9122025df6682a29ba4bdfc4330d2caebb8ea4de |
|
20-Jun-2013 |
Pavel Labath <labath@google.com> |
Fix static analyzer crash when casting from an incomplete type

Summary: When doing a reinterpret+dynamic cast from an incomplete type, the analyzer would crash (bug #16308). This fix makes the dynamic cast evaluator ignore incomplete types, as they can never be used in a dynamic_cast. Also adding a regression test.

CC: cfe-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1006

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184403 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
f2edbec1d9817df109304f9c19ae2b34fec1feea |
|
22-Apr-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Treat reinterpret_cast like a base cast in certain cases.

The analyzer represents all pointer-to-pointer bitcasts the same way, but this can be problematic if an implicit base cast gets layered on top of a manual base cast (performed with reinterpret_cast instead of static_cast). Fix this (and avoid a valid assertion) by looking through cast regions.

Using reinterpret_cast this way is only valid if the base class is at the same offset as the derived class; this is checked by -Wreinterpret-base-class. In the interest of performance, the analyzer doesn't repeat this check anywhere; it will just silently do the wrong thing (use the wrong offsets for fields of the base class) if the user code is wrong.

PR15394

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180052 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
ae7396c3891748762d01431e16541b3eb9125c4d |
|
22-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't canonicalize the RecordDecl used in CXXBaseObjectRegion.

This Decl shouldn't be the canonical Decl; it should be the Decl used by the CXXBaseSpecifier in the subclass. Unfortunately, that means continuing to throw getCanonicalDecl() on all comparisons.

This fixes MemRegion::getAsOffset's use of ASTRecordLayout when redeclarations are involved.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175913 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
11f0cae4bf4f62dcc706d33c1f795d460cd64816 |
|
21-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Tighten up safety in the use of lazy bindings.

- When deciding if we can reuse a lazy binding, make sure to check if there are additional bindings in the sub-region.
- When reading from a lazy binding, don't accidentally strip off casts or base object regions. This slows down lazy binding reading a bit but is necessary for type sanity when treating one class as another.

A bit of minor refactoring allowed these two checks to be unified in a nice early-return-using helper function.

<rdar://problem/13239840>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175703 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
65f991ccbec43b4a860f70594c92528ee8fb7c6f |
|
19-Feb-2013 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't accidentally strip off base object regions for lazy bindings.

If a base object is at a 0 offset, RegionStoreManager may find a lazy binding for the entire object, then try to attach a FieldRegion or grandparent CXXBaseObjectRegion on top of that (skipping the intermediate region). We now preserve as many layers of base object regions necessary to make the types match.

<rdar://problem/13239840>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175556 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
bfa9ab8183e2fdc74f8633d758cb0c6201314320 |
|
25-Jan-2013 |
Anna Zaks <ganna@apple.com> |
[analyzer] Replace "-analyzer-ipa" with "-analyzer-config ipa".

The idea is to eventually place all analyzer options under "analyzer-config". In addition, this lays the ground for introduction of a high-level analyzer mode option, which will influence the default setting for IPAMode.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173385 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
ee04959f88e26ed38dccf4aed2ff10cad1f703c9 |
|
21-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] -analyzer-ipa=inlining is now the default. Remove it from tests.

The actual change here is a little more complicated than the summary above. What we want to do is have our generic inlining tests run under whatever mode is the default. However, there are some tests that depend on the presence of C++ inlining, which still has some rough edges.

These tests have been explicitly marked as -analyzer-ipa=inlining in preparation for a new mode that limits inlining to C functions and blocks. This will be the default until the false positives for C++ have been brought down to manageable levels.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162317 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
0a5629812019ce8bef86ade5425ac261bb544fd8 |
|
14-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Handle dynamic_casts that turn out to be upcasts.

This can occur with multiple inheritance, which jumps from one parent to the other, and with virtual inheritance, since virtual base regions always wrap the actual object and can't be nested within other base regions.

This also exposed some incorrect logic for multiple inheritance: even if B is known not to derive from C, D might still derive from both of them.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161798 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
b11a3ada9a22e146c6edd33bcc6301e221fedd7a |
|
14-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Don't strip CXXBaseObjectRegions when checking dynamic_casts.

...and /do/ strip CXXBaseObjectRegions when casting to a virtual base class.

This allows us to enforce the invariant that a CXXBaseObjectRegion can always provide an offset for its base region if its base region has a known class type, by only allowing virtual bases and direct non-virtual bases to form CXXBaseObjectRegions.

This does mean some slight problems for our modeling of dynamic_cast, which needs to be resolved by finding a path from the current region to the class we're trying to cast to.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161797 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
2c5f8d79ed128892fa548a3308a938a3a53fbb5e |
|
09-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] A CXXBaseObjectRegion should correspond to a DIRECT base.

An ASTContext's RecordLayoutInfo can only be used to look up offsets of direct base classes, and we need the offset to make non-symbolic bindings in RegionStore. This change makes sure that we have one layer of CXXBaseObjectRegion for each base we are casting through.

This was causing crashes on an internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161621 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
c4d2c9074be6eb2091086eddd6c8f052f3b245c8 |
|
28-Feb-2011 |
Argyrios Kyrtzidis <akyrtzi@gmail.com> |
[analyzer] Remove '-analyzer-check-objc-mem' flag, the nominee for best misnomer award.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@126676 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|
4fd56816e0925c04f2c92e75399f5c9018d5d6fb |
|
26-Nov-2010 |
Zhongxing Xu <xuzhongxing@gmail.com> |
Regionstore: support derived-to-base cast by creating a CXXBaseObjectRegion.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@120173 91177308-0d34-0410-b5e6-96231b3b80d8
/external/clang/test/Analysis/derived-to-base.cpp
|