpp
oreEngine.cpp
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
rettyStackTraceLocationContext.h
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
ValBuilder.cpp
impleConstraintManager.h
impleSValBuilder.cpp
ymbolManager.cpp
|
229d345dd5a73ef6ba75d1d730ecf96e8dc9ecec |
08-Feb-2014 |
Stephen Hines <srhines@google.com> |
Update clang for merge to LLVM 3.4. Update TableGen rules: - AttrExprArgs + AttrIdentifierArg + AttrParsedAttrImpl + AttrTypeArg Update config.h files. Adjust Android.mk for added/removed files: + TransProtectedScope.cpp - DumpXML.cpp + Consumed.cpp + CodeGenABITypes.cpp + SanitizerArgs.cpp + AllocationDiagnostics.cpp - CommonBugCategories.cpp + IdenticalExprChecker.cpp + CommonBugCategories.cpp - SymbolManager.cpp - TextPathDiagnostics.cpp + SymbolManager.cpp Change-Id: I73bea10e7e73e611f678bc5bf9935e26da63be17
ndroid.mk
|
1fab7c3e3bd97a909a80b1bfea1909c6e7347fc0 |
12-Feb-2014 |
Stephen Hines <srhines@google.com> |
Merge remote-tracking branch 'upstream/release_34' into merge-20140211 Conflicts: lib/Basic/Targets.cpp lib/Sema/SemaDeclAttr.cpp Change-Id: I17ca7161f32007272ee82036d237d051847dd02e
|
dd9e9cec6f863afa15dd91b34fbf15c66c678c02 |
09-Dec-2013 |
Bill Wendling <isanbard@gmail.com> |
Merging r196593: ------------------------------------------------------------------------ r196593 | zaks | 2013-12-06 10:56:29 -0800 (Fri, 06 Dec 2013) | 7 lines Revert "[analyzer] Refactor conditional expression evaluating code" This reverts commit r189090. The original patch introduced regressions (see the added live-variables.* tests). The patch depends on the correctness of live variable analyses, which are not computed correctly. I've opened PR18159 to track the proper resolution to this problem. The patch was a stepping block to r189746. This is why part of the patch reverts temporary destructor tests that started crashing. The temporary destructors feature is disabled by default. ------------------------------------------------------------------------ git-svn-id: https://llvm.org/svn/llvm-project/cfe/branches/release_34@196795 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
|
3eb52bb5d791630f926ff2226dae25012315ad9a |
20-Nov-2013 |
Bill Wendling <isanbard@gmail.com> |
Merging r195174: ------------------------------------------------------------------------ r195174 | zaks | 2013-11-19 16:11:42 -0800 (Tue, 19 Nov 2013) | 1 line [analyzer] Fix an infinite recursion in region invalidation by adding block count to the BlockDataRegion. ------------------------------------------------------------------------ git-svn-id: https://llvm.org/svn/llvm-project/cfe/branches/release_34@195228 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
emRegion.cpp
ValBuilder.cpp
|
fda9dbf1f4d15baaedffdd4b4bb529e06172f73d |
15-Nov-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Silence warnings coming from allocators used by std::basic_string. This is similar to r194004: because we can't reason about the data structure invariants of std::basic_string, the analyzer decides it's possible for an allocator to be used to deallocate the string's inline storage. Just ignore this by walking up the stack, skipping past methods in classes with "allocator" in the name, and seeing if we reach std::basic_string that way. PR17866 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194764 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
d0e5f6a39e4fb30b3a217ae91aecc167a94022e6 |
15-Nov-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Include bug column numbers in HTML output (in a comment). This has no effect on user-visible output, but can be used by post-processing tools that work with the generated HTML, rather than using CmpRuns.py's interface to work with plists. Patch by György Orbán! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194763 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
64cc0c37f78719f905029a9099445c214cb40ce3 |
08-Nov-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Specialize "loop executed 0 times" for for-in and for-range loops. The path note that says "Loop body executed 0 times" has been changed to "Loop body skipped when range is empty" for C++11 for-range loops, and to "Loop body skipped when collection is empty" for Objective-C for-in loops. Part of <rdar://problem/14992886> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194234 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
bdc0bf3f84b8771572d8401c66903c56a2e1318e |
04-Nov-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Suppress warnings coming out of std::basic_string. The analyzer cannot reason about the internal invariances of the data structure (radar://15194597). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194004 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
2a648169f9ad854536814515cba1780fd02586d2 |
31-Oct-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash when a path goes through a 'delete' destructor call. This was just left unimplemented from r191381; the fix is to report this call location as the location of the 'delete' expr. PR17746 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@193783 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
8686d857c5461d56852154bafc05644890a0eee0 |
26-Oct-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't emit an "Assuming x is <OP> y" if it's not a comparison op. We could certainly be more precise in many of our diagnostics, but before we were printing "Assuming x is && y", which is just ridiculous. <rdar://problem/15167979> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@193455 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
1dc31f5ead63d7197edf6f34a7821b93ea6698a1 |
23-Oct-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Generate a LazyCompoundVal when loading from a union-typed region. This ensures that variables accessible through a union are invalidated when the union value is passed to a function. We still don't fully handle union values, but this should at least quiet some false positives. PR16596 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@193265 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
d3d0dcfbf784c828c2f07384fd6a3401b0cd4e9e |
16-Oct-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't draw edges to C++11 in-class member initializers. Since these aren't lexically in the constructor, drawing arrows would be a horrible jump across the body of the class. We could still do better here by skipping over unimportant initializers, but this at least keeps everything within the body of the constructor. <rdar://problem/14960554> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@192818 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
31b71f3097a338315a144067dde5b160c4e44fc9 |
07-Oct-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] ArrayRef-ize BugReporter::EmitBasicReport. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@192114 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
edcc199f5861dd8ad1ec3ad1b83512d2a92e515a |
04-Oct-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Replace bug category magic strings with shared constants, take 2. Re-commit r191910 (reverted in r191936) with layering violation fixed, by moving the bug categories to StaticAnalyzerCore instead of ...Checkers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191937 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
MakeLists.txt
ommonBugCategories.cpp
|
9b072b31ee2f41b8e30d1d22142c9ab72ac5ff1f |
28-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make inlining decisions based on the callee being variadic. ...rather than trying to figure it out from the call site, and having people complain that we guessed wrong and that a prototype-less call is the same as a variadic call on their system. More importantly, fix a crash when there's no decl at the call site (though we could have just returned a default value). <rdar://problem/15037033> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191599 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
|
d7c47d94a55a03aeea14d411768e5593f50445da |
27-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Allow pre/post-statement checkers for UnaryOperator. Found by Arthur Yoo. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191532 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
81557223ba8d7ef8b0468a6e1dc8fc79f2de46f2 |
25-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle destructors for the argument to C++ 'delete'. Now that the CFG includes nodes for the destructors in a delete-expression, process them in the analyzer using the same common destructor interface currently used for local, member, and base destructors. Also, check for when the value is known to be null, in which case no destructor is actually run. This does not yet handle destructors for deleted /arrays/, which may need more CFG work. It also causes a slight regression in the location of double delete warnings; the double delete is detected at the destructor call, which is implicit, and so is reported on the first access within the destructor instead of at the 'delete' statement. This will be fixed soon. Patch by Karthik Bhat! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191381 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
xprEngineCXX.cpp
|
eac8c45f0d6528a21e68bf2651c3082d8e44132e |
25-Sep-2013 |
NAKAMURA Takumi <geek4civic@gmail.com> |
StaticAnalyzer/Core/RegionStore.cpp: Prune one last "\param IsConst", as fixup to r191342. [-Wdocumentation] git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191360 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
da8d37ce42d2db4e1e76ee6f7f38f10f6b0ef0f8 |
25-Sep-2013 |
Anton Yartsev <anton.yartsev@gmail.com> |
[analyzer] This patch removes passing around of const-invalidation vs regular-invalidation info by passing around a datastructure that maps regions and symbols to the type of invalidation they experience. This simplifies the code and would allow to associate more different invalidation types in the future. With this patch things like preserving contents of regions (either hi- or low-level ones) or processing of the only top-level region can be implemented easily without passing around extra parameters. This patch is a first step towards adequate modeling of memcpy() by the CStringChecker checker and towards eliminating of majority of false-positives produced by the NewDeleteLeaks checker. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191342 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngine.cpp
emRegion.cpp
rogramState.cpp
egionStore.cpp
|
7c98f9f5c3202a0b11eda7f30b4edd8cb4d1139c |
20-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use getParentIgnoreParenCasts instead of doing it by hand. Apart from being more compact and already implemented, this also handles the case where the parent is null. (It does also ignore all casts, not just implicit ones, but this is more efficient to test and in the case we care about---a message in a PseudoObjectExpr---there should only be implicit casts anyway.) This should fix our internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191094 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
d76cec5567cb5b04cb5cc48a477a0c71b910053c |
18-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't even try to convert floats to booleans for now. We now have symbols with floating-point type to make sure that (double)x == (double)x comes out true, but we still can't do much with these. For now, don't even bother trying to create a floating-point zero value; just give up on conversion to bool. PR14634, C++ edition. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190953 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
414a1bdbdaf250e0488589f12865c8961831b65d |
18-Sep-2013 |
Hal Finkel <hfinkel@anl.gov> |
Add the intrinsic __builtin_convertvector LLVM supports applying conversion instructions to vectors of the same number of elements (fptrunc, fptosi, etc.) but there had been no way for a Clang user to cause such instructions to be generated when using builtin vector types. C-style casting on vectors is already defined in terms of bitcasts, and so cannot be used for these conversions as well (without leading to a very confusing set of semantics). As a result, this adds a __builtin_convertvector intrinsic (patterned after the OpenCL __builtin_astype intrinsic). This is intended to aid the creation of vector intrinsic headers that create generic IR instead of target-dependent intrinsics (in other words, this is a generic _mm_cvtepi32_ps). As noted in the documentation, the action of __builtin_convertvector is defined in terms of the action of a C-style cast on each vector element. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190915 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
de940da033aa46c50c7d07c61f455e7c5053e90a |
17-Sep-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] More reliably detect property accessors. This has a side effect of preventing a crash, which occurs because we get a property getter declaration, which is overriding but is declared inside @protocol. Will file a bug about this inconsistency internally. Getting a small test case is very challenging. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190836 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
c07cad8364e7fb0e8cb0d5181edb7db718271b65 |
13-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Run post-stmt checks for DeclStmt. No tests because no in-tree checkers use this, but that shouldn't stop out-of-tree checkers. Found by Aemon Cannon! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190650 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
d8dfae602d7b2e42b0eef6b1e7779c96833f83c1 |
11-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle zeroing constructors for fields of structs with empty bases. RegionStore tries to protect against accidentally initializing the same region twice, but it doesn't take subregions into account very well. If the outer region being initialized is a struct with an empty base class, the offset of the first field in the struct will be 0. When we initialize the base class, we may invalidate the contents of the struct by providing a default value of Unknown (or some new symbol). We then go to initialize the member with a zeroing constructor, only to find that the region at that offset in the struct already has a value. The best we can do here is to invalidate that value and continue; neither the old default value nor the new 0 is correct for the entire struct after the member constructor call. The correct solution for this is to track region extents in the store. <rdar://problem/14914316> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190530 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
36d558d85653315edb389677e995ec9ccdbfbf3d |
03-Sep-2013 |
Jordan Rose <jordan_rose@apple.com> |
Add an implicit dtor CFG node just before C++ 'delete' expressions. This paves the way for adding support for modeling the destructor of a region before it is deleted. The statement "delete <expr>" now generates this series of CFG elements: 1. <expr> 2. [B1.1]->~Foo() (Implicit destructor) 3. delete [B1.1] Patch by Karthik Bhat! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189828 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
athDiagnostic.cpp
|
95ab9e306f4deefeabd89ea61987f4a8d67e0890 |
02-Sep-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Add very limited support for temporary destructors This is an improved version of r186498. It enables ExprEngine to reason about temporary object destructors. However, these destructor calls are never inlined, since this feature is still broken. Still, this is sufficient to properly handle noreturn temporary destructors. Now, the analyzer correctly handles expressions like "a || A()", and executes the destructor of "A" only on the paths where "a" evaluated to false. Temporary destructor processing is still off by default and one has to explicitly request it by setting cfg-temporary-dtors=true. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1259 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189746 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
bf3d71e85f7449161a414c2ec3410e60394bf38a |
30-Aug-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat the rvalue of a forward-declared struct as Unknown. This will never happen in the analyzed code, but can happen for checkers that over-eagerly dereference pointers without checking that it's safe. UnknownVal is a harmless enough value to get back. Fixes an issue added in r189590, caught by our internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189688 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
3c114f704a882f6923d6107f22aab89ba3d0a6b5 |
29-Aug-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Fix handling of "empty" structs with base classes Summary: RegionStoreManager had an optimization which replaces references to empty structs with UnknownVal. Unfortunately, this check didn't take into account possible field members in base classes. To address this, I changed this test to "is empty and has no base classes". I don't consider it worth the trouble to go through base classes and check if all of them are empty. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1547 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189590 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
3aa6f431897edf5fec32cbede8fcddbfb8fa16f7 |
28-Aug-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add support for testing the presence of weak functions. When casting the address of a FunctionTextRegion to bool, or when adding constraints to such an address, use a stand-in symbol to represent the presence or absence of the function if the function is weakly linked. This is groundwork for possible simple availability testing checks, and can already catch mistakes involving inverted null checks for weakly-linked functions. Currently, the implementation reuses the "extent" symbols, originally created for tracking the size of a malloc region. Since FunctionTextRegions cannot be dereferenced, the extent symbol will never be used for anything else. Still, this probably deserves a refactoring in the future. This patch does not attempt to support testing the presence of weak /variables/ (global variables), which would likely require much more of a change and a generalization of "region structure metadata", like the current "extents", vs. "region contents metadata", like CStringChecker's "string length". Patch by Richard <tarka.t.otter@googlemail.com>! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189492 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleConstraintManager.cpp
impleConstraintManager.h
impleSValBuilder.cpp
ymbolManager.cpp
|
f18bfd44c4fe4ab28c44eecb7aeed618bcf8f627 |
28-Aug-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Assume new returns non-null even under -fno-exceptions Summary: -fno-exceptions does not implicitly attach a nothrow specifier to every operator new. Even in this mode, non-nothrow new must not return a null pointer. Failure to allocate memory can be signalled by other means, or just by killing the program. This behaviour is consistent with the compiler - even with -fno-exceptions, the generated code never tests for null (and would segfault if the operator actually happened to return null). Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1528 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189452 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
344472ebeded2fca2ed5013b9e87f81d09bfa908 |
23-Aug-2013 |
Robert Wilhelm <robert.wilhelm@gmx.net> |
Use pop_back_val() instead of both back() and pop_back(). No functionality change intended. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189112 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
athDiagnostic.cpp
listDiagnostics.cpp
ymbolManager.cpp
|
6a556a42d48cc098fb8dcb5d4ecdd0e03e32c0ec |
23-Aug-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Refactor conditional expression evaluating code Summary: Instead of digging through the ExplodedGraph, to figure out which edge brought us here, I compute the value of conditional expression by looking at the sub-expression values. To do this, I needed to change the liveness algorithm a bit -- now, the full conditional expression also depends on all atomic sub-expressions, not only the outermost ones. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1340 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189090 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
|
24146975f1af8c1b4b14e8545f218129d0e7dfeb |
22-Aug-2013 |
Eli Friedman <eli.friedman@gmail.com> |
Split isFromMainFile into two functions. Basically, isInMainFile considers line markers, and isWrittenInMainFile doesn't. Distinguishing between the two is useful when dealing with files which are preprocessed files or rewritten with -frewrite-includes (so we don't, for example, print useless warnings). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188968 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
allEvent.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
|
d207f55cd58054aab77edca35b3e7f645738dfe2 |
19-Aug-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Fix inefficiency in dead symbol removal Summary: ScanReachableSymbols uses a "visited" set to avoid scanning the same object twice. However, it did not use the optimization for LazyCompoundVal objects, which resulted in exponential complexity for long chains of temporary objects. Adding this resulted in a decrease of analysis time from >3h to 3 seconds for some files. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1398 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188677 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
e9a906b99286b44dcf5eb896f17df74d588e4ce9 |
16-Aug-2013 |
Benjamin Kramer <benny.kra@googlemail.com> |
Replace some DenseMap keys with simpler structures that don't need another DenseMapInfo specialization. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188580 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
|
5fba5a789a238c29ef811a39a39be722443ec1b1 |
16-Aug-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Merge TextPathDiagnostics and ClangDiagPathDiagConsumer. This once again restores notes to following their associated warnings in -analyzer-output=text mode. (This is still only intended for use as a debugging aid.) One twist is that the warning locations in "regular" analysis output modes (plist, multi-file-plist, html, and plist-html) are reported at a different location on the command line than in the output file, since the command line has no path context. This commit makes -analyzer-output=text behave like a normal output format, which means that the *command line output will be different* in -analyzer-text mode. Again, since -analyzer-text is a debugging aid and lo-fi stand-in for a regular output mode, this change makes sense. Along the way, remove a few pieces of stale code related to the path diagnostic consumers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188514 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
listDiagnostics.cpp
extPathDiagnostics.cpp
|
6ebe9df900b79fd56a4db03b4f8aa6a180307a9d |
09-Aug-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Enable usage of temporaries in InitListExprs Summary: ExprEngine had code which specifically disabled using CXXTempObjectRegions in InitListExprs. This was a hack put in r168757 to silence a false positive. The underlying problem seems to have been fixed in the mean time, as removing this code doesn't seem to break anything. Therefore I propose to remove it and solve PR16629 in the process. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1325 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188059 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
4ac73c7514f9e836b4d9781738f333c5cb91cb63 |
08-Aug-2013 |
Stephen Hines <srhines@google.com> |
Merge commit '51e75aecf4fb303b91c9e54fd88e3509e5acc7a6' into merge-20130807 Conflicts: lib/Basic/Targets.cpp lib/Sema/SemaDeclAttr.cpp Change-Id: If457223ecbee9e43c73d15333bf10d36590d05c4
|
edc45d5a91f83d1135bc218f3c377e347ab0251f |
05-Aug-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Clarify that r187624 is a hack and should be fixed better later. Tracked by <rdar://problem/14648821>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187729 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
cd007b18ba218925923a82ad4462fecf903f4a93 |
02-Aug-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Silently drop all reports within synthesized bodies. Much of our diagnostic machinery is set up to assume that the report end path location is valid. Moreover, the user may be quite confused when something goes wrong in our BodyFarm-synthesized function bodies, which may be simplified or modified from the real implementations. Rather than try to make this all work somehow, just drop the report so that we don't try to go on with an invalid source location. Note that we still handle reports whose /paths/ go through invalid locations, just not those that are reported in one. We do have to be careful not to lose warnings because of this. The impetus for this change was an autorelease being processed within the synthesized body, and there may be other possible issues that are worth reporting in some way. We'll take these as they come, however. <rdar://problem/14611722> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187624 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b6d0f4c8dd162b019681b60d06f7ad33500f4146 |
27-Jul-2013 |
Aaron Ballman <aaron@aaronballman.com> |
Using the function pointer instead of the function type; this allows us to re-enable a warning in MSVC by default. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187292 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
76b5dd48c9dbf2ed3e5830060ea55b81b7d1cca0 |
26-Jul-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Fix FP warnings when binding a temporary to a local static variable Summary: When binding a temporary object to a static local variable, the analyzer would complain about a dangling reference even though the temporary's lifetime should be extended past the end of the function. This commit tries to detect these cases and construct them in a global memory region instead of a local one. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1133 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187196 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
emRegion.cpp
|
b2c405eb22b2b4844ded1f865675329c2d9793ed |
26-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove dead optimization for MaterializeTemporaryExpr. Previously, we tried to avoid creating new temporary object regions if the value to be materialized itself came from a temporary object region. However, once we became more strict about lvalues vs. rvalues (months ago), this optimization became dead code, because the input to this function will always be an rvalue (i.e. a symbolic value or compound value rather than a region, at least for structs). This would be a nice optimization to keep, but removing it makes it simpler to reason about temporary regions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187160 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
0aaa57d19c23165d5e422c706084799d97eabe97 |
25-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Weaken assertion to account for pointer-to-integer casts. PR16690 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187132 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
fee16225a103ee1459af4f3ecb89fa2804e81ac3 |
23-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Enable pseudo-destructor expressions. These are cases where a scalar type is "destructed", usually due to template instantiation (e.g. "obj.~T()", where 'T' is 'int'). This has no actual effect and the analyzer should just skip over it. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186927 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
9815ec0a00fe04db92e51a4160fc905f6cd48f30 |
23-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Add very limited support for temporary destructors" The analyzer doesn't currently expect CFG blocks with terminators to be empty, but this can happen when generating conditional destructors for a complex logical expression, such as (a && (b || Temp{})). Moreover, the branch conditions for these expressions are not persisted in the state. Even for handling noreturn destructors this needs more work. This reverts r186498. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186925 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
4fa7eab771ab8212e1058bd1a91061ff120c8fbb |
19-Jul-2013 |
Alexey Bataev <a.bataev@hotmail.com> |
OpenMP: basic support for #pragma omp parallel git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186647 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
ac7cc2d37e82181e73fcc265c1d0a619d18b7605 |
19-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Include analysis stack in crash traces. Sample output: 0. Program arguments: ... 1. <eof> parser at end of file 2. While analyzing stack: #0 void inlined() #1 void test() 3. crash-trace.c:6:3: Error evaluating statement git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186639 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
rettyStackTraceLocationContext.h
|
bccda13aa3fc2a4c674a8c0a7003a7e6b1ff17b0 |
17-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle C++11 member initializer expressions. Previously, we would simply abort the path when we saw a default member initialization; now, we actually attempt to evaluate it. Like default arguments, the contents of these expressions are not actually part of the current function, so we fall back to constant evaluation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186521 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
df70700f5aa5744d7f70fb3e6610ff434f643a71 |
17-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle C string default values for const char * arguments. Previously, SValBuilder knew how to evaluate StringLiterals, but couldn't handle an array-to-pointer decay for constant values. Additionally, RegionStore was being too strict about loading from an array, refusing to return a 'char' value from a 'const char' array. Both of these have been fixed. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186520 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ValBuilder.cpp
|
be2e1b11e3350e3a6e632c71beaab83aae3824d2 |
17-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat std::initializer_list as opaque rather than aborting. Previously, the use of a std::initializer_list (actually, a CXXStdInitializerListExpr) would cause the analyzer to give up on the rest of the path. Now, it just uses an opaque symbolic value for the initializer_list and continues on. At some point in the future we can add proper support for initializer_list, with access to the elements in the InitListExpr. <rdar://problem/14340207> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186519 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
046e79a425bfa82b480b8a07ce11d96391fa0a9b |
17-Jul-2013 |
Pavel Labath <labath@google.com> |
[analyzer] Add very limited support for temporary destructors Summary: This patch enables ExprEngine to reason about temporary object destructors. However, these destructor calls are never inlined, since this feature is still broken. Still, this is sufficient to properly handle noreturn temporary destructors and close bug #15599. I have also enabled the cfg-temporary-dtors analyzer option by default. Reviewers: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1131 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186498 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
0a9350f2411926f4faaeb2ce7d7a9bc1f27751e9 |
16-Jul-2013 |
Craig Topper <craig.topper@gmail.com> |
Fix formatting. No functional change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186437 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
6afc66dc25f9b28d129f8bc842d43af0b0c71196 |
16-Jul-2013 |
Craig Topper <craig.topper@gmail.com> |
Add 'const' qualifiers to static const char* variables. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186383 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8f6134c308951a72642eebb65a44408ea1e237a8 |
10-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove bogus assert: in C++11, 'new' can do list-initialization. Previously, we asserted that whenever 'new' did not include a constructor call, the type must be a non-record type. In C++11, however, uniform initialization syntax (braces) allows 'new' to construct records with list-initialization: "new Point{1, 2}". Removing this assertion should be perfectly safe; the code here matches what VisitDeclStmt does for regions allocated on the stack. <rdar://problem/14403437> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@186028 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
e600d4be7d01661ab7601f9ef9c4d3236c377385 |
09-Jul-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fixup for r185609: actually do suppress warnings coming out of std::list. list is the name of a class, not a namespace. Change the test as well - the previous version did not test properly. Fixes radar://14317928. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185898 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
70e7aeccbf5856a84f81366c6c1a0c0c01e70063 |
05-Jul-2013 |
Rafael Espindola <rafael.espindola@gmail.com> |
Use llvm::sys::fs::createUniqueFile. Include a test that clang now produces output files with permissions matching the umask. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185727 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
38d7c34f75eed2089802e209fb29bc2dfbf1b7a7 |
05-Jul-2013 |
Rafael Espindola <rafael.espindola@gmail.com> |
Fix PR16547. We should not be asking unique_file to prepend the system temporary directory when creating the html report. Unfortunately I don't think we can test this with the current infrastructure since unique_file ignores MakeAbsolute if the directory is already absolute and the paths provided by lit are. I will take a quick look at making this api a bit less error prone. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185707 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
09d19efaa147762f84aed55efa7930bb3616a4e5 |
04-Jul-2013 |
Craig Topper <craig.topper@gmail.com> |
Use SmallVectorImpl instead of SmallVector for iterators and references to avoid specifying the vector size unnecessarily. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185610 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8b625a3f7764959d0a2ac3cd860ce1e168e0fc9b |
04-Jul-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Suppress reports reported in std::list The motivation is to suppress false use-after-free reports that occur when calling std::list::pop_front() or std::list::pop_back() twice. The analyzer does not reason about the internal invariants of the list implementation, so just do not report any warnings in std::list. Fixes radar://14317928. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185609 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
7f79b78351af03a392ee16d8ec557d47746c33c6 |
04-Jul-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Make sure that inlined defensive checks work on div by zero. This suppresses a false positive in std::hash_map. Fixes radar://14255587. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185608 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
330231537010ab1d77affcbcaffd4bbe358b4cfa |
02-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Pointers-to-members are (currently) Locs, not NonLocs. While we don't model pointers-to-members besides "null" and "non-null", we were using Loc symbols for valid pointers and NonLoc integers for the null case. This hit the assert committed in r185401. Fixed by using a true (Loc) null for null member pointers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185444 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
ed2e2de580f840385f25a188ed48d2a14948af76 |
02-Jul-2013 |
Pavel Labath <labath@google.com> |
Teach static analyzer about AttributedStmts Summary: Static analyzer used to abort when encountering AttributedStmts, because it asserted that the statements should not appear in the CFG. This is however not the case, since at least the clang::fallthrough annotation makes it through. This commit simply makes the analyzer ignore the statement attributes. CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1030 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185417 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
f4af9d37510320f5d9b415020440926528900eef |
02-Jul-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Explicitly disallow mixed Loc-NonLoc comparisons. The one bit of code that was using this is gone, and neither C nor C++ actually allows this. Add an assertion and remove dead code. Found by Matthew Dempsky! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185401 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
be35df19cf9540c03048942ecafc6811643073ec |
25-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle zeroing CXXConstructExprs. Re-apply r184511, reverted in r184561, with the trivial default constructor fast path removed -- it turned out not to be necessary here. Certain expressions can cause a constructor invocation to zero-initialize its object even if the constructor itself does no initialization. The analyzer now handles that before evaluating the call to the constructor, using the same "default binding" mechanism that calloc() uses, rather than simply ignoring the zero-initialization flag. <rdar://problem/14212563> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184815 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
1fc9111d85c3929018cd5c85dd14f3dbb5d23d68 |
25-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't initialize virtual base classes more than once. In order to make sure virtual base classes are always initialized once, the AST contains initializers for the base class in /all/ of its descendents, not just the immediate descendents. However, at runtime, the most-derived object is responsible for initializing all the virtual base classes; all the other initializers will be ignored. The analyzer now checks to see if it's being called from another base constructor, and if so does not perform virtual base initialization. <rdar://problem/14236851> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184814 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
053c88bd93e6b2f4e498fd835155f955127d3489 |
21-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Handle zeroing CXXConstructExprs." Per review from Anna, this really should have been two commits, and besides it's causing problems on our internal buildbot. Reverting until these have been worked out. This reverts r184511 / 98123284826bb4ce422775563ff1a01580ec5766. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184561 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
98123284826bb4ce422775563ff1a01580ec5766 |
21-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle zeroing CXXConstructExprs. Certain expressions can cause a constructor invocation to zero-initialize its object even if the constructor itself does no initialization. The analyzer now handles that before evaluating the call to the constructor, using the same "default binding" mechanism that calloc() uses, rather than simply ignoring the zero-initialization flag. As a bonus, trivial default constructors are now no longer inlined; they are instead processed explicitly by ExprEngine. This has a (positive) effect on the generated path edges: they no longer stop at a default constructor call unless there's a user-provided implementation. <rdar://problem/14212563> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184511 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
9122025df6682a29ba4bdfc4330d2caebb8ea4de |
20-Jun-2013 |
Pavel Labath <labath@google.com> |
Fix static analyzer crash when casting from an incomplete type Summary: When doing a reinterpret+dynamic cast from an incomplete type, the analyzer would crash (bug #16308). This fix makes the dynamic cast evaluator ignore incomplete types, as they can never be used in a dynamic_cast. Also adding a regression test. CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D1006 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184403 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
|
37926da411d5a0047240b3ffd4dad0c4838aac57 |
19-Jun-2013 |
Pavel Labath <labath@google.com> |
Fix a crash in the static analyzer (bug #16307) Summary: When processing a call to a function, which got passed fewer arguments than it expects, the analyzer would crash. I've also added a test for that and an analyzer warning which detects these cases. CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D994 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184288 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
bd34520a8c4fe689cca8afaa8114e50bd6bad8f8 |
19-Jun-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not create a CompoundVal for lvalue InitListExprs. These should be treated like scalars. This fixes a crash reported in radar://14164698. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184257 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
cff15128c6c089bd6fae841b80680e6f5afbf0bf |
17-Jun-2013 |
Reid Kleckner <reid@kleckner.net> |
[AST] Don't include RecursiveASTVisitor.h in ASTContext.h The untemplated implementation of getParents() doesn't need to be in a header file. RecursiveASTVisitor.h is full of repeated macro expansion. Moving this include to ASTContext.cpp speeds up compilation of LambdaMangleContext.cpp, a small C++ file with few includes, from 3.7s to 2.8s for me locally. I haven't measured a full build, but it can't hurt. I had to fix a few static analyzer files that were depending on transitive includes of C++ AST headers. Reviewers: rsmith, klimek Differential Revision: http://llvm-reviews.chandlerc.com/D982 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184075 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
7c3e615f01e8f9f587315800fdaf2305ed824568 |
13-Jun-2013 |
Richard Smith <richard-llvm@metafoo.co.uk> |
PR12086, PR15117 Introduce CXXStdInitializerListExpr node, representing the implicit construction of a std::initializer_list<T> object from its underlying array. The AST representation of such an expression goes from an InitListExpr with a flag set, to a CXXStdInitializerListExpr containing a MaterializeTemporaryExpr containing an InitListExpr (possibly wrapped in a CXXBindTemporaryExpr). This more detailed representation has several advantages, the most important of which is that the new MaterializeTemporaryExpr allows us to directly model lifetime extension of the underlying temporary array. Using that, this patch *drastically* simplifies the IR generation of this construct, provides IR generation support for nested global initializer_list objects, fixes several bugs where the destructors for the underlying array would accidentally not get invoked, and provides constant expression evaluation support for std::initializer_list objects. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183872 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
2049840b0ffe8ee4bf39051cfa8ca08440c8f667 |
12-Jun-2013 |
Stephen Hines <srhines@google.com> |
Merge commit '1342a4ef62dd7b839c6f09348b246a4f00282f29' into merge_20130612
|
1342a4ef62dd7b839c6f09348b246a4f00282f29 |
12-Jun-2013 |
Benjamin Kramer <benny.kra@googlemail.com> |
Port HTMLDiagnostics to PathV2. No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183849 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
34392373fe25e943586de0fdbe37b806c3f7ff70 |
11-Jun-2013 |
Rafael Espindola <rafael.espindola@gmail.com> |
Include PathV1.h in files that use it. This is preparation for replacing Path.h with PathV2.h. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183781 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
a3f5a5afefca7653349a88472d5ce01ba7226e27 |
08-Jun-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer; alternate edges] Fix the edge locations in presence of macros. We drew the diagnostic edges to wrong statements in cases the note was on a macro. The fix is simple, but seems to work just fine for a whole bunch of test cases (plist-macros.cpp). Also, removes an unnecessary edge in edges-new.mm, when function signature starts with a macro. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183599 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
57c8736e7dce5e63b4e1665d2c4fcf6e6ef959d0 |
07-Jun-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan’s code review for r183451 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183455 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
6838710779a23ea5dfdb5764ad7b7a7451b00bf8 |
07-Jun-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Ensure that pieces with invalid locations always get removed from the BugReport The function in which we were doing it used to be conditionalized. Add a new unconditional cleanup step. This fixes PR16227 (radar://14073870) - a crash when generating html output for one of the test files. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183451 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
5955c37230046e8c297f5afb9f91b7c8c1e18446 |
07-Jun-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] fixup the comment git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183450 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
49a246f4fad959888bb0164c624c3c2b03078e91 |
06-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Simplify edges in a C++11 for-range loop. Previously our edges were completely broken here; now, the final result is a very simple set of edges in most cases: one up to the "for" keyword for context, and one into the body of the loop. This matches the behavior for ObjC for-in loops. In the AST, however, CXXForRangeStmts are handled very differently from ObjCForCollectionStmts. Since they are specified in terms of equivalent statements in the C++ standard, we actually have implicit AST nodes for all of the semantic statements. This makes evaluation very easy, but diagnostic locations a bit trickier. Fortunately, the problem can be generally defined away by marking all of the implicit statements as part of the top-level for-range statement. One of the implicit statements in a for-range statement is the declaration of implicit iterators __begin and __end. The CFG synthesizes two separate DeclStmts to match each of these decls, but until now these synthetic DeclStmts weren't in the function's ParentMap. Now, the CFG keeps track of its synthetic statements, and the AnalysisDeclContext will make sure to add them to the ParentMap. <rdar://problem/14038483> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183449 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
632182d0e2011a6e21cf9abe34eef5a1f037e7ef |
06-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Improve debug output for PathDiagnosticPieces. You can now dump a single PathDiagnosticPiece or PathDiagnosticLocation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183367 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
73b417f363a67439b30b3167ef8d9fb32e37191b |
06-Jun-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a crash that occurs when processing an rvalue array. When processing ArrayToPointerDecay, we expect the array to be a location, not a LazyCompoundVal. Special case the rvalue arrays by using a location to represent them. This case is handled similarly elsewhere in the code. Fixes PR16206. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183359 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
1089a57a88051f84aca66f3d8c92bda32a3a5c49 |
06-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Don't crash if the top-level entry edge is missing. We previously asserted that there was a top-level function entry edge, but if the function decl's location is invalid (or within a macro) this edge might not exist. Change the assertion to an actual check, and don't drop the first path piece if it doesn't match. <rdar://problem/14070304> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183358 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
574c7cf6d0c8e8f8ecda360ae271d5391c404534 |
06-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Ignore self-edges, not all edges with the same location. The edge optimizer needs to see edges for, say, implicit casts (which have the same source location as their operand) to uniformly simplify the entire path. However, we still don't want to produce edges from a statement to /itself/, which could occur when two nodes in a row have the same statement location. This necessitated moving the check for redundant notes to after edge optimization, since the check relies on notes being adjacent in the path. <rdar://problem/14061675> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183357 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
048eeea6852043990c87e52938b53b5337bd098e |
04-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Enable the new edge algorithm by default. ...but don't yet migrate over the existing plist tests. Some of these would be trivial to migrate; others could use a bit of inspection first. In any case, though, the new edge algorithm seems to have proven itself, and we'd like more coverage (and more usage) of it going forwards. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183165 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
e624524705ab660eb8d1feb9870ef2989fb2bdf4 |
04-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Omit subexpression back-edges that span multiple lines. A.1 -> A -> B becomes A.1 -> B This only applies if there's an edge from a subexpression to its parent expression, and that is immediately followed by another edge from the parent expression to a subsequent expression. Normally this is useful for bringing the edges back to the left side of the code, but when the subexpression is on a different line the backedge ends up looking strange, and may even obscure code. In these cases, it's better to just continue to the next top-level statement. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183164 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
22b0ad2d2a9c723bcdc94525a091fdbfbaa480fa |
04-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Don't eliminate subexpr edge cycles if the line is long. Specifically, if the line is over 80 characters, or if the top-level statement spans multiple lines, we should preserve sub-expression edges even if they form a simple cycle as described in the last commit, because it's harder to infer what's going on than it is for shorter lines. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183163 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
3b5977e690b3d4476938a548bbd6f66c4a4a6dcd |
04-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Eliminate "cycle edges" for a single subexpression. Generating context arrows can result in quite a few arrows surrounding a relatively simple expression, often containing only a single path note. | 1 +--2---+ v/ v auto m = new m // 3 (the path note) |\ | 5 +--4---+ v Note also that 5 and 1 are two ends of the "same" arrow, i.e. they go from event to event. 3 is not an arrow but the path note itself. Now, if we see a pair of edges like 2 and 4---where 4 is the reverse of 2 and there is optionally a single path note between them---we will eliminate /both/ edges. Anything more complicated will be left as is (more edges involved, an inlined call, etc). The next commit will refine this to preserve the arrows in a larger expression, so that we don't lose all context. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183162 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
9d9b494aa36ceeb823c48acf04d2d7677174be88 |
04-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Improve enclosing contexts for logical expressions. The old edge builder didn't have a notion of nested statement contexts, so there was no special treatment of a logical operator inside an if (or inside another logical operator). The new edge builder always tries to establish the full context up to the top-level statement, so it's important to know how much context has been established already rather than just checking the innermost context. This restores some of the old behavior for the old edge generation: the context of a logical operator's non-controlling expression is the subexpression in the old edge algorithm, but the entire operator expression in the new algorithm. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183160 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
96f1061fbe59faff5b266a3a04061cefcfe03e2f |
04-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Include context for edges to sub-expressions. The current edge-generation algorithm sometimes creates edges from a top-level statement A to a sub-expression B.1 that's not at the start of B. This creates a "swoosh" effect where the arrow is drawn on top of the text at the start of B. In these cases, the results are clearer if we see an edge from A to B, then another one from B to B.1. Admittedly, this does create a /lot/ of arrows, some of which merely hop into a subexpression and then out again for a single note. The next commit will eliminate these if the subexpression is simple enough. This updates and reuses some of the infrastructure from the old edge- generation algorithm to find the "enclosing statement" context for a given expression. One change in particular marks the context of the LHS or RHS of a logical binary operator (&&, ||) as the entire operator expression, rather than the subexpression itself. This matches our behavior for ?:, and allows us to handle nested context information. <rdar://problem/13902816> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183159 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
01f1ff79f70b3e042995a43b29ccbf0fffc77d5f |
04-Jun-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Include a top-level function entry edge while optimizing. Although we don't want to show a function entry edge for a top-level path, having it makes optimizing edges a little more uniform. This does not affect any edges now, but will affect context edge generation (next commit). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183158 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
f94cb007d03031bcf3d1b02f6a683a189e934953 |
31-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; new edges] add simplifySimpleBranches() to reduce edges for branches. In many cases, the edge from the "if" to the condition, followed by an edge from the branch condition to the target code, is uninteresting. In such cases, we should fold the two edges into one from the "if" to the target. This also applies to loops. Implements <rdar://problem/14034763>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183018 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
042ca3de1e8d723cb73ee4d9984509e4489a6bb7 |
31-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; new edges] in splitBranchConditionEdges() do not check that predecessor edge has source in the same lexical scope as the target branch. Fixes <rdar://problem/14031292>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182987 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
34d1a0a1522c7bcc7bf431f5b9a92cde3f2315fd |
31-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate arrows] Rename 'adjustBranchEdges' to 'splitBranchConditionEdges'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182986 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
904fd08edbedeb18b16875dd54b3f1edb049e9b9 |
30-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer; alternate edges] don't add an edge incoming from the start of a function" ...and make this work correctly in the current codebase. After living on this for a while, it turns out to look very strange for inlined functions that have only a single statement, and somewhat strange for inlined functions in general (since they are still conceptually in the middle of the path, and there is a function-entry path note). It's worth noting that this only affects inlined functions; in the new arrow generation algorithm, the top-level function still starts at the first real statement in the function body, not the enclosing CompoundStmt. This reverts r182078 / dbfa950abe0e55b173286a306ee620eff5f72ea. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182963 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b347c76054a0a4b8e6d1fce44314f6daf3294c69 |
30-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash if a block's signature just has the return type. It is okay to declare a block without an argument list: ^ {} or ^void {}. In these cases, the BlockDecl's signature-as-written will just contain the return type, rather than the entire function type. It is unclear if this is intentional, but the analyzer shouldn't crash because of it. <rdar://problem/14018351> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182948 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
3e8a85fcfc3d264e4c5b21fbdd741bbc0c24a266 |
30-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] In for(;;), use the ForStmt itself for loop notes. Most loop notes (like "entering loop body") are attached to the condition expression guarding a loop or its equivalent. For loops may not have a condition expression, though. Rather than crashing, just use the entire ForStmt as the location. This is probably the best we can do. <rdar://problem/14016063> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182904 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
1acb394679b6e644044a0f6c358229759009b1a6 |
29-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Accept references to variables declared "extern void" (C only). In C, 'void' is treated like any other incomplete type, and though it is never completed, you can cast the address of a void-typed variable to do something useful. (In C++ it's illegal to declare a variable with void type.) Previously we asserted on this code; now we just treat it like any other incomplete type. And speaking of incomplete types, we don't know their extent. Actually check that in TypedValueRegion::getExtent, though that's not being used by any checkers that are on by default. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182880 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
emRegion.cpp
|
7f1fd2f182717d5ce6cde60398128910c90f98be |
29-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Use the expression’s type instead of region’s type in ArrayToPointer decay evaluation This gives slightly better precision, specifically, in cases where a non-typed region represents the array or when the type is a non-array type, which can happen when an array is a result of a reinterpret_cast. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182810 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ValBuilder.cpp
|
3056439bb175db8c46b89fb4385de8b3a8e42d0d |
29-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Re-enable reasoning about CK_LValueBitCast It’s important for us to reason about the cast as it is used in std::addressof. The reason we did not handle the cast previously was a crash on a test case (see commit r157478). The crash was in processing array to pointer decay when the region type was not an array. Address the issue, by just returning an unknown in that case. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182808 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
egionStore.cpp
|
4e9179a3d0ec612a4d540281020b200254348a6b |
28-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Use a more generic MemRegion.getAsOffset to evaluate bin operators on MemRegions In addition to enabling more code reuse, this suppresses some false positives by allowing us to compare an element region to its base. See the ptr-arith.cpp test cases for an example. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182780 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
d474da062565596015558856333423199aed5eb1 |
24-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat analyzer-synthesized function bodies like implicit bodies. When generating path notes, implicit function bodies are shown at the call site, so that, say, copying a POD type in C++ doesn't jump you to a header file. This is especially important when the synthesized function itself calls another function (or block), in which case we should try to jump the user around as little as possible. By checking whether a called function has a body in the AST, we can tell if the analyzer synthesized the body, and if we should therefore collapse the call down to the call site like a true implicitly-defined function. <rdar://problem/13978414> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182677 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
|
5a6fb20841220488f8be7254fbea8ba7233ebcd3 |
24-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer; new edges] Properly set location after exiting an inlined call. The new edge algorithm would keep track of the previous location in each location context, so that it could draw arrows coming in and out of each inlined call. However, it tried to access the location of the call before it was actually set (at the CallEnter node). This only affected unterminated calls at the end of a path; calls with visible exit nodes already had a valid location. This patch ditches the location context map, since we're processing the nodes in order anyway, and just unconditionally updates the PrevLoc variable after popping out of an inlined call. <rdar://problem/13983470> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182676 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b1a4d37c0549501fe12907bc6ffa81bc5d04b98a |
23-May-2013 |
Benjamin Kramer <benny.kra@googlemail.com> |
Make helper functions static. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182589 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
0fa3504acfc7c20a87973c58ad3474adc94dd97d |
23-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate edges] fix type that was causing the wrong path piece to get removed. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182562 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
34bd3331b5ed34cc9027ee00e1aaabfecff8f742 |
22-May-2013 |
Pete Cooper <peter_cooper@apple.com> |
Insert explicit casts to try to appease overload resolution in the buildbots git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182514 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
13feb9201e3a44d5e6159c67914c76d583a12769 |
22-May-2013 |
Ted Kremenek <kremenek@apple.com> |
Use scope-resolution operator to hopefully unbreak Windows builds. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182509 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
a705980a7c3315b7c72d99ce675342ad91b50642 |
22-May-2013 |
Ted Kremenek <kremenek@apple.com> |
Simplify code using return value of erase(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182506 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
1d85a9e8fb4e6ac513467b5fa825bd53e6fcba56 |
22-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] remove redundant adjacent "events" with the same text. Fixes <rdar://problem/13949982> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182505 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
de7bc0d997cc69bd5c337ab82665c2f7ed989138 |
22-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate edges] remove puny edges on the same line that span less than 3 columns. These are legitimate control-flow edges, but visually they add no value. Implements <rdar://problem/13941325>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182502 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
ddf6e840ca0678c305d5d1c493a66d4cda554e5e |
22-May-2013 |
Ted Kremenek <kremenek@apple.com> |
Remove unnecessary assignment. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182501 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
eb41640fb417e25eb3218c2662a0dd512cdab04a |
22-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash if a block doesn't have a type signature. Currently, blocks instantiated in templates lose their "signature as written"; it's not clear if this is intentional. Change the analyzer's use of BlockDecl::getSignatureAsWritten to check whether or not the signature is actually there. <rdar://problem/13954714> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182497 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
emRegion.cpp
|
61dfd6f160f7501e140704990db9c449d29f8649 |
22-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not assert on reports ending in calls within macros. The crash is triggered by the newly added option (-analyzer-config report-in-main-source-file=true) introduced in r182058. Note, ideally, we’d like to report the issue within the main source file here as well. For now, just do not crash. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182445 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
52f926cc32e4f4969f767e98d98f0137358d5f12 |
21-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate edges] prune out extra edges to a subexpression where we dive-in and out of a subexpression. Fixes <rdar://problem/13941891>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182426 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
a327bb12b1cd0c142eb06e30b4f6018b96d5babf |
21-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternated edges] look through expressions just like Environment does. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182425 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
e86ee1a213d244bb66b7eef3e9ab2266908cf4af |
21-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] optimize edges for ObjC fast enumeration loops. Fixes <rdar://problem/13942300>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182342 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
6d0da608c144eb57b7dd22f71b363191a4a1b2c0 |
18-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] New edges: include an edge to the end-of-path location. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182188 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
d1913d89e2ff3b38bb6293833cfd9d8ead76348e |
18-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add a debug dump for PathPieces, a list of PathDiagnosticPieces. Originally implemented by Ted, extended by me. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182186 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
bb518991ce4298d8662235fc8cb13813f011c18d |
18-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer; alternate edges] improve support for edges with PseudoObjectExprs." Ted and I spent a long time discussing this today and found out that neither the existing code nor the new code was doing what either of us thought it was, which is never good. The good news is we found a much simpler way to fix the motivating test case (an ObjCSubscriptExpr). This reverts r182083, but pieces of it will come back in subsequent commits. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182185 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
5a8e1ad062420ef74707bf093889403d07664b17 |
17-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan's review comments for r182058 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182156 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
listDiagnostics.cpp
|
e9aae62e8bca3abfc1dc36f67845444291171e13 |
17-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] improve support for edges with PseudoObjectExprs. This optimizes some spurious edges resulting from PseudoObjectExprs. This required far more changes than I anticipated. The current ParentMap does not record any hierarchy information between a PseudoObjectExpr and its *semantic* expressions that may be wrapped in OpaqueValueExprs, which are the expressions actually laid out in the CFG. This means the arrow pruning logic could not map from an expression to its containing PseudoObjectExprs. To solve this, this patch adds a variant of ParentMap that returns the "semantic" parentage of expressions (essentially as they are viewed by the CFG). This alternate ParentMap is then used by the arrow reducing logic to identify edges into pseudo object expressions, and then eliminate them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182083 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
a40983460cc3f8f583cd968ac2e4647dc30c83f5 |
17-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] treat 'if' statements the same way we do as 'for' or 'while'. This means adding an extra edge from the 'if' to the condition, which aesthetically looks more pleasing. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182079 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
dbfa950abe0e55b173286a306ee620eff5f72ea8 |
17-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] don't add an edge incoming from the start of a function for a nested call. This matches what we do with the first stack frame. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182078 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
50fa64d4411a42e0b4f373a84d8d4f5cbf339ea3 |
17-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't inline ~shared_ptr. The analyzer can't see the reference count for shared_ptr, so it doesn't know whether a given destruction is going to delete the referenced object. This leads to spurious leak and use-after-free warnings. For now, just ban destructors named '~shared_ptr', which catches std::shared_ptr, std::tr1::shared_ptr, and boost::shared_ptr. PR15987 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182071 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
d95b70175646829c26344d5f0bda1ec3009f2a5b |
17-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add an option to use the last location in the main source file as the report location. Previously, we’ve used the last location of the analyzer issue path as the location of the report. This might not provide the best user experience, when one analyzes a source file and the issue appears in the header. Introduce an option to use the last location of the path that is in the main source file as the report location. New option can be enabled with -analyzer-config report-in-main-source-file=true. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182058 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
17828ca5857d5d9cadfffd339f888de58182c8f1 |
14-May-2013 |
David Blaikie <dblaikie@gmail.com> |
Provide operator<< for stream output of DeclarationNames ASTDumper was already trying to do this & instead got an implicit bool conversion by surprise (thus printing out 0 or 1 instead of the name of the declaration). To avoid that issue & simplify call sites, simply make it the normal/expected operator<<(raw_ostream&, ...) overload & simplify all the existing call sites. (bonus: this function doesn't need to be a member or friend, it's just using public API in DeclarationName) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181832 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
181e3ecc0907ae0103586a9f4db52241995a8267 |
13-May-2013 |
Rafael Espindola <rafael.espindola@gmail.com> |
Cleanup handling of UniqueExternalLinkage. This patch renames getLinkage to getLinkageInternal. Only code that needs to handle UniqueExternalLinkage specially should call this. Linkage, as defined in the c++ standard, is provided by getFormalLinkage. It maps UniqueExternalLinkage to ExternalLinkage. Most places in the compiler actually want isExternallyVisible, which handles UniqueExternalLinkage as internal. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181677 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
|
265448963a856bebdd0ae5abf67210054f44c64b |
10-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not check if sys/queue.h file is a system header. In most cases it is, by just looking at the name. Also, this check prevents the heuristic from working in strange user settings. radar://13839692 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181615 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
afde200cdae9731aa5826c6178eae9e7fef74475 |
09-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] for "loop back" edges add back the extra edge to the closing '}' git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181505 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8841c532f217d938f47f4feaa3707b929cd71181 |
09-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate arrows] adapt 'for' loop aesthetic cleanup to 'while' loops. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181504 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
aecda966174516c0ac7c05ceb40e88fc99bcf27c |
08-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] insert an extra edge for 'for' statements to conditions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181385 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8484b37a2b7720c016d27a672343b1c67bd2e731 |
08-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate edges] edges from subexpressions of "?:" are important to retain git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181384 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
be0b207c4916f823497d31cbf5083efb4e374163 |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate arrows] Fix inconsistencies in recorded location context when handling interprocedural paths. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181362 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
f4bbb1d8c2aa8b6630110827361ee0655e731548 |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] add back recording whether we visited the first edge. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181361 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b17c2f79093317a0bf3017350347170dd1061f49 |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] remove pruning of loop diagnostics. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181360 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
03194fb1bbf2b2d17ff7e3d61ddb9d73e9297fdc |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] include logical '||' and '&&' as anchors for edges. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181359 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
bc0fd8129626ff4e485388311b081e76d0f96795 |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] include an edge from the "break" or "continue" git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181358 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
98fb1cca0eccb9cd8b40756907f0c27c9be791be |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] the extra edge to the closing '}' in a loop adds no value. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181357 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
96b8134337883908fcc45484486fe200d6b3e32f |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] the initializer of a ForStmt isn't interesting either. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181356 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
636478e288b88396d860f6b01b48b47953e3d5e9 |
07-May-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a crash triggered by printing a note on a default argument Instead, use the location of the call to print the note. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181337 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
e2f7337958f21802e98777f441fe20ef7ba2adff |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] The ForStmt increment is not a critical anchor for arrows. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181333 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
a399f776ee29e099da33eaf7f9d585b4edc4b61d |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] simplify optimization rules to look at control-flow conditions to prune edges. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181292 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
d0f5faf319550b0504b2f8f822d06a6b0279285b |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] use the terminator condition as the location for 'entering loop body' git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181291 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b097a57f58672a825c99fdfb668b04e921e363b9 |
07-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] provide a diagnostic for entering a loop for the first time. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181282 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
481da5554d03271b0d87b695449963f7728c5895 |
06-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate arrows] don't increment the path iterator when we just deleted the next iterator. This is an optimization. It is possible that by deleting the next edge we will pattern match again at the current spot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181256 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
00ffb8079b14cade816d8f668675e853e613dee0 |
06-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove now-unused bindCompoundLiteral helper function. The one user has been changed to use getLValue on the compound literal expression and then use the normal bindLoc to assign a value. No need to special case this in the StoreManager. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181214 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
egionStore.cpp
|
6376703eb3325fe41233aed234fde81164af42a1 |
06-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle CXXTemporaryObjectExprs in compound literals. This occurs because in C++11 the compound literal syntax can trigger a constructor call via list-initialization. That is, "Point{x, y}" and "(Point){x, y}" end up being equivalent. If this occurs, the inner CXXConstructExpr will have already handled the object construction; the CompoundLiteralExpr just needs to propagate that value forwards. <rdar://problem/13804098> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181213 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
15676bec6fa9ad9466d93c163f2d1b8a3f559b3a |
04-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate edges] start experimenting with control flow "barriers" to prevent an edge being optimized away. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181088 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
e644ed5308ab22e4bcb5f821fe7ea9dae324a0a8 |
04-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate edges] ignore parentheses when determining edge levels. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181087 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
f468fa16e37fc8fa6a915fe36aee8f0434709789 |
04-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] - eliminate unnecessary edges where between parents and subexpressions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181086 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b9e13d555fc9f3e5515e2b1fa6f720e6f10bb076 |
04-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] - merge control edges where we descend to a subexpression and pop back out. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181085 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
bb521b8f14ca29ee4e17ae1f9877586ef0bf8378 |
04-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer; alternate edges] prune edges whose end/begin locations have the same statement parents. This change required some minor changes to LocationContextMap to have it map from PathPieces to LocationContexts instead of PathDiagnosticCallPieces to LocationContexts. These changes are in the other diagnostic generation logic as well, but are functionally equivalent. Interestingly, this optimization requires delaying "cleanUpLocation()" until later; possibly after all edges have been optimized. This is because we need PathDiagnosticLocations to refer to the semantic entity (e.g. a statement) as long as possible. Raw source locations tell us nothing about the semantic relationship between two locations in a path. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181084 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
cd389d8cc9abeffb1416b70dd58148e66e5d822b |
04-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer;alternate edges] - add in events (loop iterations, etc) These were being dropped due to a transcription mistake from the original algorithm. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181083 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
83eba02c2ea333015335e2f74c4d11c5315b655d |
03-May-2013 |
Stephen Hines <srhines@google.com> |
Merge remote-tracking branch 'upstream/master' into merge-20130502
|
af2836593979d4973bec5bd21f10eb6cc0d0f3e3 |
03-May-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Start hacking up alternate control-flow edge generation. WIP. Not guaranteed to do anything useful yet. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181040 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
2faee99ab67105e834d11df7db80a78a3e3ed37b |
03-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Check the stack frame when looking for a var's initialization. FindLastStoreBRVisitor is responsible for finding where a particular region gets its value; if the region is a VarRegion, it's possible that value was assigned at initialization, i.e. at its DeclStmt. However, if a function is called recursively, the same DeclStmt may be evaluated multiple times in multiple stack frames. FindLastStoreBRVisitor was not taking this into account and just picking the first one it saw. <rdar://problem/13787723> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180997 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
dcd6224911e234ab3657b7d0b79a2add1ae4fdd8 |
03-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fix trackNullOrUndef when tracking args that have nil receivers. There were actually two bugs here: - if we decided to look for an interesting lvalue or call expression, we wouldn't go find its node if we also knew we were at a (different) call. - if we looked through one message send with a nil receiver, we thought we were still looking at an argument to the original call. Put together, this kept us from being able to track the right values, which means sub-par diagnostics and worse false-positive suppression. Noticed by inspection. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180996 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
e19229be18725bd856410b478c0e63d81ab8e4f5 |
03-May-2013 |
Ted Kremenek <kremenek@apple.com> |
Make cleanUpLocation() a self-contained function. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180986 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
d306a530fca74e40916121f5583e0545e470b3c4 |
03-May-2013 |
Ted Kremenek <kremenek@apple.com> |
Re-apply 180974 with the build error fixed. This was the result of a weird merge error with git. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180981 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
ae8c50552df2498130dd33a940d98e0dc4ec26b9 |
03-May-2013 |
Rafael Espindola <rafael.espindola@gmail.com> |
Revert "Change LocationContextMap to be a temporary instead of shared variable in BugReporter." This reverts commit 180974. It broke the build. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180979 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
c70fac3c52092013b08163187f034b73c94bf3d0 |
03-May-2013 |
Ted Kremenek <kremenek@apple.com> |
Change LocationContextMap to be a temporary instead of shared variable in BugReporter. BugReporter is used to process ALL bug reports. By using a shared map, we are having mappings from different PathDiagnosticPieces to LocationContexts well beyond the point where we are processing a given report. This state is inherently error prone, and is analogous to using a global variable. Instead, just create a temporary map, one per report, and when we are done with it we throw it away. No extra state. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180974 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
4b75085f5669efc6407c662b5686361624c3ff2f |
02-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't try to evaluate MaterializeTemporaryExpr as a constant. ...and don't consider '0' to be a null pointer constant if it's the initializer for a float! Apparently null pointer constant evaluation looks through both MaterializeTemporaryExpr and ImplicitCastExpr, so we have to be more careful about types in the callers. For RegionStore this just means giving up a little more; for ExprEngine this means handling the MaterializeTemporaryExpr case explicitly. Follow-up to r180894. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180944 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
ValBuilder.cpp
|
e2b1246a24e8babf2f58c93713fba16b8edb8e2d |
02-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Consolidate constant evaluation logic in SValBuilder. Previously, this was scattered across Environment (literal expressions), ExprEngine (default arguments), and RegionStore (global constants). The former special-cased several kinds of simple constant expressions, while the latter two deferred to the AST's constant evaluator. Now, these are all unified as SValBuilder::getConstantVal(). To keep Environment fast, the special cases for simple constant expressions have been left in, but the main benefits are that (a) unusual constants like ObjCStringLiterals now work as default arguments and global constant initializers, and (b) we're not duplicating code between ExprEngine and RegionStore. This actually caught a bug in our test suite, which is awesome: we stop tracking allocated memory if it's passed as an argument along with some kind of callback, but not if the callback is 0. We were testing this in a case where the callback parameter had a default value, but that value was 0. After this change, the analyzer now (correctly) flags that as a leak! <rdar://problem/13773117> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180894 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
egionStore.cpp
ValBuilder.cpp
|
776d3bb65c90278b9c65544b235d2ac40aea1d6e |
02-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't inline the [cd]tors of C++ iterators. This goes with r178516, which instructed the analyzer not to inline the constructors and destructors of C++ container classes. This goes a step further and does the same thing for iterators, so that the analyzer won't falsely decide we're trying to construct an iterator pointing to a nonexistent element. The heuristic for determining whether something is an iterator is the presence of an 'iterator_category' member. This is controlled under the same -analyzer-config option as container constructor/destructor inlining: 'c++-container-inlining'. <rdar://problem/13770187> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180890 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
112344ab7f96cf482bce80530676712c282756d5 |
01-May-2013 |
Jordan Rose <jordan_rose@apple.com> |
Re-apply "[analyzer] Model casts to bool differently from other numbers." This doesn't appear to be the cause of the slowdown. I'll have to try a manual bisect to see if there's really anything there, or if it's just the bot itself taking on additional load. Meanwhile, this change helps with correctness. This changes an assertion and adds a test case, then re-applies r180638, which was reverted in r180714. <rdar://problem/13296133> and PR15863 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180864 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleSValBuilder.cpp
|
ed866e73bab7733f5226f84c52edefe23d694b2f |
30-Apr-2013 |
Ted Kremenek <kremenek@apple.com> |
Revert "[analyzer] Change PathPieces to be a wrapper around an ilist of (through indirection) PathDiagnosticPieces." Jordan rightly pointed out that we can do the same with std::list. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180746 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
|
7651e53997e20f1e627ffce25ce613f79c48e3e3 |
30-Apr-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Change PathPieces to be a wrapper around an ilist of (through indirection) PathDiagnosticPieces. Much of this patch outside of PathDiagnostics.h are just minor syntactic changes due to the return type for operator* and the like changing for the iterator, so the real focus should be on PathPieces itself. This change is motivated so that we can do efficient insertion and removal of individual pieces from within a PathPiece, just like this was a kind of "IR" for static analyzer diagnostics. We currently implement path transformations by iterating over an entire PathPiece and making a copy. This isn't very natural for some algorithms. We use an ilist here instead of std::list because we want operations to rip out/insert nodes in place, just like IR manipulation. This isn't being used yet, but opens the door for more powerful transformation algorithms on diagnostic paths. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180741 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
|
b5142359abc50e151c18bde88fbabec98b65077c |
30-Apr-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Remove comparePath's dependency on subscript operator. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180740 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
7e6b564d59df6c0594bc3a577f33536850290dec |
29-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Model casts to bool differently from other numbers." This seems to be causing quite a slowdown on our internal analyzer bot, and I'm not sure why. Needs further investigation. This reverts r180638 / 9e161ea981f22ae017b6af09d660bfc3ddf16a09. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180714 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
5e6c06bc7deaaefe130b730032a9acb9cd38bf0c |
26-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Model casts to bool differently from other numbers. Casts to bool (and _Bool) are equivalent to checks against zero, not truncations to 1 bit or 8 bits. This improved reasoning does cause a change in the behavior of the alpha BoolAssignment checker. Previously, this checker complained about statements like "bool x = y" if 'y' was known not to be 0 or 1. Now it does not, since that conversion is well-defined. It's hard to say what the "best" behavior here is: this conversion is safe, but might be better written as an explicit comparison against zero. More usefully, besides improving our model of booleans, this fixes spurious warnings when returning the address of a local variable cast to bool. <rdar://problem/13296133> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180638 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
e0262e25206bef1d7efb0cb2f37abd1e42ada4cb |
24-Apr-2013 |
Anton Yartsev <anton.yartsev@gmail.com> |
[analyzer] Refactoring + explanatory comment. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180181 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
0f8579274a010f360a371b53101859d9d6052314 |
24-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Refactor BugReport::getLocation and PathDiagnosticLocation::createEndOfPath for greater code reuse The 2 functions were computing the same location using different logic (each one had edge case bugs that the other one did not). Refactor them to rely on the same logic. The location of the warning reported in text/command line output format will now match that of the plist file. There is one change in the plist output as well. When reporting an error on a BinaryOperator, we use the location of the operator instead of the beginning of the BinaryOperator expression. This matches our output on command line and looks better in most cases. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180165 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
|
f2edbec1d9817df109304f9c19ae2b34fec1feea |
22-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat reinterpret_cast like a base cast in certain cases. The analyzer represents all pointer-to-pointer bitcasts the same way, but this can be problematic if an implicit base cast gets layered on top of a manual base cast (performed with reinterpret_cast instead of static_cast). Fix this (and avoid a valid assertion) by looking through cast regions. Using reinterpret_cast this way is only valid if the base class is at the same offset as the derived class; this is checked by -Wreinterpret-base-class. In the interest of performance, the analyzer doesn't repeat this check anywhere; it will just silently do the wrong thing (use the wrong offsets for fields of the base class) if the user code is wrong. PR15394 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180052 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
|
c3bf52ced9652f555aa0767bb822ec4c64546212 |
21-Apr-2013 |
Richard Smith <richard-llvm@metafoo.co.uk> |
C++1y: Allow aggregates to have default initializers. Add a CXXDefaultInitExpr, analogous to CXXDefaultArgExpr, and use it both in CXXCtorInitializers and in InitListExprs to represent a default initializer. There's an additional complication here: because the default initializer can refer to the initialized object via its 'this' pointer, we need to make sure that 'this' points to the right thing within the evaluation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179958 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
8ef064d53fb33b5a8f8743bcbb0a2fd5c3e97be1 |
20-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Ensure BugReporterTracking works on regions with pointer arithmetic Introduce a new helper function, which computes the first symbolic region in the base region chain. The corresponding symbol has been used for assuming that a pointer is null. Now, it will also be used for checking if it is null. This ensures that we are tracking a null pointer correctly in the BugReporter. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179916 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
rogramState.cpp
Vals.cpp
impleConstraintManager.cpp
|
716859df842e5a56e816d820d8326ead152dd9e4 |
20-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Flip printPretty and printPrettyAsExpr as per suggestion from Jordan (r179572) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179915 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
044fe23e79fff3841cc4c315f8c97e1cdccdd8dd |
19-Apr-2013 |
Anton Yartsev <anton.yartsev@gmail.com> |
[analyzer] Call proper callback for const regions escaped other than on call. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179846 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
62fba4f08af16ff17b5cbe8816061349504317e4 |
18-Apr-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Refine 'nil receiver' diagnostics to mention the name of the method not called. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179776 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
258277d5a922e06ef523f7805900689b680ddc7d |
18-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] "Force" LazyCompoundVals on bind when they are simple enough. The analyzer uses LazyCompoundVals to represent rvalues of aggregate types, most importantly structs and arrays. This allows us to efficiently copy around an entire struct, rather than doing a memberwise load every time a struct rvalue is encountered. This can also keep memory usage down by allowing several structs to "share" the same snapshotted bindings. However, /lookup/ through LazyCompoundVals can be expensive, especially since they can end up chaining back to the original value. While we try to reuse LazyCompoundVals whenever it's safe, and cache information about this transitivity, the fact is it's sometimes just not a good idea to perpetuate LazyCompoundVals -- the tradeoffs just aren't worth it. This commit changes RegionStore so that binding a LazyCompoundVal to struct will do a memberwise copy if the struct is simple enough. Today's definition of "simple enough" is "up to N scalar members" (see below), but that could easily be changed in the future. This is enough to bring the test case in PR15697 back down to a manageable analysis time (within 20% of its original time, in an unfair test where the new analyzer is not compiled with LTO). The actual value of "N" is controlled by a new -analyzer-config option, 'region-store-small-struct-limit'. It defaults to "2", meaning structs with zero, one, or two scalar members will be considered "simple enough" for this code path. It's worth noting that a more straightforward implementation would do this on load, not on bind, and make use of the structure we already have for this: CompoundVal. A long time ago, this was actually how RegionStore modeled aggregate-to-aggregate copies, but today it's only used for compound literals. Unfortunately, it seems that we've special-cased LazyCompoundVal in certain places (such as liveness checks) but failed to similarly special-case CompoundVal in all of them. 
Until we're confident that CompoundVal is handled properly everywhere, this solution is safer, since the entire optimization is just an implementation detail of RegionStore. <rdar://problem/13599304> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179767 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
476f41c4750421a7ead5014e75a0e790ff682754 |
18-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash if we cache out after making a temporary region. A C++ overloaded operator may be implemented as an instance method, and that instance method may be called on an rvalue object, which has no associated region. The analyzer handles this by creating a temporary region just for the evaluation of this call; however, it is possible that /by creating the region/, the analyzer ends up in a previously-explored state. In this case we don't need to continue along this path. This doesn't actually show any behavioral change now, but it starts being used with the next commit and prevents an assertion failure there. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179766 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
86f1745be24c834175e7a8a51b12f9a0063d532e |
18-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Tweak getDerefExpr more to track DeclRefExprs to references. In the committed example, we now see a note that tells us when the pointer was assumed to be null. This is the only case in which getDerefExpr returned null (failed to get the dereferenced expr) throughout our regression tests. (There were multiple occurrences of this one.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179736 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
1e1d011874340f33b807ac90609424f90f72488a |
18-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Improve dereferenced expression tracking for MemberExpr with a dot and non-reference base git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179734 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
441625e6c7f8bf58e62a284ae1f855dafde31ec2 |
18-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Gain more precision retrieving the right SVal by specifying the type of the expression. Thanks to Jordan for suggesting the fix. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179732 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
5b90ae7ba05a10a81f107ec1635deb1bd7292936 |
18-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Allow TrackConstraintBRVisitor to work when the value it’s tracking is not live in the last node of the path We always register the visitor on a node in which the value we are tracking is live and constrained. However, the visitation can restart at a node, later on the path, in which the value is under constrained because it is no longer live. Previously, we just silently stopped tracking in that case. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179731 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
898be7b4a7b0a527d9bd2569eebc41a198e6e528 |
17-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't warn for returning void expressions in void blocks. This was slightly tricky because BlockDecls don't currently store an inferred return type. However, we can rely on the fact that blocks with inferred return types will have return statements that match the inferred type. <rdar://problem/13665798> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179699 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
051303ce09291dfbed537fa33b0d8a4d92c82b75 |
16-Apr-2013 |
Tareq A. Siraj <tareq.a.sriaj@intel.com> |
Implement CapturedStmt AST CapturedStmt can be used to implement generic function outlining as described in http://lists.cs.uiuc.edu/pipermail/cfe-dev/2013-January/027540.html. CapturedStmt is not exposed to the C api. Serialization and template support are pending. Author: Wei Pan <wei.pan@intel.com> Differential Revision: http://llvm-reviews.chandlerc.com/D370 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179615 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
76da55d3a49e1805f51b1ced7c5da5bcd7f759d8 |
16-Apr-2013 |
John McCall <rjmccall@apple.com> |
Basic support for Microsoft property declarations and references thereto. Patch by Tong Shen! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179585 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
d8eeac5bd5e3cca0b3ff3993ee479ec9e66f386e |
16-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not crash when processing binary "?:" in C++ When computing the value of ?: expression, we rely on the last expression in the previous basic block to be the resulting value of the expression. This is not the case for binary "?:" operator (GNU extension) in C++. As the last basic block has the expression for the condition subexpression, which is an R-value, whereas the true subexpression is the L-value. Note the operator evaluation just happens to work in C since the true subexpression is an R-value (like the condition subexpression). CFG is the same in C and C++ case, but the AST nodes are different, with the LValue to Rvalue conversion happening after the BinaryConditionalOperator evaluation. Changed the logic to only use the last expression from the predecessor only if it matches either true or false subexpression. Note, the logic needed fortification anyway: L and R were passed but not even used by the function. Also, change the conjureSymbolVal to correctly compute the type, when the expression is an LG-value. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179574 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
ValBuilder.cpp
|
07d8470effc0b0364801adddb6ff92bd22334402 |
16-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add pretty printing to CXXBaseObjectRegion. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179573 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
79d0cceb8847bfe6dc9da8eb2ea2f3c6bb73b813 |
16-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address code review for r179395 Mostly refactoring + handle the nested fields by printing the innermost field only. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179572 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
82dd4396fcd2517d06382b7170f393d1b6351c7f |
16-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add more specialized error messages for corner cases as per Jordan's code review for r179396 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179571 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
28117be48de465bc2862a8f4aaab09338be5090b |
16-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't assert on a temporary of pointer-to-member type. While we don't do anything intelligent with pointers-to-members today, it's perfectly legal to need a temporary of pointer-to-member type to, say, pass by const reference. Tweak an assertion to allow this. PR15742 and PR15747 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179563 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
b93fc8ebed158ed5516fd85d11e89fffaf80622b |
15-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Be lazy about struct/array global invalidation too. Structs and arrays can take advantage of the single top-level global symbol optimization (described in the previous commit) just as well as scalars. No intended behavioral change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179555 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
262e0d41e49c6b823d62743535e2accb117a6ea9 |
15-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Re-enable using global regions as a symbolic base. Now that we're invalidating global regions properly, we want to continue taking advantage of a particular optimization: if all global regions are invalidated together, we can represent the bindings of each region with a "derived region value" symbol. Essentially, this lazily links each global region with a single symbol created at invalidation time, rather than binding each region with a new symbolic value. We used to do this, but haven't been for a while; the previous commit re-enabled this code path, and this handles the fallout. <rdar://problem/13464044> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179554 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
e0208ff84598f48e0aafecf5b543afeff8574045 |
15-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Properly invalidate global regions on opaque function calls. This fixes a regression where a call to a function we can't reason about would not actually invalidate global regions that had explicit bindings. void test_that_now_works() { globalInt = 42; clang_analyzer_eval(globalInt == 42); // expected-warning{{TRUE}} invalidateGlobals(); clang_analyzer_eval(globalInt == 42); // expected-warning{{UNKNOWN}} } This has probably been around since the initial "cluster" refactoring of RegionStore, if not longer. <rdar://problem/13464044> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179553 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
8713e1a5c3f6658d54061e176b5baa9fadf14675 |
12-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Print a diagnostic note even if the region cannot be printed. There are few cases where we can track the region, but cannot print the note, which makes the testing limited. (Though, I’ve tested this manually by making all regions non-printable.) Even though the applicability is limited now, the enhancement will be more relevant as we start tracking more regions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179396 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
9e2f5977a180ae927d05e844c65b8a7873be48a4 |
12-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Print field region even when the base region is not printable git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179395 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
|
7be2245487f9cd7d04f013db92280d9ccd323586 |
12-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Show "Returning from ..." note at caller's depth, not callee's. Before: 1. Calling 'foo' 2. Doing something interesting 3. Returning from 'foo' 4. Some kind of error here After: 1. Calling 'foo' 2. Doing something interesting 3. Returning from 'foo' 4. Some kind of error here The location of the note is already in the caller, not the callee, so this just brings the "depth" attribute in line with that. This only affects plist diagnostic consumers (i.e. Xcode). It's necessary for Xcode to associate the control flow arrows with the right stack frame. <rdar://problem/13634363> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179351 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
3ea09a802f973c2726b2a489ae08a4bded93410b |
12-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't emit extra context arrow after returning from an inlined call. In this code int getZero() { return 0; } void test() { int problem = 1 / getZero(); // expected-warning {{Division by zero}} } we generate these arrows: +-----------------+ | v int problem = 1 / getZero(); ^ | +---+ where the top one represents the control flow up to the first call, and the bottom one represents the flow to the division.* It turns out, however, that we were generating the top arrow twice, as if attempting to "set up context" after we had already returned from the call. This resulted in poor highlighting in Xcode. * Arguably the best location for the division is the '/', but that's a different problem. <rdar://problem/13326040> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179350 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
a5796f87229b4aeebca71fa6ee1790ae7a5a0382 |
09-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Replace isIntegerType() with isIntegerOrEnumerationType(). Previously, the analyzer used isIntegerType() everywhere, which uses the C definition of "integer". The C++ predicate with the same behavior is isIntegerOrUnscopedEnumerationType(). However, the analyzer is /really/ using this to ask if it's some sort of "integrally representable" type, i.e. it should include C++11 scoped enumerations as well. hasIntegerRepresentation() sounds like the right predicate, but that includes vectors, which the analyzer represents by its elements. This commit audits all uses of isIntegerType() and replaces them with the general isIntegerOrEnumerationType(), except in some specific cases where it makes sense to exclude scoped enumerations, or any enumerations. These cases now use isIntegerOrUnscopedEnumerationType() and getAs<BuiltinType>() plus BuiltinType::isInteger(). isIntegerType() is hereby banned in the analyzer - lib/StaticAnalysis and include/clang/StaticAnalysis. :-) Fixes real assertion failures. PR15703 / <rdar://problem/12350701> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179081 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngine.cpp
xprEngineC.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
ymbolManager.cpp
|
3e5ebf1a05603e08f2d0b2b2a5fa9406fe4cfb22 |
06-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] When creating a trimmed graph, preserve whether a node is a sink. This is important because sometimes two nodes are identical, except the second one is a sink. This bug has probably been around for a while, but it wouldn't have been an issue in the old report graph algorithm. I'm ashamed to say I actually looked at this the first time around and thought it would never be a problem...and then didn't include an assertion to back that up. PR15684 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178944 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
ea7b481aa8298f1e59c4cfb64e53b38f86dec92d |
06-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Remove another redundancy from trackNullOrUndef git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178934 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
4b69feb6d90eb120d04f5d54f6b28cc295a46098 |
06-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix null tracking for the given test case, by using the proper state and removing redundant code. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178933 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
610f79cbab4d752349b5c81a94682a6a82b102e7 |
05-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Show path diagnostic for C++ initializers Also had to modify the PostInitializer ProgramLocation to contain the field region. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178826 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngine.cpp
athDiagnostic.cpp
|
b11a9086ebaf8e081daa8a6cd94ea99c97c027d2 |
05-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Enable destructor inlining by default (c++-inlining=destructors). This turns on not only destructor inlining, but inlining of constructors for types with non-trivial destructors. Per r178516, we will still not inline the constructor or destructor of anything that looks like a container unless the analyzer-config option 'c++-container-inlining' is set to 'true'. In addition to the more precise path-sensitive model, this allows us to catch simple smart pointer issues: #include <memory> void test() { std::auto_ptr<int> releaser(new int[4]); } // memory allocated with 'new[]' should not be deleted with 'delete' <rdar://problem/12295363> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178805 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
702077f14100f2d7acdb12ad49b53e64efc37d72 |
03-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Allow tracknullOrUndef look through the ternary operator even when condition is unknown Improvement of r178684 and r178685. Jordan has pointed out that I should not rely on the value of the condition to know which expression branch has been taken. It will not work in cases the branch condition is an unknown value (ex: we do not track the constraints for floats). The better way of doing this would be to find out if the current node is the right or left successor of the node that has the ternary operator as a terminator (which is how this is done in other places, like ConditionBRVisitor). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178701 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
08291a937a149dbd036fd6ac8ab061eb8034343d |
03-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Correctly handle destructors for lifetime-extended temporaries. The lifetime of a temporary can be extended when it is immediately bound to a local reference: const Value &MyVal = Value("temporary"); In this case, the temporary object's lifetime is extended for the entire scope of the reference; at the end of the scope it is destroyed. The analyzer was modeling this improperly in two ways: - Since we don't model temporary constructors just yet, we create a fake temporary region when it comes time to "materialize" a temporary into a real object (lvalue). This wasn't taking base casts into account when the bindings being materialized was Unknown; now it always respects base casts except when the temporary region is itself a pointer. - When actually destroying the region, the analyzer did not actually load from the reference variable -- it was basically destroying the reference instead of its referent. Now it does do the load. This will be more useful whenever we finally start modeling temporaries, or at least those that get bound to local reference variables. <rdar://problem/13552274> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178697 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
cabc3fddae63f5eb3bd44bdecce7a3fbd69421a9 |
03-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] make peelOffOuterExpr in BugReporterVisitors recursively peel off select Exprs git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178685 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
c1bef5671e682de5a573c7c6b66871b36de0ec61 |
03-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Properly handle the ternary operator in trackNullOrUndefValue 1) Look for the node where the condition expression is live when checking if it is constrained to true or false. 2) Fix a bug in ProgramState::isNull, which was masking the problem. When the expression is not a symbol (which is the case when it is Unknown), return unconstrained value, instead of value constrained to “false”! (Thankfully other callers of isNull have not been affected by the bug.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178684 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
rogramState.cpp
|
3d3fb9078f0112fa51d8d9862221f5544c5c80e7 |
03-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix typo. Thanks Jordan! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178683 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
ecee1651c100342366a9417c85c6e50399039930 |
03-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Better model for copying of array fields in implicit copy ctors. - Find the correct region to represent the first array element when constructing a CXXConstructorCall. - If the array is trivial, model the copy with a primitive load/store. - Don't warn about the "uninitialized" subscript in the AST -- we don't use the helper variable that Sema provides. <rdar://problem/13091608> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178602 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
77e278880380fe9dc95a1491fe9216967d2e6d63 |
03-Apr-2013 |
Aaron Ballman <aaron@aaronballman.com> |
Silencing warnings in MSVC due to duplicate identifiers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178591 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
658a28479dd775f6ff2c07fa5699a7ea01e04127 |
02-Apr-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Teach invalidateRegions that regions within LazyCompoundVal need to be invalidated Refactor invalidateRegions to take SVals instead of Regions as input and teach RegionStore about processing LazyCompoundVal as a top-level “escaping” value. This addresses several false positives that get triggered by the NewDelete checker, but the underlying issue is reproducible with other checkers as well (for example, MallocChecker). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178518 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
egionStore.cpp
|
c63a460d78a7625ff38d2b3580f78030c44f07db |
02-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] For now, don't inline [cd]tors of C++ containers. This is a heuristic to make up for the fact that the analyzer doesn't model C++ containers very well. One example is modeling that 'std::distance(I, E) == 0' implies 'I == E'. In the future, it would be nice to model this explicitly, but for now it just results in a lot of false positives. The actual heuristic checks if the base type has a member named 'begin' or 'iterator'. If so, we treat the constructors and destructors of that type as opaque, rather than inlining them. This is intended to drastically reduce the number of false positives reported with experimental destructor support turned on. We can tweak the heuristic in the future, but we'd rather err on the side of false negatives for now. <rdar://problem/13497258> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178516 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
c9092bb5eb67d859122abb69a0ef61e9249500cd |
02-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Cache whether a function is generally inlineable. Certain properties of a function can determine ahead of time whether or not the function is inlineable, such as its kind, its signature, or its location. We can cache this value in the FunctionSummaries map to avoid rechecking these static properties for every call. Note that the analyzer may still decide not to inline a specific call to a function because of the particular dynamic properties of the call along the current path. No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178515 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
992acb2269171b6ef68694d71a36f6b7408d8e82 |
02-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use inline storage in the FunctionSummary DenseMap. The summaries lasted for the lifetime of the map anyway; no reason to include an extra allocation. Also, use SmallBitVector instead of BitVector to track the visited basic blocks -- most functions will have less than 64 basic blocks -- and use bitfields for the other fields to reduce the size of the structure. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178514 91177308-0d34-0410-b5e6-96231b3b80d8
unctionSummary.cpp
|
a12643622ad3b85972dfdd80fe9006a3e8d8fb80 |
02-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Allow suppressing diagnostics reported within the 'std' namespace This is controlled by the 'suppress-c++-stdlib' analyzer-config flag. It is currently off by default. This is more suppression than we'd like to do, since obviously there can be user-caused issues within 'std', but it gives us the option to wield a large hammer to suppress false positives the user likely can't work around. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178513 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
|
76f7761daee0fafd7609b25c95af4e011c743873 |
30-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Restructure ExprEngine::VisitCXXNewExpr to do a bit less work. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178402 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
e6f2bf86288bc45060b21c4f55a6153b8ba80443 |
30-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle caching out while evaluating a C++ new expression. Evaluating a C++ new expression now includes generating an intermediate ExplodedNode, and this node could very well represent a previously- reachable state in the ExplodedGraph. If so, we can short-circuit the rest of the evaluation. Caught by the assertion a few lines later. <rdar://problem/13510065> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178401 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
84e8a960ad76b3c7ca550b4cc92a1b90ed16d5c1 |
29-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan’s review of r178309 - do not register an extra visitor for nil receiver We can check if the receiver is nil in the node that corresponds to the StmtPoint of the message send. At that point, the receiver is guaranteed to be live. We will find at least one unreclaimed node due to my previous commit (look for StmtPoint instead of PostStmt) and the fact that the nil receiver nodes are tagged. + a couple of extra tests. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178381 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
4de4715ad02aa8c9437a9e0e2854a0ccc71a3188 |
29-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Look for a StmtPoint node instead of PostStmt in trackNullOrUndefValue. trackNullOrUndefValue tries to find the first node that matches the statement it is tracking. Since we collect PostStmt nodes (in node reclamation), none of those might be on the current path, so relax the search to look for any StmtPoint. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178380 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
0f5c5c60e9806d13f0907cd99d7204ffab0e08f7 |
29-Mar-2013 |
Ted Kremenek <kremenek@apple.com> |
Add static analyzer support for conditionally executing static initializers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178318 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineC.cpp
|
02a88c3edf1aeb9580e0b6e444b30c52846a673c |
29-Mar-2013 |
Ted Kremenek <kremenek@apple.com> |
Add configuration plumbing to enable static initializer branching in the CFG for the analyzer. This setting still isn't enabled yet in the analyzer. This is just prep work. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178317 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
|
41988f331a74a72cf243a2a68ffb56418e9a174e |
29-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add support for escape of const pointers and use it to allow “newed” pointers to escape Add a new callback that notifies checkers when a const pointer escapes. Currently, this only works for const pointers passed as a top level parameter into a function. We need to differentiate the const pointers escape from regular escape since the content pointed by const pointer will not change; if it’s a file handle, a file cannot be closed; but delete is allowed on const pointers. This should suppress several false positives reported by the NewDelete checker on llvm codebase. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178310 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
rogramState.cpp
egionStore.cpp
|
aabb4c5eacca6d78ef778f33ec5cd4c755d71a39 |
29-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Apply the suppression rules to the nil receiver only if the value participates in the computation of the nil we warn about. We should only suppress a bug report if the IDCed or null returned nil value is directly related to the value we are warning about. This was not the case for nil receivers - we would suppress a bug report that had an IDCed nil receiver on the path regardless of how it’s related to the warning. 1) Thread EnableNullFPSuppression parameter through the visitors to differentiate between tracking the value which is directly responsible for the bug and other values that visitors are tracking (ex: general tracking of nil receivers). 2) in trackNullOrUndef specifically address the case when a value of the message send is nil due to the receiver being nil. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178309 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
697462881c4b9b704c7859f4bab0a6116c684bb1 |
28-Mar-2013 |
Anton Yartsev <anton.yartsev@gmail.com> |
[analyzer] For now assume all standard global 'operator new' functions allocate memory in heap. + Improved test coverage for cplusplus.NewDelete checker. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178244 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
b061720ddf88b4a1934dbbb1b874a424716cd7d7 |
27-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use evalBind for C++ new of scalar types. These types will not have a CXXConstructExpr to do the initialization for them. Previously we just used a simple call to ProgramState::bindLoc, but that doesn't trigger proper checker callbacks (like pointer escape). Found by Anton Yartsev. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178160 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
3655119ab1cb7b26926afeeb0f96cb21a21e410a |
27-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Cleanup: only get the PostStmt when we need the underlying Stmt + comment git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178153 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
4a49df3be929d442535d6721ab8a2bbc8a7cd528 |
27-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Ensure that the node NilReceiverBRVisitor is looking for is not reclaimed The visitor should look for the PreStmt node as the receiver is nil in the PreStmt and this is the node. Also, tag the nil receiver nodes with a special tag for consistency. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178152 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
1533833e21ae5b3f5f39b168b3fbac109ee77008 |
27-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Make sure IDC works for ‘NSContainer value/key is nil’ checks. Register the nil tracking visitors with the region and refactor trackNullOrUndefValue a bit. Also adds the cast and paren stripping before checking if the value is an OpaqueValueExpr or ExprWithCleanups. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178093 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
8a660eb1084294a903f6dcc00bf2fa4e3bc92cfc |
26-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Change inlining policy to inline small functions when reanalyzing ObjC methods as top level. This allows us to better reason about (inline) small wrapper functions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178063 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
df5f80f8a34e26a4fb77f48f858c7838426a0785 |
26-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] micro optimization as per Jordan’s feedback on r177905. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178062 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
5db8fac5f304d9973f724d5aeb4108367d36f781 |
25-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Set concrete offset bindings to UnknownVal when processing symbolic offset binding, even if no bindings are present. This addresses an undefined value false positive from concreteOffsetBindingIsInvalidatedBySymbolicOffsetAssignment. Fixes PR14877; radar://12991168. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177905 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
8f7bfb40b72f478d83b018a280f99c0386576ae3 |
24-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Teach ConstraintManager to ignore NonLoc <> NonLoc comparisons. These aren't generated by default, but they are needed when either side of the comparison is tainted. Should fix our internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177846 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
|
4708b3dde86b06f40927ae9cf30a2de83949a8f2 |
23-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Teach constraint managers about unsigned comparisons. In C, comparisons between signed and unsigned numbers are always done in unsigned-space. Thus, we should know that "i >= 0U" is always true, even if 'i' is signed. Similarly, "u >= 0" is also always true, even though '0' is signed. Part of <rdar://problem/13239003> (false positives related to std::vector) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177806 91177308-0d34-0410-b5e6-96231b3b80d8
PSIntType.cpp
angeConstraintManager.cpp
impleConstraintManager.cpp
|
a339cd66be6202c6e86916f52a347d0289bf2eea |
23-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Loc-Loc operations (subtraction or comparison) produce a NonLoc. For two concrete locations, we were producing another concrete location and then casting it to an integer. We should just create a nonloc::ConcreteInt to begin with. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177805 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
impleSValBuilder.cpp
|
281698935f62ac1d35ddd3533a562c1589aadc8b |
23-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Also transform "a < b" to "(b - a) > 0" in the constraint manager. We can support the full range of comparison operations between two locations by canonicalizing them as subtraction, as in the previous commit. This won't work (well) if either location includes an offset, or (again) if the comparisons are not consistent about which region comes first. <rdar://problem/13239003> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177803 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
|
8569281fb7ce9b5ca164a0528b876acbb45eb989 |
23-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
Add reverseComparisonOp and negateComparisonOp to BinaryOperator. ...and adopt them in the analyzer. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177802 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
impleSValBuilder.cpp
|
78114a58f8cf5e9b948e82448b2f0904f5b6c19e |
23-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Translate "a != b" to "(b - a) != 0" in the constraint manager. Canonicalizing these two forms allows us to better model containers like std::vector, which use "m_start != m_finish" to implement empty() but "m_finish - m_start" to implement size(). The analyzer should have a consistent interpretation of these two symbolic expressions, even though it's not properly reasoning about either one yet. The other unfortunate thing is that while the size() expression will only ever be written "m_finish - m_start", the comparison may be written "m_finish == m_start" or "m_start == m_finish". Right now the analyzer does not attempt to canonicalize those two expressions, since it doesn't know which length expression to pick. Doing this correctly will probably require implementing unary minus as a new SymExpr kind (<rdar://problem/12351075>). For now, the analyzer inverts the order of arguments in the comparison to build the subtraction, on the assumption that "begin() != end()" is written more often than "end() != begin()". This is purely speculation. <rdar://problem/13239003> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177801 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
impleConstraintManager.cpp
impleConstraintManager.h
|
8958efacf8d52918cfe624116338bec62312582d |
23-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use SymExprs to represent '<loc> - <loc>' and '<loc> == <loc>'. We just treat this as opaque symbols, but even that allows us to handle simple cases where the same condition is tested twice. This is very common in the STL, which means that any project using the STL gets spurious errors. Part of <rdar://problem/13239003>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177800 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
683d25656f28937f78c815f70545139c432f1ff3 |
23-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Correct the stale comment. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177788 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
0f3a34fb7fea37ebfbcba8b400ccb697b9559b49 |
22-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Break cycles (optionally) when trimming an ExplodedGraph." The algorithm used here was ridiculously slow when a potential back-edge pointed to a node that already had a lot of successors. The previous commit makes this feature unnecessary anyway. This reverts r177468 / f4cf6b10f863b9bc716a09b2b2a8c497dcc6aa9b. Conflicts: lib/StaticAnalyzer/Core/BugReporter.cpp git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177765 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
|
228094a28f81ddba94427239dea5c6e59ff6aabc |
22-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use a forward BFS instead of a reverse BFS to find shortest paths. For a given bug equivalence class, we'd like to emit the report with the shortest path. So far to do this we've been trimming the ExplodedGraph to only contain relevant nodes, then doing a reverse BFS (starting at all the error nodes) to find the shortest paths from the root. However, this is fairly expensive when we are suppressing many bug reports in the same equivalence class. r177468-9 tried to solve this problem by breaking cycles during graph trimming, then updating the BFS priorities after each suppressed report instead of recomputing the whole thing. However, breaking cycles is not a cheap operation because an analysis graph minus cycles is still a DAG, not a tree. This fix changes the algorithm to do a single forward BFS (starting from the root) and to use that to choose the report with the shortest path by looking at the error nodes with the lowest BFS priorities. This was Anna's idea, and has the added advantage of requiring no update step: we can just pick the error node with the next lowest priority to produce the next bug report. <rdar://problem/13474689> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177764 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
1aa4f5019164592643bf46b7d61f15b6ef509c8e |
22-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fix ExprEngine::ViewGraph to handle C++ initializers. Debugging aid only, no functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177762 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
aa5573364b79bf4d85380aaec59cae2eeefcb322 |
20-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Appease buildbots: include template arguments in base class ref. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177583 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
f8e2c06cea1548c437761cb65cfbf97d50a057a7 |
20-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't invalidate globals when there's no call involved. This fixes some mistaken condition logic in RegionStore that caused global variables to be invalidated when /any/ region was invalidated, rather than only as part of opaque function calls. This was only being used by CStringChecker, and so users will now see that strcpy() and friends do not invalidate global variables. Also, add a test case we don't handle properly: explicitly-assigned global variables aren't being invalidated by opaque calls. This is being tracked by <rdar://problem/13464044>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177572 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
74f6982232c25ae723b1cc5abc59665a10867f21 |
20-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Track malloc'd memory into struct fields. Due to improper modelling of copy constructors (specifically, their const reference arguments), we were producing spurious leak warnings for allocated memory stored in structs. In order to silence this, we decided to consider storing into a struct to be the same as escaping. However, the previous commit has fixed this issue and we can now properly distinguish leaked memory that happens to be in a struct from a buffer that escapes within a struct wrapper. Originally applied in r161511, reverted in r174468. <rdar://problem/12945937> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177571 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
f8ddc098981d4d85cad4e72fc6dfcfe83b842b66 |
20-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Invalidate regions indirectly accessible through const pointers. In this case, the value of 'x' may be changed after the call to indirectAccess: struct Wrapper { int *ptr; }; void indirectAccess(const Wrapper &w); void test() { int x = 42; Wrapper w = { x }; clang_analyzer_eval(x == 42); // TRUE indirectAccess(w); clang_analyzer_eval(x == 42); // UNKNOWN } This is important for modelling return-by-value objects in C++, to show that the contents of the struct are escaping in the return copy-constructor. <rdar://problem/13239826> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177570 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
egionStore.cpp
|
e1a2e90876cbe2187250939374d26036ccba2ad6 |
20-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove strip of ElementRegion in CallEvent::invalidateRegions. This is a bit of old code trying to deal with the fact that functions that take pointers often use them to access an entire array via pointer arithmetic. However, RegionStore already conservatively assumes you can use pointer arithmetic to access any part of a region. Some day we may want to go back to handling this specifically for calls, but we can do that in the future. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177569 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
2110350909701fcd6b55c636e24a675f0a905fea |
20-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Re-apply "Do part of the work to find shortest bug paths up front". With the assurance that the trimmed graph does not contain cycles, this patch is safe (with a few tweaks), and provides the performance boost it was intended to. Part of performance work for <rdar://problem/13433687>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177469 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
f4cf6b10f863b9bc716a09b2b2a8c497dcc6aa9b |
20-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Break cycles (optionally) when trimming an ExplodedGraph. Having a trimmed graph with no cycles (a DAG) is much more convenient for trying to find shortest paths, which is exactly what BugReporter needs to do. Part of the performance work for <rdar://problem/13433687>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177468 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
|
9f3495aeaa24da4eacf8f6c274adcef65e2f3617 |
19-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not believe lazy binding when symbolic region types do not match This fixes a crash when analyzing LLVM that was exposed by r177220 (modeling of trivial copy/move assignment operators). When we look up a lazy binding for “Builder”, we see the direct binding of Loc at offset 0. Previously, we believed the binding, which led to a crash. Now, we do not believe it as the types do not match. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177453 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
239b6e47d282bd66c8b559ac47b8b42b34da619e |
19-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Do part of the work to find shortest bug paths up front." The whole reason we were doing a BFS in the first place is because an ExplodedGraph can have cycles. Unfortunately, my removeErrorNode "update" doesn't work at all if there are cycles. I'd still like to be able to avoid doing the BFS every time, but I'll come back to it later. This reverts r177353 / 481fa5071c203bc8ba4f88d929780f8d0f8837ba. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177448 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
15d68882f5fa4afae8333e75b2bfd5e2834c8aaf |
19-Mar-2013 |
Stephen Hines <srhines@google.com> |
Merge branch 'upstream' into merge_2013_03_18 Conflicts: lib/Sema/SemaDeclAttr.cpp Change-Id: I05e70941163ec5a461eba43ef78f6738cd5a1e69
|
a5f80b2ea6d30c5055c067530d63bb0dcaf937d0 |
19-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Do part of the work to find shortest bug paths up front. Splitting the graph trimming and the path-finding (r177216) already recovered quite a bit of performance lost to increased suppression. We can still do better by also performing the reverse BFS up front (needed for shortest-path-finding) and only walking the shortest path for each report. This does mean we have to walk back up the path and invalidate all the BFS numbers if the report turns out to be invalid, but it's probably still faster than redoing the full BFS every time. More performance work for <rdar://problem/13433687> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177353 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
85a92cfa52ddf4c45fe2baca4d7fea0bdc5ed103 |
19-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Replace uses of assume() with isNull() in BR visitors. Also, replace a std::string with a SmallString. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177352 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
a8d937e4bdd39cdf503f77454e9dc4c9c730a9f7 |
16-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Model trivial copy/move assignment operators with a bind as well. r175234 allowed the analyzer to model trivial copy/move constructors as an aggregate bind. This commit extends that to trivial assignment operators as well. Like the last commit, one of the motivating factors here is not warning when the right-hand object is partially-initialized, which can have legitimate uses. <rdar://problem/13405162> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177220 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
1efffab67364f5afcc25f5f5f77e0f7ba5d41055 |
16-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Separate graph trimming from creating the single-path graph. When we generate a path diagnostic for a bug report, we have to take the full ExplodedGraph and limit it down to a single path. We do this in two steps: "trimming", which limits the graph to all the paths that lead to this particular bug, and "creating the report graph", which finds the shortest path in the trimmed path to any error node. With BugReporterVisitor false positive suppression, this becomes more expensive: it's possible for some paths through the trimmed graph to be invalid (i.e. likely false positives) but others to be valid. Therefore we have to run the visitors over each path in the graph until we find one that is valid, or until we've ruled them all out. This can become quite expensive. This commit separates out graph trimming from creating the report graph, performing the first only once per bug equivalence class and the second once per bug report. It also cleans up that portion of the code by introducing some wrapper classes. This seems to recover most of the performance regression described in my last commit. <rdar://problem/13433687> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177216 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
c9963132736782d0c9178c744b3e2307cfb98a08 |
16-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Eliminate InterExplodedGraphMap class and NodeBackMap typedef. ...in favor of this typedef: typedef llvm::DenseMap<const ExplodedNode *, const ExplodedNode *> InterExplodedGraphMap; Use this everywhere the previous class and typedef were used. Took the opportunity to ArrayRef-ize ExplodedGraph::trim while I'm at it. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177215 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
xprEngine.cpp
|
9a9fe4068eed2fc72ec985e5ae393fb79a8fb9ad |
16-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't repeat a bug equivalence class if every report is invalid. I removed this check in the recursion->iteration commit, but forgot that generatePathDiagnostic may be called multiple times if there are multiple PathDiagnosticConsumers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177214 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
74c0d6988462c2cb882e7a8b8050fe119a5af56f |
16-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Use isLiveRegion to determine when SymbolRegionValue is dead. Fixes a FIXME, improves dead symbol collection, suppresses a false positive, which resulted from reusing the same symbol twice for simulation of 2 calls to the same function. Fixing this led to 2 possible false negatives in CString checker. Since the checker is still alpha and the solution will not require revert of this commit, move the tests to a FIXME section. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177206 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
|
f510f5cd57fa9b7ea6f6e103c65c0df95a55d986 |
16-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] BugReporterVisitors: handle the case where a ternary operator is wrapped in a cast. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177205 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
f8ba81e8bbc4d0d424c3b4c3581a9467e972c4de |
16-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan’s review of r177138 (a micro optimization) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177204 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
2f13eb116e62161c5e4d198f7831f226e5cea9da |
15-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make GRBugReporter::generatePathDiagnostic iterative, not recursive. The previous generatePathDiagnostic() was intended to be tail-recursive, restarting and trying again if a report was marked invalid. However: (1) this leaked all the cloned visitors, which weren't being deleted, and (2) this wasn't actually tail-recursive because some local variables had non-trivial destructors. This was causing us to overflow the stack on inputs with large numbers of reports in the same equivalence class, such as sqlite3.c. Being iterative at least prevents us from blowing out the stack, but doesn't solve the performance issue: suppressing thousands (yes, thousands) of paths in the same equivalence class is expensive. I'm looking into that now. <rdar://problem/13423498> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177189 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
cc08ca9b3cd2b715a699bcc772ce2e83a502915a |
15-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Collect stats on the max # of bug reports in an equivalence class. We discovered that sqlite3.c currently has 2600 reports in a single equivalence class; it would be good to know if this is a recent development or what. (For the curious, the different reports in an equivalence class represent the same bug found along different paths. When we're suppressing false positives, we need to go through /every/ path to make sure there isn't a valid path to a bug. This is a flaw in our after-the-fact suppression, made worse by the fact that that function isn't particularly optimized.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177188 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
05cb2eb0a79a05e6079106575fbf0dd58a388edf |
15-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Include opcode in dumping a SymSymExpr. For debugging use only; no functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177187 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
|
6a15f39a6bfd7a30085c5fa8f67d0b64b74b132a |
15-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look through ExprWithCleanups when trying to track a NULL. Silences a few false positives in LLVM. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177186 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
810169e7a1f858a787d2db050deebaee7e10c97f |
15-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Refactor checks in IDC visitor for consistency and speed git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177138 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
dc9c160dede7e2f5cc11755db6aaa57e7fccbcec |
15-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Teach trackNullOrUndef to look through ternary operators Allows the suppression visitors to trigger more often. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177137 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
a4bb4f6ca8dd31ad96cb9526a5abe1273f18ff40 |
14-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Change the way in which IDC Visitor decides to kick in and make sure it attaches in the given edge case In the test case below, the value V is not constrained to 0 in ErrorNode but it is in node N. So we used to fail to register the Suppression visitor. We also need to change the way we determine that the Visitor should kick in because the node N belongs to the ExplodedGraph and might not be on the BugReporter path that the visitor sees. Instead of trying to match the node, turn on the visitor when we see the last node in which the symbol is ‘0’. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177121 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
6022c4e17c0d2ad9c43ef6bc830d394b670a4705 |
13-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] BugReporter - more precise tracking of C++ references When BugReporter tracks C++ references involved in a null pointer violation, we want to differentiate between a null reference and a reference to a null pointer. In the first case, we want to track the region for the reference location; in the second, we want to track the null pointer. In addition, the core creates CXXTempObjectRegion to represent the location of the C++ reference, so teach FindLastStoreBRVisitor about it. This helps null pointer suppression to kick in. (Patch by Anna and Jordan.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176969 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
1b125665bec87c85921c92ebec1d3f60404d1d86 |
13-Mar-2013 |
Ted Kremenek <kremenek@apple.com> |
Remove stray space. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176966 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
c5b9c8bc6d77175f6d41d898511b1e7b1e2f86f8 |
13-Mar-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Handle Objc Fast enumeration for "loop is executed 0 times". Fixes <rdar://problem/12322528> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176965 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
77b72231a0316509cc939b052be35fafce606567 |
11-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look for calls along with lvalue nodes in trackNullOrUndefValue. r176737 fixed bugreporter::trackNullOrUndefValue to find nodes for an lvalue even if the rvalue node had already been collected. This commit extends that to call statement nodes as well, so that if a call is contained within implicit casts we can still track the return value. No test case because node reclamation is extremely finicky (dependent on how the AST and CFG are built, and then on our current reclamation rules, and /then/ on how many nodes were generated by the analyzer core and the current set of checkers). I consider this a low-risk change, though, and it will only happen in cases of reclamation when the rvalue node isn't available. <rdar://problem/13340764> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176829 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
0415998dd77986630efe8f1aed633519cc41e1f3 |
09-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Make Suppress IDC checker aware that it might not start from the same node it was registered at The visitor used to assume that the value it’s tracking is null in the first node it examines. This is not true. If we are registering the Suppress Inlined Defensive checks visitor while traversing in another visitor (such as FindlastStoreVisitor). When we restart with the IDC visitor, the invariance of the visitor does not hold since the symbol we are tracking no longer exists at that point. I had to pass the ErrorNode when creating the IDC visitor, because, in some cases, node N is neither the error node nor will be visible along the path (we had not finalized the path at that point and are dealing with ExplodedGraph.) We should revisit the other visitors which might not be aware that they might get nodes, which are later in path than the trigger point. This suppresses a number of inline defensive checks in JavaScriptCore. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176756 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
0183768813658d419e3124b576744b03ec8e9b55 |
09-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look for lvalue nodes when tracking a null pointer. r176010 introduced the notion of "interesting" lvalue expressions, whose nodes are guaranteed never to be reclaimed by the ExplodedGraph. This was used in bugreporter::trackNullOrUndefValue to find the region that contains the null or undef value being tracked. However, the /rvalue/ nodes (i.e. the loads from these lvalues that produce a null or undef value) /are/ still being reclaimed, and if we couldn't find the node for the rvalue, we just give up. This patch changes that so that we look for the node for either the rvalue or the lvalue -- preferring the former, since it lets us fall back to value-only tracking in cases where we can't get a region, but allowing the latter as well. <rdar://problem/13342842> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176737 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
8c84707fd0fbe9f6f7d17fadd5a9fe162dff8445 |
09-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't rely on finding the correct return statement for suppression. Previously, ReturnVisitor waited to suppress a null return path until it had found the inlined "return" statement. Now, it checks up front whether the return value was NULL, and suppresses the warning right away if so. We still have to wait until generating the path notes to invalidate the bug report, or counter-suppression will never be triggered. (Counter-suppression happens while generating path notes, but the generation won't happen for reports already marked invalid.) This isn't actually an issue today because we never reclaim nodes for top-level statements (like return statements), but it could be an issue some day in the future. (But, no expected behavioral change and no new test case.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176736 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
962fbc46664f2486d6805549130fa6b310de6d60 |
07-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Clean up a few doc comments for ProgramState and CallEvent. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176600 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
713e07591995d761f65c7132289dce003a29870f |
06-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] IDC: Add config option; perform the idc check on first “null node” rather than last “non-null”. The second modification does not lead to any visible result, but, theoretically, is what we should have been looking at to begin with since we are checking if the node was assumed to be null in an inlined function. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176576 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
|
bd3aca04d304b9f31240b94af0aad818f6f932ab |
06-Mar-2013 |
Stephen Hines <srhines@google.com> |
Update build rules for Clang merge to version 176138. Change-Id: Ib028329a591e6175998d969f11b5404bf3f19e81
ndroid.mk
|
450b86c0c9ff8307f5145ced621914600196c500 |
06-Mar-2013 |
Stephen Hines <srhines@google.com> |
Merge commit 'b58f810669d9c17bcc025b7560de01d162856f34' into merge_20130226 Conflicts: include/clang/Basic/LangOptions.def lib/Sema/SemaDeclAttr.cpp Change-Id: Ia10b4d3b2c949a72d328cb58b113f90237d4a5d5
|
41f3f3a4792f46787632fdb94f952f6b3ce3f4ae |
05-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
Silence a number of static analyzer warnings with assertions and such. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176469 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
cc5dbdae70c6eb2423921f52a35ba4686d2969cf |
02-Mar-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Simple inline defensive checks suppression Inlining brought a few "null pointer use" false positives, which occur because the callee defensively checks if a pointer is NULL, whereas the caller knows that the pointer cannot be NULL in the context of the given call. This is a first attempt to silence these warnings by tracking the symbolic value along the execution path in the BugReporter. The new visitor finds the node in which the symbol was first constrained to NULL. If the node belongs to a function on the active stack, the warning is reported, otherwise, it is suppressed. There are several areas for follow up work, for example: - How do we differentiate the cases where the first check is followed by another one, which does happen on the active stack? Also, this only silences a fraction of null pointer use warnings. For example, it does not do anything for the cases where NULL was assigned inside a callee. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176402 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
rogramState.cpp
|
d764e20189dbb42b38ada383a0a159f6adc0d56c |
02-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Special-case bitfields when finding sub-region bindings. Previously we were assuming that we'd never ask for the sub-region bindings of a bitfield, since a bitfield cannot have subregions. However, unification of code paths has made that assumption invalid. While we could take advantage of this by just checking for the single possible binding, it's probably better to do the right thing, so that if/when we someday support unions we'll do the right thing there, too. This fixes a handful of false positives in analyzing LLVM. <rdar://problem/13325522> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176388 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
|
9abf1b4577b75ffcc46afbdfb55de334f68f05c0 |
01-Mar-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Suppress paths involving a reference whose rvalue is null. Most map types have an operator[] that inserts a new element if the key isn't found, then returns a reference to the value slot so that you can assign into it. However, if the value type is a pointer, it will be initialized to null. This is usually no problem. However, if the user /knows/ the map contains a value for a particular key, they may just use it immediately: // From ClangSACheckersEmitter.cpp recordGroupMap[group]->Checkers In this case the analyzer reports a null dereference on the path where the key is not in the map, even though the user knows that path is impossible here. They could silence the warning by adding an assertion, but that means splitting up the expression and introducing a local variable. (Note that the analyzer has no way of knowing that recordGroupMap[group] will return the same reference if called twice in a row!) We already have logic that says a null dereference has a high chance of being a false positive if the null came from an inlined function. This patch simply extends that to references whose rvalues are null as well, silencing several false positives in LLVM. <rdar://problem/13239854> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176371 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
e33d852452c7008ccd0677aae88f1055cf1a9af1 |
28-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] RegionStore: collectSubRegionKeys -> collectSubRegionBindings By returning the (key, value) binding pairs, we save lookups afterwards. This also enables further work later on. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176230 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
6f4160828db75f36b22a204da202723c592644f3 |
27-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Teach FindLastStoreBRVisitor to understand stores of the same value. Consider this case: int *p = 0; p = getPointerThatMayBeNull(); *p = 1; If we inline 'getPointerThatMayBeNull', we might know that the value of 'p' is NULL, and thus emit a null pointer dereference report. However, we usually want to suppress such warnings as error paths, and we do so by using FindLastStoreBRVisitor to see where the NULL came from. In this case, though, because 'p' was NULL both before and after the assignment, the visitor would decide that the "last store" was the initialization, not the re-assignment. This commit changes FindLastStoreBRVisitor to consider all PostStore nodes that assign to this region. This still won't catch changes made directly by checkers if they re-assign the same value, but it does handle the common case in user-written code and will trigger ReturnVisitor's suppression machinery as expected. <rdar://problem/13299738> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176201 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
a11f22f60673c6c9556976b49e64bf7fa751f4eb |
27-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Turn on C++ constructor inlining by default. This enables constructor inlining for types with non-trivial destructors. The plan is to enable destructor inlining within the next month, but that needs further verification. <rdar://problem/12295329> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176200 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
b7a3f74bbb02788ad1b597fe3897db2d8a4fed43 |
27-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Add stop-gap patch to prevent assertion failure when analyzing LLVM codebase. This potentially reduces a performance optimization of throwing away PreStmtPurgeDeadSymbols nodes. I'll investigate the performance impact soon and see if we need something better. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176149 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
deb8f5d533b7bcd962976ecdbc1464fe754b6de0 |
27-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] If a struct has a partial lazy binding, its fields aren't Undef. This is essentially the same problem as r174031: a lazy binding for the first field of a struct may stomp on an existing default binding for the entire struct. Because of the way RegionStore is set up, we can't help but lose the top-level binding, but then we need to make sure that accessing one of the other fields doesn't come back as Undefined. In this case, RegionStore is now correctly detecting that the lazy binding we have isn't the right type, but then failing to follow through on the implications of that: we don't know anything about the other fields in the aggregate. This fix adds a test when searching for other kinds of default values to see if there's a lazy binding we rejected, and if so returns a symbolic value instead of Undefined. The long-term fix for this is probably a new Store model; see <rdar://problem/12701038>. Fixes <rdar://problem/13292559>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176144 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
egionStore.cpp
|
4238f41d484729aca260140fbbc53a68769bf60a |
26-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Use 'MemRegion::printPretty()' instead of assuming the region is a VarRegion. Fixes PR15358 and <rdar://problem/13295437>. Along the way, shorten path diagnostics that say "Variable 'x'" to just be "'x'". By the context, it is obvious that we have a variable, and so this just consumes text space. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176115 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
eafb5c694cc5d165149fcb9453bc9355fb0d44a5 |
26-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't look through casts when creating pointer temporaries. Normally, we need to look through derived-to-base casts when creating temporary object regions (added in r175854). However, if the temporary is a pointer (rather than a struct/class instance), we need to /preserve/ the base casts that have been applied. This also ensures that we really do create a new temporary region when we need to: MaterializeTemporaryExpr and lvalue CXXDefaultArgExprs. Fixes PR15342, although the test case doesn't include the crash because I couldn't isolate it. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176069 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
|
6f8e9b6caed0bf6108cf90f0d54fa637b60b3b9e |
25-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Recover all PreStmtPurgeDeadSymbols nodes with a single successor or predecessor. These nodes are never consulted by any analyzer client code, so they are used only for machinery for removing dead bindings. Once successor nodes are generated they can be safely removed. This greatly reduces the amount of nodes that are generated in some cases, lowering the memory regression when analyzing Sema.cpp introduced by r176010 from 14% to 2%. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176050 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
42f2309f739549bead6e5a6c34fd1be4d087998f |
25-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan's code review of r175857. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176043 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
fbdbed3bde8577815826b9d15790e5effb913f7b |
25-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle reference parameters with default values. r175026 added support for default values, but didn't take reference parameters into account, which expect the default argument to be an lvalue. Use createTemporaryRegionIfNeeded if we can evaluate the default expr as an rvalue but the expected result is an lvalue. Fixes the most recent report of PR12915. The original report predates default argument support, so that can't be it. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176042 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
egionStore.cpp
|
6dc5c33fd4334ccf4a661c331f86e23829e51d55 |
25-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Base regions may be invalid when layered on symbolic regions. While RegionStore checks to make sure casts on TypedValueRegions are valid, it does not do the same for SymbolicRegions, which do not have perfect type info anyway. Additionally, MemRegion::getAsOffset does not take a ProgramState, so it can't use dynamic type info to determine a better type for the regions. (This could also be dangerous if the type of a super-region changes!) Account for this by checking that a base object region is valid on top of a symbolic region, and falling back to "symbolic offset" mode if not. Fixes PR15345. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176034 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
6c5038cf8486d92ae53bf4513141bd40a5ae0734 |
25-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Relax assumption in FindLastStoreBRVisitor that the thing we are looking for is always a VarRegion. This was triggering assertion failures when analyzing the LLVM codebase. This is fallout from r175988. I've got delta chewing away on a test case, but I wanted the fix to go in now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176011 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
4e9c0854382d37325771b50f6cf899a75119fa24 |
25-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] add the notion of an "interesting" lvalue expression for ExplodedNode pruning. r175988 modified the ExplodedGraph trimming algorithm to retain all nodes for "lvalue" expressions. This patch refines that notion to only "interesting" expressions that would be used for diagnostics. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176010 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xplodedGraph.cpp
|
43b82b823a6113fdbee54243b280db9c55ef72cb |
24-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] tracking stores/constraints now works for ObjC ivars or struct fields. This required more changes than I originally expected: - ObjCIvarRegion implements "canPrintPretty" et al - DereferenceChecker indicates the null pointer source is an ivar - bugreporter::trackNullOrUndefValue() uses an alternate algorithm to compute the location region to track by scouring the ExplodedGraph. This allows us to get the actual MemRegion for variables, ivars, fields, etc. We only hand construct a VarRegion for C++ references. - ExplodedGraph no longer drops nodes for expressions that are marked 'lvalue'. This is to facilitate the logic in the previous bullet. This may lead to a slight increase in size in the ExplodedGraph, which I have not measured, but it is likely not to be a big deal. I have validated each of the changed plist outputs. Fixes <rdar://problem/12114812> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175988 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xplodedGraph.cpp
emRegion.cpp
|
0dd15d78fb0c99faa5df724139ba4c16a9a345c6 |
24-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
Add "KnownSVal" to represent SVals that cannot be UnknownSVal. This provides a few sundry cleanups, and allows us to provide a compile-time check for a case that was a runtime assertion. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175987 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
b07805485c603be3d8011f72611465324c9e664b |
23-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Remove the CFGElement "Invalid" state. Use Optional<CFG*> where invalid states were needed previously. In the one case where that's not possible (beginAutomaticObjDtorsInsert) just use a dummy CFGAutomaticObjDtor. Thanks for the help from Jordan Rose & discussion/feedback from Ted Kremenek and Doug Gregor. Post commit code review feedback on r175796 by Ted Kremenek. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175938 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
allEvent.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
athDiagnostic.cpp
|
ae7396c3891748762d01431e16541b3eb9125c4d |
22-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't canonicalize the RecordDecl used in CXXBaseObjectRegion. This Decl shouldn't be the canonical Decl; it should be the Decl used by the CXXBaseSpecifier in the subclass. Unfortunately, that means continuing to throw getCanonicalDecl() on all comparisons. This fixes MemRegion::getAsOffset's use of ASTRecordLayout when redeclarations are involved. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175913 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
b04a2387ac23adfa063de03844cb16c0d77fb405 |
22-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Implement "Loop executed 0 times" diagnostic correctly. Fixes <rdar://problem/13236549> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175863 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8dadf15224f1a8df96793e5fc4e0b0e38a5ffbe4 |
22-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Place all inlining policy checks into one place Previously, we had the decisions about inlining spread out over multiple functions. In addition to the refactor, this commit ensures that we will always inline BodyFarm functions as long as the Decl is available. This fixes false positives due to those functions not being inlined when no or minimal inlining is enabled (such as shallow mode). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175857 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
5e5440ba9c135f523f72e7e7c5da59d390d697c5 |
22-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make sure a materialized temporary matches its bindings. This is a follow-up to r175830, which made sure a temporary object region created for, say, a struct rvalue matched up with the initial bindings being stored into it. This does the same for the case in which the AST actually tells us that we need to create a temporary via a MaterializeObjectExpr. I've unified the two code paths and moved a static helper function onto ExprEngine. This also caused a bit of test churn, causing us to go back to describing temporary regions without a 'const' qualifier. This seems acceptable; it's our behavior from a few months ago. <rdar://problem/13265460> (part 2) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175854 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
|
f08740ba5903d089a53cc315c19286e2189f9ff3 |
22-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
Fix regression in modeling assignments of an address of a variable to itself. Fixes <rdar://problem/13226577>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175852 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
87193dac8f2c6c8f7ee1aa9eeb64622ec75c881b |
22-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fix buildbot by not reusing a variable name. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175848 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
9f1d541ef1aca8f953e5bb4e7177969f0a2062d5 |
22-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make sure a temporary object region matches its initial bindings. When creating a temporary region (say, when a struct rvalue is used as the base of a member expr), make sure we account for any derived-to-base casts. We don't actually record these in the LazyCompoundVal that represents the rvalue, but we need to make sure that the temporary region we're creating (a) matches the bindings, and (b) matches its expression. Most of the time this will do exactly the same thing as before, but it fixes spurious "garbage value" warnings introduced in r175234 by the use of lazy bindings to model trivial copy constructors. <rdar://problem/13265460> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175830 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
df1f94ebfac4578e27ad008522c7b333e977e51b |
22-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Simplify code to use castAs rather than getAs + assert. Post commit review feedback on r175812 from Jordan Rose. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175826 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
7a95de68c093991047ed8d339479ccad51b88663 |
21-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Replace ProgramPoint llvm::cast support to be well-defined. See r175462 for another example/more details. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175812 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
|
fdf6a279c9a75c778eba382d9a156697092982a1 |
21-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Replace CFGElement llvm::cast support to be well-defined. See r175462 for another example/more details. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175796 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
allEvent.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
athDiagnostic.cpp
|
6d35b412fc0289681f320acc389f7a83066ec9e2 |
21-Feb-2013 |
NAKAMURA Takumi <geek4civic@gmail.com> |
StaticAnalyzer/Core: Suppress warnings. [-Wunused-variable, -Wunused-function] git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175721 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
79741c49fcc72aaa01e68f07d9d13f3d9130b11e |
21-Feb-2013 |
NAKAMURA Takumi <geek4civic@gmail.com> |
Whitespace. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175720 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
4411b423e91da0a2c879b70c0222aeba35f72044 |
21-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Record whether a base object region represents a virtual base. This allows MemRegion and MemRegionManager to avoid asking over and over again whether a class is a virtual base or a non-virtual base. Minor optimization/cleanup; no functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175716 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
emRegion.cpp
tore.cpp
|
472b0613ff67e8598ef6a69bb478c721b21a9294 |
21-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Tidy up a few uses of Optional in RegionStore. Some that I just added needed conversion to use 'None', others looked better using Optional<SVal>::create. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175714 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
66874fb18afbffb8b2ca05576851a64534be3352 |
21-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Use None rather than Optional<T>() where possible. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175705 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
egionStore.cpp
|
11f0cae4bf4f62dcc706d33c1f795d460cd64816 |
21-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Tighten up safety in the use of lazy bindings. - When deciding if we can reuse a lazy binding, make sure to check if there are additional bindings in the sub-region. - When reading from a lazy binding, don't accidentally strip off casts or base object regions. This slows down lazy binding reading a bit but is necessary for type sanity when treating one class as another. A bit of minor refactoring allowed these two checks to be unified in a nice early-return-using helper function. <rdar://problem/13239840> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175703 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
dc84cd5efdd3430efb22546b4ac656aa0540b210 |
20-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Include llvm::Optional in clang/Basic/LLVM.h Post-commit CR feedback from Jordan Rose regarding r175594. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175679 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
allEvent.cpp
nvironment.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineObjC.cpp
emRegion.cpp
athDiagnostic.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
Vals.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
tore.cpp
|
0b9c328bb47b38ef6ff877a42e8a90a31ab0e2e1 |
20-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Use op-> directly rather than via Optional<T>::getPointer. Post-commit CR feedback from Jordan Rose regarding r175594. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175677 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
5251abea41b446c26e3239c8dd6c7edea6fc335d |
20-Feb-2013 |
David Blaikie <dblaikie@gmail.com> |
Replace SVal llvm::cast support to be well-defined. See r175462 for another example/more details. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175594 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
allEvent.cpp
nvironment.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
emRegion.cpp
athDiagnostic.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
Vals.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
tore.cpp
|
206f49966f66ad7cbfe3d37c14fa7e6e7410f3be |
20-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Account for the "interesting values" hash table resizing. RegionStoreManager::getInterestingValues() returns a pointer to a std::vector that lives inside a DenseMap, which is constructed on demand. However, constructing one such value can lead to constructing another value, which will invalidate the reference created earlier. Fixed by delaying the new entry creation until the function returns. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175582 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
65f991ccbec43b4a860f70594c92528ee8fb7c6f |
19-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't accidentally strip off base object regions for lazy bindings. If a base object is at a 0 offset, RegionStoreManager may find a lazy binding for the entire object, then try to attach a FieldRegion or grandparent CXXBaseObjectRegion on top of that (skipping the intermediate region). We now preserve as many layers of base object regions necessary to make the types match. <rdar://problem/13239840> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175556 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
ada0d224fcff5ff07c9dd846379592f92ccf5ee7 |
15-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't assert when mixing reinterpret_cast and derived-to-base casts. This just adds a very simple check that if a DerivedToBase CastExpr is operating on a value with known C++ object type, and that type is not the base type specified in the AST, then the cast is invalid and we should return UnknownVal. In the future, perhaps we can have a checker that specifies that this is illegal, but we still shouldn't assert even if the user turns that checker off. PR14872 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175239 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
|
bc403861bc4e6f7ad1371e9e129f0f25b38b3a9a |
15-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
Re-apply "[analyzer] Model trivial copy/move ctors with an aggregate bind." ...after a host of optimizations related to the use of LazyCompoundVals (our implementation of aggregate binds). Originally applied in r173951. Reverted in r174069 because it was causing hangs. Re-applied in r174212. Reverted in r174265 because it was /still/ causing hangs. If this needs to be reverted again it will be punted to far in the future. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175234 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
28743b006bd88cd7d0ea97b4f17646f8fc429b89 |
15-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Cache the bindings accessible through a LazyCompoundVal. This means we don't have to recompute them all later for every removeDeadSymbols check. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175233 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
ef9e6d66574393310da7e7508a5a363eb9f6c4d1 |
15-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Scan the correct store when finding symbols in a LazyCompoundVal. Previously, we were scanning the current store. Now, we properly scan the store that the LazyCompoundVal came from, which may have very different live symbols. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175232 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
fcfcd80cd1de38fe272e1a8ae8faa3cfb6b2e37e |
15-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Tweak LazyCompoundVal reuse check to ignore qualifiers. This is optimization only; no behavioral change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175231 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
0a0f1309d0fbeb0e77edbbc4e0b15cc330c3a28c |
15-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use collectSubRegionKeys to make removeDeadBindings faster. Previously, whenever we had a LazyCompoundVal, we crawled through the entire store snapshot looking for bindings within the LCV's region. Now, we just ask for the subregion bindings of the lazy region and only visit those. This is an optimization (so no test case), but it may allow us to clean up more dead bindings than we were previously. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175230 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
9d688e219caa37e60975ec8d5bebe74a176c9c2b |
15-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Refactor RegionStore's sub-region bindings traversal. This is going to be used in the next commit. While I'm here, tighten up assumptions about symbolic offset BindingKeys, and make offset calculation explicitly handle all MemRegion kinds. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175228 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
|
697a68590a75f5cd2326c8f686a6c666b51688b6 |
14-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Try constant-evaluation for all variables, not just globals. In C++, constants captured by lambdas (and blocks) are not actually stored in the closure object, since they can be expanded at compile time. In this case, they will have no binding when we go to look them up. Previously, RegionStore thought they were uninitialized stack variables; now, it checks to see if they are a constant we know how to evaluate, using the same logic as r175026. This particular code path is only for scalar variables. Constant arrays and structs are still unfortunately unhandled; we'll need a stronger solution for those. This may have a small performance impact, but only for truly-undefined local variables, captures in a non-inlined block, and non-constant globals. Even then, in the non-constant case we're only doing a quick type check. <rdar://problem/13105553> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175194 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
38f68ef19cb51d5876e9025b5fceb44b33ec9ed7 |
13-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use Clang's evaluation for global constants and default arguments. Previously, we were handling only simple integer constants for globals and the smattering of implicitly-valued expressions handled by Environment for default arguments. Now, we can use any integer constant expression that Clang can evaluate, in addition to everything we handled before. PR15094 / <rdar://problem/12830437> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175026 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
egionStore.cpp
|
04870edbea6cf88412c8c9c1eba65f7fc1fa12d9 |
13-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use makeZeroVal in RegionStore's lazy evaluation of statics. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175025 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
f07e815823e03c046bbc186ec2b41d656e9cac7f |
09-Feb-2013 |
NAKAMURA Takumi <geek4civic@gmail.com> |
clang/lib/StaticAnalyzer/Core/BugReporter.cpp: Appease old msvc in std::pair(0, 0). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174792 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8185674528423e2504a1fae35c28c24104846510 |
08-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
Teach BugReporter (extensive diagnostics) to emit a diagnostic when a loop body is skipped. Fixes <rdar://problem/12322528>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174736 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
19df705c75ba341b3ae8f2ff3e3f411d5f49887c |
08-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
Remove stale instance variable. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174730 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8135886ab74d852a6702b1f5656a0b146abe210a |
08-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Remove redundant check as per Jordan's feedback. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174680 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
233e26acc0ff2a1098f4c813f69286fce840a422 |
08-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add pointer escape type param to checkPointerEscape callback The checkPointerEscape callback previously did not specify how a pointer escaped. This change includes an enum which describes the different ways a pointer may escape. This enum is passed to the checkPointerEscape callback when a pointer escapes. If the escape is due to a function call, the call is passed. This changes previous behavior where the call is passed as NULL if the escape was due to indirectly invalidating the region the pointer referenced. A patch by Branden Archer! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174677 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
|
2b6876173b36d92aaf379c29cb339d91b4d358ee |
08-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Don't reinitialize static globals more than once along a path This patch makes sure that we do not reinitialize static globals when the function is called more than once along a path. The motivation is code with initialization patterns that rely on 2 static variables, where one of them has an initializer while the other does not. Currently, we reset the static variables with initializers on every visit to the function along a path. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174676 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
b98c6fe8877b809d4da3020692c9b38f972b92cf |
06-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Revert part of r161511; suppresses leak false positives in C++ This is a "quick fix". The underlying issue is that when a const pointer to a struct is passed into a function, we do not invalidate the pointer fields. This results in false positives that are common in C++ (since copy constructors are prevalent). (Silences two llvm false positives.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174468 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
5846720f08a6b225484bfe663599c2b057a99bc8 |
05-Feb-2013 |
Ted Kremenek <kremenek@apple.com> |
Change subexpressions to be visited in the CFG from left-to-right. This is a more natural order of evaluation, and it is very important for visualization in the static analyzer. Within Xcode, the arrows will not jump from right to left, which looks very visually jarring. It also provides a more natural location for dataflow-based diagnostics. Along the way, we found a case in the analyzer diagnostics where we needed to indicate that a variable was "captured" by a block. -fsyntax-only timings on sqlite3.c show no visible performance change, although this is just one test case. Fixes <rdar://problem/13016513> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174447 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
|
beca02fc66db76eacdaced9df3bc79530c064842 |
05-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Teach the analyzer to use a symbol for p when evaluating (void*)p. Addresses the false positives similar to the test case. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174436 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
2a3fe34b4a2a1b6ceab8838b896435378ae0e692 |
02-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Model trivial copy/move ctors with an aggregate bind." ...again. The problem has not been fixed and our internal buildbot is still getting hangs. This reverts r174212, originally applied in r173951, then reverted in r174069. Will not re-apply until the entire project analyzes successfully on my local machine. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174265 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
453cb859a3c8dcafe79ae840dfc35ff8eae1b4b3 |
02-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Always inline functions with bodies generated by BodyFarm. Inlining these functions is essential for correctness. We often have cases where we do not inline calls. For example, the shallow mode and when reanalyzing previously inlined ObjC methods as top level. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174245 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
135d0fe1ae89c39e3de9849cceda98253b063f14 |
02-Feb-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix typo. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174243 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
5500fc193af4b786bbbbee6ece743f523448e90b |
01-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
Re-apply "[analyzer] Model trivial copy/move ctors with an aggregate bind." With the optimization in the previous commit, this should be safe again. Originally applied in r173951, then reverted in r174069. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174212 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
978aeac1a90020b2a0ae6c7eb7fe65aa8226f74a |
01-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Reuse a LazyCompoundVal if its type matches the new region. This allows us to keep from chaining LazyCompoundVals in cases like this: CGRect r = CGRectMake(0, 0, 640, 480); CGRect r2 = r; CGRect r3 = r2; Previously we only made this optimization if the struct did not begin with an aggregate member, to make sure that we weren't picking up an LCV for the first field of the struct. But since LazyCompoundVals are typed, we can make that inference directly by comparing types. This is a pure optimization; the test changes are to guard against possible future regressions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174211 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
Vals.cpp
|
33e83b6cf776875be5716d214710717a898325c0 |
31-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Model trivial copy/move ctors with an aggregate bind." It's causing hangs on our internal analyzer buildbot. Will restore after investigating. This reverts r173951 / baa7ca1142990e1ad6d4e9d2c73adb749ff50789. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174069 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
0e450cbd94e5936fdecf42b810069e7becd3938d |
31-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] If a lazy binding is undefined, pretend that it's unknown instead.
This is a hack to work around the fact that we don't track extents for our default bindings:
  CGPoint p;
  p.x = 0.0;
  p.y = 0.0;
  rectParam.origin = p;
  use(rectParam.size); // warning: uninitialized value in rectParam.size.width
In this case, the default binding for 'p' gets copied into 'rectParam', because the 'origin' field is at offset 0 within CGRect. From then on, rectParam's old default binding (in this case a symbol) is lost. This patch silences the warning by pretending that lazy bindings are never made from uninitialized memory, but not only is that not true, the original default binding is still getting overwritten (see FIXME test cases). The long-term solution is tracked in <rdar://problem/12701038>
PR14765 and <rdar://problem/12875012>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174031 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
5255f27362ffbfedea889870bf8d5812dae97553 |
31-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a bug in region store that led to undefined value false positives. The includeSuffix was only set on the first iteration through the function, resulting in invalid regions being produced by getLazyBinding (ex: zoomRegion.y). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174016 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
ac3a3e7a402cd349dd2b7d70cd92c5fe702ae831 |
30-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Make shallow mode more shallow. Redefine the shallow mode to inline all functions for which we have a definite definition (ipa=inlining). However, only inline functions that are up to 4 basic blocks large and cut the max exploded nodes generated per top level function in half. This makes shallow faster and allows us to keep inlining small functions. For example, we would keep inlining wrapper functions and constructors/destructors. With the new shallow, it takes 104s to analyze sqlite3, whereas the deep mode is 658s and previous shallow is 209s. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173958 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
6bbe1442a5f3f5f761582a9005e9edf1d49c4da2 |
30-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Use analyzer config for max-inlinable-size option. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173957 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
86ff12c8a8a356ca284ca7687749216fbfd74519 |
30-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Move report false positive suppression to report visitors. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173956 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
ce32890df08387b50a960f785da79ac5582b7f74 |
30-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Remove further references to analyzer-ipa. Thanks Jordan! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173955 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
baa7ca1142990e1ad6d4e9d2c73adb749ff50789 |
30-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Model trivial copy/move ctors with an aggregate bind.
This is faster for the analyzer to process than inlining the constructor and performing a member-wise copy, and it also solves the problem of warning when a partially-initialized POD struct is copied.
Before:
  CGPoint p;
  p.x = 0;
  CGPoint p2 = p; <-- assigned value is garbage or undefined
After:
  CGPoint p;
  p.x = 0;
  CGPoint p2 = p; // no-warning
This matches our behavior in C, where we don't see a field-by-field copy. <rdar://problem/12305288>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173951 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
07c52d2813a6b5e4025276d3687bd25f75fd51b9 |
26-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] C++ initializers may require cleanups; look through these. When the analyzer sees an initializer, it checks if the initializer contains a CXXConstructExpr. If so, it trusts that the CXXConstructExpr does the necessary work to initialize the object, and performs no further initialization. This patch looks through any implicit wrapping expressions like ExprWithCleanups to find the CXXConstructExpr inside. Fixes PR15070. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173557 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
dede2fd56d053a114a65ba72583981ce7aab27da |
26-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] bugreporter::getDerefExpr now takes a Stmt, not an ExplodedNode. This allows it to be used in places where the interesting statement doesn't match up with the current node. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173546 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
aeca2cc3a6f486abff3fdfb4e82903cd3ca4267e |
26-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add 'prune-paths' config option to disable path pruning. This should be used for testing only. Path pruning is still on by default. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173545 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporter.cpp
|
7ee8906295d56ceb84b8b3da502cdc8770509868 |
26-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename PruneNullReturnPaths to SuppressNullReturnPaths. "Prune" is the term for eliminating pieces of a path that are not relevant to the user. "Suppress" means don't show that path at all. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173544 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
|
d130140cb7bce73b4350c5d50495443abe38418a |
25-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add "-analyzer-config mode=[deep|shallow] ". The idea is to introduce a higher level "user mode" option for different use scenarios. For example, if one wants to run the analyzer for a small project each time the code is built, they would use the "shallow" mode. The user mode option will influence the default settings for the lower-level analyzer options. For now, this just influences the ipa modes, but we plan to find more optimal settings for them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173386 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
bfa9ab8183e2fdc74f8633d758cb0c6201314320 |
25-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Replace "-analyzer-ipa" with "-analyzer-config ipa". The idea is to eventually place all analyzer options under "analyzer-config". In addition, this lays the ground for introduction of a high-level analyzer mode option, which will influence the default setting for IPAMode. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173385 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
73f0563009a6715a5d3d41f664f5bfab5096d51f |
25-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] refactor: access IPAMode through the accessor. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173384 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
15bb58edc9d053aa49c28167deb41ff0409ddabc |
21-Jan-2013 |
Stephen Hines <srhines@google.com> |
Merge commit 'd130fd2e141f1fef412c2d58e7385370801bd718' into merge-llvm Conflicts: lib/Basic/Targets.cpp Change-Id: I90a669a33ffe4de8b32c8459016fd0b2a55da0ad
|
187f8bd88bfc92cf3fea62b7d8db5f92edce410a |
21-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Show notes inside implicit calls at the last explicit call site.
Before:
  struct Wrapper { <-- 2. Calling default constructor for 'NonTrivial'.
    NonTrivial m;
  };
  Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'.
After:
  struct Wrapper {
    NonTrivial m;
  };
  Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'.
             ^-- 2. Calling default constructor for 'NonTrivial'.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173067 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
e6b9d802fb7b16d93474c4f1c179ab36202e8a8b |
20-Jan-2013 |
Guy Benyei <guy.benyei@intel.com> |
Implement OpenCL event_t as Clang builtin type, including event_t related OpenCL restrictions (OpenCL 1.2 spec 6.9) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172973 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
2b9de0bc05e3e1092a9d1880e62aeaa54dc343e3 |
19-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't show "Entered 'foo'" if 'foo' is implicit. Before: Calling implicit default constructor for 'Foo' (where Foo is constructed) Entered call from 'test' (at "=default" or 'Foo' declaration) Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration) After: Calling implicit default constructor for 'Foo' (where Foo is constructed) Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration) This only affects the plist diagnostics; this note is never shown in the other diagnostics. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172915 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
1dfebd9f995066a229c34516eb14bc69c6bcde2c |
19-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Suppress warnings coming out of macros defined in sys/queue.h
Suppress the warning by just not emitting the report. The sink node would get generated, which is fine since we did reach a bad state.
Motivation
Due to the way code is structured in some of these macros, we do not reason correctly about it and report false positives. Specifically, the following loop reports a use-after-free. Because of the way the code is structured inside of the macro, the analyzer assumes that the list can have cycles, so you end up with use-after-free in the loop, that is safely deleting elements of the list. (The user does not have a way to teach the analyzer about shape of data structures.)
  SLIST_FOREACH_SAFE(item, &ctx->example_list, example_le, tmpitem) {
    if (item->index == 3) { // if you remove each time, no complaints
      assert((&ctx->example_list)->slh_first == item);
      SLIST_REMOVE(&ctx->example_list, item, example_s, example_le);
      free(item);
    }
  }
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172883 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
e02be97811c785f91ac43a0feed2db862de1867f |
18-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Special path notes for C++ special member functions. Examples: Calling implicit default constructor for Foo Calling defaulted move constructor for Foo Calling copy constructor for Foo Calling implicit destructor for Foo Calling defaulted move assignment operator for Foo Calling copy assignment operator for Foo git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172833 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
dc47c9a71c99ce2e5b9d84f1cd3487b6852b3543 |
18-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Do a better job describing C++ member functions in the call stack. Examples: Calling constructor for 'Foo' Entered call from 'Foo::create' git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172832 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
16303fcc569ea149dc2de38ff9e367d2d4831cee |
15-Jan-2013 |
David Greene <greened@obbligato.org> |
Fix Cast Properly use const_cast to fix a cast-away-const error. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172561 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
bdc691f1d61765dd806d5ae3b75ae004f676a7c9 |
14-Jan-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add ProgramStatePartialTrait<const void *>. This should fix cast-away-const warnings reported by David Greene. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172446 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
cfa88f893915ceb8ae4ce2f17c46c24a4d67502f |
12-Jan-2013 |
Dmitri Gribenko <gribozavr@gmail.com> |
Remove useless 'llvm::' qualifier from names like StringRef and others that are brought into 'clang' namespace by clang/Basic/LLVM.h git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172323 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
heckerRegistry.cpp
xprEngine.cpp
athDiagnostic.cpp
listDiagnostics.cpp
egionStore.cpp
|
9195caf28f2a5dcef1e299bf3e5232a018ca1c68 |
12-Jan-2013 |
Ted Kremenek <kremenek@apple.com> |
Refine analyzer's handling of unary '!' and floating types to not assert. Fixes PR 14634 and <rdar://problem/12903080>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172274 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
707a8659a546d32cf976d4c3927c793a643b18e1 |
11-Jan-2013 |
Ted Kremenek <kremenek@apple.com> |
Correctly propagate uninitialized values within logical expressions. Fixes assertion failure reported in PR 14635 and <rdar://problem/12902945> respectively. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172263 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
beac9e3772e255f89dad0abe34811953121912b2 |
09-Jan-2013 |
Ted Kremenek <kremenek@apple.com> |
Do not model loads from complex types, since we don't accurately model the imaginary and real parts yet. Fixes false positive reported in <rdar://problem/12964481>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171987 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
6dfb96045bebe00212d251da1dad4660cb8652ac |
08-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Only include uniqueing location as issue_hash when available This makes us more optimistic when matching reports in a changing code base. Addresses Jordan's feedback for r171825. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171884 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
97bfb558f69c09b01a5c1510f08dc91eb62329a7 |
08-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Include the bug uniqueing location in the issue_hash. The issue here is that if we have 2 leaks reported at the same line for which we cannot print the corresponding region info, they will get treated as the same by issue_hash+description. We need to AUGMENT the issue_hash with the allocation info to differentiate the two issues. Add the "hash" (offset from the beginning of a function) representing allocation site to solve the issue. We might want to generalize solution in the future when we decide to track more than just the 2 locations from the diagnostics. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171825 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
c1c6a4981a4b50476d71c88f8dac81a1430885ed |
08-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Plist: change the type of issue_hash from int to string. This gives more flexibility to what could be stored as issue_hash. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171824 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
344c77aac25e5d960aced3f45fbaa09853383f6d |
03-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Rename callback EndPath -> EndFunction This better reflects when callback is called and what the checkers are relying on. (Both names meant the same pre-IPA.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171432 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
|
b99083e60325a28063fb588f458a871151971fdc |
02-Jan-2013 |
Chandler Carruth <chandlerc@gmail.com> |
Re-sort #include lines using the llvm/utils/sort_includes.py script. Removes a duplicate #include as well as cleaning up some sort order regressions since I last ran the script over Clang. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171364 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
87aa2fbc75a897e7c4a4082374aaba3f50db6f0f |
21-Dec-2012 |
Roman Divacky <rdivacky@freebsd.org> |
Remove duplicate includes. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170903 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
1655bcd052a67a3050fc55df8ecce57342352e68 |
21-Dec-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan's nitpicks as per code review of r170625. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170832 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
rogramState.cpp
|
bf53dfac8195835028bd6347433f7dbebcc29fc1 |
20-Dec-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add the pointer escaped callback. Instead of using several callbacks to identify the pointer escape event, checkers now can register for the checkPointerEscape. Converted the Malloc checker to use the new callback. SimpleStreamChecker will be converted next. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170625 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngine.cpp
rogramState.cpp
egionStore.cpp
|
9fcc2ab2ec5e00802880e205568ff3afbd70a773 |
19-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Pass AnalyzerOptions to PathDiagnosticConsumer to make analyzer options accessible there. This is plumbing needed for later functionality changes. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170488 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
|
7959671d456c916706a5f61af609d8f1fc95decf |
17-Dec-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Implement "do not inline large functions many times" performance heuristic
After inlining a function with more than 13 basic blocks 32 times, we are not going to inline it anymore. The idea is that inlining large functions leads to drastic performance implications. Since the function has already been inlined, we know that we've analyzed it in many contexts.
The following metrics are used:
- Large function is a function with more than 13 basic blocks (we should switch to another metric, like cyclomatic complexity)
- We consider that we've inlined a function many times if it's been inlined 32 times. This number is configurable with -analyzer-config max-times-inline-large=xx
This heuristic addresses a performance regression introduced with inlining on one benchmark. The analyzer on this benchmark became 60 times slower with inlining turned on. The heuristic allows us to analyze it in 24% of the time. The performance improvements on the other benchmarks I've tested with are much lower - under 10%, which is expected.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170361 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
d74324371465a152387ac45e737ab7d23e543552 |
14-Dec-2012 |
Anton Yartsev <anton.yartsev@gmail.com> |
fixed line endings git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170238 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
2bfa166a26edb6f26915abe38caa551dbb05ad19 |
14-Dec-2012 |
Anton Yartsev <anton.yartsev@gmail.com> |
added post-statement callback to CXXNewExpr and pre-statement callback to CXXDeleteExpr git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170234 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
12b3e3199c530b72f3cc44dd24a1e20ed6086292 |
14-Dec-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Propagate the checker's state from checkBranchCondition Fixes a bug, where we were dropping the state modifications from the checkBranchCondition checker callback. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170232 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
b0abacf2f1f77214e4c77d6ec8a02b097bb98f7a |
14-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Refactor dump methods to make RegionBindingsRef printable in the debugger. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170170 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
4f69eb4daa3c5ce8b88535fc560f2ee102a580f4 |
12-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash running destructors for multidimensional arrays. We don't handle array destructors correctly yet, but we now apply the same hack (explicitly destroy the first element, implicitly invalidate the rest) for multidimensional arrays that we already use for linear arrays. <rdar://problem/12858542> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@170000 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
75f31c4862643ab09479c979fabf754e7ffe1460 |
07-Dec-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Optimization heuristic: do not reanalyze every ObjC method as top level. This heuristic is already turned on for non-ObjC methods (inlining-mode=noredundancy). If a method has been previously analyzed, while being inlined inside of another method, do not reanalyze it as top level. This commit applies it to ObjCMethods as well. The main caveat here is that to catch the retain release errors, we are still going to reanalyze all the ObjC methods but without inlining turned on. Gives 21% performance increase on one heavy ObjC benchmark, which suffered large performance regressions due to ObjC inlining. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169639 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
afa7cae15b117c4b75794c6c32424953d94b4359 |
07-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fix r168019 to work with unpruned paths as well. This is the case where the analyzer tries to print out source locations for code within a synthesized function body, which of course does not have a valid source location. The previous fix attempted to do this during diagnostic path pruning, but some diagnostics have pruning disabled, and so any diagnostic with a path that goes through a synthesized body will either hit an assertion or emit invalid output. <rdar://problem/12657843> (again) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169631 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
18f860ee6cc43c8fc80834073b097eb5c02b22cf |
07-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Reduce conversions between Store <-> ImmutableMapRef in RegionStore. This reduces canonicalization of ImmutableMaps. This reduces analysis time of one heavy Objective-C file by another 1%. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169630 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
0c312a90c5b9d27e1425bf8d0448e133a97806ce |
07-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Add helper method to convert from a RegionStoreRefBindings to a Store. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169622 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
bf25fb1e2eaea0eadb90d1a9ce91e7d510c8972a |
07-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Cache queries to lookupPrivateMethod() within ObjCMethodCall::getRuntimeDefinition(). The same queries can happen thousands of times. This reduces the analysis time on one heavy Objective-C file by 2.4%. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169589 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
23dca7d88f3e9a7925bfb2c5449499900c906633 |
07-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Further reduce analysis time by 0.2% on a heavy Objective-C example by avoiding over-eager canonicalization of clusters. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169586 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
75191fdbc3d3eec5f3447b285acf6cfcc2054b25 |
07-Dec-2012 |
David Blaikie <dblaikie@gmail.com> |
Unbreak the GCC (4.4 & other bot) builds from r169571. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169581 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
29f5ccd7ef9bc066cb5894834945eaad2c4c7e53 |
07-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Change RegionStore to always use ImmutableMapRef for processing cluster bindings. This reduces analysis time by 1.2% on one test case (Objective-C), but also cleans up some of the code conceptually as well. We can possibly just make RegionBindingsRef -> RegionBindings, but I wanted to stage things. After this, we should revisit Jordan's optimization of not canonicalizing the immutable AVL trees for the cluster bindings as well. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169571 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
14491490a5276ff4da9b28100fb8e7d442944288 |
06-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Revert "[analyzer] Aggressively cut back on the canonicalization in RegionStore." Jordan and I discussed this, and we are going to do this another way. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169538 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
c39f9fa39c472a6663111788b89c67fd365271d8 |
06-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove isa<> followed by dyn_cast<>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169530 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
9428723d6730f4fd257e15b78d24991ae95bbd84 |
06-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove unused fields from ExprEngine. 'currStmt', 'CleanedState', and 'EntryNode' were being set, but only ever used locally. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169529 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineObjC.cpp
|
e9cd031c77a92015571425b6445e8867816997cd |
06-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove checks that predate the linearized CFG. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169528 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
4ecca28e20410f5e2816c5ddff5cdeaf45fb74b5 |
06-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use a smarter algorithm to find the last block in an inlined call. Previously we would search for the last statement, then back up to the entrance of the block that contained that statement. Now, while we're scanning for the statement, we just keep track of which blocks are being exited (in reverse order). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169526 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
6960d08b4ddf389d7c81504df7f16dc645120482 |
06-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use optimized assumeDual for branches. This doesn't seem to make much of a difference in practice, but it does have the potential to avoid a trip through the constraint manager. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169524 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
426cc12317468d42ba4e603731ebe5971af098a6 |
06-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Aggressively cut back on the canonicalization in RegionStore. Whenever we touch a single bindings cluster multiple times, we can delay canonicalizing it until the final access. This has some interesting implications, in particular that we shouldn't remove an /empty/ cluster from the top-level map until canonicalization. This is good for a 2% speedup or so on the test case in <rdar://problem/12810842> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169523 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
7affe151f5689b2d3547b8947c4099532c78a021 |
06-Dec-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove bindExprAndLocation, which does extra work for no gain. This feature was probably intended to improve diagnostics, but was currently only used when dumping the Environment. It shows what location a given value was loaded from, e.g. when evaluating an LValueToRValue cast. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169522 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
rogramState.cpp
|
e3ce2c10c3f6ae7b26700d758de909deab190d42 |
06-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Only provide explicit getCapturedRegion() and getOriginalRegion() from referenced_vars_iterator. This is a nice conceptual cleanup. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169480 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
24570c4c258545f8310e4bc96503a5668982cf67 |
06-Dec-2012 |
Ted Kremenek <kremenek@apple.com> |
Pull logic to map from VarDecl* to captured region using a helper function. WIP. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169479 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
55fc873017f10f6f566b182b70f6fc22aefa3464 |
04-Dec-2012 |
Chandler Carruth <chandlerc@gmail.com> |
Sort all of Clang's files under 'lib', and fix up the broken headers uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169237 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporter.cpp
ugReporterVisitors.cpp
allEvent.cpp
heckerManager.cpp
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
TMLDiagnostics.cpp
emRegion.cpp
athDiagnostic.cpp
listDiagnostics.cpp
rogramState.cpp
angeConstraintManager.cpp
ValBuilder.cpp
impleSValBuilder.cpp
tore.cpp
extPathDiagnostics.cpp
|
a93d0f280693b8418bc88cf7a8c93325f7fcf4c6 |
01-Dec-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Include pruning and general cleanup. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169095 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
allEvent.cpp
heckerRegistry.cpp
nvironment.cpp
athDiagnostic.cpp
Vals.cpp
|
9852f58f50b4fc20914fbce5b4454135a42343f4 |
01-Dec-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Don't include Type.h in DeclarationName.h. Recursively prune some includes. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169094 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
2fa67efeaf66a9332c30a026dc1c21bef6c33a6c |
01-Dec-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Pull the Attr iteration parts out of Attr.h, so including DeclBase.h doesn't pull in all the generated Attr code. Required to pull some functions out of line, but this shouldn't have a perf impact. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169092 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
|
9c0466603f2051fec9270686dfcd270630e62530 |
29-Nov-2012 |
Ted Kremenek <kremenek@apple.com> |
Correctly handle IntegralToBool casts in C++ in the static analyzer. Fixes <rdar://problem/12759044>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168843 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
3881866dc782c5e13b21031bd363e93fbf367167 |
28-Nov-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove workaround in RegionStore in r168741 since it is handled more generally by r168757. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168774 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
1994e3993e5e2c606f4ab22563768af6f03dad30 |
28-Nov-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix another false positive due to a CXX temporary object appearing in a C initializer. The stop-gap here is to just drop such objects when processing the InitListExpr. We still need a better solution. Fixes <rdar://problem/12755044>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168757 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
bd8a11e224c3ec6cbc4bb9b1fc70a8aa3a633e43 |
28-Nov-2012 |
Ted Kremenek <kremenek@apple.com> |
Provide stop-gap solution to crash reported in PR 14436. This was also covered by <rdar://problem/12753384>. The static analyzer evaluates a CXXConstructExpr within an initializer expression and RegionStore doesn't know how to handle the resulting CXXTempObjectRegion that gets created. We need a better solution than just dropping the value, but we need to better understand how to implement the right semantics here. Thanks to Jordan for his help diagnosing the behavior here. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168741 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
dac6cd533d90fa1f75e66f83f7d5ebc12e34bfb7 |
26-Nov-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a crash reported in PR 14400. The AllocaRegion did not have the superRegion (based on LocationContext) as part of its hash. As a consequence, the AllocaRegions from different frames were uniqued to be the same region. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168599 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
84e1513beb8450f31d9589dcdfc33b0890405ab6 |
15-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fix a use-after-free introduced in r168019. In code like this: void foo() { bar(); baz(); } ...the location for the call to 'bar()' was being used as a backup location for the call to 'baz()'. This is fine unless the call to 'bar()' is deemed uninteresting and that part of the path deleted. (This looks like a logic error as well, but in practice the only way 'baz()' could have an invalid location is if the entire body of 'foo()' is synthesized, meaning the call to 'bar()' will be using the location of the call to 'foo()' anyway. Nevertheless, the new version better matches the intent of the code.) Found by Matt Beaumont-Gay using ASan. Thanks, Matt! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168080 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
63bc186d6ac0b44ba4ec6fccb5f471b05c79b666 |
15-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Report leaks at the closing brace of a function body. This fixes a few cases where we'd emit path notes like this: +---+ 1| v p = malloc(len); ^ |2 +---+ In general this should make path notes more consistent and more correct, especially in cases where the leak happens on the false branch of an if that jumps directly to the end of the function. There are a couple places where the leak is reported farther away from the cause; these are usually cases where there are several levels of nested braces before the end of the function. This still matches our current behavior for when there /is/ a statement after all the braces, though. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168070 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
|
84c484545c5906ba55143e212b4a5275ab55889f |
15-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Mark symbol values as dead in the environment. This allows us to properly remove dead bindings at the end of the top-level stack frame, using the ReturnStmt, if there is one, to keep the return value live. This in turn removes the need for a check::EndPath callback in leak checkers. This does cause some changes in the path notes for leak checkers. Previously, a leak would be reported at the location of the closing brace in a function. Now, it gets reported at the last statement. This matches the way leaks are currently reported for inlined functions, but is less than ideal for both. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168066 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
368f3b070e8cb657a65bfa443d60256676d269e7 |
15-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make sure calls in synthesized functions have valid path locations. We do this by using the "most recent" good location: if a synthesized function 'A' calls another function 'B', the path notes for the call to 'B' will be placed at the same location as the path note for calling 'A'. Similarly, the call to 'A' will have a note saying "Entered call from...", and now we just don't emit that (since the user doesn't have a body to look at anyway). Previously, we were doing this for the "Calling..." notes, but not for the "Entered call from..." or "Returning to caller". This caused a crash when the path entered and then exited a call within a synthesized body. <rdar://problem/12657843> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168019 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
|
bae930d4c69a624881e66f1628ee615e149362f7 |
13-Nov-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan's feedback for r167780. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167790 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
d51db4935736fd943bfd46dfa74d41e9a3c2d41f |
13-Nov-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Follow up to r167762 - precisely determine the adjustment conditions. The adjustment is needed only in case of dynamic dispatch performed by the analyzer - when the runtime declaration is different from the static one. Document this explicitly in the code (by adding a helper). Also, use canonical Decls to avoid matching against the case where the definition is different from found declaration. This fix suppresses the testcase I added in r167762, so add another testcase to make sure we do test commit r167762. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167780 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
e7ad14e18247ec6fc3d46b208829e3dac6d85a1d |
12-Nov-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a regression (from r 165079): compare canonical types. Suppresses a leak false positive (radar://12663777). In addition, we'll need to rewrite the adjustReturnValue() method not to return UnknownVal by default, but rather assert in cases we cannot handle. To make it possible, we need to correctly handle some of the edge cases we already know about. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167762 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
4e674f77150b52d8e6ae82faf64fbdac79d675d3 |
10-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] When invalidating symbolic offset regions, take fields into account. Previously, RegionStore was being VERY conservative in saying that because p[i].x and p[i].y have a concrete base region of 'p', they might overlap. Now, we check the chain of fields back up to the base object and check if they match. This only kicks in when dealing with symbolic offset regions because RegionStore's "base+offset" representation of concrete offset regions loses all information about fields. In cases where all offsets are concrete (s.x and s.y), RegionStore will already do the right thing, but mixing concrete and symbolic offsets can cause bindings to be invalidated that are known to not overlap (e.g. p[0].x and p[i].y). This additional refinement is tracked by <rdar://problem/12676180>. <rdar://problem/12530149> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167654 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
40d8551890bc8454c4e0a28c9072c9c1d1dd588a |
05-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Move convenience REGISTER_*_WITH_PROGRAMSTATE to CheckerContext.h As Anna pointed out, ProgramStateTrait.h is a relatively obscure header, and checker writers may not know to look there to add their own custom state. The base macro that specializes the template remains in ProgramStateTrait.h (REGISTER_TRAIT_WITH_PROGRAMSTATE), which allows the analyzer core to keep using it. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167385 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
rogramState.cpp
angeConstraintManager.cpp
|
0a591c242b867844d483091cae546e294bbee312 |
03-Nov-2012 |
NAKAMURA Takumi <geek4civic@gmail.com> |
StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp: Appease msvc. 0 (as nullptr) is incompatible to pointer in type matching on msvc. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167355 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
8501b7a1c4c4a9ba0ea6cb8e500e601ef3759deb |
03-Nov-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Run remove dead on end of path. This will simplify checkers that need to register for leaks. Currently, they have to register for both: check dead and check end of path. I've modified the SymbolReaper to consider everything on the stack dead if the input StackLocationContext is 0. (This is a bit disruptive, so I'd like to flash out all the issues asap.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167352 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
egionStore.cpp
ymbolManager.cpp
|
b355be838a22a511d078504b2277f70aea52ca85 |
03-Nov-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Refactor: Remove Pred from NodeBuilderContext. Node builders should manage the nodes, not the context. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167350 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
oreEngine.cpp
xprEngine.cpp
|
2f3017f9cbd3774f690c979410bfec38423d03af |
03-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add some convenience accessors to CallEvent, and use them. These are CallEvent-equivalents of helpers already accessible in CheckerContext, as part of making it easier for new checkers to be written using CallEvent rather than raw CallExprs. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167338 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerContext.cpp
|
d624607d4196e4b37d235daa14699bcb3c1012a6 |
03-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] isCLibraryFunction: check that the function is at TU-scope. Also, Decls already carry a pointer to the ASTContext, so there's no need to pass an extra argument to the predicate. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167337 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
|
166d502d5367ceacd1313a33cac43b1048b8524d |
02-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use nice macros for the common ProgramStateTraits (map, set, list). Also, move the REGISTER_*_WITH_PROGRAMSTATE macros to ProgramStateTrait.h. This doesn't get rid of /all/ explicit uses of ProgramStatePartialTrait, but it does get a lot of them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167276 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
rogramState.cpp
angeConstraintManager.cpp
|
785950e59424dca7ce0081bebf13c0acd2c4fff6 |
02-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename 'EmitReport' to 'emitReport'. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167275 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
c45bb4dcb648cd8b5250492afe7df254e4157aaa |
31-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Let ConstraintManager subclasses provide a more efficient checkNull. Previously, every call to a ConstraintManager's isNull would do a full assumeDual to test feasibility. Now, ConstraintManagers can override checkNull if they have a cheaper way to do the same thing. RangeConstraintManager can do this in less than half the work. <rdar://problem/12608209> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167138 91177308-0d34-0410-b5e6-96231b3b80d8
onstraintManager.cpp
angeConstraintManager.cpp
|
3719ed248b7b7e239b1b435dd569b007aaea9d26 |
31-Oct-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Don't invalidate const arguments when there is no IdentifierInfo. Ee: C++ copy constructors. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167092 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
6a329ee7567cf3267ffab2bc755ea8c773d967e7 |
29-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] New option to not suppress null return paths if an argument is null. Our one basic suppression heuristic is to assume that functions do not usually return NULL. However, when one of the arguments is NULL it is suddenly much more likely that NULL is a valid return value. In this case, we don't suppress the report here, but we do attach /another/ visitor to go find out if this NULL argument also comes from an inlined function's error path. This new behavior, controlled by the 'avoid-suppressing-null-argument-paths' analyzer-config option, is turned off by default. Turning it on produced two false positives and no new true positives when running over LLVM/Clang. This is one of the possible refinements to our suppression heuristics. <rdar://problem/12350829> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166941 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
athDiagnostic.cpp
|
09f7bf14d25bdc55cb715bc8d40600906848a409 |
29-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use the CallEnter node to get a value for tracked null arguments. Additionally, don't collect PostStore nodes -- they are often used in path diagnostics. Previously, we tried to track null arguments in the same way as any other null values, but in many cases the necessary nodes had already been collected (a memory optimization in ExplodedGraph). Now, we fall back to using the value of the argument at the time of the call, which may not always match the actual contents of the region, but often will. This is a precursor to improving our suppression heuristic. <rdar://problem/12350829> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166940 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xplodedGraph.cpp
|
3800165e56107df7430520aa98afdf7065db2dd2 |
26-Oct-2012 |
Ted Kremenek <kremenek@apple.com> |
Add comments for RemoveRedundantMsgs, rename it to removeRedundantMsgs() per Jordan's feedback. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166778 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b85cce094887ab5cf1c47acfe306e2fb1d3cfbb1 |
26-Oct-2012 |
Ted Kremenek <kremenek@apple.com> |
TrackConstraintBRVisitor and ConditionBRVisitor can emit similar path notes for cases where a value may be assumed to be null, etc. Instead of having redundant diagnostics, do a pass over the generated PathDiagnostic pieces and remove notes from TrackConstraintBRVisitor that are already covered by ConditionBRVisitor, whose notes tend to be better. Fixes <rdar://problem/12252783> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166728 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
603513d2294c437b37bcf47f326b686e31bd9e84 |
24-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle 'SomeVar.SomeEnumConstant', which is legal in C++. This caused assertion failures analyzing LLVM. <rdar://problem/12560282> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166529 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
4d9e497a2b1eab3b1214848216050c64fc3acfd6 |
24-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Replace -analyzer-no-eagerly-trim-egraph with graph-trim-interval. After every 1000 CFGElements processed, the ExplodedGraph trims out nodes that satisfy a number of criteria for being "boring" (single predecessor, single successor, and more). Rather than controlling this with a cc1 option, which can only disable this behavior, we now have an analyzer-config option, 'graph-trim-interval', which can change this interval from 1000 to something else. Setting the value to 0 disables reclamation. The next commit relies on this behavior to actually test anything. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166528 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xplodedGraph.cpp
xprEngine.cpp
|
b59b580a57a36df9d146473098d14c64508ff319 |
20-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Assume 'new' never returns NULL if it could throw an exception. This is actually required by the C++ standard in [basic.stc.dynamic.allocation]p3: If an allocation function declared with a non-throwing exception-specification fails to allocate storage, it shall return a null pointer. Any other allocation function that fails to allocate storage shall indicate failure only by throwing an exception of a type that would match a handler of type std::bad_alloc. We don't bother checking for the specific exception type, but just go off the operator new prototype. This should help with a certain class of lazy initialization false positives. <rdar://problem/12115221> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166363 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
d4ce811ae08398e357c8ce3e707ba5f2aa0041a5 |
17-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] When binding to a ParenExpr, bind to its inner expression instead. This actually looks through several kinds of expression, such as OpaqueValueExpr and ExprWithCleanups. The idea is that binding and lookup should be consistent, and so if the environment needs to be modified later, the code doing the modification will not have to manually look through these "transparent" expressions to find the real binding to change. This is necessary for proper updating of struct rvalues as described in the previous commit. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166121 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
|
f1e67d75fc922ff905de9faa6326bb1a96685ec1 |
17-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Create a temporary region when accessing a struct rvalue. In C++, rvalues that need to have their address taken (for example, to be passed to a function by const reference) will be wrapped in a MaterializeTemporaryExpr, which lets CodeGen know to create a temporary region to store this value. However, MaterializeTemporaryExprs are /not/ created when a method is called on an rvalue struct, even though the 'this' pointer needs a valid value. CodeGen works around this by creating a temporary region anyway; now, so does the analyzer. The analyzer also does this when accessing a field of a struct rvalue. This is a little unfortunate, since the rest of the struct will soon be thrown away, but it does make things consistent with the rest of the analyzer. This allows us to bring back the assumption that all known 'this' values are Locs. This is a revised version of r164828-9, reverted in r164876-7. <rdar://problem/12137950> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166120 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
|
f238aa4f556c0aa3024abebaf3bdbf5f3f68fb94 |
16-Oct-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Embed the analyzer version into the plist output. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165994 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
e5a934d3c840872d58724383a83443ed38f1d831 |
13-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove the "direct bindings only" Environment lookup. This was only used by OSAtomicChecker and makes it more difficult to update values for expressions that the environment may look through instead (it's not the same as IgnoreParens). With this gone, we can have bindExpr bind to the inner expression that getSVal will find. Groundwork for <rdar://problem/12137950> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165866 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
|
42e95acef35f4633119be1c1381e88878c966502 |
13-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove unneeded 'inlineCall' checker callback. I believe the removed assert in CheckerManager says it best: InlineCall is a special hacky callback to allow intrusive evaluation of the call (which simulates inlining). It is currently only used by OSAtomicChecker and should go away at some point. OSAtomicChecker has gone away; inlineCall can now go away as well! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165865 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
|
786e6204e55cc01094a3e86104c82932a65fb2ca |
11-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
Reapply "[analyzer] Treat fields of unions as having symbolic offsets." This time, actually uncomment the code that's supposed to fix the problem. This reverts r165671 / 8ceb837585ed973dc36fba8dfc57ef60fc8f2735. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165676 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
8ceb837585ed973dc36fba8dfc57ef60fc8f2735 |
11-Oct-2012 |
Eric Christopher <echristo@gmail.com> |
Temporarily Revert "[analyzer] Treat fields of unions as having symbolic offsets." Author: Jordan Rose <jordan_rose@apple.com> Date: Wed Oct 10 21:31:21 2012 +0000 [analyzer] Treat fields of unions as having symbolic offsets. This allows only one field to be active at a time in RegionStore. This isn't quite the correct behavior for unions, but it at least would handle the case of "value goes in, value comes out" from the same field. RegionStore currently has a number of places where any access to a union results in UnknownVal being returned. However, it is clearly missing some cases, or the original issue wouldn't have occurred. It is probably now safe to remove those changes, but that's a potentially destabilizing change that should wait for more thorough testing. Fixes PR14054. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165660 91177308-0d34-0410-b5e6-96231b3b80d8 This reverts commit cf9030e480f77ab349672f00ad302e216c26c92c. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165671 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
cf9030e480f77ab349672f00ad302e216c26c92c |
10-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat fields of unions as having symbolic offsets. This allows only one field to be active at a time in RegionStore. This isn't quite the correct behavior for unions, but it at least would handle the case of "value goes in, value comes out" from the same field. RegionStore currently has a number of places where any access to a union results in UnknownVal being returned. However, it is clearly missing some cases, or the original issue wouldn't have occurred. It is probably now safe to remove those changes, but that's a potentially destabilizing change that should wait for more thorough testing. Fixes PR14054. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165660 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
cf4ce93caedca1d91ec5824981f9e45eda20b261 |
06-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle implicit statements used for end-of-path nodes' source locs. Some implicit statements, such as the implicit 'self' inserted for "free" Objective-C ivar access, have invalid source locations. If one of these statements is the location where an issue is reported, we'll now look at the enclosing statements for a valid source location. <rdar://problem/12446776> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165354 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
48314cf6a289bc5a082d8c769c58a38f924c93b7 |
03-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Adjust the return type of an inlined devirtualized method call. In C++, overriding virtual methods are allowed to specify a covariant return type -- that is, if the return type of the base method is an object pointer type (or reference type), the overriding method's return type can be a pointer to a subclass of the original type. The analyzer was failing to take this into account when devirtualizing a method call, and anything that relied on the return value having the proper type later would crash. In Objective-C, overriding methods are allowed to specify ANY return type, meaning we can NEVER be sure that devirtualizing will give us a "safe" return value. Of course, a program that does this will most likely crash at runtime, but the analyzer at least shouldn't crash. The solution is to check and see if the function/method being inlined is the function that static binding would have picked. If not, check that the return value has the same type. If the types don't match, see if we can fix it with a derived-to-base cast (the C++ case). If we can't, return UnknownVal to avoid crashing later. <rdar://problem/12409977> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165079 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
aa66b08d2d8bbf05bae8c68f58724f754ab57b35 |
03-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Push evalDynamicCast and evalDerivedToBase up to Store. These functions are store-agnostic, and would benefit from information in DynamicTypeInfo but gain nothing from the store type. No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165078 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
tore.cpp
|
041ce8e00afd1185549a25d5c2b97d219ae032d9 |
03-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
Teach getCXXRecordDeclForPointerType about references. Then, rename it getPointeeCXXRecordDecl and give it a nice doc comment, and actually use it. No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165077 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
86e7b7e4421eacdd5ae610a0fb2d8ea5dec5e644 |
02-Oct-2012 |
Ted Kremenek <kremenek@apple.com> |
Silence -Wunused-value warning. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165059 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
48d05e6d776f4b68f3db4016eb5680ac041c2b7d |
02-Oct-2012 |
Ted Kremenek <kremenek@apple.com> |
Refactor clients of AnalyzerOptions::getBooleanOption() to have an intermediate helper method to query and populate the Optional value. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165043 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
94bb74cef72a33d77c5d6739abfc0840c781eb8e |
02-Oct-2012 |
Ted Kremenek <kremenek@apple.com> |
Tweak AnalyzerOptions::getOptionAsInteger() to populate the string table, making it printable with the ConfigDump checker. Along the way, fix a really serious bug where the value was getting parsed from the string in code that was in an assert() call. This means in a Release-Asserts build this code wouldn't work as expected. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165041 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
9e28fe60bbfa5de196ce4aa396210bf10fc5c266 |
02-Oct-2012 |
Ted Kremenek <kremenek@apple.com> |
Change AnalyzerOptions::mayInlineCXXMemberFunction to default populate the config string table. Also setup a test for dumping the analyzer configuration for C++. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165040 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
e606e3d224d3fa8f6d4358ec66858d46754457a0 |
01-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Allow ObjC ivar lvalues where the base is nil. By analogy with C structs, this seems to be legal, if probably discouraged. It's only if the ivar is read from or written to that there's a problem. Running a program that gets the "address" of an instance variable does in fact return the offset when the base "object" is nil. This isn't a full revert because r164442 includes some diagnostic tweaks as well; those have been kept. This partially reverts r164442 / 08965091770c9b276c238bac2f716eaa4da2dca4. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164960 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
|
d27a368f4800b447b970b7c438d0fb4da00838dc |
01-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Check that a member expr is valid even when the result is an lvalue." The original intent of this commit was to catch potential null dereferences early, but it breaks the common "home-grown offsetof" idiom (PR13927): (((struct Foo *)0)->member - ((struct foo *)0)) As it turns out, this appears to be legal in C, per a footnote in C11 6.5.3.2: "Thus, &*E is equivalent to E (even if E is a null pointer)". In C++ this issue is still open: http://www.open-std.org/jtc1/sc22/wg21/docs/cwg_active.html#232 We'll just have to make sure we have good path notes in the future. This reverts r164441 / 9be016dcd1ca3986873a7b66bd4bc027309ceb59. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164958 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
622b6fb0a1d280c16e135c7e427b79cafffbde1f |
01-Oct-2012 |
Ted Kremenek <kremenek@apple.com> |
Have AnalyzerOptions::getBooleanOption() stick the matching config string in the config table so that it can be dumped as part of the config dumper. Add a test to show that these options are sticking and can be cross-checked using FileCheck. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164954 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
0504a598a5dc8f3f45e79d4f8ea206a926507859 |
01-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
Reapply "[analyzer] Handle inlined constructors for rvalue temporaries correctly." This is related to but not blocked by <rdar://problem/12137950> ("Return-by-value structs do not have associated regions") This reverts r164875 / 3278d41e17749dbedb204a81ef373499f10251d7. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164952 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
ca5d78d0bc3010164f2f9682967d64d7e305a167 |
01-Oct-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make ProgramStateManager's SubEngine parameter optional. It is possible and valid to have a state manager and associated objects without having a SubEngine or checkers. Patch by Olaf Krzikalla! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164947 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
rogramState.cpp
angeConstraintManager.cpp
impleConstraintManager.cpp
impleConstraintManager.h
|
ce6644bc1e921833f9b3c10cf7d4a0b78e8d5dc9 |
29-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Create a temporary region for rvalue structs when accessing fields" This reverts commit 6f61df3e7256413dcb99afb9673f4206e3c4992c. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164877 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
20aa40342bd74895128860c081aa84cd85bfa68d |
29-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Create a temp region when a method is called on a struct rvalue." This reverts commit 0006ba445962621ed82ec84400a6b978205a3fbc. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164876 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
846c898cebf02cb753125633c52e0d1d7fd94b4b |
29-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Handle inlined constructors for rvalue temporaries correctly." This reverts commit 580cd17f256259f39a382e967173f34d68e73859. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164875 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
580cd17f256259f39a382e967173f34d68e73859 |
28-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle inlined constructors for rvalue temporaries correctly. Previously the analyzer treated all inlined constructors like lvalues, setting the value of the CXXConstructExpr to the newly-constructed region. However, some CXXConstructExprs behave like rvalues -- in particular, the implicit copy constructor into a pass-by-value argument. In this case, we want only the /contents/ of a temporary object to be passed, so that we can use the same "copy each argument into the parameter region" algorithm that we use for scalar arguments. This may change when we start modeling destructors of temporaries, but for now this is the last part of <rdar://problem/12137950>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164830 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
0006ba445962621ed82ec84400a6b978205a3fbc |
28-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Create a temp region when a method is called on a struct rvalue. An rvalue has no address, but calling a C++ member function requires a 'this' pointer. This commit makes the analyzer create a temporary region in which to store the struct rvalue and use as a 'this' pointer whenever a member function is called on an rvalue, which is essentially what CodeGen does. More of <rdar://problem/12137950>. The last part is tracking down the C++ FIXME in array-struct-region.cpp. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164829 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
6f61df3e7256413dcb99afb9673f4206e3c4992c |
28-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Create a temporary region for rvalue structs when accessing fields Struct rvalues are represented in the analyzer by CompoundVals, LazyCompoundVals, or plain ConjuredSymbols -- none of which have associated regions. If the entire structure is going to persist, this is not a problem -- either the rvalue will be assigned to an existing region, or a MaterializeTemporaryExpr will be present to create a temporary region. However, if we just need a field from the struct, we need to create the temporary region ourselves. This is inspired by the way CodeGen handles calls to temporaries; support for that in the analyzer is coming next. Part of <rdar://problem/12137950> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164828 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
b35007cc4de8256b39dc1ed9abdeb8b2458c3c01 |
26-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Revert "Use sep instead of ' '." This isn't correct, as Jordan correctly points out. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164711 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
|
fb9a0ede96023d18af24ee98854db9606fdafb5c |
26-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Use sep instead of ' '. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164709 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
|
732cdf383f9030ff2b9fb28dfbdae2285ded80c6 |
26-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove unnecessary ASTContext& parameter from SymExpr::getType(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164661 91177308-0d34-0410-b5e6-96231b3b80d8
onstraintManager.cpp
emRegion.cpp
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
ymbolManager.cpp
|
0073a5c7ce38e98365c00921316030627b3d129f |
25-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Reapply "[analyzer] Remove constraints on dead symbols as part of removeDeadBindings." Previously, we'd just keep constraints around forever, which means we'd never be able to merge paths that differed only in constraints on dead symbols. Because we now allow constraints on symbolic expressions, not just single symbols, this requires changing SymExpr::symbol_iterator to include intermediate symbol nodes in its traversal, not just the SymbolData leaf nodes. This depends on the previous commit to be correct. Originally applied in r163444, reverted in r164275, now being re-applied. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164622 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
ymbolManager.cpp
|
6e3bf21f20d4d744fdf5acd719e9f442f4a144fc |
25-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Calculate liveness for symbolic exprs as well as atomic symbols. No tests, but this allows the optimization of removing dead constraints. We can then add tests that we don't do this prematurely. <rdar://problem/12333297> Note: the added FIXME to investigate SymbolRegionValue liveness is tracked by <rdar://problem/12368183>. This patch does not change the existing behavior. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164621 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
|
05c3b9ac74e12238e7ec5f237132e2348a8b5f4e |
24-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Prevent infinite recursion (assume->checker:evalAssume->assume) (Unfortunately, I do not have a good reduced test case for this.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164541 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
|
b9d4e5e3bb235f1149e99d3c833ff7cb3474c9f1 |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Suppress bugs whose paths go through the return of a null pointer. This is a heuristic intended to greatly reduce the number of false positives resulting from inlining, particularly inlining of generic, defensive C++ methods that live in header files. The suppression is triggered in the cases where we ask to track where a null pointer came from, and it turns out that the source of the null pointer was an inlined function call. This change brings the number of bug reports in LLVM from ~1500 down to around ~300, a much more manageable number. Yes, some true positives may be hidden as well, but from what I looked at the vast majority of silenced reports are false positives, and many of the true issues found by the analyzer are still reported. I'm hoping to improve this heuristic further by adding some exceptions next week (cases in which a bug should still be reported). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164449 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
ugReporterVisitors.cpp
|
53221da865144db0ba6bd89ab30bcf81de0fe5d2 |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Track a null value back through FindLastStoreBRVisitor. Also, tidy up the other tracking visitors so that they mark the right things as interesting and don't do extra work. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164448 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
d632d6fc606f0be438c3b6fe5c43f1b3f5db98b1 |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Always allow BugReporterVisitors to see the bug path. Before, PathDiagnosticConsumers that did not support actual path output would (sensibly) cause the generation of the full path to be skipped. However, BugReporterVisitors may want to see the path in order to mark a BugReport as invalid. Now, even for a path generation scheme of 'None' we will still create a trimmed graph and walk backwards through the bug path, doing no work other than passing the nodes to the BugReporterVisitors. This isn't cheap, but it's necessary to properly do suppression when the first path consumer does not support path notes. In the future, we should try only generating the path and visitor-provided path notes once, or at least only creating the trimmed graph once. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164447 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8347d3d45e6f128bba19821f0d2f54cadd4d49bb |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Allow a BugReport to be marked "invalid" during path generation. This is intended to allow visitors to make decisions about whether a BugReport is likely a false positive. Currently there are no visitors making use of this feature, so there are no tests. When a BugReport is marked invalid, the invalidator must provide a key that identifies the invalidation (intended to be the visitor type and a context pointer of some kind). This allows us to reverse the decision later on. Being able to reverse a decision about invalidation gives us more flexibility, and allows us to formulate conditions like "this report is invalid UNLESS the original argument is 'foo'". We can use this to fine-tune our false-positive suppression (coming soon). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164446 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
|
6686b6694a7998623550ff6529f2f53bfee94328 |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look through OpaqueValueExprs when tracking a nil value. This allows us to show /why/ a particular object is nil, even when it is wrapped in an OpaqueValueExpr. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164445 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
85e99373835fe1b4cec624bc48dc8dfe14c2a783 |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Better path notes for null pointers passed as arguments. Rather than saying "Null pointer value stored to 'foo'", we now say "Passing null pointer value via Nth parameter 'foo'", which is much better. The note is also now on the argument expression as well, rather than the entire call. This paves the way for continuing to track arguments back to their sources. <rdar://problem/12211490> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164444 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
615a092a511cd2dfe1a5364ebf5f80e55e33034d |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Use llvm::getOrdinalSuffix to print ordinal numbers in diagnostics. Just a refactoring of common infrastructure. No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164443 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
991bcb4370fe849603346ebbddc8dd47bc29d235 |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Check that an ObjCIvarRefExpr's base is non-null even as an lvalue. Like with struct fields, we want to catch cases like this early, so that we can produce better diagnostics and path notes: PointObj *p = nil; int *px = &p->_x; // should warn here *px = 1; git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164442 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngineObjC.cpp
|
dd1d7d88f1fe6d7d7e79acaec3f83bc10d9f7b97 |
22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Check that a member expr is valid even when the result is an lvalue. We want to catch cases like this early, so that we can produce better diagnostics and path notes: Point *p = 0; int *px = &p->x; // should warn here *px = 1; git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164441 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
938869941e5a01049fb301fbf82f3caa4c7efa09 |
21-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Re-enable faux-bodies by default. Try this again, now that r164392 is in place. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164393 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
1cc9a80f8df979d5ff26739ebf3c134c4e6a4ed0 |
21-Sep-2012 |
NAKAMURA Takumi <geek4civic@gmail.com> |
Revert r164364, "Flip "faux-bodies" in the analyzer on by default to flush out bugs." It crashed test/Analysis/Output/blocks.m on some hosts. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164368 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
85cb7a5696f93f8b98604d3e72525921a32537f0 |
21-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Flip "faux-bodies" in the analyzer on by default to flush out bugs. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164364 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
ddc0c4814788dda4ef224cd4d22d07154a6ede49 |
21-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Simplify getRuntimeDefinition() back to taking no arguments. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164363 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
|
a43df9539644bf1c258e12710cd69d79b0b078cd |
21-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Implement faux-body-synthesis of well-known functions in the static analyzer when their implementations are unavailable. Start by simulating dispatch_sync(). This change is largely a bunch of plumbing around something very simple. We use AnalysisDeclContext to conjure up a fake function body (using the current ASTContext) when one does not exist. This is controlled under the analyzer-config option "faux-bodies", which is off by default. The plumbing in this patch is largely to pass the necessary machinery around. CallEvent needs the AnalysisDeclContextManager to get the function definition, as one may get conjured up lazily. BugReporter and PathDiagnosticLocation needed to be relaxed to handle invalid locations, as the conjured body has no real source locations. We do some primitive recovery in diagnostic generation to generate some reasonable locations (for arrows and events), but it can be improved. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164339 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
ugReporter.cpp
allEvent.cpp
xprEngineCallAndReturn.cpp
|
8e289bb59c5c1c29900604b86238c3088f506782 |
20-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Remove constraints on dead symbols as part of removeDeadBindings." While we definitely want this optimization in the future, we're not currently handling constraints on symbolic /expressions/ correctly. These should stay live even if the SymExpr itself is no longer referenced because we could recreate an identical SymExpr later. Only once the SymExpr can no longer be recreated -- i.e. a component symbol is dead -- can we safely remove the constraints on it. This liveness issue is tracked by <rdar://problem/12333297>. This reverts r163444 / 24c7f98828e039005cff3bd847e7ab404a6a09f8. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164275 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
ymbolManager.cpp
|
5fc1d0c4532c55cc47ba6628f296bf5b86d2eaf0 |
17-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Teach the analyzer about implicit initialization of statics in ObjCMethods. Extend FunctionTextRegion to represent ObjC methods as well as functions. Note, it is not clear what type ObjCMethod region should return. Since the type of the FunctionText region is not currently used, defer solving this issue. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164046 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
Vals.cpp
|
5f7c0add1ea1d8e1d2f920d77fd1a7b6160c2d93 |
13-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Don't reimplement an existing function. Thanks Jordan. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163762 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
4ef19205b6912316296db74a9073ad6fa60e4cca |
13-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Refactor logic in ExprEngine for detecting 'noreturn' methods in NSException to a helper object in libAnalysis that can also be used by Sema. Not sure if the predicate name 'isImplicitNoReturn' is the best one, but we can massage that later. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163759 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineObjC.cpp
|
16e6a7cb41319459ded69b4d47f405c1035dd347 |
13-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not report use of undef on "return foo();" when the return type is void. Fixes a false positive found by analyzing LLVM code base. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163750 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
522fc21f3adc647817edc8017e6928a64c96899b |
13-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Teach UndefOrNullArgVisitor to track parent regions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163748 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
emRegion.cpp
|
1a7bcc41efb73d80fd45eb71494b073f388d333c |
13-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fix another use of the address of a temporary, like r163402. Again, GCC is more aggressive about reusing temporary space than we are, leading to Release build crashes for this undefined behavior. PR13710 (though it may not be the only problem there) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163747 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
d66b3c56a5da1cbaf5ec12811ee7221231b6c301 |
12-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle when the dynamic type is worse than the static type. Currently we don't update the dynamic type of a C++ object when it is cast. This can cause the situation above, where the static type of the region is now known to be a subclass of the dynamic type. Once we start updating DynamicTypeInfo in response to the various kinds of casts in C++, we can re-add this assert to make sure we don't miss any cases. This work is tracked by <rdar://problem/12287087>. In -Asserts builds, we will simply not return any runtime definition when our DynamicTypeInfo is known to be incorrect like this. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163745 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
fe3769dbb448edf8e5ece13b14017608558d4763 |
12-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Use the static type for a virtual call if the dynamic type is worse." Using the static type may be inconsistent with later calls. We should just report that there is no inlining definition available if the static type is better than the dynamic type. See next commit. This reverts r163644 / 19d5886d1704e24282c86217b09d5c6d35ba604d. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163744 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
f57a2aa02c0578c5bd834fec0d44c16ad9908620 |
12-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix regression where "looping back to the head of" PathDiagnosticEvents were not emitted. Fixes <rdar://problem/12280665>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163683 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
9a4db032ecd991626d236a502e770126db32bd31 |
12-Sep-2012 |
Richard Smith <richard-llvm@metafoo.co.uk> |
PR13811: Add a FunctionParmPackExpr node to handle references to function parameter packs where the reference is not being expanded but the pack has been. Previously, Clang would segfault in such cases. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163672 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
e9f1f234932e80bb83be9b094e163ca4c47a3086 |
11-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Disable STL inlining. Blocked by PR13724." While PR13724 is still an issue, it's not actually an issue in the STL. We can keep this option around in case there turn out to be widespread false positives due to poor modeling of the C++ standard library functions, but for now we'd like to get more data. This reverts r163633 / c6baadceec1d5148c20ee6c902a102233c547f62. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163647 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
19d5886d1704e24282c86217b09d5c6d35ba604d |
11-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use the static type for a virtual call if the dynamic type is worse. reinterpret_cast does not provide any of the usual type information that static_cast or dynamic_cast provide -- only the new type. This can get us in a situation where the dynamic type info for an object is actually a superclass of the static type, which does not match what CodeGen does at all. In these cases, just fall back to the static type as the best possible type for devirtualization. Should fix the crashes on our internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163644 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
c6baadceec1d5148c20ee6c902a102233c547f62 |
11-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Disable STL inlining. Blocked by PR13724. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163633 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
e5cc4c967178669dd19832bc0fb03b293d5d969f |
11-Sep-2012 |
Stephen Hines <srhines@google.com> |
Merge up through LLVM r163557. New CommentCommandInfo and CommentHTMLTagsProperties targets for TableGen. Updated Android.mk source files for AST, StaticAnalyzer/Checkers, StaticAnalyzer/Core, driver, and TableGen. Split Rewrite/Android.mk into Core and Frontend sub-libraries. Change-Id: Ia114939e242a79570c41a519f4f3cc712a0ed9a8
ndroid.mk
|
00b4f64ecb26b031c1f4888f39be6c706156356a |
11-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Member function calls that use qualified names are non-virtual. C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the id-expression in the class member access expression is a qualified-id, that function is called. Otherwise, its final overrider in the dynamic type of the object expression is called. <rdar://problem/12255556> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163577 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
9f0b1324a5352713337c75ef4a5acffd96609c6c |
11-Sep-2012 |
Stephen Hines <srhines@google.com> |
Merge branch 'upstream' into merge-2012_09_10
|
e08dcbe75eb9b3ffe6f1f60ac2b216b4c878606a |
11-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Turn stl inlining back on. The one reported bug, which was exposed by stl inlining, is addressed in r163558. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163574 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
4ea9b89ff6dc50d5404eb56cad5e5870bce49ef2 |
11-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not count calls to small functions when computing stack depth. We only want to count how many substantial functions we inlined. This is an improvement to r163558. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163571 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
57330eed3fbe530cb05996e4a346cc5fc217c0d9 |
11-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add an option to enable/disable objc inlining. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163562 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
7229d0011766c174beffe6a846d78f448f845b39 |
11-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add ipa-always-inline-size option (with 3 as the default). The option allows always inlining very small functions, whose size (in number of basic blocks) is set using the -analyzer-config ipa-always-inline-size option. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163558 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
978869aa6e31a4bc6afdf5446ffb717aad3f7d97 |
10-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make the defaults explicit for each of the new config options. Also, document both new inlining options in IPA.txt. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163551 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
|
81fb50e8b120fc95dc0245b4112972d4d7cca3b5 |
10-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] For now, don't inline C++ standard library functions. This is a (heavy-handed) solution to PR13724 -- until we know we can do a good job inlining the STL, it's best to be consistent and not generate more false positives than we did before. We can selectively whitelist certain parts of the 'std' namespace that are known to be safe. This is controlled by analyzer config option 'c++-stdlib-inlining', which can be set to "true" or "false". This commit also adds control for whether or not to inline any templated functions (member or non-member), under the config option 'c++-template-inlining'. This option is currently on by default. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163548 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
xprEngineCallAndReturn.cpp
|
15f9f74f0cc7c2923b1977c6d33059251e6df204 |
10-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix another case where we should be using isBeforeInTranslationUnit(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163533 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
d727d39ca779920898d77f5dcbbb3980175594ef |
10-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Add a few more cases where we should be using isBeforeInTranslationUnit(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163531 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
acc714ba6c448e6dc278acf9b6eafee44d7f48a7 |
10-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Revert "Revert Ted's r163489 and r163490, due to breakage." I need to see how this breaks on other platforms when I fix the issue that Benjamin Kramer pointed out. This includes r163489 and r163490, plus a two line change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163512 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
2343b3d0c29356583a013d900f2817083ac2d4a0 |
10-Sep-2012 |
NAKAMURA Takumi <geek4civic@gmail.com> |
Revert Ted's r163489 and r163490, due to breakage. r163489, "Take another crack at stabilizing the emission order of analyzer" r163490, "Use isBeforeInTranslationUnitThan() instead of operator<." git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163497 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
c265cddad7f9ca9eda1e7d08c2595ec73acec724 |
10-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Use isBeforeInTranslationUnitThan() instead of operator<. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163490 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
4dfd141350009c742f4949a753ffe4a1524a2792 |
10-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Take another crack at stabilizing the emission order of analyzer diagnostics without using FoldingSetNodeIDs. This is done by doing a complete recursive comparison of the PathDiagnostics. Note that the previous method of comparing FoldingSetNodeIDs did not end up relying on unstable things such as pointer addresses, so I suspect this may still have some issues on various buildbots because I'm not sure if the true source of non-determinism has been eliminated. The tests pass for me, so the only way to know is to commit this change and see what happens. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163489 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
7c06f036a3092a7e019979e1ca836a1fbe14edc7 |
10-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Indent the "message" key in analyzer plist output. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163487 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
ce15cce38c34ae73348457da73c52df81cde3588 |
09-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove dead method ProgramState::MarshalState(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163479 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
22505ef15e32db31a4f834a387cf73a913bc8f66 |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix bug in BugReporter::RemoveUneededCalls() where "prunable" PathDiagnosticEventPieces were *always* pruned. Instead, they are supposed to only be pruned if the entire call gets pruned. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163460 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
0187a1b8b9b2b7657de0ba8b0d4f67d30bec83e8 |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Attempt (again) to stabilize the order of the emission of diagnostics of the analyzer by using the FullProfile() of a PathDiagnostic for ordering them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163455 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
82f2ad456a82da1b9cb7ddfc994c8f5fa44b59e6 |
08-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] ObjCSelfInitChecker should always clean up in postCall checks. ObjCSelfInitChecker stashes information in the GDM to persist it across function calls; it is stored in pre-call checks and retrieved post-call. The post-call check is supposed to clear out the stored state, but was failing to do so in cases where the call did not have a symbolic return value. This was actually causing the inappropriate cache-out from r163361. Per discussion with Anna, we should never actually cache out when assuming the receiver of an Objective-C message is non-nil, because we guarded that node generation by checking that the state has changed. Therefore, the only states that could reach this exact ExplodedNode are ones that should have merged /before/ making this assumption. r163361 has been reverted and the test case removed, since it won't actually test anything interesting now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163449 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
|
e157ae53772e90a3ee3cba3eaa7da3300eb249eb |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Revert "Attempt to make the PathDiagnostic emission order more deterministic by" git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163446 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
62a456312ad633169528d5fc85063704dc8f5d0f |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Revert "Further tweaks to hopefully make the PathDiagnostic emission more deterministic." git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163445 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
24c7f98828e039005cff3bd847e7ab404a6a09f8 |
08-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove constraints on dead symbols as part of removeDeadBindings. Previously, we'd just keep constraints around forever, which means we'd never be able to merge paths that differed only in constraints on dead symbols. Because we now allow constraints on symbolic expressions, not just single symbols, this requires changing SymExpr::symbol_iterator to include intermediate symbol nodes in its traversal, not just the SymbolData leaf nodes. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163444 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
ymbolManager.cpp
|
f6d05bbedd482e634507a099e3416fa05cbc0e78 |
08-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Symbolic regions are live if any subregions are live. RegionStoreManager was only treating a SymbolicRegion's symbol as live if there was a binding referring to the region itself. No test case because constraints are currently not being cleaned out of the constraint manager at all (even if the symbol is legitimately dead). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163443 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
9874f597ef5d5748695c88daaa9a3208f95c2032 |
08-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Cast the result of a placement new-expression to the correct type. This is necessary because further analysis will assume that the SVal's type matches the AST type. This caused a crash when trying to perform a derived-to-base cast on a C++ object that had been new'd to be another object type. Yet another crash in PR13763. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163442 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
ec5fda4dedbc249b61be032f710e8c9d6396fee8 |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Further tweaks to hopefully make the PathDiagnostic emission more deterministic. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163430 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
47cbd0f3892c7965cf16a58393f9f17a22d4d4d9 |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove ProgramState::getSymVal(). It was being misused by Checkers, with at least one subtle bug in MacOSXKeyChainAPIChecker where calling the method was a substitute for assuming a symbolic value was null (which is not the case). We still keep ConstraintManager::getSymVal(), but we use that as an optimization in SValBuilder and ProgramState::getSVal() to constant-fold SVals. This is only if the ConstraintManager can provide us with that information, which is no longer a requirement. As part of this, introduce a default implementation of ConstraintManager::getSymVal() which returns null. For Checkers, introduce ConstraintManager::isNull(), which queries the state to see if the symbolic value is constrained to be a null value. It does this without assuming it has been implicitly constant folded. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163428 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
onstraintManager.cpp
rogramState.cpp
impleConstraintManager.cpp
impleSValBuilder.cpp
|
b4b4523cc52bebc5ed47cc501959ab31286a1065 |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Attempt to make the PathDiagnostic emission order more deterministic by looking at PathPieces. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163427 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
ace64b5f6a338111084bf4a7c9b7488a9965ef4e |
08-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove ConstraintManager:isEqual(). It is no longer used. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163425 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
|
9198c71a626e2f0d29d92152832f3e80f4af59b3 |
07-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use cast<> instead of getAs<> for a CFGElement known to be a CFGStmt. When adding the next statement to the CoreEngine's work list, we take care of all the special cases first. We certainly shouldn't be building PostStmts with null statements (the diagnostics machinery assumes such StmtPoints do not exist), and we should find out sooner if we're missing a special case. A refinement of r163402 that should help prevent further issues like PR13760. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163409 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
b5204ee30229c76f8a0be48800508483737ceb5a |
07-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't use the address of a temporary CFGElement. GCC destroys temporary objects more aggressively than clang, so this results in incorrect behavior when compiling GCC Release builds. We could avoid this issue under C++11 by preventing getAs from being called when 'this' is an rvalue: template<class ElemTy> const ElemTy *getAs() const & { ... } template<class ElemTy> const ElemTy *getAs() const && = delete; Unfortunately, we do not have compatibility macros for this behavior yet. This will hopefully fix PR13760 and PR13762. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163402 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
99d68e9b4cc4a6bdb526722469d3f7412abd82be |
07-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Explain why we need condition 8. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163394 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
62bde3e0a0699a72f9dbd1045dc4a3c554a46dd3 |
07-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
ExplodedGraph::shouldCollectNode() should not collect nodes for non-Expr Stmts (as this previously was the case before this was refactored). We also shouldn't need to specially handle BinaryOperators since the eagerly-assume heuristic tags such nodes. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163374 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
c47dc1b9734ea9bebb281499d58d22c2647713a9 |
07-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix bug in ConditionBRVisitor where for C++ (and not C) we were not ignoring implicit pointer-to-boolean conversions in condition expressions. This would result in inconsistent diagnostic emission between C and C++. A consequence of this is now ConditionBRVisitor and TrackConstraintBRVisitor may emit redundant diagnostics, for example: "Assuming pointer value is null" (TrackConstraintBRVisitor) "Assuming 'p' is null" (ConditionBRVisitor) We need to reconcile the two, and perhaps prefer one over the other in some cases. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163372 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
8f0d0fef5f90b16600cdb802d5d7344417c34aad |
07-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fail gracefully when the dynamic type is outside the hierarchy. With some particularly evil casts, we can get an object whose dynamic type is not actually a subclass of its static type. In this case, we won't even find the statically-resolved method as a devirtualization candidate. Rather than assert that this situation cannot occur, we now simply check that the dynamic type is not an ancestor or descendent of the static type, and leave it at that. This error actually occurred analyzing LLVM: CallEventManager uses a BumpPtrAllocator to allocate a concrete subclass of CallEvent (FunctionCall), but then casts it to the actual subclass requested (such as ObjCMethodCall) to perform the constructor. Yet another crash in PR13763. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163367 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
5601c9aac3bf7be5e1ea8a76149090933d2d3c78 |
07-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash if we cache out while evaluating an ObjC message. A bizarre series of coincidences led us to generate a previously-seen node in the middle of processing an Objective-C message, where we assume the receiver is non-nil. We were assuming that such an assumption would never "cache out" like this, and blithely went on using a null ExplodedNode as the predecessor for the next step in evaluation. Although the test case committed here is complicated, this could in theory happen in other ways as well, so the correct fix is just to test if the non-nil assumption results in an ExplodedNode we've seen before. <rdar://problem/12243648> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163361 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
|
200fa2e70d52ae6d620e81cd45536071fdde70c0 |
06-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't attempt to devirtualize calls to base class destructors. CXXDestructorCall now has a flag for when it is a base destructor call. Other kinds of destructor calls (locals, fields, temporaries, and 'delete') all behave as "whole-object" destructors and do not behave differently from one another (specifically, in these cases we /should/ try to devirtualize a call to a virtual destructor). This was causing crashes in both our internal buildbot, the crash still being tracked in PR13765, and some of the crashes being tracked in PR13763, due to an assertion failure. (The behavior under -Asserts happened to be correct anyway.) Adding this knowledge also allows our DynamicTypePropagation checker to do a bit less work; the special rules about virtual method calls during a destructor only require extra handling during base destructors. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163348 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngine.cpp
xprEngineCXX.cpp
|
31ba6135375433b617a8587ea6cc836a014ebd86 |
06-Sep-2012 |
Roman Divacky <rdivacky@freebsd.org> |
Don't cast away const needlessly. Found by gcc48 -Wcast-qual. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163325 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
emRegion.cpp
egionStore.cpp
|
9b925ac059089dfe74e3b8fa5effe519fb9ee885 |
06-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Enhance the member expr tracking to account for references. As per Jordan's suggestion. (Came out of code review for r163261.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163269 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
5a1ffe98b04120846a15f7105905b5f363b08635 |
06-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Always include destructors in the analysis CFG. While destructors will continue to not be inlined (unless the analyzer config option 'c++-inlining' is set to 'destructors'), leaving them out of the CFG is an incomplete model of the behavior of an object, and can cause false positive warnings (like PR13751, now working). Destructors for temporaries are still not on by default, since (a) we haven't actually checked this code to be sure it's fully correct (in particular, we probably need to be very careful with regard to lifetime-extension when a temporary is bound to a reference, C++11 [class.temporary]p5), and (b) ExprEngine doesn't actually do anything when it sees a temporary destructor in the CFG -- not even invalidate the object region. To enable temporary destructors, set the 'cfg-temporary-dtors' analyzer config option to '1'. The old -cfg-add-implicit-dtors cc1 option, which controlled all implicit destructors, has been removed. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163264 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
nalyzerOptions.cpp
|
352c657f789d5633b07d56d76cf78fda05c31353 |
06-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a crash PR13762. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163262 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
d91696e8680bbe89df1076fded1bc54104526060 |
06-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] NullOrUndef diagnostics: track symbols bound to regions. If a region is bound to a symbolic value, we should track the symbol. (The code I changed was not previously exercised by the regression tests.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163261 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
6ebea89be233eaba5e29de8cf3524ad150c860bb |
05-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Be more forgiving about calling methods on struct rvalues. The problem is that the value of 'this' in a C++ member function call should always be a region (or NULL). However, if the object is an rvalue, it has no associated region (only a conjured symbol or LazyCompoundVal). For now, we handle this in two ways: 1) Actually respect MaterializeTemporaryExpr. Before, it was relying on CXXConstructExpr to create temporary regions for all struct values. Now it just does the right thing: if the value is not in a temporary region, create one. 2) Have CallEvent recognize the case where its 'this' pointer is a non-region, and just return UnknownVal to keep from confusing clients. The long-term problem is being tracked internally in <rdar://problem/12137950>, but this makes many test cases pass. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163220 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCXX.cpp
|
4e45dba1c0234eec7b7c348dbbf568c5ac9fc471 |
05-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Clean up a couple uses of getPointeeType(). No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163219 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
egionStore.cpp
impleSValBuilder.cpp
|
fd11957f02da689480618d5fc642ef14164e9cdc |
05-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Treat all struct values as regions (even rvalues)." This turned out to have many implications, but what eventually seemed to make it unworkable was the fact that we can get struct values (as LazyCompoundVals) from other places besides return-by-value function calls; that is, we weren't actually able to "treat all struct values as regions" consistently across the entire analyzer core. Hopefully we'll be able to come up with an alternate solution soon. This reverts r163066 / 02df4f0aef142f00d4637cd851e54da2a123ca8e. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163218 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ymbolManager.cpp
|
791dd0a3f855b61ee97387dca67af86a1edff9f2 |
04-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't use makeIntVal to create a floating-point value. SimpleSValBuilder processes a couple trivial identities, including 'x - x' and 'x ^ x' (both 0). However, the former could appear with arguments of floating-point type, and we weren't checking for that. This started triggering an assert with r163069, which checks that a constant value is actually going to be used as an integer or pointer. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163159 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
568ba871bbac959029671b81f8e531edb7e0d7d6 |
04-Sep-2012 |
Joao Matos <ripzonetriton@gmail.com> |
Revert r163083 per chandlerc's request. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163149 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
5be92de217a1940d0e109abd0f401df4480c1a4b |
02-Sep-2012 |
Joao Matos <ripzonetriton@gmail.com> |
Implemented parsing and AST support for the MS __leave exception statement. Also a minor fix to __except printing in StmtPrinter.cpp. Thanks to Aaron Ballman for review. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163083 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
9eb214a691663a04ee61197e7d605128c85e09f7 |
01-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Silence unused variable warnings in NDEBUG builds. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163073 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
91ab900a939e95d965e18299b66928fdbe2aa38d |
01-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Disallow creation of int vals with explicit bit width / signedness. All clients of BasicValueFactory should be using QualTypes instead, and indeed it seems they are. This caught the (fortunately harmless) bug fixed in the previous commit. No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163069 91177308-0d34-0410-b5e6-96231b3b80d8
asicValueFactory.cpp
|
d04713598ee8af6e01b925dca4e38bfd78227dad |
01-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't attempt to create a floating-point value of "1" for ++/--. The current logic would actually create a float- or double-sized signed integer value of 1, which is not at all the same. No test because the value would be swallowed by an Unknown as soon as it gets added or subtracted to the original value, but it enables the cleanup in the next patch. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163068 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
02df4f0aef142f00d4637cd851e54da2a123ca8e |
01-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat all struct values as regions (even rvalues). This allows us to correctly symbolicate the fields of structs returned by value, as well as get the proper 'this' value for when methods are called on structs returned by value. This does require a moderately ugly hack in the StoreManager: if we assign a "struct value" to a struct region, that now appears as a Loc value being bound to a region of struct type. We handle this by simply "dereferencing" the struct value region, which should create a LazyCompoundVal. This should fix recent crashes analyzing LLVM and on our internal buildbot. <rdar://problem/12137950> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163066 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
ymbolManager.cpp
|
5699f62df144545702b91e91836a63db4e5f2627 |
01-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Always derive a CallEvent's return type from its origin expr. Previously, we preferred to get a result type by looking at the callee's declared result type. This allowed us to handle references, which are represented in the AST as lvalues of their pointee type. (That is, a call to a function returning 'int &' has type 'int' and value kind 'lvalue'.) However, this results in us preferring the original type of a function over a casted type. This is a problem when a function pointer is casted to another type, because the conjured result value will have the wrong type. AdjustedReturnValueChecker is supposed to handle this, but still doesn't handle the case where there is no "original function" at all, i.e. where the callee is unknown. Now, we instead look at the call expression's value kind (lvalue, xvalue, or prvalue), and adjust the expr's type accordingly. This will have no effect when the function is inlined, and will conjure the value that will actually be used when it is not. This makes AdjustedReturnValueChecker /nearly/ unnecessary; unfortunately, the cases where it would still be useful are where we need to cast the result of an inlined function or a checker-evaluated function, and in these cases we don't know what we're casting /from/ by the time we can do post-call checks. In light of that, remove AdjustedReturnValueChecker, which was already not checking quite a few calls. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163065 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
305c613af6cfc40e519c75d9d2c84c6fa9a841c0 |
01-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Split library clangRewrite into clangRewriteCore and clangRewriteFrontend. This is similar to how we divide up the StaticAnalyzer libraries to separate core functionality to what is clearly associated with Frontend actions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163050 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
TMLDiagnostics.cpp
|
de5277fc555551857602bd7a7e5e616274e2d4a6 |
31-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Though C++ inlining is enabled, don't inline ctors and dtors. More generally, this adds a new configuration option 'c++-inlining', which controls which C++ member functions can be considered for inlining. This uses the new -analyzer-config table, so the cc1 arguments will look like this: ... -analyzer-config c++-inlining=[none|methods|constructors|destructors] Note that each mode implies that all the previous member function kinds will be inlined as well; it doesn't make sense to inline destructors without inlining constructors, for example. The default mode is 'methods'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163004 91177308-0d34-0410-b5e6-96231b3b80d8
nalyzerOptions.cpp
MakeLists.txt
xprEngineCallAndReturn.cpp
|
3a46f5fd1709f6df03bbb8b0abf84052dc0f39ff |
31-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Ensure that PathDiagnostics profile the same regardless of path. PathDiagnostics are actually profiled and uniqued independently of the path on which the bug occurred. This is used to merge diagnostics that refer to the same issue along different paths, as well as by the plist diagnostics to reference files created by the HTML diagnostics. However, there are two problems with the current implementation: 1) The bug description is included in the profile, but some PathDiagnosticConsumers prefer abbreviated descriptions and some prefer verbose descriptions. Fixed by including both descriptions in the PathDiagnostic objects and always using the verbose one in the profile. 2) The "minimal" path generation scheme provides extra information about which events came from macros that the "extensive" scheme does not. This resulted not only in different locations for the plist and HTML diagnostics, but also in diagnostics being uniqued in the plist output but not in the HTML output. Fixed by storing the "end path" location explicitly in the PathDiagnostic object, rather than trying to find the last piece of the path when the diagnostic is requested. This should hopefully finish unsticking our internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162965 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
|
8c916ee23c7c16e859eb55a907385f94039f8b27 |
31-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Fix a crash in plist-html generation introduced in r162939. Basically, do the correct thing to fix the XML generation error, rather than making it even worse by unilaterally dereferencing a null pointer. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162964 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
a6c66cedc022c9e5d45a937d6b8cff491a6bf81b |
31-Aug-2012 |
Eli Friedman <eli.friedman@gmail.com> |
Change the representation of builtin functions in the AST (__builtin_* etc.) so that it isn't possible to take their address. Specifically, introduce a new type to represent a reference to a builtin function, and a new cast kind to convert it to a function pointer in the operand of a call. Fixes PR13195. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162962 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
fbcb3f11fc90e9f00e6074e9b118b8dc11ca604c |
31-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Refactor the logic that determines if a function should be reanalyzed. The policy on what to reanalyze should be in AnalysisConsumer with the rest of visitation order logic. There is no reason why ExprEngine needs to pass the Visited set to CoreEngine, it can populate it itself. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162957 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
f9f5fdbbeff3f60c5e8c0461df48d84365d56fd7 |
30-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Plist diagnostics: Fix a case where we fail to close an XML tag. If the current path diagnostic does /not/ have files associated with it, we were simply skipping on to the next diagnostic with 'continue'. But that also skipped the close tag for the diagnostic's <dict> node. Part of fixing our internal analyzer buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162939 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
2fa9d72d4d23ccdcd4137946e5ebafac7a04f04c |
30-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rename 'MaxLoop' to 'maxBlockVisitOnPath' to reflect reality. We should consider renaming the command line option as well. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162932 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
0caa2d47b84337e942b3f6652adfafe4ae506cfe |
30-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rename AnalyzerOptions 'EagerlyAssume' to 'eagerlyAssumeBinOpBifurcation'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162930 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
xprEngine.cpp
|
255d4d4226b24036ceb11228fbb74286e58620f7 |
30-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Store const& to AnalyzerOptions in AnalysisManager instead of copying individual flags. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162929 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
28694c1fe44082970cd53ca7ffef25f668e4c545 |
30-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fixup 162863. Thanks Jordan. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162875 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
80de487e03dd0f44e4572e2122ebc1aa6a3961f5 |
29-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Improved diagnostic pruning for calls initializing values. This heuristic addresses the case when a pointer (or ref) is passed to a function, which initializes the variable (or sets it to something other than '0'). On the branch where the inlined function does not set the value, we report use of undefined value (or NULL pointer dereference). The access happens in the caller and the path through the callee would get pruned away with regular path pruning. To solve this issue, we previously disabled diagnostic pruning completely on undefined and null pointer dereference checks, which entailed very verbose diagnostics in most cases. Furthermore, not all of the undef value checks had the diagnostic pruning disabled. This patch implements the following heuristic: if we pass a pointer (or ref) to the region (on which the error is reported) into a function and its value is either undef or 'NULL' (and is a pointer), do not prune the function. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162863 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
7b73e0832b20af1f43601a3d19e76d02d9f4dce5 |
29-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Add new -cc1 driver option -analyzer-config, which allows one to specify a comma separated collection of key:value pairs (which are strings). This allows a general way to provide analyzer configuration data from the command line. No clients yet. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162827 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
|
827eeb63614309bafac9d77a5a3a7ca81f1e4751 |
28-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Teach CallEventManager that CXXTemporaryObjectExpr is also a ctor. Specifically, CallEventManager::getCaller was looking at the call site for an inlined call and trying to see what kind of call it was, but it only checked for CXXConstructExprClass. (It's not using an isa<> here to avoid doing three more checks on the statement class.) This caused an unreachable when we actually did inline the constructor of a temporary object. PR13717 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162792 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
632e5022f68fcae3b68bbc90538a60f3ba20229f |
28-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] When we look for the last stmt in a function, skip implicit dtors. When exiting a function, the analyzer looks for the last statement in the function to see if it's a return statement (and thus bind the return value). However, the search for "the last statement" was accepting statements that were in implicitly-generated inlined functions (i.e. destructors). So we'd go and get the statement from the destructor, and then say "oh look, this function had no explicit return...guess there's no return value". And /that/ led to the value being returned being declared dead, and all our leak checkers complaining. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162791 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
65e209ad795aeb3908760a45b1cbda0748cc0658 |
28-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't purge dead symbols at the end of calls if -analyzer-purge=none. No test case since this is a debug option that we will never turn on by default since it makes the leak checkers much less useful. (We'll only report leaks at the end of analysis if -analyzer-purge=none.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162772 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
a1f81bb0e55749a1414b1b5124bb83b9052ff2ac |
28-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename addTrackNullOrUndefValueVisitor to trackNullOrUndefValue. This helper function (in the clang::ento::bugreporter namespace) may add more than one visitor, but conceptually it's tracking a single use of a null or undefined value and should do so as best it can. Also, the BugReport parameter has been made a reference to underscore that it is non-optional. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162720 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
166b7bd43551964d65bcf4918f51a167b8374e2a |
28-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Refactor FindLastStoreBRVisitor to not find the store ahead of time. As Anna pointed out to me offline, it's a little silly to walk backwards through the graph to find the store site when BugReporter will do the exact same walk as part of path diagnostic generation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162719 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
7aba1171b32265b2206f3fa8f8886953051b58f5 |
28-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] If the last store into a region came from a function, step into it. Previously, if we were tracking stores to a variable 'x', and came across this: x = foo(); ...we would simply emit a note here and stop. Now, we'll step into 'foo' and continue tracking the returned value from there. <rdar://problem/12114689> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162718 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
6062334cc388bce69fb3978c4ecb26c6485a5c2b |
28-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename CallEvent::mayBeInlined to CallEvent::isCallStmt. The two callers are using this in order to be conservative, so let's just clarify the information that's actually being provided here. This is not related to inlining decisions in any way. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162717 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xplodedGraph.cpp
xprEngine.cpp
|
364b9f95fa47b0ca7f1cc694195f7a9953652f81 |
27-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look through casts when trying to track a null pointer dereference. Also, add comments to addTrackNullOrUndefValueVisitor. Thanks for the review, Anna! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162695 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
6fe4dfbc9e5a7018763b1d898876d9b2b8ec3425 |
27-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't inline constructors for objects allocated with operator new. Because the CXXNewExpr appears after the CXXConstructExpr in the CFG, we don't actually have the correct region to construct into at the time we decide whether or not to inline. The long-term fix (discussed in PR12014) might be to introduce a new CFG node (CFGAllocator) that appears before the constructor. Tracking the short-term fix in <rdar://problem/12180598>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162689 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
210f5a28227c90d739298e3e6729e827858fe397 |
27-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] More internal stats collection. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162687 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
c210cb7a358d14cdd93b58562f33ff5ed2d895c1 |
27-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Inline constructors for any object with a trivial destructor. This allows us to better reason about status objects, like Clang's own llvm::Optional (when its contents are trivially destructible), which are often intended to be passed around by value. We still don't inline constructors for temporaries in the general case. <rdar://problem/11986434> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162681 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
3682f1ea9c7fddc7dcbc590891158ba40f7fca16 |
25-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use the common evalBind infrastructure for initializers. This allows checkers (like the MallocChecker) to process the effects of the bind. Previously, using a memory-allocating function (like strdup()) in an initializer would result in a leak warning. This does bend the expectations of checkBind a bit; since there is no assignment expression, the statement being used is the initializer value. In most cases this shouldn't matter because we'll use a PostInitializer program point (rather than PostStmt) for any checker-generated nodes, though we /will/ generate a PostStore node referencing the internal statement. (In theory this could have funny effects if someone actually does an assignment within an initializer; in practice, that seems like it would be very rare.) <rdar://problem/12171711> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162637 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
heckerManager.cpp
xprEngine.cpp
|
df5faf5e7ae6823d0af0b801c4ac26d47f2cee97 |
25-Aug-2012 |
Chad Rosier <mcrosier@apple.com> |
[ms-inline asm] As part of a larger refactoring, rename AsmStmt to GCCAsmStmt. No functional change intended. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162632 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
b75e2602e246b44bb285be8cc31166302d77998f |
24-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rework how PathDiagnosticConsumers pass knowledge of what files they generated for a given diagnostic to another. Because PathDiagnostics are specific to a given PathDiagnosticConsumer, store in a FoldingSet a unique hash for a PathDiagnostic (that will be the same for the same bug for different PathDiagnosticConsumers) that stores a list of files generated. This can then be read by the other PathDiagnosticConsumers. This fixes breakage in the PLIST-HTML output. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162580 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
23df2437a47ff129d2923ae325d42e79682a7f14 |
24-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] If we dereference a NULL that came from a function, show the return. More generally, any time we try to track where a null value came from, we should show if it came from a function. This usually isn't necessary if the value is symbolic, but if the value is just a constant we previously just ignored its origin entirely. Now, we'll step into the function and recursively add a visitor to the returned expression. <rdar://problem/12114609> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162563 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
8eba6f194484c38ed724375aeab27de556113a84 |
23-Aug-2012 |
Stephen Hines <srhines@google.com> |
Add new files for merge to upstream r162325. Change-Id: I44af8265445bd67d7985164e2e3117b8c3d8d3c1
ndroid.mk
|
80ea4bc944eb01c220eeaa004b21ad709ba928e1 |
24-Aug-2012 |
Stephen Hines <srhines@google.com> |
Merge branch 'upstream' into merge_2 Conflicts: lib/Sema/SemaDeclAttr.cpp Change-Id: If47d0d39459760017258502b4d9e859ac36a273b
|
5a90193ad825656d4a03099cd5e9c928d1782b5e |
24-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Make analyzer less aggressive when dealing with [self init]. With inlining, retain count checker starts tracking 'self' through the init methods. The analyser results were too noisy if the developer did not follow 'self = [super init]' pattern (which is common especially in older code bases) - we reported self init anti-pattern AND possible use-after-free. This patch teaches the retain count checker to assume that [super init] does not fail when it's not consumed by another expression. This silences the retain count warning that warns about possibility of use-after-free when init fails, while preserving all the other checking on 'self'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162508 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
0156439a3d718ea0ef5922c38d189a60829c8a86 |
24-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] For now, treat pointers-to-members as non-null void * symbols. Until we have full support for pointers-to-members, we can at least approximate some of their use by tracking null and non-null values. We thus treat &A::m_ptr as a non-null void * symbol, and MemberPointer(0) as a pointer-sized null constant. This enables support for what is sometimes called the "safe bool" idiom, demonstrated in the test case. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162495 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
|
c386d8f148c1a9d4992c64188e2873fcbc6da20d |
24-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle UserDefinedConversion casts in C++. This is trivial; the UserDefinedConversion always wraps a CXXMemberCallExpr for the appropriate conversion function, so it's just a matter of propagating that value to the CastExpr itself. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162494 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
b66529d04727dc686b97ea3d937fc9785792f505 |
23-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Support C++ default arguments if they are literal values. A CXXDefaultArgExpr wraps an Expr owned by a ParmVarDecl belonging to the called function. In general, ExprEngine and Environment ought to treat this like a ParenExpr or other transparent wrapper expression, with the inside expression evaluated first. However, if we call the same function twice, we'd produce a CFG that contains the same wrapped expression twice, and we're not set up to handle that. I've added a FIXME to the CFG builder to come back to that, but meanwhile we can at least handle expressions that don't need to be explicitly evaluated: literals. This probably handles many common uses of default parameters: true/false, null, etc. Part of PR13385 / <rdar://problem/12156507> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162453 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
|
a8eaf008e92759142982f7b40720b2b2674bd663 |
23-Aug-2012 |
Richard Smith <richard-llvm@metafoo.co.uk> |
Fix undefined behavior: member function calls where 'this' is a null pointer. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162430 91177308-0d34-0410-b5e6-96231b3b80d8
ymbolManager.cpp
|
ad0fe03b897f9486191e75c8d90c3ffa9b4fd6a5 |
23-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix an assortment of doxygen comment issues found by -Wdocumentation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162412 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
efb3d56720654f5355ff8fc666499cc6554034f4 |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Despite me asking Jordan to do r162313, revert it. We can provide another way to whitelist these special cases. This is an intermediate patch. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162386 91177308-0d34-0410-b5e6-96231b3b80d8
angeConstraintManager.cpp
impleConstraintManager.cpp
|
e3f3825bd82f84f2a1ae0a02274a33298bb720b3 |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove BasicConstraintManager. It hasn't been in active service for a while. As part of this change, I discovered that a few of our tests were not testing the RangeConstraintManager. Luckily all of those passed when I moved them over to use that constraint manager. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162384 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
MakeLists.txt
|
56a46b51df691f857f7120aaf2d4deeff0b014de |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rename 'unbindLoc()' (in ProgramState) and 'Remove()' to 'killBinding()'. The name is more specific, and one just forwarded to the other. Add some doxygen comments along the way. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162350 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
egionStore.cpp
|
66c486f275531df6362b3511fc3af6563561801b |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rename 'currentX' to 'currX' throughout analyzer and libAnalysis. Also rename 'getCurrentBlockCounter()' to 'blockCount()'. This ripples a bunch of code simplifications; mostly aesthetic, but makes the code a bit tighter. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162349 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
|
3b1df8bb941a18c4a7256d7cfcbccb9de7e39995 |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rename 'getConjuredSymbol*' to 'conjureSymbol*'. No need to have the "get", the word "conjure" is a verb too! Getting a conjured symbol is the same as conjuring one up. This shortening is largely cosmetic, but just this simple change cleaned up a handful of lines, making them less verbose. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162348 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
egionStore.cpp
ValBuilder.cpp
ymbolManager.cpp
|
32a549a64922af0903bdb777613ae7ae4490b70f |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove Store::bindDecl() and Store::bindDeclWithNoInit(), and all forwarding methods. This functionality is already covered by bindLoc(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162346 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
rogramState.cpp
egionStore.cpp
|
5be88dc79d2768d67371103b6535fb8c4a6f27a1 |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rename 'BindCompoundLiteral' to 'bindCompoundLiteral' and add doxygen comments. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162345 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
egionStore.cpp
|
ab9c04fda542d096c667d6a3746d94c884f80e7b |
22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Consolidate SmallPtrSet count() followed by insert() into a single insert(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162330 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
12e2fb0db76ca2705ce5169e04d9cd52762fc685 |
22-Aug-2012 |
Matt Beaumont-Gay <matthewbg@google.com> |
Add an llvm_unreachable to pacify GCC's -Wreturn-type. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162325 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
c568e2f801a62e442cbbd823b71f70175715661f |
21-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Set the default IPA mode to 'basic-inlining', which excludes C++. Under -analyzer-ipa=basic-inlining, only C functions, blocks, and C++ static member functions are inlined -- essentially, the calls that behave like simple C function calls. This is essentially the behavior in Xcode 4.4. C++ support still has some rough edges, and we don't want users to be worried about them if they download and run their own checker. (In particular, the massive number of false positives for analyzing LLVM comes from inlining defensively-written code in contexts where more aggressive assumptions are implicitly made. This problem is not unique to C++, but it is exacerbated by the higher proportion of code that lives in header files in C++.) The eventual goal is to be comfortable enough with C++ support (and simple Objective-C support) to advance to -analyzer-ipa=inlining as the default behavior. See the IPA design notes for more details. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162318 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
58fc86d68d53eb6c47cc34974b6f37627a5f386c |
21-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Push "references are non-null" knowledge up to the common parent. This reduces duplication across the Basic and Range constraint managers, and keeps their internals free of dealing with the semantics of C++. It's still a little unfortunate that the constraint manager is dealing with this at all, but this is pretty much the only place to put it so that it will apply to all symbolic values, even when embedded in larger expressions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162313 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
angeConstraintManager.cpp
impleConstraintManager.cpp
|
a34d4f47321324187ed57948628f5938357ae034 |
21-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Assume that reference symbols are non-null. By doing this in the constraint managers, we can ensure that ANY reference whose value we don't know gets the effect, even if it's not a top-level parameter. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162246 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
angeConstraintManager.cpp
|
1833d284346b9fa11aae4e6aa07381347c04745c |
20-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add comments to ExplodedNode::NodeGroup. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162216 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
fa06f0464a04bb7fce1fcfb3780d151bb029e00c |
20-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Replace boolean IsSink parameters with 'generateSink' methods. Generating a sink is significantly different behavior from generating a normal node, and a simple boolean parameter can be rather opaque. Per offline discussion with Anna, adding new generation methods is the clearest way to communicate intent. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162215 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineObjC.cpp
|
7f839a6b35e5007964b538423b0a570eed26fc10 |
20-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] The result of && or || is always a 1 or 0. Forgetting to at least cast the result was giving us Loc/NonLoc problems in SValBuilder (hitting an assertion). But the standard (both C and C++) does actually guarantee that && and || will result in the actual values 1 and 0, typed as 'int' in C and 'bool' in C++, and we can easily model that. PR13461 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162209 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
c32a453e40b2c8878fed10512fb2f570b7aba576 |
18-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat C++ 'throw' as a sink. Our current handling of 'throw' is all CFG-based: it jumps to a 'catch' block if there is one and the function exit block if not. But this doesn't really get the right behavior when a function is inlined: execution will continue on the caller's side, which is always the wrong thing to do. Even within a single function, 'throw' completely skips any destructors that are to be run. This is essentially the same problem as @finally -- a CFGBlock that can have multiple entry points, whose exit points depend on whether it was entered normally or exceptionally. Representing 'throw' as a sink matches our current (non-)handling of @throw. It's not a perfect solution, but it's better than continuing analysis in an inconsistent or even impossible state. <rdar://problem/12113713> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162157 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
19275bdec34b2ec5d77a78c0ea393a45ab05e128 |
18-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat @throw as a sink (stop processing). The CFG approximates @throw as a return statement, but that's not good enough in inlined functions. Moreover, since Objective-C exceptions are usually considered fatal, we should be suppressing leak warnings like we do for calls to noreturn functions (like abort()). The comments indicate that we were probably intending to do this all along; it may have been inadvertently changed during a refactor at one point. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162156 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
46e778145c56cd9b42cb399795a294b29cb78b62 |
18-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use PointerUnion to implement ExplodedNode::NodeGroup. We shouldn't be reinventing our own wheels. This also paves the way for marking different kinds of sinks. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162154 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
27762243921cd0b8105b7ee5b7c614590363082f |
16-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove #if 0 that has been around for a long time. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162030 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
2b2c49d2ac5adb34f900f7a854a3ad5a6b0dff3c |
16-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove "range_iterator" from PathDiagnosticPiece and just use ArrayRef<SourceRange> for ranges. This removes conceptual clutter, and can allow us to easily migrate to C++11 style for-range loops if we ever move to using C++11 in Clang. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162029 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
c4bac8e376b98d633bb00ee5f510d5e58449753c |
16-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time. This fixes several issues: - removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer, but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer was used by itself. - emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings, as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine). As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped, just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now the tests have higher fidelity with what users will see. There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph) once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue) for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular consumer expects. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162028 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
|
d1420c6fa788669e49f21e184927c7833881e399 |
16-Aug-2012 |
Richard Smith <richard-llvm@metafoo.co.uk> |
Store SourceManager pointer on PrintingPolicy in the case where we're dumping, and remove ASTContext reference (which was frequently bound to a dereferenced null pointer) from the recursive lump of printPretty functions. In so doing, fix (at least) one case where we intended to use the 'dump' mode, but that failed because a null ASTContext reference had been passed in. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162011 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
e6cd0548fd8f52bcda917add482770fa418c619b |
16-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look through all casts when trying to track constraints. Previously, we were losing path notes (in both text and plist form) because the interesting DeclRefExpr was buried in a cast. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161999 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
da29ac527063fc9714547088bf841bfa30557bf0 |
15-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Even if we are not inlining a virtual call, still invalidate! Fixes a mistake introduced in r161916. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161987 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
4e79fdfe22db1c982e8fdf8397fee426a8c57821 |
15-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Correctly devirtualize virtual method calls in constructors. This is the other half of C++11 [class.cdtor]p4 (the destructor side was added in r161915). This also fixes an issue with post-call checks where the 'this' value was already being cleaned out of the state, thus being omitted from a reconstructed CXXConstructorCall. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161981 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
|
fc87350ce0b279c82b1c9d2647063f4acf48a978 |
15-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't try to devirtualize if the class is incomplete. A similar issue to the previous commit, introduced by r161915. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161961 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
9f6441ad92c30028032eb3df6f4a7f2ebe393a68 |
15-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Only adjust the type of 'this' when we devirtualize a method call. With reinterpret_cast, we can get completely unrelated types in a region hierarchy together; this was resulting in CXXBaseObjectRegions being layered directly on an (untyped) SymbolicRegion, whose symbol was from a completely different type hierarchy. This was what was causing the internal buildbot to fail. Reverts r161911, which merely masked the problem. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161960 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
emRegion.cpp
|
b763ede873c23c8651bd18eba0c62e929b496ba5 |
15-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't inline dynamic-dispatch methods unless -analyzer-ipa=dynamic. Previously we were checking -analyzer-ipa=dynamic-bifurcate only, and unconditionally inlining everything else that had an available definition, even under -analyzer-ipa=inlining (but not under -analyzer-ipa=none). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161916 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
0ad36baedc516005cb6ea97d96327517ebfe5138 |
15-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Correctly devirtualize virtual method calls in destructors. C++11 [class.cdtor]p4: When a virtual function is called directly or indirectly from a constructor or from a destructor, including during the construction or destruction of the class’s non-static data members, and the object to which the call applies is the object under construction or destruction, the function called is the final overrider in the constructor's or destructor's class and not one overriding it in a more-derived class. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161915 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
|
cd6873e5c6b89caefa0baeb21c4ad94976fa1b8a |
15-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] A base class needs a complete definition to provide offsets. No test case yet; trying to reduce one from a failing internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161911 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
38aee3bb4ffe14c8323785ae2fafed6f627fb577 |
14-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Assume that the properties cannot be overridden when dot syntax is used. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161889 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
42c72c258e08ca79c9267346b4badcddd8fcd001 |
14-Aug-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Do NOT use inline functions with LLVM_ATTRIBUTE_USED. The function will be emitted into every single TU including the header! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161872 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
f41c0dd023b2990eee0296390a88641d157777f7 |
14-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look up DynamicTypeInfo by region instead of symbol. This allows us to store type info for non-symbolic regions. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161811 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
645baeed6800f952e9ad1d5666e01080385531a2 |
14-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Reduce code duplication: make CXXDestructorCall a CXXInstanceCall. While there is now some duplication between SimpleCall and the CXXInstanceCall sub-hierarchy, this is much better than copy-and-pasting the devirtualization logic shared by both instance methods and destructors. An unfortunate side effect is that there is no longer a single CallEvent type that corresponds to "calls written as CallExprs". For the most part this is a good thing, but the checker callback eval::Call still takes a CallExpr rather than a CallEvent (since we're not sure if we want to allow checkers to evaluate other kinds of calls). A mistake here will be caught by a cast<> in CheckerManager::runCheckersForEvalCall. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161809 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngineCallAndReturn.cpp
|
8ec104b9fffb917924c495ce3dd25694e4e3087a |
14-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Be more careful when downcasting for devirtualization. Virtual base regions are never layered, so simply stripping them off won't necessarily get you to the correct casted class. Instead, what we want is the same logic for evaluating dynamic_cast: strip off base regions if possible, but add new base regions if necessary. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161808 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
0a5629812019ce8bef86ade5425ac261bb544fd8 |
14-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle dynamic_casts that turn out to be upcasts. This can occur with multiple inheritance, which jumps from one parent to the other, and with virtual inheritance, since virtual base regions always wrap the actual object and can't be nested within other base regions. This also exposed some incorrect logic for multiple inheritance: even if B is known not to derive from C, D might still derive from both of them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161798 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
b11a3ada9a22e146c6edd33bcc6301e221fedd7a |
14-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't strip CXXBaseObjectRegions when checking dynamic_casts. ...and /do/ strip CXXBaseObjectRegions when casting to a virtual base class. This allows us to enforce the invariant that a CXXBaseObjectRegion can always provide an offset for its base region if its base region has a known class type, by only allowing virtual bases and direct non-virtual bases to form CXXBaseObjectRegions. This does mean some slight problems for our modeling of dynamic_cast, which needs to be resolved by finding a path from the current region to the class we're trying to cast to. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161797 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
emRegion.cpp
egionStore.cpp
Vals.cpp
|
b6d2bea04801cb66263de2f3fe99ef8e1dcd9f53 |
11-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Strip CXXBaseObjectRegions when devirtualizing method calls. This was causing a crash when we tried to re-apply a base object region to itself. It probably also caused incorrect offset calculations in RegionStore. PR13569 / <rdar://problem/12076683> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161710 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
9584f67b6da17283a31dedf0a1cab2d83a3d121c |
11-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Try to devirtualize even if the static callee has no definition. This mostly affects pure virtual methods, but would also affect parent methods defined inline in the header when analyzing the child's source file. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161709 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
54918ba02ba900c0e0bb4fd3d749b6b1ac4e50a9 |
10-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Track if a region can be a subclass in the dynamic type info. When an object is allocated with alloc or init, we assume it cannot be a subclass (currently used only for bifurcation purposes). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161682 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
3f558af01643787d209a133215b0abec81b5fe30 |
10-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Optimize dynamic dispatch bifurcation by detecting the cases when we don't need to split. In some cases we know that a method cannot have a different implementation in a subclass: - the class is declared in the main file (private) - all the method declarations (including the ones coming from super classes) are in the main file. This can be improved further, but might be enough for the heuristic. (When we are too aggressive splitting the state, efficiency suffers. When we fail to split the state coverage might suffer.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161681 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
d1a4f68a4301d1ee3098cc9db0cd507b96dd1bee |
10-Aug-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Fix a couple of pedantic gcc warnings. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161656 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
5ad76c073e1822d11901a8552c6aa9372038b5f0 |
10-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Merge RegionStore's KillStruct and CopyLazyBindings: BindAggregate. Both methods need to clear out existing bindings and provide a new default binding. Originally KillStruct always provided UnknownVal as the default, but it's allowed symbolic values for quite some time (for handling returned structs in C). No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161637 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
1e934431adba0f459668a59c6059b9596fd627b4 |
10-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Cluster bindings in RegionStore by base region. This should speed up activities that need to access bindings by cluster, such as invalidation and dead-bindings cleaning. In some cases all we save is the cost of building the region cluster map, but other times we can actually avoid traversing the rest of the store. In casual testing, this produced a speedup of nearly 10% analyzing SQLite, with /less/ memory used. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161636 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
|
824e07ac8f5c9efdddb4254de0203b9675b1ef0b |
10-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Cache the "concrete offset base" for regions with symbolic offsets. This makes it faster to access and invalidate bindings with symbolic offsets by only computing this information once. No intended functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161635 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
|
2c5f8d79ed128892fa548a3308a938a3a53fbb5e |
09-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] A CXXBaseObjectRegion should correspond to a DIRECT base. An ASTContext's RecordLayoutInfo can only be used to look up offsets of direct base classes, and we need the offset to make non-symbolic bindings in RegionStore. This change makes sure that we have one layer of CXXBaseObjectRegion for each base we are casting through. This was causing crashes on an internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161621 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
tore.cpp
|
d4fe57f7f7a8793227effc1274d70ec44cee9a4f |
09-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Rename the function to better reflect what it actually does. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161617 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
6960f6e53b0d9a69a460c99ec199470271ff9603 |
09-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Clarify the values in Dyn. Dispatch Bifurcation map. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161616 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
5960f4aeac9760198c80e05d70d8dadb1db0ff0e |
09-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Improve readability of the dyn. dispatch bifurcation patch r161552. As per Jordan's feedback. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161603 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
|
fc05decf08feefd2ffe8cc250219aee6eab3119c |
09-Aug-2012 |
Anna Zaks <ganna@apple.com> |
Unbreak the build. Declaring "const Decl *Decl" is not a good idea. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161567 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
|
e90d3f847dcce76237078b67db8895eb7a24189e |
09-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Bifurcate the path with dynamic dispatch. This is an initial (unoptimized) version. We split the path when inlining ObjC instance methods. On one branch we always assume that the type information for the given memory region is precise. On the other we assume that we don't have the exact type info. It is important to check since the class could be subclassed and the method can be overridden. If we always inline we can lose coverage. Had to refactor some of the call eval functions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161552 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
|
919e8a1c6698bfa6848571d366430126bced727d |
08-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Clean up the printing of FieldRegions for leaks. Unfortunately, generalized region printing is very difficult: - ElementRegions are used both for casting and as actual elements. - Accessing values through a pointer means going through an intermediate SymbolRegionValue; symbolic regions are untyped. - Referring to implicitly-defined variables like 'this' and 'self' could be very confusing if they come from another stack frame. We fall back to simply not printing the region name if we can't be sure it will print well. This will allow us to improve in the future. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161512 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
0d53ab4024488d0c6cd283992be3fd4b67099bd3 |
08-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Track malloc'd regions stored in structs. The main blocker on this (besides the previous commit) was that ScanReachableSymbols was not looking through LazyCompoundVals. Once that was fixed, it's easy enough to clear out malloc data on return, just like we do when we bind to a global region. <rdar://problem/10872635> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161511 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
e0d24eb1060a213ec9820dc02c45f26b2d5b348b |
08-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Revamp RegionStore to distinguish regions with symbolic offsets. RegionStore currently uses a (Region, Offset) pair to describe the locations of memory bindings. However, this representation breaks down when we have regions like 'array[index]', where 'index' is unknown. We used to store this as (SubRegion, 0); now we mark them specially as (SubRegion, SYMBOLIC). Furthermore, ProgramState::scanReachableSymbols depended on the existence of a sub-region map, but RegionStore's implementation doesn't provide for such a thing. Moving the store-traversing logic of scanReachableSymbols into the StoreManager allows us to eliminate the notion of SubRegionMap altogether. This fixes some particularly awkward broken test cases, now in array-struct-region.c. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161510 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
rogramState.cpp
egionStore.cpp
tore.cpp
|
8ed21ef726be89ef7151b5ff397631379bd8a537 |
07-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Address Jordan's review of DynamicTypePropagation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161391 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
c7ecc43c33a21b82c49664910b19fcc1f555aa51 |
07-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add a checker to manage dynamic type propagation. Instead of sprinkling dynamic type info propagation throughout ExprEngine, the added checker would add the more precise type information on known APIs (Ex: ObjC alloc, new) and propagate the type info in other cases (ex: ObjC init method, casts (the second is not implemented yet)). Add handling of ObjC alloc, new and init to the checker. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161357 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineC.cpp
rogramState.cpp
|
563ea2335d7d0df44bbfe8941f64523e8af1fc14 |
04-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Update initializer assertion for delegating constructors. Like base constructors, delegating constructors require no further processing in the CFGInitializer node. Also, add PrettyStackTraceLoc to the initializer and destructor logic so we can get better stack traces in the future. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161283 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
|
685379965c1b105ce89cf4f6c60810932b7f4d0d |
04-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] When a symbol is null, we should track its constraints. Because of this, we would previously emit NO path notes when a parameter is constrained to null (because there are no stores). Now we show where we made the assumption, which is much more useful. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161280 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
b0e1badc2a9b8275b48dfb15c6907a282b949b02 |
04-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Flatten path diagnostics for text output like we do for HTML. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161279 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
extPathDiagnostics.cpp
|
9da59a67a27a4d3fc9d59552f07808a32f85e9d3 |
04-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Track null/uninitialized C++ objects used in method calls. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161278 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
7ad4848d4744b8d60289f3e359250cebdaaf7114 |
04-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Provide useful PathDiagnosticLocations for CallEnter/Exit events. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161277 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
20165e796c16311a83911db74c04d797e93471b2 |
04-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] FindLastStoreBRVisitor was not actually finding stores. The visitor walks back through the ExplodedGraph as expected, but it wasn't actually keeping track of when a value was assigned. This meant that it only worked when the value was assigned when the variable was defined. Tests in the next commit (dependent on another change). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161276 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
c1290e006045a72120329ad23aa43c66fbe300be |
03-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fixup: remove the extra whitespace git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161265 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
148fee988e32efcad45ecf7b3bf714880c657dda |
03-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] ObjC Inlining: Start tracking dynamic type info in the GDM In the following code, find the type of the symbolic receiver by following it and updating the dynamic type info in the state when we cast the symbol from id to MyClass *. MyClass *a = [[self alloc] init]; return 5/[a testSelf]; git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161264 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
rogramState.cpp
|
5b978519d2c5f5b4541768a827b675e997d4cd34 |
03-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a typo. Thanks Jordan. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161249 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
ee959355b93c0648fea88dc986d196e3705407dc |
03-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
Apply changes to migrate to CLANG-160673-20120724. Change-Id: I00d23ac9b893c62dca281ec771eeb5f911854bae
ndroid.mk
|
08fc8eb5a1cc9c01af67e016ab21c9b905711eb1 |
03-Aug-2012 |
Shih-wei Liao <sliao@google.com> |
Merge with Clang upstream r160673 (Jul 24th 2012) Conflicts: lib/Sema/SemaDeclAttr.cpp Change-Id: I37f02f20642a037b9da8d35fefa01986cd250b14
|
d015f4febe85d3e3340172d70042840c51bbd836 |
03-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Solve another source of non-determinism in the diagnostic engine. The code that was supposed to split the tie in a deterministic way is not deterministic. Most likely one of the profile methods uses a pointer. After this change we do finally get the consistent diagnostic output. Testing this requires running the analyzer on large code bases and diffing the results. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161224 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
|
207c408b14f0c29d65d6ad311456be94b812d5dd |
02-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Also emit Prev/Next links for macros in HTML output. Oops. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161154 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
b23b711ad3dfb96dc9c457bd55c6e959bd1e0b8a |
02-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add Prev/Next links to the HTML output. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161153 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
0eb6c37dd4e4ad8fa2363003dea270f9fd6c2969 |
02-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Flush bug reports in deterministic order. This makes the diagnostic output order deterministic. 1) This makes order of text diagnostics consistent from run to run. 2) Also resulted in different bugs being reported (from one run to another) with plist-html output. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161151 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
2f9c40a915593849f6b0f5c4de516e2f597d0d66 |
31-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Control C++ inlining with a macro in ExprEngineCallAndReturn.cpp. For now this will stay on, but this way it's easy to switch off if we need to pull back our support for a while. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161064 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
e1ce783708b65eaa832ffad03d239264046dd0eb |
31-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Turn -cfg-add-initializers on by default, and remove the flag. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161060 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
|
4fe64ad383c056774087113561063429103ac9a6 |
31-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't try to inline if there's no region for a message receiver. While usually we'd use a symbolic region rather than a straight-up Unknown, we can still generate unknowns via array subscripts with symbolic indexes. (And if this ever changes in the future, we still shouldn't crash.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161059 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
6d8ab45a203eb701c2fd1104492cb4bd7557a3e9 |
31-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add a FIXME about devirtualization in ctors/dtors. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161058 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
6b4be2ef4ce49717ff972434975ce3c34c9a1c4c |
31-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Getting an lvalue for a reference field still requires a load. This was causing a crash in our array-to-pointer logic, since the region was clearly not an array. PR13440 / <rdar://problem/11977113> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161051 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
ef15831780b705475e7b237ac16418e9b53cb7a6 |
31-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Let CallEvent decide what goes in an initial stack frame. This removes explicit checks for 'this' and 'self' from Store::enterStackFrame. It also removes getCXXThisRegion() as a virtual method on all CallEvents; it's now only implemented in the parts of the hierarchy where it is relevant. Finally, it removes the option to ask for the ParmVarDecls attached to the definition of an inlined function, saving a recomputation of the result of getRuntimeDefinition(). No visible functionality change! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161017 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
xprEngineCallAndReturn.cpp
tore.cpp
|
f0324d33967f28758f7243c7bb1a469c5a0394b6 |
31-Jul-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Handle inlining of instance calls to super. Use self-init.m for testing. (It used to have a bunch of failing tests with dynamic inlining turned on.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161012 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
57c033621dacd8720ac9ff65a09025f14f70e22f |
31-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Perform post-call checks for all inlined calls. Previously, we were only checking the origin expressions of inlined calls. Checkers using the generic postCall and older postObjCMessage callbacks were ignored. Now that we have CallEventManager, it is much easier to create a CallEvent generically when exiting an inlined function, which we can then use for post-call checks. No test case because we don't (yet) have any checkers that depend on this behavior (which is why it hadn't been fixed before now). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161005 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngineCallAndReturn.cpp
|
2d18419a7c8f9a2975d4ed74a202de6467308ad1 |
30-Jul-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Very simple ObjC instance method inlining - Retrieves the type of the object/receiver from the state. - Binds self during stack setup. - Only explores the path on which the method is inlined (no bifurcation to explore the path on which the method is not inlined). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160991 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
rogramState.cpp
tore.cpp
|
e13056a8bb532ddfdc07952a13169aa422bacd3b |
30-Jul-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add -analyzer-ipa=dynamic option for inlining dynamically dispatched methods. Disabled by default for now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160988 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
d563d3fb73879df7147b8a5302c3bf0e1402ba18 |
30-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Only allow CallEvents to be created by CallEventManager. This ensures that it is valid to reference-count any CallEvents, and we won't accidentally try to reclaim a CallEvent that lives on the stack. It also hides an ugly switch statement for handling CallExprs! There should be no functionality change here. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160986 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
heckerManager.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
|
972a3680bdd95f2e9d6316b391f1c47513dc78cc |
30-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Introduce a CallEventManager to keep a pool of CallEvents. This allows us to get around the C++ "virtual constructor" problem when we'd like to create a CallEvent from an ExplodedNode, an inlined StackFrameContext, or another CallEvent. The solution has three parts: - CallEventManager uses a BumpPtrAllocator to allocate CallEvent-sized memory blocks. It also keeps a cache of freed CallEvents for reuse. - CallEvents all have protected copy constructors, along with cloneTo() methods that use placement new to copy into CallEventManager-managed memory, vtables intact. - CallEvents owned by CallEventManager are now wrapped in an IntrusiveRefCntPtr. Going forwards, it's probably a good idea to create ALL CallEvents through the CallEventManager, so that we don't accidentally try to reclaim a stack-allocated CallEvent. All of this machinery is currently unused but will be put into use shortly. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160983 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
11abf2ad01f64ede7c0555167f41a1c5852f80c6 |
27-Jul-2012 |
NAKAMURA Takumi <geek4civic@gmail.com> |
clang/lib: [CMake] Update tblgen'd dependencies. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160851 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
|
69a0e5021c5c49a34aa25cd89b1e613a52097e65 |
27-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Look through SubstNonTypeTemplateParmExprs. We were treating this like a CXXDefaultArgExpr, but SubstNonTypeTemplateParmExpr actually appears when a template is instantiated, i.e. we have all the information necessary to evaluate it. This allows us to inline functions like llvm::array_lengthof. <rdar://problem/11949235> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160846 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
|
979f098cfa808cc9236b39658cc3757a39dfa459 |
27-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use a stack-based local AGAIN to fix the build for real. It's a good thing CallEvents aren't created all over the place yet. I checked all the uses this time and the private copy constructor /really/ shouldn't cause any more problems. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160845 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
e3fd87c18b865a1bf61d3b977051580f9315f2a5 |
27-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use a stack-based local instead of a temporary to fix build. Passing a temporary via reference parameter still requires a visible copy constructor. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160840 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
6da60499eae46caf9f92f7ba35c607043dc3f7fa |
27-Jul-2012 |
Ted Kremenek <kremenek@apple.com> |
Look at the preceding CFGBlock for the expression to load from in ExprEngine::VisitGuardedExpr instead of walking to the preceding PostStmt node. There are cases where the last evaluated expression does not appear in the ExplodedGraph. Fixes PR 13466. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160819 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
7c99aa385178c630e29f671299cdd9c104f1c885 |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] CallEvent is no longer a value object. After discussion, the type-based dispatch was decided to be bad for maintenance and made it very easy for subtle bugs to creep in. Instead, we'll just be very careful when we do have to allocate these on the heap. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160817 91177308-0d34-0410-b5e6-96231b3b80d8
allEvent.cpp
|
f540c54701e3eeb34cb619a3a4eb18f1ac70ef2d |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename Calls.{h,cpp} to CallEvent.{h,cpp}. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160815 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
allEvent.cpp
alls.cpp
heckerManager.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
egionStore.cpp
tore.cpp
|
1d3ca251f9891623fac0dbe70eece42564e274ed |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash on implicit statements inside initializers. Our BugReporter knows how to deal with implicit statements: it looks in the ParentMap until it finds a parent with a valid location. However, since initializers are not in the body of a constructor, their sub-expressions are not in the ParentMap. That was easy enough to fix in AnalysisDeclContext. ...and then even once THAT was fixed, there's still an extra funny case of Objective-C object pointer fields under ARC, which are initialized with a top-level ImplicitValueInitExpr. To catch these cases, PathDiagnosticLocation will now fall back to the start of the current function if it can't find any other valid SourceLocations. This isn't great, but it's miles better than a crash. (All of this is only relevant when constructors and destructors are being inlined, i.e. under -cfg-add-initializers and -cfg-add-implicit-dtors.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160810 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
e460c46c5d602f65354cab0879c458890273591c |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't crash on array constructors and destructors. This workaround is fairly lame: we simulate the first element's constructor and destructor and rely on the region invalidation to "initialize" the rest of the elements. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160809 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
3a0a9e3e8bbaa45f3ca22b1e20b3beaac0f5861e |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle C++ member initializers and destructors. This uses CFG to tell if a constructor call is for a member, and uses the member's region appropriately. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160808 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
075f6fbcb4d858c09e9b138f8dc10d8d3d43d935 |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use the CFG to see if a constructor is for a local variable. Previously we were using ParentMap and crawling through the parent DeclStmt. This should be at least slightly cheaper (and is also more flexible). No (intended) functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160807 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
888c90ac0ef6baf7d47e86cf5cc4715707d223b1 |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle base class initializers and destructors. Most of the logic here is fairly simple; the interesting thing is that we now distinguish complete constructors from base or delegate constructors. We also make sure to cast to the base class before evaluating a constructor or destructor, since non-virtual base classes may behave differently. This includes some refactoring of VisitCXXConstructExpr and VisitCXXDestructor in order to keep ExprEngine.cpp as clean as possible (leaving the details for ExprEngineCXX.cpp). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160806 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
|
183ba8e19d49ab1ae25d3cdd0a19591369c5ab9f |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Show paths for destructor calls. This modifies BugReporter and friends to handle CallEnter and CallExitEnd program points that came from implicit call CFG nodes (read: destructors). This required some extra handling for nested implicit calls. For example, the added multiple-inheritance test case has a call graph that looks like this: testMultipleInheritance3 ~MultipleInheritance ~SmartPointer ~Subclass ~SmartPointer ***bug here*** In this case we correctly notice that we started in an inlined function when we reach the CallEnter program point for the second ~SmartPointer. However, when we reach the next CallEnter (for ~Subclass), we were accidentally re-using the inner ~SmartPointer call in the diagnostics. Rather than guess if we saw the corresponding CallExitEnd based on the contents of the active path, we now just ask the PathDiagnostic if there's any known stack before popping off the top path. (A similar issue could have occurred without multiple inheritance, but there wasn't a test case for it.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160804 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
|
da5fc53d6b024872c4c1d2c8c5da11e08bf116aa |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Inline ctors + dtors when the CFG is built for them. At the very least this means initializer nodes for constructors and automatic object destructors are present in the CFG. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160803 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
df51fb91c5c2a265019c3f24bf2993149abc79f8 |
26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] PostImplicitCall can also occur between CFGElements. This avoids an assertion crash when we invalidate on a destructor call instead of inlining it. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160802 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
9dc5167e4017ef4c8b327abb6f72225eec2e0f19 |
26-Jul-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Inline ObjC class methods. - Some cleanup (the TODOs) will be done after ObjC method inlining is complete. - Simplified CallEvent::getDefinition not to require ISDynamicDispatch parameter. - Also addressed Jordan's comments from r160530. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160768 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
|
a2ad394dad8c90fb0374756a331d4a141f4a227d |
26-Jul-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove the ability to stash arbitrary pointers into UndefinedVal (no longer needed). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160764 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
|
829846b5002d7f8d6a54b9c58c3ecf7cac56d2cc |
25-Jul-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove ExprEngine::MarkBranch(), as it is no longer needed. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160761 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
469841a8e0967f038aa0f78e1926ce82e06248c7 |
25-Jul-2012 |
Ted Kremenek <kremenek@apple.com> |
Update ExprEngine's handling of ternary operators to find the ternary expression value by scanning the path, rather than assuming we have visited the '?:' operator as a terminator (which sets a value indicating which expression to grab the final ternary expression value from). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160760 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
bed28ac1d1463adca3ecf24fca5c30646fa9dbb2 |
23-Jul-2012 |
Sylvestre Ledru <sylvestre@debian.org> |
Fix a typo (the the => the) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160622 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
c9dce4dbec86bff12c546586087a903c7b151dbd |
21-Jul-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Remove unused private member variable uncovered by the recent changes to clang's -Wunused-private-field. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160584 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
e81ce256b62717dd846bd19aecc4115a0dcd4995 |
20-Jul-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Refactor VisitObjCMessage and VisitCallExpr to rely on the same implementation for call evaluation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160530 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
|
7c30427afb4c2171ee4d336477f5e4d7c277ccb4 |
19-Jul-2012 |
Richard Smith <richard-llvm@metafoo.co.uk> |
Silence another GCC warning. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160488 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
|
8919e688dc610d1f632a4d43f7f1489f67255476 |
18-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Combine all ObjC message CallEvents into ObjCMethodCall. As pointed out by Anna, we only differentiate between explicit message sends This also adds support for ObjCSubscriptExprs, which are basically the same as properties in many ways. We were already checking these, but not emitting nice messages for them. This depends on the llvm::PointerIntPair change in r160456. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160461 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
4b3918e9534e46f9ac067c6e0018f94613292efa |
18-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename addExtraInvalidatedRegions to get...Regions Per Anna's comment that "add..." sounds like a method that modifies the receiver, rather than its argument. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160460 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
|
b7a23e05d1d8f07f2a6edce5c88c728fe894c2c7 |
18-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make CallEvent a value object. We will need to be able to easily reconstruct a CallEvent from an ExplodedNode for diagnostic purposes, and that's exactly what factory functions are for. CallEvent objects are small enough (four pointers and a SourceLocation) that returning them through the stack is fairly cheap. Clients who just need to use existing CallEvents can continue to do so using const references. This uses the same sort of "kind-field-dispatch" as SVal, though most of the nastiness is contained in the DISPATCH and DISPATCH_ARG macros at the end of the file. (We can't use a template for this because member-pointers to base class methods don't call derived-class methods even when casting to the derived class. We can't use variadic macros because they're a C99 feature.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160459 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
|
4ccc4cc5d4e7c5c436d5f45065d3639cfc7c6e48 |
18-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove obsolete ObjCPropRef SVal kind. ObjC properties are handled through their semantic form of ObjCMessageExprs and their wrapper PseudoObjectExprs, and have been for quite a while. The syntactic ObjCPropertyRefExprs do not appear in the CFG and are not visited by ExprEngine. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160458 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
Vals.cpp
|
7ff8f5e9b1b8d87a64853735fc4218a6a9f70652 |
18-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove unused ExprEngine::VisitCXXTemporaryObjectExpr. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160457 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
21625c69e88d232e71a3bd4ba9d4bbb484183bf1 |
18-Jul-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix crash in RegionStoreManager::evalDerivedToBase() due to not handling references (in uses of dynamic_cast<>). Fixes <rdar://problem/11817693>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160427 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
a6a1abac4701a3d08dc61070acd46b6a19be95ea |
17-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove stale result type lvalue code. This code has been moved around multiple times, but seems to have been obsolete ever since we started handling references like pointers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160375 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
|
89e5aaf57e20b39e35b0d068ebbc09ae736f2e1e |
17-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle new-expressions with initializers for scalars. <rdar://problem/11818967> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160328 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
xprEngineCXX.cpp
|
f85f60ae3a6aad0f2b92154bf3a9601cf9a245c0 |
16-Jul-2012 |
Daniel Jasper <djasper@google.com> |
Prevent unused-variable warning in optimized builds. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160257 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
3f635c08b2d0b2d5bafb38da09589cb238407faa |
14-Jul-2012 |
Ted Kremenek <kremenek@apple.com> |
Refine CFG so that '&&' and '||' don't lead to extra confluence points when used in a branch, but instead push the terminator for the branch down into the basic blocks of the subexpressions of '&&' and '||' respectively. This eliminates some artificial control-flow from the CFG and results in a more compact CFG. Note that this patch only alters the branches 'while', 'if' and 'for'. This was complex enough for one patch. The remaining branches (e.g., do...while) can be handled in a separate patch, but they weren't immediately tackled because they were less important. It is possible that this patch introduces some subtle bugs, particularly w.r.t. destructor placement. I've tried to audit these changes, but it is also known that the destructor logic needs some refinement in the area of '||' and '&&' regardless (i.e., there are known bugs). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160218 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
|
c36b30c92c78b95fd29fb5d9d6214d737b3bcb02 |
12-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't inline virtual calls unless we can devirtualize properly. Previously we were using the static type of the base object to inline methods, whether virtual or non-virtual. Now, we try to see if the base object has a known type, and if so ask for its implementation of the method. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160094 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
emRegion.cpp
|
0ffbfd1a7f80f9a3c07317cb8f44c562f2ba1ba5 |
11-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add debug.DumpCalls, which prints out any CallEvents it sees. This is probably not so useful yet because it is not path-sensitive, though it does try to show inlining with indentation. This also adds a dump() method to CallEvent, which should be useful for debugging. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160030 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
|
48b6247804eacc262cc5508e0fbb74ed819fbb6e |
11-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Construct stack variables directly in their VarDecl. Also contains a number of tweaks to inlining that are necessary for constructors and destructors. (I have this enabled on a private branch, but it is very much unstable.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160023 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCallAndReturn.cpp
tore.cpp
|
e54cfc7b9990acffd0a8a4ba381717b4bb9f3011 |
11-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use CallEvent for building inlined stack frames. In order to accomplish this, we now build the callee's stack frame as part of the CallEnter node, rather than the subsequent BlockEdge node. This should not have any effect on perceived behavior or diagnostics. This makes it safe to re-enable inlining of member overloaded operators. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160022 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
rogramState.cpp
egionStore.cpp
tore.cpp
|
852aa0d2c5d2d1faf2d77b5aa3c0848068a342c5 |
11-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make CallEnter, CallExitBegin, and CallExitEnd not be StmtPoints These ProgramPoints are used in inlining calls, and not all calls have associated statements anymore. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160021 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
|
8d276d38c258dfc572586daf6c0e8f8fce249c0e |
11-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add a CXXDestructorCall CallEvent. While this work is still fairly tentative (destructors are still left out of the CFG by default), we now handle destructors in the same way as any other calls, instead of just automatically trying to inline them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160020 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
28038f33aa2db4833881fea757a1f0daf85ac02b |
11-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add new PreImplicitCall and PostImplicitCall ProgramPoints. These are currently unused, but are intended to be used in lieu of PreStmt and PostStmt when the call is implicit (e.g. an automatic object destructor). This also modifies the Data1 field of ProgramPoints to allow storing any pointer-sized value, as opposed to only aligned pointers. This is necessary to store SourceLocations. There is currently no BugReporter support for these; they should be skipped over in any diagnostic output. This commit also tags checkers that currently rely on function calls only occurring at StmtPoints. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160019 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
heckerManager.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
ee158bc29bc12ce544996f7cdfde14aba63acf4d |
09-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] When inlining, make sure we use the definition decl. This was a regression introduced during the CallEvent changes; a call to FunctionDecl::hasBody was also being used to replace the decl found by lookup with the actual definition. To keep from making this mistake again (particularly if/when we start inlining Objective-C methods), this commit adds a "getDefinition()" method to CallEvent, which should do the right thing under any circumstances. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159940 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
752bee2493ec2931bd18899753552e3a47dc85fe |
06-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Be careful about LazyCompoundVals, which may be for the first field. We use LazyCompoundVals to avoid copying the contents of structs and arrays around in the store, and when we need to pass a struct around that already has a LazyCompoundVal we just use the original one. However, it's possible that the first field of a struct may have a LazyCompoundVal of its own, and we currently can't distinguish a LazyCompoundVal for the first element of a struct from a LazyCompoundVal for the entire struct. In this case we should just drop the optimization and make a new LazyCompoundVal that encompasses the old one. PR13264 / <rdar://problem/11802440> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159866 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
8d3ba23f2d9e6c87794d059412a0808c9cbacb25 |
06-Jul-2012 |
Dmitri Gribenko <gribozavr@gmail.com> |
Implement AST classes for comments, a real parser for Doxygen comments and a very simple semantic analysis that just builds the AST; minor changes for lexer to pick up source locations I didn't think about before. Comments AST is modelled along the ideas of HTML AST: block and inline content. * Block content is a paragraph or a command that has a paragraph as an argument or verbatim command. * Inline content is placed within some block. Inline content includes plain text, inline commands and HTML as tag soup. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159790 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
|
478851c3ed6bd784e7377dffd8e57b200c1b9ba9 |
04-Jul-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Drop the ASTContext.h include from Stmt.h and fix up transitive users. This required moving the ctors for IntegerLiteral and FloatingLiteral out of line which shouldn't change anything as they are usually called through Create methods that are already out of line. ASTContext::Deallocate has been a nop for a long time, drop it from ASTVector and make it independent from ASTContext.h Pass the StorageAllocator directly to AccessedEntity so it doesn't need to have a definition of ASTContext around. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159718 91177308-0d34-0410-b5e6-96231b3b80d8
asicValueFactory.cpp
|
fdaa33818cf9bad8d092136e73bd2e489cb821ba |
04-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] For now, don't inline non-static member overloaded operators. Our current inlining support (specifically RegionStore::enterStackFrame) doesn't know that calls to overloaded operators may be calls to non-static member functions, and that in these cases the first argument should be treated as 'this'. This caused incorrect results and sometimes crashes. The long-term fix will be to rewrite RegionStore::enterStackFrame to use CallEvent and its subclasses, but for now we can just disable these problematic calls by classifying them under a new CallEvent, CXXMemberOperatorCall. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159692 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngineCallAndReturn.cpp
|
70cbf3cc09eb21db1108396d30a414ea66d842cc |
03-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Introduce CXXAllocatorCall to handle placement arg invalidation. This is NOT full-blown support for operator new, but removes some nasty duplicated code introduced in r158784. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159608 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
|
840c9842ed8b3a2b1276519a80f89e7d409fc148 |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "Remove unused member (& consequently unused parameter) in SA's Call code." ...and instead add an accessor. We're not using this today, but it's something that should probably stay in the source for potential clients, and it doesn't cost a lot. (ObjCPropertyAccess is only created on the stack, and right now there's only ever one alive at a time.) This reverts r159581 / commit 8e674e1da34a131faa7d43dc3fcbd6e49120edbe. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159595 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
8e674e1da34a131faa7d43dc3fcbd6e49120edbe |
02-Jul-2012 |
David Blaikie <dblaikie@gmail.com> |
Remove unused member (& consequently unused parameter) in SA's Call code. This member became unused in r159559. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159581 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
d4aeb8050a1d0fe47c53a73361c8b0b8ac310f46 |
02-Jul-2012 |
Ted Kremenek <kremenek@apple.com> |
Bail out the LiveVariables analysis when the CFG is very large, as we are encountering some scalability issues with memory usage. The appropriate long term fix is to make the analysis more scalable, but this will at least prevent the analyzer swapping when analyzing very large functions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159578 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
96479da6ad9d921d875e7be29fe1bfa127be8069 |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add generic preCall and postCall checks. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159562 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
|
362a31cacc19764f3630928a9e4779af2576e074 |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Convert CXXConstructExpr over to use CallEvent for evaluation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159561 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
69f87c956b3ac2b80124fd9604af012e1061473a |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Use CallEvent for inlining and call default-evaluation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159560 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
heckerManager.cpp
xprEngineCallAndReturn.cpp
|
de507eaf3cb54d3cb234dc14499c10ab3373d15f |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Finish replacing ObjCMessage with ObjCMethodDecl and friends. The preObjCMessage and postObjCMessage callbacks now take an ObjCMethodCall argument, which can represent an explicit message send (ObjCMessageSend) or an implicit message generated by a property access (ObjCPropertyAccess). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159559 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
heckerManager.cpp
xprEngine.cpp
xprEngineObjC.cpp
|
cde8cdbd6a662c636164465ad309b5f17ff01064 |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Begin replacing ObjCMessage with ObjCMethodCall and friends. Previously, the CallEvent subclass ObjCMessageInvocation was just a wrapper around the existing ObjCMessage abstraction (over message sends and property accesses). Now, we have abstract CallEvent ObjCMethodCall with subclasses ObjCMessageSend and ObjCPropertyAccess. In addition to removing yet another wrapper object, this should make it easy to add a ObjCSubscriptAccess call event soon. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159558 91177308-0d34-0410-b5e6-96231b3b80d8
alls.cpp
xprEngine.cpp
xprEngineObjC.cpp
|
85d7e01cf639b257d70f8a129709a2d7594d7b22 |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Move the last bits of CallOrObjCMessage over to CallEvent. This involved refactoring some common pointer-escapes code onto CallEvent, then having MallocChecker use those callbacks for whether or not to consider a pointer's /ownership/ as escaping. This still needs to be pinned down, and probably we want to make the new argumentsMayEscape() function a little more discerning (content invalidation vs. ownership/metadata invalidation), but this is a good improvement. As a bonus, also remove CallOrObjCMessage from the source completely. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159557 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
alls.cpp
xplodedGraph.cpp
xprEngine.cpp
bjCMessage.cpp
|
740d490593e0de8732a697c9f77b90ddd463863b |
02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add a new abstraction over all types of calls: CallEvent This is intended to replace CallOrObjCMessage, and is eventually intended to be used for anything that cares more about /what/ is being called than /how/ it's being called. For example, inlining destructors should be the same as inlining blocks, and checking __attribute__((nonnull)) should apply to the allocator calls generated by operator new. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159554 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
alls.cpp
heckerManager.cpp
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
rogramState.cpp
egionStore.cpp
|
8d0f528afd9fcb9ebb8ccb4b8a529a05375b628e |
29-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add a test that we are, in fact, doing a DFS on the ExplodedGraph. Previously: ...the comment said DFS... ...the WorkList being instantiated said BFS... ...and the implementation was actually DFS... ...due to an unintentional change in 2010... ...and everything kept working anyway. This fixes our std::deque implementation of BFS, but switches back to a SmallVector-based implementation of DFS. We should probably still investigate the ramifications of DFS vs. BFS, especially for large functions (and especially when we hit our block path limit), since this might completely change our memory use. It can also mask some bugs and reveal others depending on when we halt analysis. But at least we will not have this kind of little mistake creep in again. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159397 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
4715ed95e3e710db097bfdd9a38b67bd7e86aced |
27-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Remove unneeded helper function (it's in ASTContext.h) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159244 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
10f77ad7fc5e5cf3f37a9b14ff5843468b8b84d2 |
23-Jun-2012 |
Ted Kremenek <kremenek@apple.com> |
Implement initial static analysis inlining support for C++ methods. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159047 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
egionStore.cpp
ValBuilder.cpp
|
0206425d9f13486bc18ad4fbd84c4a76d2535dc4 |
23-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Remove a statistic - it's too expensive. (Committed in r159038 by mistake.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159040 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
1e548f12f7cd6631a3e688a9580ede92898d9e69 |
23-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] scan-build: report the total number of steps analyzer performs This would be useful to investigate performance issues. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159038 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
df19fe7cafcb02859efeb6963cddeafef4350ddf |
23-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Report the cumulative number of steps the analyzer performs. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159036 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
6c234b1fd1da64a14a77433cb805cb1aa798512a |
22-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Check for +raise:format: on subclasses of NSException as well. We don't handle exceptions yet, so we treat them as sinks. ExprEngine hardcodes messages that are known to raise Objective-C exceptions like -raise, but it was only checking for +raise:format: and +raise:format:arguments: on NSException itself, not subclasses. <rdar://problem/11724201> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@159010 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
|
b0d8671f95fe08a220118bca29063ba4d11a9dac |
21-Jun-2012 |
Chandler Carruth <chandlerc@gmail.com> |
Remove a goofy CMake hack and use the standard CMake facilities to express library-level dependencies within Clang. This is no more verbose really, and plays nicer with the rest of the CMake facilities. It should also have no change in functionality. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158888 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
|
e38c1c2c449529e60f48e740cb8662e68e5a5330 |
20-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Invalidate placement args; return the pointer given to placement new The default global placement new just returns the pointer it is given. Note that other custom 'new' implementations with placement args are not guaranteed to do this. In addition, we need to invalidate placement args, since they may be updated by the allocator function. (Also, right now we don't properly handle the constructor inside a CXXNewExpr, so we need to invalidate the placement args just so that callers know something changed!) This invalidation is not perfect because CallOrObjCMessage doesn't support CXXNewExpr, and all of our invalidation callbacks expect that if there's no CallOrObjCMessage, the invalidation is happening manually (e.g. by a direct assignment) and shouldn't affect checker-specific metadata (like malloc state); hence the malloc test case in new-fail.cpp. But region values are now properly invalidated, at least. The long-term solution to this problem is to rework CallOrObjCMessage into something more general, rather than the morass of branches it is today. <rdar://problem/11679031> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158784 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
333e05f24717c79637e83806fd5142c752a86afa |
18-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add a comment: why we treat array compound literals as lvalues. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158681 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
3083d3c550dedf68101dd9133905c3c7d35662bd |
16-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Array CompoundLiteralExprs need to be treated like lvalues. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158588 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
9955e708ffadb479b82b26d93dfcf0f5a2a6e372 |
16-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Return an UnknownVal when we try to get the binding for a VLA. This happens in C++ mode right at the declaration of a struct VLA; MallocChecker sees a bind and tries to see if it's an escaping bind. It's likely that our handling of this is still incomplete, but it fixes a crash on valid without disturbing anything else for now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158587 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
2e6f5b823912ae76211427cb8684c9eaa6e53a1f |
16-Jun-2012 |
James Dennett <jdennett@google.com> |
Documentation cleanup: fix a type, LocatioinE -> LocationE git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158566 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
5b8c69494881b7d35bc6244b4a19be0cc2eab368 |
12-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
Revert "[analyzer] Treat LValueBitCasts like regular pointer bit casts." This does not actually give us the right behavior for reinterpret_cast of references. Reverting so I can think about it some more. This reverts commit 50a75a6e26a49011150067adac556ef978639fe6. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158341 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
egionStore.cpp
|
570d03c6831a8e19447dc863aa94ffff020077eb |
12-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat LValueBitCasts like regular pointer bit casts. These casts only appear in very well-defined circumstances, in which the target of a reinterpret_cast or a function formal parameter is an lvalue reference. According to the C++ standard, the following are equivalent: reinterpret_cast<T&>( x) *reinterpret_cast<T*>(&x) [expr.reinterpret.cast]p11 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158338 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
egionStore.cpp
|
8cd64b4c5553fa6284d248336cb7c82dc960a394 |
11-Jun-2012 |
Chad Rosier <mcrosier@apple.com> |
Etch out the code path for MS-style inline assembly. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158325 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
1895a0a6936001374f66adbdfcf8abe5edf912ea |
11-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add ObjCLoopChecker: objects from NSArray et al are non-nil. While collections containing nil elements can still be iterated over in an Objective-C for-in loop, the most common Cocoa collections -- NSArray, NSDictionary, and NSSet -- cannot contain nil elements. This checker adds that assumption to the analyzer state. This was the cause of some minor false positives concerning CFRelease calls on objects in an NSArray. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158319 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineObjC.cpp
|
a64fae162fd1ca9398f6f4ecb27648d965e01587 |
08-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add experimental "issue hash" to the plist diagnostic. CmpRuns.py can be used to compare issues from different analyzer runs. Since it uses the issue line number to unique 2 issues, adding a new line to the beginning of a file makes all issues in the file reported as new. The hash will be an opaque value which could be used (along with the function name) by CmpRuns to identify the same issues. This way, we only fail to identify the same issue from two runs if the function it appears in changes (not perfect, but much better than nothing). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158180 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
783f0087ecb5af27d2f8caed7d6b904797c3d752 |
07-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fixit for r158136. I falsely assumed that the memory spaces are equal when we reach this point, they might not be when memory space of one or more is stack or Unknown. We don't want a region from Heap space alias something with another memory space. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158165 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
e17fdb2d5dbf0ffefd417587003eebbe5baf5984 |
07-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Anti-aliasing: different heap allocations do not alias Add a concept of symbolic memory region belonging to heap memory space. When comparing symbolic regions allocated on the heap, assume that they do not alias. Use symbolic heap region to suppress a common false positive pattern in the malloc checker, in code that relies on malloc not returning the memory aliased to other malloc allocations, stack. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158136 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
ValBuilder.cpp
impleSValBuilder.cpp
|
36397dc6c1bf1513a3bac4eabe9209e5b2295a55 |
06-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Provide debug descriptions for all memory space regions. Patch by Guillem Marpons! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158106 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
581deb3da481053c4993c7600f97acf7768caac5 |
06-Jun-2012 |
David Blaikie <dblaikie@gmail.com> |
Revert Decl's iterators back to pointer value_type rather than reference value_type In addition, I've made the pointer and reference typedef 'void' rather than T* just so they can't get misused. I would've omitted them entirely but std::distance likes them to be there even if it doesn't use them. This rolls back r155808 and r155869. Review by Doug Gregor incorporating feedback from Chandler Carruth. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158104 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
impleSValBuilder.cpp
|
facde171ae4b8926622a1bffa833732a06f1875b |
06-Jun-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Remove unused private member variables found by clang's new -Wunused-private-field. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158086 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
|
7453a72cd0dcc70f29006ba488b743f078072bc7 |
06-Jun-2012 |
Ted Kremenek <kremenek@apple.com> |
PlistDiagnostics: force the ranges for control-flow edges to be single locations, forcing adjacent edges to have compatible ranges. This simplifies the layout logic for some clients. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@158028 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
0344e5423db6dbb614f057887be714d2c0f7f0f6 |
04-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a diagnostics bug which led to a crash on the buildbot. This bug was triggered by r157851. It only happens in the case where we don't perform optimal diagnostic pruning. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157950 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
c0e71a15bce9bb8c0d4ec1c42fab70c03140f9e0 |
02-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Rely on canBeInlined utility instead of checking CallExpr explicitly. This will make it easier to add inlining support to more expressions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157870 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
xprEngine.cpp
|
183ff2aaacbc1995ed64d5e2ffea4456fd871633 |
02-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a spurious undef value warning. When we timeout or exceed a max number of blocks within an inlined function, we retry with no inlining starting from a node right before the CallEnter node. We assume the state of that node is the state of the program before we start evaluating the call. However, the node pruning removes this node as unimportant. Teach the node pruning to keep the predecessors of the call enter nodes. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157860 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
144e52be486a3906aec90c51b0ac94a30313152e |
02-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix lack of coverage after empty inlined function. We should not stop exploring the path after we return from an empty function. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157859 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
7fa9b4f258636d89342eda28f21a986c8ac353b1 |
01-Jun-2012 |
Ted Kremenek <kremenek@apple.com> |
static analyzer: add inlining support for directly called blocks. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157833 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
emRegion.cpp
rogramState.cpp
egionStore.cpp
|
ed7948b55fa4b2505f240cc5287137f451172b4c |
31-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Allow some BugReports to opt-out of PathDiagnostic callstack pruning until we have significantly improved the pruning heuristics. The current heuristics are pretty good, but they make diagnostics for uninitialized variables warnings particularly useless in some cases. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157734 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
e41458c37923c77fdae39676b3b4bce9f6c80def |
25-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Don't crash on LValBitCast git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157478 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
17eb65f1bfcc33d2a9ecefe32368cb374155dbdc |
24-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Treat cast of array to reference in the same way as array to pointer. Fixes one of the crashes reported in PR12874. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157401 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
13dd47a0c01f8b4a6b3fbe379218f7ba8e692d0f |
22-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Bind UnknownVal to InitListExpr for unsupported types (ex: float). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157211 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
b7824d9919c3588e898c22f47a5248f10a7a084d |
21-May-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Analyzer: Fix PR12905, a crash when encountering a call to a function named "C". While there clean up indentation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157204 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
|
591b5f53c0e11d87401b4804bb1be1a53f95c619 |
19-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] For locations, use isGLValue() instead of isLValue(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157088 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineC.cpp
xprEngineCallAndReturn.cpp
bjCMessage.cpp
|
719b429e3ed660cfd9cce88397b29c695a25fa50 |
19-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a c++11 crash: xvalues can be locations (VisitMemberExpr) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@157082 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
70fdbc366da85880aae5baebd3351e993ca05603 |
12-May-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] RetainCountChecker: track ObjC boxed expression objects. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156699 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
df8755884e039d3f313ee0fea42b955257b5e240 |
11-May-2012 |
Argyrios Kyrtzidis <akyrtzi@gmail.com> |
The Lexer constructor expects a source location at the start of the file buffer, not at the start of lexing. Fixes assertion hit in format diagnostics. rdar://11418366 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156647 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
|
51d18cab1f55df33d85137868b59fec0c4a8776a |
11-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Include line that was meant to be in my last commit. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156582 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
8667052a53a47a6290dc9ae98e5c3d9277df5f4a |
11-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix insidious RegionStore bug where we (a) didn't handle vector types and (b) had a horrible bug in GetLazyBindings where we falsely appended a field suffix when traversing 3 or more layers of lazy bindings. I don't have a reduced test case yet; but I have added the original source to an internal regression test suite. I'll see about coming up with a reduced test case. Fixes <rdar://problem/11405978> (for real). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156580 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
b3b1ae85757a8722caccb742b73ca31b4b53bb0a |
10-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Exit early if constraint solver is given a non-integer symbol to reason about. As part of taint propagation, we now allow creation of non-integer symbolic expressions like a cast from int to float. Addresses PR12511 (radar://11215362). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156578 91177308-0d34-0410-b5e6-96231b3b80d8
impleConstraintManager.cpp
|
50b5a5c32e07301e4edcc01aca1f8a49a128c66c |
09-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Simplify r156446, as per Ted's review. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156482 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
caa62af79db9be0ef0843aa77cbc216108842855 |
09-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Allow pointers to escape through selector callbacks. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156481 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
|
a8f2362307b436023095e66efd678ae591c02184 |
09-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] We currently do not fully support CompoundLiterals in RegionStore, so be explicit about it and generate UnknownVal(). This is a hack to ensure we never produce undefined values for a value coming from a compound value. (The undefined values can lead to false positives.) radar://10127782 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156446 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
4213e389d6f8fa96ab30eec0d932e4e3eee32997 |
08-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Having RegionStore lower field bindings to raw offsets, just like ElementRegions. This is a bit disruptive, but it allows RegionStore to better "see" through casts that reinterpret arrays of values as structs. Fixes <rdar://problem/11405978>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156428 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
7dbbc2178fb487f3a8bff03a2c9e87f727bf2b98 |
08-May-2012 |
Ted Kremenek <kremenek@apple.com> |
When creating lazy bindings in RegionStore, propagate existing lazy bindings instead of creating new ones. This is a functionality optimization. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156427 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
6341931b144cbf369ab816e871322c99ee62bea7 |
08-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Include address of Store in graphviz output of ExplodedGraph. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156426 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
c319c585c0d5899cba0dca2272e6e4909c8b9f16 |
08-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Teach the analyzer about CXXScaleValueInitExpr. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156369 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
|
2cbc12fa24482889159926aab79e361ebe2e7f91 |
08-May-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] BasicConstraintManager: drop NE-constraints once we have a value. This could conceivably cut down on state proliferation, although we don't use BasicConstraintManager by default anymore. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156362 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
|
1d8db493f86761df9470254a2ad572fc6abf1bf6 |
08-May-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] Rework both constraint managers to handle mixed-type comparisons. This involves keeping track of three separate types: the symbol type, the adjustment type, and the comparison type. For example, in "$x + 5 > 0ULL", if the type of $x is 'signed char', the adjustment type is 'int' and the comparison type is 'unsigned long long'. Most of the time these three types will be the same, but we should still do the right thing when the comparison value is out of range, and wraparound should be calculated in the adjustment type. This also re-disables an out-of-bounds test; we were extracting the symbol from non-additive SymIntExprs, but then throwing away the integer. Sorry for the large patch; both the basic and range constraint managers needed to be updated together, since they share code in SimpleConstraintManager. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156361 91177308-0d34-0410-b5e6-96231b3b80d8
PSIntType.cpp
asicConstraintManager.cpp
MakeLists.txt
angeConstraintManager.cpp
impleConstraintManager.cpp
impleConstraintManager.h
|
d3b6d99cd57522b15dcec0eb771a97d9599d4db2 |
08-May-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] Add an abstraction for the bit width and signedness of an APSInt. No functionality change. There are more parts of the analyzer that could use the convenience of APSIntType, particularly the constraint engine, but that needs a fair amount of rewriting to handle mixed-type constraints anyway. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156360 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
6400f02ab2048eb9aa2bc31b26db9f19a99d35f4 |
07-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a crash triggered by OSAtomicChecker. SValBuilder should return an UnknownVal() when comparison of int and ptr fails. Previous to this commit, it went on assuming that we are dealing with pointer arithmetic. PR12509, radar://11390991 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156320 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
3127d48cd8572d88d16e2b2d16045bdb3f7a4a98 |
07-May-2012 |
David Blaikie <dblaikie@gmail.com> |
Remove variable made unused by r156270. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156273 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
c838fd2ab889ffbb82c90da0cd634ef75b614b2c |
07-May-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] Reduce parallel code paths in SimpleSValBuilder::evalBinOpNN, and handle mixed-type operations more generally. The logical change is that the integers in SymIntExprs may not have the same type as the symbols they are paired with. This was already the case with taint-propagation expressions created by SValBuilder::makeSymExprValNN, but I think those integers may never have been used. SimpleSValBuilder should be able to handle mixed-integer-type SymIntExprs fine now, though, and the constraint managers were already being defensive (though not entirely correct). All existing tests pass. The logic in evalBinOpNN has been simplified so that conversion is done as late as possible. As a result, most of the switch cases have been reduced to do the minimal amount of work, delegating to another case when they can by substituting ConcreteInts and (as before) reversing the left and right arguments when useful. Comparisons require special handling in two places (building SymIntExprs and evaluating constant-constant operations) because we don't /know/ the best type for comparing the two values. I've approximated the rules in Sema [C99 6.3.1.8] but it'd be nice to refactor Sema's actual algorithm into ASTContext. This is also groundwork for handling mixed-type constraints better than we do now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156270 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
85d87df66a50a15a1957f7213802000b451a8ec9 |
04-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Explicitly model capturing variables for blocks in the static analyzer. Fixes <rdar://problem/11125868>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156211 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
emRegion.cpp
egionStore.cpp
|
84d43848e39eab9e3386cbfb3906ba2d6a382f24 |
04-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fixup r156134: Handle the case when FunctionDecl isn't avail. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156183 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
|
b79d862af66d8dd9d059863813b9a27d744bd990 |
04-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Assume pointer escapes when a callback is passed inside a struct. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156135 91177308-0d34-0410-b5e6-96231b3b80d8
bjCMessage.cpp
|
aca0ac58d2ae80d764e3832456667d7322445e0c |
04-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Allow pointers to escape through calls containing callback args. (Since we don't have a generic pointer escape callback, modify ExprEngineCallAndReturn as well as the malloc checker.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156134 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
bjCMessage.cpp
|
90a7126f76b7511b0a073cbbcde40d1334b40542 |
03-May-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] When promoting constant integers in a comparison, use the larger width of the two to avoid truncation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156089 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
14d20b1dff6370f76279fcfb0fd780e2e5eb57bb |
03-May-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] Equality ops are like relational ops in that the arguments shouldn't be converted to the result type. Fixes PR12206 and dupe PR12510. This was probably the original intent of r133041 (also me, a year ago). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156062 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
e55a14a025c38800d07f1ab0db7dbbe4a2fe1605 |
03-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Conjure a symbol to ensure we can identify pointer arithmetic. We need to identify the value of ptr as ElementRegion (result of pointer arithmetic) in the following code. However, before this commit '(2-x)' evaluated to Unknown value, and as the result, 'p + (2-x)' evaluated to Unknown value as well. int *p = malloc(sizeof(int)); ptr = p + (2-x); git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156052 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
da3960347a5d563d6746cb363b25466282a09ce3 |
03-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not assert on constructing SymSymExpr with diff types. The resulting type info is stored in the SymSymExpr, so no reason not to support construction of expression with different subexpression types. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156051 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleSValBuilder.cpp
|
baeaa9ad120f60b1c5b6f1a84286b507dbe2b55d |
03-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add a complexity bound on history tracking. (Currently, this is only relevant for tainted data.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156050 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
ymbolManager.cpp
|
31595e22b7e0d21b0b7c4c4fb196e97d3edc2a08 |
03-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Revert the functional part of r155944. The change resulted in multiple issues on the buildbot, so it's not ready for prime time. Only enable history tracking for tainted data (which is experimental) for now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@156049 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
11abcecc8c919673237cf37384290a1ef1943976 |
02-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Refine analyzer diagnostics by adding an expression "cone-of-influence" to reverse track interesting values through interesting expressions. This allows us to map from interesting values in a caller to interesting values in a caller, thus recovering some precision in diagnostics lost from IPA. Fixes <rdar://problem/11327497> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155971 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
2a6e30d9ec947e26df55b4ea4eb5b583bb85ee96 |
02-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix an assertion failure triggered by the analyzer buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155964 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
140d0c64417e2fb5fc4dd40ce0d46b037ac11b02 |
01-May-2012 |
Ted Kremenek <kremenek@apple.com> |
Teach SValBuilder to handle casts of symbolic pointer values to an integer twice. Fixes <rdar://problem/11212866>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155950 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
e2241cbb0455a60ba27d6c4b9d601ffef3ed103f |
01-May-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Construct a SymExpr even when the constraint solver cannot reason about the expression. This essentially keeps more history about how symbolic values were constructed. As an optimization, previous to this commit, we only kept the history if one of the symbols was tainted, but it's valuable to keep the history around for other purposes as well: it allows us to avoid constructing conjured symbols. Specifically, we need to identify the value of ptr as ElementRegion (result of pointer arithmetic) in the following code. However, before this commit '(2-x)' evaluated to Unknown value, and as the result, 'p + (2-x)' evaluated to Unknown value as well. int *p = malloc(sizeof(int)); ptr = p + (2-x); This change brings 2% slowdown on sqlite. Fixes radar://11329382. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155944 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
impleSValBuilder.cpp
|
262bc18e32500558af7cb0afa205b34bd37bafed |
30-Apr-2012 |
David Blaikie <dblaikie@gmail.com> |
Remove the ref/value inconsistency in filter_decl_iterator. filter_decl_iterator had a weird mismatch where both op* and op-> returned T* making it difficult to generalize this filtering behavior into a reusable library of any kind. This change errs on the side of value, making op-> return T* and op* return T&. (reviewed by Richard Smith) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155808 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
egionStore.cpp
impleSValBuilder.cpp
|
8f40afbf7740c39fccaa4b8cc5aa2814d5ed6fdc |
26-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] check lazy bindings in RegionStore first before looking for default values. Fixes <rdar://problem/11269741>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155615 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
28c9e5720dea5f7b9a4d154ee49886c69de8ae29 |
24-Apr-2012 |
Shih-wei Liao <sliao@google.com> |
Migrate external/clang to CLANG-155088-20120419. Change-Id: I7e31d8b22ef405f54838a8582c78291fa45ca344
ndroid.mk
|
fa784da5b9039ead42323bfe9ae6d33ab3c5c6b3 |
24-Apr-2012 |
Shih-wei Liao <sliao@google.com> |
Merge with CLANG upstream r155088. Conflicts: lib/Basic/Targets.cpp Change-Id: Id80f069ae25e623967b705e9fa11cfd94dd2461c
|
0b3ade86a1c60cf0c7b56aa238aff458eb7f5974 |
20-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Run remove dead bindings right before leaving a function. This is needed to ensure that we always report issues in the correct function. For example, leaks are identified when we call remove dead bindings. In order to make sure we report a callee's leak in the callee, we have to run the operation in the callee's context. This change required quite a bit of infrastructure work since: - We used to only run remove dead bindings before a given statement; here we need to run it after the last statement in the function. For this, we added additional Program Point and special mode in the SymbolReaper to remove all symbols in context lower than the current one. - The call exit operation turned into a sequence of nodes, which are now guarded by CallExitBegin and CallExitEnd nodes for clarity and convenience. (Sorry for the long diff.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155244 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
heckerManager.cpp
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
athDiagnostic.cpp
ymbolManager.cpp
|
eb382ec1507cf2c8c12d7443d0b67c076223aec6 |
19-Apr-2012 |
Patrick Beard <pcbeard@mac.com> |
Implements boxed expressions for Objective-C. <rdar://problem/10194391> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155082 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
01561d1039bfdda61edd20eed939011a8632c7c7 |
17-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Change ExprEngine::shouldInlineDecl() to be defensive in checking if the CFG of the callee is valid. Fixes <rdar://problem/11257631>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154896 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
534986f2b21e6050bf00163cd6423fd92155a6ed |
14-Apr-2012 |
Richard Smith <richard-llvm@metafoo.co.uk> |
Add an AttributedStmt type to represent a statement with C++11 attributes attached. Since we do not support any attributes which appertain to a statement (yet), testing of this is necessarily quite minimal. Patch by Alexander Kornienko! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154723 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
87e154c09bbb060a0620bc988d7723bee64fb79c |
13-Apr-2012 |
Douglas Gregor <dgregor@apple.com> |
Remove the unused, unmaintained, incomplete 'Index' library. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154672 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
oreEngine.cpp
|
6a86082f3a06a2dcceaaf63f78a0e52d64bcbaa3 |
13-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] PCH deserialization optimization. We should not deserialize unused declarations from the PCH file. Achieve this by storing the top level declarations during parsing (HandleTopLevelDecl ASTConsumer callback) and analyzing/building a call graph only for those. Tested the patch on a sample ObjC file that uses PCH. With the patch, the analysis is 17.5% faster and clang consumes 40% less memory. Got about 10% overall build/analysis time decrease on a large Objective C project. A bit of CallGraph refactoring/cleanup as well. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154625 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
7ea1c5639764aa3ebe124f4350c5f2b3be795667 |
12-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] dynamic_cast Simplify null value generation. As per Jordy's review. Creating a symbol here is more flexible; however I could not come up with an example where it was needed. (What constraints can be added on the symbol constrained to 0?) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154542 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
a2c8d2edfff1573450c6feba876830dd746ffaad |
10-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] dynamic_cast: Better model cast from a reference. Generate a sink when the dynamic_cast from a reference fails to represent a thrown exception. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154438 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
egionStore.cpp
|
e19f86edab8fb3c2c1e99e0e9815b6058504df9b |
10-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add support for C++ dynamic_cast. Simulate the C++ dynamic_cast in the analyzer. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154434 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
egionStore.cpp
|
bd613137499b1d4c3b63dccd0aa21f6add243f4f |
07-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Rework ExprEngine::evalLoad and clients (e.g. VisitBinaryOperator) so that when we generate a new ExplodedNode we use the same Expr* as the one being currently visited. This is preparation for transitioning to having ProgramPoints refer to CFGStmts. This required a bit of trickery. We wish to keep the old Expr* bindings in the Environment intact, as plenty of logic relies on it and there is no reason to change it, but we sometimes want the Stmt* for the ProgramPoint to be different than the Expr* being used for bindings. This requires adding an extra argument for some functions (e.g., evalLocation). This looks a bit strange for some clients, but it will look a lot cleaner when we start using CFGStmt* in the appropriate places. As some fallout, the diagnostics arrows are a bit different, since some of the node locations have changed. I have audited these, and they look reasonable. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154214 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineObjC.cpp
|
6fd4505ad67a186da8cc26fdb493c93fe4937555 |
05-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Require that all static analyzer issues have a category. As part of this change, consolidate some commonly used category strings into global references (more of this can be done, I just did a few). Fixes <rdar://problem/11191537>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154121 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b98b998e9a5637012ab39ad1dabdad7c798721e8 |
05-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Handle symbolicating a reference in an initializer expression that we don't understand. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154084 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
907344e4977ac704f248d82ef235b88be08584d5 |
05-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Change wording in a path diagnostic: "No method actually called because receiver is nil" -> "No method is called because receiver is nil" git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154077 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
4f4705faae9fc10e21be95eb39317f714cf8307f |
05-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Remove redundant if statement (pointed out by Ted). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154075 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
|
07189521a15d9c088216b943649cb9fe231cbb57 |
04-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Include the "issue context" (e.g. function or method) where a static analyzer issue occurred in the plist output. Fixes <rdar://problem/11004527> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154030 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
88fc18120ca14b82bef695d6440f51e4c468916c |
04-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Change BugReporter's usage of IsCachedDiagnostic to only impact pruning diagnostics emitted to the console, and leave it up to PathDiagnosticConsumer to unique reports with the shortest path. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153987 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
e62f048960645b79363408fdead53fec2a063c52 |
03-Apr-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Record the basic blocks covered by the analysis run. Store this info inside the function summary generated for all analyzed functions. This is useful for coverage stats and can be helpful for analyzer state space search strategies. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153923 91177308-0d34-0410-b5e6-96231b3b80d8
MakeLists.txt
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
unctionSummary.cpp
|
31b57628576a2355428fd4b57f828a3aa8423000 |
03-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix another false positive in RegionStore involving doing loads from symbolic offsets. We still don't properly reason about such accesses, but we shouldn't emit bogus "uninitialized value" warnings either. Fixes <rdar://problem/11127008>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153913 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
d9b795524eb3dc035523f82f135d0a8adf15cd72 |
02-Apr-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix potential null dereference in the static analyzer when inlining a call that has already been inlined. Unfortunately I have no test case. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153900 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
4a5f724538cbc275370c9504e8169ce92503256c |
01-Apr-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Analyzer: Store BugReports directly in an ilist instead of adding another layer of indirection with std::list git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153847 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
62a5c34ddc54696725683f6c5af1c8e1592c5c38 |
30-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Malloc, RetainRelease: Allow pointer to escape via NSMapInsert. Fixes a false positive (radar://11152419). The current solution of adding the info into 3 places is quite ugly. Pending a generic pointer escapes callback. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153731 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
3bbd8cd831788c506f2980293eb3c7e1b3ca2501 |
30-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Do not inline functions which previously reached max block count. This is an optimization for "retry without inlining" option. Here, if we failed to inline a function due to reaching the basic block max count, we are going to store this information and not try to inline it again in the translation unit. This can be viewed as a function summary. On sqlite, with this optimization, we are 30% faster than before and cover 10% more basic blocks (partially because the number of times we reach timeout is decreased by 20%). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153730 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
b47dbcbc12430fdf3e5a5b9f59cdec5480e89e75 |
28-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Enable retry exhausted without inlining by default. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153591 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
xprEngine.cpp
|
253955ca25c7e7049963b5db613c0cd15d66e4f8 |
28-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyser] Stats checker: do not mark a node as exhausted if we will retry without inlining. (+ other minor cleanups) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153581 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
|
6488dc31153be6f98b404c7860be6c66bb4ec917 |
28-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix suspicious comparison reported by PVS-Studio! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153568 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
5903a373db3d27794c90b25687e0dd6adb0e497d |
27-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add an option to re-analyze a dead-end path without inlining. The analyzer gives up path exploration under certain conditions. For example, when the same basic block has been visited more than 4 times. With inlining turned on, this could lead to decrease in code coverage. Specifically, if we give up inside the inlined function, the rest of parent's basic blocks will not get analyzed. This commit introduces an option to enable re-run along the failed path, in which we do not inline the last inlined call site. This is done by enqueueing the node before the processing of the inlined call site with a special policy encoded in the state. The policy tells us not to inline the call site along the path. This led to ~10% increase in the number of paths analyzed. Even though we expected a much greater coverage improvement. The option is turned off by default for now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153534 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
560ad31c413724fafd13d6fd723e403f28daa132 |
22-Mar-2012 |
Shih-wei Liao <sliao@google.com> |
Migrate external/clang to CLANG-153220-20120321. Change-Id: I3b469a42a5048f05f06d14aba34419119047e1a9
ndroid.mk
|
d316862f4fb281ec08a2e45cd3e5580574adb889 |
24-Mar-2012 |
Shih-wei Liao <sliao@google.com> |
Merge branch 'upstream' into sliao_d
|
3bc75ca0a636efdc93471c9b6bad43085a22bf3a |
24-Mar-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] Restart path diagnostic generation if any of the visitors change the report configuration while walking the path. This required adding a change count token to BugReport, but also allowed us to ditch ImmutableList as the BugReporterVisitor data type. Also, remove the hack from MallocChecker, now that visitors appear in the opposite order. This is not exactly a fix, but the common case -- custom diagnostics after generic ones -- is now the default behavior. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153369 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
514f2c9dcb9e04b52929c5b141a6fe88bd68b33f |
23-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Avoid applying retain/release effects twice in RetainCountChecker when a function call was inlined (i.e., we do not need to apply summaries in such cases). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153309 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngineCallAndReturn.cpp
|
5aac0b6ae95f137b1783f3e6227241fb457b8f8b |
22-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix static analyzer crash on code taking the address of a field. Fixes PR 11146. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153283 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
638e2d31fceed041e7e16aada4188c94cb5797bb |
22-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add the stat for the number of successfully explored paths. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153281 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
749bbe6f5f23676244f12a0d41511c8e73516feb |
22-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add stats useful for coverage investigations. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153280 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
3d7c44e01d568e5d5c0fac9c6ccb3f080157ba19 |
21-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Malloc: Utter the name of the leaked variable. Specifically, we use the last store of the leaked symbol in the leak diagnostic. (No support for struct fields since the malloc checker doesn't track those yet.) + Infrastructure to track the regions used in store evaluations. This approach is more precise than iterating the store to obtain the region bound to the symbol, which is used in RetainCount checker. The region corresponds to what is uttered in the code in the last store and we do not rely on the store implementation to support this functionality. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153212 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
emRegion.cpp
|
27b867ea1c9cb4b40f9b817c303d6df3ee753da9 |
21-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyser] Factor out FindUniqueBinding from RetainCount checker. So that others could use it as well. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@153211 91177308-0d34-0410-b5e6-96231b3b80d8
tore.cpp
|
8fe4525680ce72e90cee3e58b5654e3ae955447f |
17-Mar-2012 |
NAKAMURA Takumi <geek4civic@gmail.com> |
StaticAnalyzer: Fix abuse of StringRef in r152962. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152982 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
fbd58743fa6c793b84ed60a0e2325335a53da6c4 |
17-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Shorten the stack hint diagnostic. Do not display the standard "Returning from 'foo'", when a stack hint is available. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152964 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
56a938ff85a444eb3d30d2634d92ce5b1f6fae56 |
17-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Create symbol-aware stack hints (building upon r152837). The symbol-aware stack hint combines the checker-provided message with the information about how the symbol was passed to the callee: as a parameter or a return value. For malloc, the generated messages look like this : "Returning from 'foo'; released memory via 1st parameter" "Returning from 'foo'; allocated memory via 1st parameter" "Returning from 'foo'; allocated memory returned" "Returning from 'foo'; reallocation of 1st parameter failed" (We are yet to handle cases when the symbol is a field in a struct or an array element.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152962 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
|
076add680e281709cf081052be0dcb822dc8f37d |
17-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] +Comments git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152961 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
|
131579f198f9cc9e6405adbe6159110c283ec5a4 |
17-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add a statistic for the number of times we reach the max number of steps in the work list. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152960 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
|
ce612f5a7d306f919c7ae57fcd8c5ecb5d83d54e |
16-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Fix analyzer crash on analyzing 'catch' with no condition variable. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152900 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
8ec588e2ac57311604cf80608c7d4b3fb3b022f7 |
15-Mar-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] If a metadata symbol is interesting, its region is interesting as well. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152868 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
d7b83148ac0a537f5ec9be9d87bbec62b75435f4 |
15-Mar-2012 |
Jordy Rose <jediknil@belkadan.com> |
[analyzer] Remove AggExprVisitor, a dead class that assisted in visiting C++ expressions with a "base object", because the CFG is now linearized. The only use of AggExprVisitor was in #if 0 code (the analyzer's incomplete C++ support), so there is no actual behavioral change anyway. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152856 91177308-0d34-0410-b5e6-96231b3b80d8
ggExprVisitor.cpp
MakeLists.txt
xprEngineCXX.cpp
|
368a0d565f078666ca5bfb7fe08d04648688e4bc |
15-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Allow checkers to supply call stack diagnostic hints for the BugVisitor DiagnosticPieces. When checkers create a DiagnosticPieceEvent, they can supply an extra string, which will be concatenated with the call exit message for every call on the stack between the diagnostic event and the final bug report. (This is a simple version, which could be/will be further enhanced.) For example, this is used in Malloc checker to produce the ", which allocated memory" in the following example:

    static char *malloc_wrapper() { // 2. Entered call from 'use'
      return malloc(12); // 3. Memory is allocated
    }
    void use() {
      char *v;
      v = malloc_wrapper(); // 1. Calling 'malloc_wrappers'
      // 4. Returning from 'malloc_wrapper', which allocated memory
    } // 5. Memory is never released; potential memory leak

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152837 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
|
59e7f4e6e69872d2fc4031f66b47b8ad64967e51 |
15-Mar-2012 |
Matt Beaumont-Gay <matthewbg@google.com> |
'#if 0' out a variable that's only used in other preprocessor-disabled code. (Why are we keeping all of this code around anyway? Say the word and I'll start swinging the delete hammer.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152749 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
9373937945e1e075dfa08169eaccc1ad0b31f699 |
14-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Diagnostics: Supply Caller information even if the bug occurs in the callee. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152734 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
|
e711d7e7875920fee4180a26bfc67d67f0f71a2c |
14-Mar-2012 |
Erik Verbruggen <erikjv@me.com> |
[Analyser] Remove unnecessary recursive visits for ExprWithCleanups and MaterializeTemporaryExpr. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152730 91177308-0d34-0410-b5e6-96231b3b80d8
ggExprVisitor.cpp
xprEngine.cpp
|
e5049d29f74183d88a332ce4868e84a9c12893f0 |
14-Mar-2012 |
Erik Verbruggen <erikjv@me.com> |
[Analyser] Removes more recursive visitations in ExprEngine that are no longer needed as the CFG is fully linearized. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152720 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
6cc0969ab37c614d6cf496f2ed6d2fca397a0133 |
13-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyser] Refactor shouldInline logic into a helper. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152677 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
fc544e3d52c43746b1b273f38ec7d65461f0064a |
13-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Call enter/exit diagnostic should refer to caller/callee, respectively. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152676 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
29af3c7425b791daf5c9ec0a820d6b5baab2ddcc |
13-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Add new analyzer diagnostic mode where plists can have bugs that span multiple files. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152586 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
e881efe78596a6ce9219237b737ced4adb1f8251 |
12-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Include inlining call stack depth in plist output. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152584 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
4e4d08403ca5cfd4d558fa2936215d3a4e5a528d |
11-Mar-2012 |
David Blaikie <dblaikie@gmail.com> |
Unify naming of LangOptions variable/get function across the Clang stack (Lex to AST). The member variable is always "LangOpts" and the member function is always "getLangOpts". Reviewed by Chris Lattner git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152536 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
heckerContext.cpp
xprEngineC.cpp
TMLDiagnostics.cpp
emRegion.cpp
listDiagnostics.cpp
|
f4b88a45902af1802a1cb42ba48b1c474474f228 |
10-Mar-2012 |
John McCall <rjmccall@apple.com> |
Remove BlockDeclRefExpr and introduce a bit on DeclRefExpr to track whether the referenced declaration comes from an enclosing local context. I'm amenable to suggestions about the exact meaning of this bit. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152491 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
337e4dbc6859589b8878146a88bebf754e916702 |
10-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] fix regression in analyzer of NOT actually aborting on Stmts it doesn't understand. We registered as aborted, but didn't treat such cases as sinks in the ExplodedGraph. Along the way, add basic support for CXXCatchStmt, expanding the set of code we actually analyze (hopefully correctly). Fixes: <rdar://problem/10892489> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152468 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
xprEngineCXX.cpp
ValBuilder.cpp
|
3fd5f370a28552976c52e76c3035d79012d78dda |
09-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add support for NoRedundancy inlining mode. We do not reanalyze a function, which has already been analyzed as an inlined callee. As per PRELIMINARY testing, this gives over 50% run time reduction on some benchmarks without decreasing the number of bugs found. Turning the mode on by default. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152440 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
|
76aadc346c3a4c363238a1e1232f324c3355d9e0 |
09-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152361 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
66253352131e3e7a22b3bfd0e180607aa2bfb988 |
09-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Rework inlining related command line options.
- Remove -analyzer-inline-call.
- Add -analyzer-ipa=[none|inlining]
- Add -analyzer-inlining-mode to allow experimentation for different performance tuning methods.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152351 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
|
9fcce65e7e1307b5b8da9be13e4092d6bb94dc1d |
07-Mar-2012 |
Richard Smith <richard-llvm@metafoo.co.uk> |
AST representation for user-defined literals, plus just enough of semantic analysis to make the AST representation testable. They are represented by a new UserDefinedLiteral AST node, which is a sugared CallExpr. All semantic properties, including full CodeGen support, are achieved for free by this representation. UserDefinedLiterals can never be dependent, so no custom instantiation behavior is required. They are mangled as if they were direct calls to the underlying literal operator. This matches g++'s apparent behavior (but not its actual mangling, which is broken for literal-operator-ids). User-defined *string* literals are now fully-operational, but the semantic analysis is quite hacky and needs more work. No other forms of user-defined literal are created yet, but the AST support for them is present. This patch committed after midnight because we had already hit the quota for new kinds of literal yesterday. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152211 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
1a45a5ff5d495cb6cd9a3d4d06317af79c0f634d |
06-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Add static analyzer support for new NSArray/NSDictionary/NSNumber literals. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152139 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
|
097ebb3d8ce55d1f78a3f1e7a0978dbde5ee2898 |
06-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] add a diagnostic event when entering a call via inlining, within the callee, and add an edge. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152086 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
2dd17abf11ae64339fa6bfaa57d76e13a5fbe5b8 |
06-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] 'Looping back to the head of the loop' diagnostics are prunable. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152083 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
a99f874bf2ade1e32f0feda7d5b8211171440f02 |
06-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Teach SimpleSValBuilder that (in the absence of more information) stack memory doesn't alias symbolic memory. This is a heuristic/hack, but works well in practice. Fixes <rdar://problem/10978247>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152065 91177308-0d34-0410-b5e6-96231b3b80d8
impleSValBuilder.cpp
|
361035524dc26094825134f30c07311f38f4f8b1 |
06-Mar-2012 |
Stephen Hines <srhines@google.com> |
Merge with upstream Clang @152062. Added include/clang/Config/config.h (note the ANDROID_CONFIG_H header guard because CONFIG_H is already taken) Added support for AttrTemplateInstantiate TableGen rules. Added libLLVMVectorize dependency. Build -HostInfo.cpp -CallGraph.cpp +GlobalCallGraph.cpp -MultiInitializer.cpp +PPCallbacks.cpp +SemaConsumer.cpp +ChainedDiagnosticConsumer.cpp +DependencyGraph.cpp +DiagnosticRenderer.cpp +LayoutOverrideSource.cpp +WindowsToolChain.cpp +SemaLambda.cpp +BoolAssignmentChecker.cpp +LambdaMangleContext.cpp +CStringSyntaxChecker.cpp +ObjCContainersASTChecker.cpp +ObjCContainersChecker.cpp +VirtualCallChecker.cpp +Dominators.cpp +SubEngine.cpp +RewriteModernObjC.cpp Change-Id: Ifda805ce87ae132f055131f4f83692b5c3d63d17
ndroid.mk
|
91932089c31e1233f0c478b03412e90a65e07ad2 |
05-Mar-2012 |
Stephen Hines <srhines@google.com> |
Merge branch 'upstream' into merge-20120305 Conflicts: lib/Basic/Targets.cpp Change-Id: Ib76c138030a701355ce39a6eda1a89a79f401667
|
a81d3d434e6581ff354eaf5b2a3c25c75771a792 |
04-Mar-2012 |
Erik Verbruggen <erikjv@me.com> |
Remove a recursive visitation in ExprEngine that is no longer needed because the CFG is fully linearized. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152007 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
4ba86bc53bb280ba46a08459eda7d283d513b61f |
02-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer diagnostics] flush locations *before* popping the current path when visiting a CallEnter. Fixes <rdar://problem/10967815> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151938 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
8235f9c9c8b3d1737d1c6bd57f7ba3f616b92392 |
02-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Bound the size of the functions being inlined + provide command line options for inlining tuning. This adds the option for stack depth bound as well as function size bound. + minor doxygenification git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151930 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
xprEngineCallAndReturn.cpp
|
77d09441e59d3bced6c3d55505eb3a67a784fe02 |
02-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer diagnostics] Change CompactPathDiagnostic to recursively compact diagnostics in calls into macro pieces. Also fix handling of macros within calls in the HTMLDiagnostics. This also adds a test case for r151774. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151872 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
|
cc2c4b293d8590346f26b7ecc16d299226b8794f |
02-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Teach the analyzer to just ignore CXXBindTemporaryExpr. There's nothing special to do with it, since destructors are represented explicitly in the CFG. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151856 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
b2c60b04a597cc5ba4154837cf8e0a155a376fd7 |
01-Mar-2012 |
Argyrios Kyrtzidis <akyrtzi@gmail.com> |
Move llvm/ADT/SaveAndRestore.h -> llvm/Support/SaveAndRestore.h. Needs llvm update. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151829 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
3edf02f66d339a3ae6d06aeb96c78d9089b53bc1 |
01-Mar-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Diagnostics - do not try to cleanup the path with macros, it will be done by the general cleanup later on. A Patch by Ted. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151784 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
725167443808efdc39a99f4eb132a0ae64ac5118 |
01-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
Change if...else if...else if... to a switch. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151775 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
62ff52868976a8494224a2914f1869329777944c |
01-Mar-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] when scanning FIDs in a PathDiagnostic, correctly recurse calls and macros. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151774 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
listDiagnostics.cpp
|
ca23eb212c78ac5bc62d0881635579dbe7095639 |
29-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Malloc: A pointer might escape through CFContainers APIs, funopen, setvbuf. Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151737 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
4fafeb6452a79794726a1adc53fb5e2a5887c5f9 |
29-Feb-2012 |
Erik Verbruggen <erikjv@me.com> |
Remove a recursive visitation in ExprEngine that is no longer needed because the CFG is fully linearized. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151711 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
56d8fd0b8a65a7ccae3669cd650ca443cf24b73e |
29-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer diagnostics] Refactor filtration for PathDiagnosticConsumers that don't support cross-file diagnostics into a common place. Currently enable this filtration for Plist diagnostics as well. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151664 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
|
c89f4b05721f53cfbaf32fc0c4919a4616e68440 |
29-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer diagnostics] start prototyping stripping PathDiagnostics of unnecessary cruft caused by path inlining. This introduces a concept of a "prunable" PathDiagnosticEvent. Currently this is a flag, but we may evolve the concept to make this more dynamically inferred. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151663 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
c2994283aa7538b7420c8e398cde7afa328d7042 |
28-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Stats: Add the stats about remove dead bindings, correct the test. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151656 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
07d39a479cf8f20294407e749f9933da34ebecb7 |
28-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix Malloc False Positive (PR 12100) When allocated buffer is passed to CF/NS..NoCopy functions, the ownership is transferred unless the deallocator argument is set to 'kCFAllocatorNull'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151608 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
4c62b557e269a27515dfca1f754ae936c8fdb824 |
28-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] teach analyzer about ObjC literals, thus trimming out a false positive with the malloc() checker involving comparing literal addresses to nil. Fixes <rdar://problem/10579586> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151602 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
emRegion.cpp
tore.cpp
|
e739a29c62c67eaec0af5c4d5c75f9e8f11228bd |
28-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Don't generate an explicit ExplodedNode for StringLiterals; have the SVal lazily generated from Environment::getSVal(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151589 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xprEngine.cpp
|
d45d361f2ce5c37824052357e2218e8a5509eba5 |
27-Feb-2012 |
Argyrios Kyrtzidis <akyrtzi@gmail.com> |
Move "clang/Analysis/Support/SaveAndRestore.h" to "llvm/ADT/SaveAndRestore.h" to make it more widely available. Depends on llvm commit r151564 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151566 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
ff80afcfb2b00ccffcb6cb10528bec565fc59edd |
24-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Run remove dead bindings before each call. This ensures that we report the bugs associated with symbols going out of scope in the correct function context. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151369 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
e55b03a6e44b99c1cd77b8ea5e4d836c28948904 |
24-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] We were silently stopping exploring the path after visiting 'return;' statement! This most likely caused us to skip a bunch of code when analyzing with inlining. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151368 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
4ca8ac2e61c37ddadf37024af86f3e1019af8532 |
24-Feb-2012 |
Douglas Gregor <dgregor@apple.com> |
Implement a new type trait __is_trivially_constructible(T, Args...) that provides the behavior of the C++11 library trait std::is_trivially_constructible<T, Args...>, which can't be implemented purely as a library. Since __is_trivially_constructible can have zero or more arguments, I needed to add Yet Another Type Trait Expression Class, this one handling arbitrary arguments. The next step will be to migrate UnaryTypeTrait and BinaryTypeTrait over to this new, more general TypeTrait class. Fixes the Clang side of <rdar://problem/10895483> / PR12038. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151352 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
59950d3aa54ca5066b1fb08a8c79ebfe10e0919b |
24-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Make PathDiagnosticBuilder sensitive to varying LocationContexts, thus fixing a bug in the inlining diagnostics where the wrong location could be used. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151349 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
2042fc1f36d471f437023e8899f0c4fadded2341 |
24-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Reapply r151317, but when computing the PathDiagnostic profile and size keep into account the nested structure. Also fix a problem with how inlining impacted Plist diagnostics, and adjust some ranges in the Plist output due to richer information. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151346 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
68fbb3ee8ae374b6505885e907af92b30eef707f |
24-Feb-2012 |
Chad Rosier <mcrosier@apple.com> |
Revert r151317 - Rework PathDiagnostics creation.. - to appease buildbots. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151338 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
4970ef8e3527ac356c3e9fde0710561fcb63e424 |
24-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Rework PathDiagnostic creation so that call stacks are captured by a nested PathDiagnosticCallPiece. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151317 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
ca8e36eb637e232475ef31c3f22d5da907390917 |
23-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Malloc: unique leak reports by allocation site. When we find two leak reports with the same allocation site, report only one of them. Provide a helper method to BugReporter to facilitate this. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151287 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
0d389b819c33bdf0375694a8f141c8f02e002b18 |
23-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Invalidate the region passed to pthread_setspecific() call. Make this call an exception in ExprEngine::invalidateArguments: 'int pthread_setspecific(ptheread_key k, const void *)' stores a value into thread local storage. The value can later be retrieved with 'void *ptheread_getspecific(pthread_key)'. So even though the parameter is 'const void *', the region escapes through the call. (Here we just blacklist the call in the ExprEngine's default logic. Another option would be to add a checker which evaluates the call and triggers the call to invalidate regions.) Teach the Malloc Checker, which treats all system calls as safe about the API. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151220 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
ac1303eca6cbe3e623fb5ec6fe7ec184ef4b0dfa |
22-Feb-2012 |
Douglas Gregor <dgregor@apple.com> |
Generate an AST for the conversion from a lambda closure type to a block pointer that returns a block literal which captures (by copy) the lambda closure itself. Some aspects of the block literal are left unspecified, namely the capture variable (which doesn't actually exist) and the body (which will be filled in by IRgen because it can't be written as an AST). Because we're switching to this model, this patch also eliminates tracking the copy-initialization expression for the block capture of the conversion function, since that information is now embedded in the synthesized block literal. -1 side tables FTW. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151131 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
7f9b1d963d4b7e2faff7305733e3453130b402fe |
21-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Have ScanReachableSymbols report reachable regions. Fixes a false positive with nested array literals. <rdar://problem/10686586> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151012 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
rogramState.cpp
|
c93dc7889644293e318e19d82830ea2acc45b678 |
20-Feb-2012 |
Dylan Noblesmith <nobled@dreamwidth.org> |
Basic: import IntrusiveRefCntPtr<> into clang namespace The class name is long enough without the llvm:: added. Also bring in RefCountedBase and RefCountedBaseVPTR. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150958 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
99c06be61f13c6bfe41586b59f5747d644f1b2ac |
18-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Teach analyzer that blocks with no captures are globals. Fixes <rdar://problem/10348049>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150896 91177308-0d34-0410-b5e6-96231b3b80d8
emRegion.cpp
|
b673a41c92aa276f2e37164d0747be1cfb0c402b |
18-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Adopt ExprEngine and checkers to ObjC property refactoring. Everything was working, but now diagnostics are aware of message expressions implied by uses of properties. Fixes <rdar://problem/9241180>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150888 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
xprEngineObjC.cpp
bjCMessage.cpp
|
3133f79cf451e6302dd05262b4bb53a3e4fd6300 |
18-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Have conjured symbols depend on LocationContext, to add context sensitivity for functions called more than once. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150849 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
rogramState.cpp
egionStore.cpp
ValBuilder.cpp
ymbolManager.cpp
|
998e2754281b19bb1db19299ae16c2fd5947bcc0 |
17-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Generalize function name checking in CString checker. (Ex: It was not treating __inline_strcpy as strcpy. Will add tests that rely on this later on.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150845 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
|
bdd4c848349d4091d66b052efa453e6d69a77e36 |
16-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Add checker visitation hooks in ExprEngine::Visit() for common no-op expressions. To be used later. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150723 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
2ac58b7c09938bb28c51c7cd2deada609b75f94c |
16-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Revert "Move ExplodedNode reclamation out of ExprEngine and into CoreEngine. Also have it based on adding predecessors/successors, not node allocation. No measurable performance change." git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150722 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
|
437ee81e54f39c2363d5fe0ea155604c28adc615 |
16-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Move ExplodedNode reclamation out of ExprEngine and into CoreEngine. Also have it based on adding predecessors/successors, not node allocation. No measurable performance change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150720 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xplodedGraph.cpp
xprEngine.cpp
|
626719bd2c09e27fe7c182724a812d27f59e3819 |
16-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Minor cleanup to node data structures in ExplodedGraph. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150719 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xplodedGraph.cpp
|
2aed8b88613863f3c439cdfb205bdf8b608fb205 |
16-Feb-2012 |
Sebastian Redl <sebastian.redl@getdesigned.at> |
Revert "Revert "Make CXXNewExpr contain only a single initializer, and not hold the used constructor itself."" This reintroduces commit r150682 with a fix for the Bullet benchmark crash. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150685 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
1548d14f4092a817f7d90ad3e7a65266dc85fbc5 |
16-Feb-2012 |
Sebastian Redl <sebastian.redl@getdesigned.at> |
Revert "Make CXXNewExpr contain only a single initializer, and not hold the used constructor itself." It leads to a compiler crash in the Bullet benchmark. This reverts commit r12014. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150684 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
5f688f4b15d02aa7ad159c46b1f78fe59d412f12 |
16-Feb-2012 |
Sebastian Redl <sebastian.redl@getdesigned.at> |
Make CXXNewExpr contain only a single initializer, and not hold the used constructor itself. Holding the constructor directly makes no sense when list-initialized arrays come into play. The constructor is now held in a CXXConstructExpr, if construction is what is done. The new design can also distinguish properly between list-initialization and direct-initialization, as well as implicit default-initialization constructors and explicit value-initialization constructors. Finally, doing it this way removes redundance from the AST because CXXNewExpr doesn't try to handle both the allocation and the initialization responsibilities. This breaks the static analysis of new expressions. I've filed PR12014 to track this. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150682 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCXX.cpp
|
5a0917d1367115d5fddfe7551f8634759217b54b |
16-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Diagnostics: Ensure that the default end of diagnostic path piece can always be generated. The default end of diagnostic path piece was failing to generate on a BlockEdge that was outgoing from a basic block without a terminator, resulting in a very simple diagnostic being rendered (ex: no path highlighting or custom visitors). Reuse another function, which is essentially doing the same thing and correct it not to fail when a block has no terminator. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150659 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
athDiagnostic.cpp
|
4d4e5c1ae83f4510caa486b3ad19de13048f9f04 |
15-Feb-2012 |
John McCall <rjmccall@apple.com> |
Split reinterpret_casts of member pointers out from CK_BitCast; this is general goodness because representations of member pointers are not always equivalent across member pointer types on all ABIs (even though this isn't really standard-endorsed). Take advantage of the new information to teach IR-generation how to do these reinterprets in constant initializers. Make sure this works when intermingled with hierarchy conversions (although this is not part of our motivating use case). Doing this in the constant-evaluator would probably have been better, but that would require a *lot* of extra structure in the representation of constant member pointers: you'd really have to track an arbitrary chain of hierarchy conversions and reinterpretations in order to get this right. Ultimately, this seems less complex. I also wasn't quite sure how to extend the constant evaluator to handle foldings that we don't actually want to treat as extended constant expressions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150551 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
66c40400e7d6272b0cd675ada18dd62c1f0362c7 |
14-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Make Malloc Checker optimistic in presence of inlining. (In response to Ted's review of r150112.) This moves the logic which checked if a symbol escapes through a parameter to invalidateRegionCallback (instead of post CallExpr visit.) To accommodate the change, added a CallOrObjCMessage parameter to checkRegionChanges callback. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150513 91177308-0d34-0410-b5e6-96231b3b80d8
heckerManager.cpp
xprEngine.cpp
rogramState.cpp
|
9050e3ad959d08fb53446a5e261e66aaa97d9fc8 |
14-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove recursive expression visitation in ExprEngine::VisitIncrementDecrementOperator(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150511 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
a91ac5bae3944e0eed9ef25294dfb2b8681b8159 |
14-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove recursive visitation in ExprEngine for UO_Not, UO_Minus, UO_LNot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150509 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
224c48945b1687489a8079fb4fcc42b409823400 |
14-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove recursive visitation in ExprEngine for UO_Deref, UO_AddrOf, and UO_Extension. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150506 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
c1e08dc876d7944678214f0ba222e258d62c9953 |
14-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove ExprEngine recursive visitation of unary UO_Imag operation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150505 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
019316636b0a2d2273b945a98e52d454acee66ef |
14-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Further remove some recursive visitation in ExprEngine that is no longer needed because the CFG is fully linearized. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150504 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
10520d76044e8fff71d414f30c21b449fd104960 |
09-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Proactively avoid inlining vararg functions and blocks until we properly support them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150207 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
af84f8fea486dde096466e85f4bca7c8d3ff4571 |
08-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove explicit delete of PathDiagnosticMacroPiece, as it is now reference counted. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150110 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
802e02463b880f53a6e645bde78cc412481ce9e0 |
08-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Change PathDiagnosticPieces to be reference counted (simplifying their management), and introduce 'PathPieces' as a common container for PathDiagnosticPieces. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150054 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
|
eb2303c76971f3cc89bbb367ce77564ccb7042c1 |
08-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Refactor pieces of PathDiagnostic into its own data structure. No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150053 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
d7a3e2c5f61cd4893f95b69a424fe4def3aa0f69 |
07-Feb-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Revert my patches which removed Diagnostic.h includes by moving some operator overloads out of line. This seems to negatively affect compile time on some ObjC tests (which use a lot of partial diagnostics I assume). I have to come up with a way to keep them inline without including Diagnostic.h everywhere. Now adding a new diagnostic requires a full rebuild of e.g. the static analyzer which doesn't even use those diagnostics. This reverts commit 6496bd10dc3a6d5e3266348f08b6e35f8184bc99. This reverts commit 7af19b817ba964ac560b50c1ed6183235f699789. This reverts commit fdd15602a42bbe26185978ef1e17019f6d969aa7. This reverts commit 00bd44d5677783527d7517c1ffe45e4d75a0f56f. This reverts commit ef9b60ffed980864a8db26ad30344be429e58ff5. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150006 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
ugReporter.cpp
heckerRegistry.cpp
extPathDiagnostics.cpp
|
a59d20b135bfde058a5a69045bab5ec4e2553f74 |
07-Feb-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Print NamedDecls directly to a raw_ostream where possible. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149982 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
01d08018b7cf5ce1601707cfd7a84d22015fc04e |
07-Feb-2012 |
Douglas Gregor <dgregor@apple.com> |
Introduce basic ASTs for lambda expressions. This covers: - Capturing variables by-reference and by-copy within a lambda - The representation of lambda captures - The creation of the non-static data members in the lambda class that store the captured variables - The initialization of the non-static data members from the captured variables - Pretty-printing lambda expressions There are a number of FIXMEs, both explicit and implied, including: - Creating a field for a capture of 'this' - Improved diagnostics for initialization failures when capturing variables by copy - Dealing with temporaries created during said initialization - Template instantiation - AST (de-)serialization - Binding and returning the lambda expression; turning it into a proper temporary - Lots and lots of semantic constraints - Parameter pack captures git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149977 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngine.cpp
|
a6215b93c45ee5931536b57d10b987747143313b |
07-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Create PathDiagnosticCallEnter and PathDiagnosticCallExit, to remark calls in PathDiagnostics from other events. This will have potential uses later. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149960 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
|
5de4fdb8de700f95b0b863a9e5a4a508de17a034 |
07-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Tweak BugReporter extensive diagnostics to not add edges between function calls. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149959 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
|
b9201d2d138dca631cdc43f8e57d9e9e6248c25c |
07-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Quote name of function in path diagnostics. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149958 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
0cf3d471546251b12bdceff360f66c079c40526c |
07-Feb-2012 |
Ted Kremenek <kremenek@apple.com> |
Add basic BugReporter support for CallEnter/CallExit. WIP. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149939 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
f7ccbad5d9949e7ddd1cbef43d482553b811e026 |
05-Feb-2012 |
Dylan Noblesmith <nobled@dreamwidth.org> |
Basic: import SmallString<> into clang namespace (I was going to fix the TODO about DenseMap too, but that would break self-host right now. See PR11922.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149799 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
6f42b62b6194f53bcbc349f5d17388e1936535d7 |
05-Feb-2012 |
Dylan Noblesmith <nobled@dreamwidth.org> |
Basic: import OwningPtr<> into clang namespace git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149798 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
xplodedGraph.cpp
listDiagnostics.cpp
egionStore.cpp
|
8fe83e1df954d72c0f4ffc15d20a5222ec151c21 |
04-Feb-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Move a method from IdentifierTable.h out of line and remove the SmallString include. Fix all the transitive include users. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149783 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
|
fdd15602a42bbe26185978ef1e17019f6d969aa7 |
04-Feb-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Remove Diagnostic.h include from Preprocessor.h. - Move the offending methods out of line and fix transitive includers. - This required changing an enum in the PPCallback API into an unsigned. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149782 91177308-0d34-0410-b5e6-96231b3b80d8
extPathDiagnostics.cpp
|
00bd44d5677783527d7517c1ffe45e4d75a0f56f |
04-Feb-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
Move various diagnostic operator<< overloads out of line and remove includes of Diagnostic.h. Fix all the files that depended on transitive includes of Diagnostic.h. With this patch in place changing a diagnostic no longer requires a full rebuild of the StaticAnalyzer. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149781 91177308-0d34-0410-b5e6-96231b3b80d8
nalysisManager.cpp
ugReporter.cpp
heckerRegistry.cpp
|
84aac9acc7a73360a7553c46f8da72773adbdd17 |
01-Feb-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a crash in CheckerContext::isCLibraryFunction for C++ declarations with special names. A patch by Dmitri Gribenko. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149525 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
|
e00575f12cf280621ef0ed4d69e909bdfc9fef62 |
31-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add checks for common anti-patterns in strncat. (Since this is syntax only, might be a good candidate for turning into a compiler warning.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149407 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
|
a5888f61be9f8d76e9b48a453dbced50523bd2e0 |
31-Jan-2012 |
Argyrios Kyrtzidis <akyrtzi@gmail.com> |
Reapply r149311 which I reverted by mistake. Original log: Convert ProgramStateRef to a smart pointer for managing the reference counts of ProgramStates. This leads to a slight memory improvement, and a simplification of the logic for managing ProgramState objects. # Please enter the commit message for your changes. Lines starting git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149339 91177308-0d34-0410-b5e6-96231b3b80d8
hecker.cpp
xprEngine.cpp
rogramState.cpp
|
b9b0f6fb6e113b5e6be3ed9754c4bf01186a17bf |
31-Jan-2012 |
Argyrios Kyrtzidis <akyrtzi@gmail.com> |
Revert r149311 which failed to compile. Original log: Convert ProgramStateRef to a smart pointer for managing the reference counts of ProgramStates. This leads to a slight memory improvement, and a simplification of the logic for managing ProgramState objects. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149336 91177308-0d34-0410-b5e6-96231b3b80d8
hecker.cpp
xprEngine.cpp
rogramState.cpp
|
841c96a885789afea9d32d1d842033768c6d2b19 |
31-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Minor refactor within ExplodedGraph::reclaimRecentlyAllocatedNodes(). No functionality change. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149320 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
72e93068c9f2a2f05f5932cdd917c0d2961f11d9 |
31-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Convert ProgramStateRef to a smart pointer for managing the reference counts of ProgramStates. This leads to a slight memory improvement, and a simplification of the logic for managing ProgramState objects. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149311 91177308-0d34-0410-b5e6-96231b3b80d8
hecker.cpp
xprEngine.cpp
rogramState.cpp
|
af5f550de34525b27f0ff31dafce792caf8158b6 |
30-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add index out of bounds check for CFArrayGetArrayAtIndex. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149228 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
c35fb7d67d515659ad2325b4f6ec97c9fe64fb63 |
28-Jan-2012 |
Benjamin Kramer <benny.kra@googlemail.com> |
StaticAnalyzer: Move ObjC- and CXX-specific methods out of line so checkers that don't care about the language don't have to pull in all the headers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149178 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
nvironment.cpp
xprEngineCXX.cpp
xprEngineObjC.cpp
emRegion.cpp
ValBuilder.cpp
tore.cpp
|
8bef8238181a30e52dea380789a7e2d760eac532 |
26-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Change references to 'const ProgramState *' to typedef 'ProgramStateRef'. At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@149081 91177308-0d34-0410-b5e6-96231b3b80d8
asicConstraintManager.cpp
ugReporter.cpp
ugReporterVisitors.cpp
heckerContext.cpp
heckerManager.cpp
oreEngine.cpp
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineC.cpp
xprEngineCXX.cpp
xprEngineCallAndReturn.cpp
xprEngineObjC.cpp
rogramState.cpp
angeConstraintManager.cpp
egionStore.cpp
ValBuilder.cpp
impleConstraintManager.cpp
impleConstraintManager.h
impleSValBuilder.cpp
tore.cpp
|
bac341346f3c8e713a8f165120fd54b500ee3189 |
26-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Rework flushing of diagnostics to PathDiagnosticConsumer. Now all the reports are batched up before being flushed to the underlying consumer implementation. This allows us to unique reports across analyses to multiple functions (which shows up with inlining). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148997 91177308-0d34-0410-b5e6-96231b3b80d8
TMLDiagnostics.cpp
athDiagnostic.cpp
listDiagnostics.cpp
extPathDiagnostics.cpp
|
d2e7090f97042ba8272f4f27ac243d8bf4151ecd |
25-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Post open source analyzer build checker-259. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148988 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporterVisitors.cpp
|
9d0064e802e81d0833e8ccab8978b17c0bac3625 |
25-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Reduce peak memory usage of the static analyzer on sqlite3 (when using inlining) by 30%. This is accomplished by periodically reclaiming nodes in the graph. This was an optimization done before the CFG was linearized, but the CFG linearization destroyed that optimization since each freshly created node couldn't be reclaimed and we only looked at a window of nodes created between each ProcessStmt. This optimization can be reclaimed by merely expanding the window to N number of nodes. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148888 91177308-0d34-0410-b5e6-96231b3b80d8
xplodedGraph.cpp
|
3026348bd4c13a0f83b59839f64065e0fcbea253 |
20-Jan-2012 |
David Blaikie <dblaikie@gmail.com> |
More dead code removal (using -Wunreachable-code) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148577 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
nvironment.cpp
xprEngine.cpp
impleConstraintManager.cpp
|
be97b7edb112520d764c24e8b9a159cdc692bcb6 |
20-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Skip casts when determining taint dependencies + pretty printing. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148517 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
461af1e502c9bd88330bbf17d449a7593fc0d624 |
20-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add a utility method that allows to find the macro name used at the given location. This could be useful when checkers' logic depends on whether a function is called with a given macro argument. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148516 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
|
9b0c749a20d0f7d0e63441d76baa15def3f37fdb |
18-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Taint: add taint propagation rules for string and memory copy functions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148370 91177308-0d34-0410-b5e6-96231b3b80d8
heckerContext.cpp
|
561d3abc881033776ece385a01a510e1cbc1fa92 |
17-Jan-2012 |
David Blaikie <dblaikie@gmail.com> |
Remove unnecessary default cases in switches over enums. This allows -Wswitch-enum to find switches that need updating when these enums are modified. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148281 91177308-0d34-0410-b5e6-96231b3b80d8
Vals.cpp
|
7a7ee3033e44b45630981355460ef89efa0bdcc4 |
16-Jan-2012 |
David Chisnall <csdavec@swan.ac.uk> |
Some improvements to the handling of C11 atomic types: - Add atomic-to/from-nonatomic cast types - Emit atomic operations for arithmetic on atomic types - Emit non-atomic stores for initialisation of atomic types, but atomic stores and loads for every other store / load - Add a __atomic_init() intrinsic which does a non-atomic store to an _Atomic() type. This is needed for the corresponding C11 stdatomic.h function. - Enables the relevant __has_feature() checks. The feature isn't 100% complete yet, but it's done enough that we want people testing it. Still to do: - Make the arithmetic operations on atomic types (e.g. Atomic(int) foo = 1; foo++;) use the correct LLVM intrinsic if one exists, not a loop with a cmpxchg. - Add a signal fence builtin - Properly set the fenv state in atomic operations on floating point values - Correctly handle things like _Atomic(_Complex double) which are too large for an atomic cmpxchg on some platforms (this requires working out what 'correctly' means in this context) - Fix the many remaining corner cases git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148242 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineC.cpp
|
52e4c60e31fee851e2988f7909aebf488e57fc12 |
16-Jan-2012 |
David Blaikie <dblaikie@gmail.com> |
Refactor variables unused under non-assert builds. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148229 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
b71d1570417d81de7b064ad788bea690e2c89111 |
13-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Unwrap the pointers when ignoring the const cast. radar://10686991 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148081 91177308-0d34-0410-b5e6-96231b3b80d8
ValBuilder.cpp
|
ce8ef16b1c58a304b7b59fad9836ad32d6ed020c |
13-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] RegionStoreManager::getBinding() should not crash when looking up value at a CodeTextRegion even when the type is not provided. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148079 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
dba241df071c4a15ac97e5cadd2d581998662809 |
13-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix a typo in a warning message. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148078 91177308-0d34-0410-b5e6-96231b3b80d8
listDiagnostics.cpp
|
0849ade4bb3e90c2fc0ce01ccd330f76f91da732 |
12-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] fix inlining's handling of mapping actual to formal arguments and limit the call stack depth. The analyzer can now accurately simulate factorial for limited depths. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148036 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
rogramState.cpp
egionStore.cpp
tore.cpp
|
1437425a62dbf7bdb0a855d3ed3b05ed2019ec1e |
12-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Rename Store::Retrieve() -> getBinding(). + all the other Retrieve..() methods + a comment for ElementRegion. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148011 91177308-0d34-0410-b5e6-96231b3b80d8
egionStore.cpp
|
256ef642f8feef22fd53be7efa868e8e34752eed |
11-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove '#if 0' from ExprEngine::InlineCall(), and start fresh by wiring up inlining for straight C calls. My hope is to reimplement this from first principles based on the simplifications of removing unneeded node builders and re-evaluating how C++ calls are handled in the CFG. The hope is to turn inlining "on-by-default" as soon as possible with a core set of things working well, and then expand over time. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147904 91177308-0d34-0410-b5e6-96231b3b80d8
nvironment.cpp
xplodedGraph.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
f660f4b1bedd6b614acf52108894b805b807c50d |
10-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Make PathDiagnosticLocation more resilient to null Stmt pointers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147854 91177308-0d34-0410-b5e6-96231b3b80d8
athDiagnostic.cpp
|
9f03b62036a7abc0a227b17f4a49b9eefced9450 |
07-Jan-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Add basic format string vulnerability checking. We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147714 91177308-0d34-0410-b5e6-96231b3b80d8
rogramState.cpp
|
3070e13dca5bbefa32acb80ce4a7b217a6220983 |
07-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Remove CallEnterNodeBuilder and simplify ExprEngine::processCallEnter(). This removes analysis of other translation units, but that was an experimental feature anyway that we will revisit later. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147705 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngine.cpp
xprEngineCallAndReturn.cpp
|
242384ddb0e0b65dd7e9e0ac0cf3c31cf98b06a6 |
07-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
Correctly enqueue successors in ExprEngine::processCallExit(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147698 91177308-0d34-0410-b5e6-96231b3b80d8
xprEngineCallAndReturn.cpp
|
894212e9510299abb203801e014fec76b7926a05 |
07-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Remove CallExitNodeBuilder, and have ExprEngine::processCallExit() do the work manually. This is a nice simplification. Along the way, fix ExprEngine::processCallExit() to also perform the postStmt callback for checkers for CallExprs. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147697 91177308-0d34-0410-b5e6-96231b3b80d8
oreEngine.cpp
xprEngineCallAndReturn.cpp
|
5eca482fe895ea57bc82410222e6426c09e63284 |
06-Jan-2012 |
Ted Kremenek <kremenek@apple.com> |
[analyzer] Make the entries in 'Environment' context-sensitive by making entries map from (Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals. This is needed to support basic IPA via inlining. Without this, we cannot tell if a Stmt* binding is part of the current analysis scope (StackFrameContext) or part of a parent context. This change introduces an uglification of the use of getSVal(), and thus takes two steps forward and one step back. There are also potential performance implications of enlarging the Environment. Both can be addressed going forward by refactoring the APIs and optimizing the internal representation of Environment. This patch mainly introduces the functionality upon which we want to build (and clean up). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147688 91177308-0d34-0410-b5e6-96231b3b80d8
ugReporter.cpp
ugReporterVisitors.cpp
heckerContext.cpp
nvironment.cpp
xprEngine.cpp
xprEngineC.cpp
xp |