Cross Reference: /external/clang/test/Analysis/inlining/

History log of /external/clang/test/Analysis/inlining/
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
ef8225444452a1486bd721f3285301fe84643b00	21-Jul-2014	Stephen Hines <srhines@google.com>	Update Clang for rebase to r212749. This also fixes a small issue with arm_neon.h not being generated always. Includes a cherry-pick of: r213450 - fixes mac-specific header issue r213126 - removes a default -Bsymbolic on Android Change-Id: I2a790a0f5d3b2aab11de596fc3a74e7cbc99081d ontainers.cpp ath-notes.cpp
651f13cea278ec967336033dd032faef0e9fc2ec	24-Apr-2014	Stephen Hines <srhines@google.com>	Updated to Clang 3.5a. Change-Id: I8127eb568f674c2e72635b639a3295381fe8af82 yn-dispatch-bifurcate.cpp ath-notes.cpp tl.cpp
fda9dbf1f4d15baaedffdd4b4bb529e06172f73d	15-Nov-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Silence warnings coming from allocators used by std::basic_string. This is similar to r194004: because we can't reason about the data structure invariants of std::basic_string, the analyzer decides it's possible for an allocator to be used to deallocate the string's inline storage. Just ignore this by walking up the stack, skipping past methods in classes with "allocator" in the name, and seeing if we reach std::basic_string that way. PR17866 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194764 91177308-0d34-0410-b5e6-96231b3b80d8 tl.cpp
bdc0bf3f84b8771572d8401c66903c56a2e1318e	04-Nov-2013	Anna Zaks <ganna@apple.com>	[analyzer] Suppress warnings coming out of std::basic_string. The analyzer cannot reason about the internal invariances of the data structure (radar://15194597). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@194004 91177308-0d34-0410-b5e6-96231b3b80d8 tl.cpp
2a648169f9ad854536814515cba1780fd02586d2	31-Oct-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Don't crash when a path goes through a 'delete' destructor call. This was just left unimplemnted from r191381; the fix is to report this call location as the location of the 'delete' expr. PR17746 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@193783 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
9b072b31ee2f41b8e30d1d22142c9ab72ac5ff1f	28-Sep-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Make inlining decisions based on the callee being variadic. ...rather than trying to figure it out from the call site, and having people complain that we guessed wrong and that a prototype-less call is the same as a variadic call on their system. More importantly, fix a crash when there's no decl at the call site (though we could have just returned a default value). <rdar://problem/15037033> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@191599 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCClassMethod.m
d8188f8ad5d584b5f6e1f58e5a4882586cc630d4	02-Aug-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Don't process autorelease counts in synthesized function bodies. We process autorelease counts when we exit functions, but if there's an issue in a synthesized body the report will get dropped. Just skip the processing for now and let it get handled when the caller gets around to processing autoreleases. (This is still suboptimal: objects autoreleased in the caller context should never be warned about when exiting a callee context, synthesized or not.) Second half of <rdar://problem/14611722> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187625 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
cd007b18ba218925923a82ad4462fecf903f4a93	02-Aug-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Silently drop all reports within synthesized bodies. Much of our diagnostic machinery is set up to assume that the report end path location is valid. Moreover, the user may be quite confused when something goes wrong in our BodyFarm-synthesized function bodies, which may be simplified or modified from the real implementations. Rather than try to make this all work somehow, just drop the report so that we don't try to go on with an invalid source location. Note that we still handle reports whose /paths/ go through invalid locations, just not those that are reported in one. We do have to be careful not to lose warnings because of this. The impetus for this change was an autorelease being processed within the synthesized body, and there may be other possible issues that are worth reporting in some way. We'll take these as they come, however. <rdar://problem/14611722> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@187624 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
8b625a3f7764959d0a2ac3cd860ce1e168e0fc9b	04-Jul-2013	Anna Zaks <ganna@apple.com>	[analyzer] Suppress reports reported in std::list The motivation is to suppresses false use-after-free reports that occur when calling std::list::pop_front() or std::list::pop_back() twice. The analyzer does not reason about the internal invariants of the list implementation, so just do not report any of warnings in std::list. Fixes radar://14317928. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185609 91177308-0d34-0410-b5e6-96231b3b80d8 tl.cpp
7f79b78351af03a392ee16d8ec557d47746c33c6	04-Jul-2013	Anna Zaks <ganna@apple.com>	[analyzer] Make sure that inlined defensive checks work on div by zero. This suppresses a false positive in std::hash_map. Fixes radar://14255587. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@185608 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c nline-defensive-checks.c
053c88bd93e6b2f4e498fd835155f955127d3489	21-Jun-2013	Jordan Rose <jordan_rose@apple.com>	Revert "[analyzer] Handle zeroing CXXConstructExprs." Per review from Anna, this really should have been two commits, and besides it's causing problems on our internal buildbot. Reverting until these have been worked out. This reverts r184511 / 98123284826bb4ce422775563ff1a01580ec5766. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184561 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
98123284826bb4ce422775563ff1a01580ec5766	21-Jun-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Handle zeroing CXXConstructExprs. Certain expressions can cause a constructor invocation to zero-initialize its object even if the constructor itself does no initialization. The analyzer now handles that before evaluating the call to the constructor, using the same "default binding" mechanism that calloc() uses, rather than simply ignoring the zero-initialization flag. As a bonus, trivial default constructors are now no longer inlined; they are instead processed explicitly by ExprEngine. This has a (positive) effect on the generated path edges: they no longer stop at a default constructor call unless there's a user-provided implementation. <rdar://problem/14212563> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184511 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
048eeea6852043990c87e52938b53b5337bd098e	04-Jun-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Enable the new edge algorithm by default. ...but don't yet migrate over the existing plist tests. Some of these would be trivial to migrate; others could use a bit of inspection first. In any case, though, the new edge algorithm seems to have proven itself, and we'd like more coverage (and more usage) of it going forwards. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183165 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.c ager-reclamation-path-notes.cpp ath-notes.c ath-notes.cpp ath-notes.m
b9814c867e69d542ea6b90c756814dab462019c7	24-May-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Fix test for r182677. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182678 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
d474da062565596015558856333423199aed5eb1	24-May-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Treat analyzer-synthesized function bodies like implicit bodies. When generating path notes, implicit function bodies are shown at the call site, so that, say, copying a POD type in C++ doesn't jump you to a header file. This is especially important when the synthesized function itself calls another function (or block), in which case we should try to jump the user around as little as possible. By checking whether a called function has a body in the AST, we can tell if the analyzer synthesized the body, and if we should therefore collapse the call down to the call site like a true implicitly-defined function. <rdar://problem/13978414> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182677 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
14040142a3b3c1029092bc1f7c51e347c3fa8f89	15-May-2013	Fariborz Jahanian <fjahanian@apple.com>	improve of note message and minor refactoring of my last patch (r181847). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181896 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m
9f00b1d3962147a2fe049b8b45f70680bc12fbc1	15-May-2013	Fariborz Jahanian <fjahanian@apple.com>	Objective-C [diagnostics] [QOI], when method is not found for a receiver, note where receiver class is declaraed (this is most common when receiver is a forward class). // rdar://3258331 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181847 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m
ef202c35b37c137e32fe30f4453915b6d3b525d7	14-May-2013	Anna Zaks <ganna@apple.com>	[analyzer] Refactor: address Jordan’s code review of r181738. (Modifying the checker to record that the values are no longer nil will be done separately.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181744 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
636478e288b88396d860f6b01b48b47953e3d5e9	07-May-2013	Anna Zaks <ganna@apple.com>	[analyzer] Fix a crash triggered by printing a note on a default argument Instead, use the location of the call to print the note. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181337 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
2faee99ab67105e834d11df7db80a78a3e3ed37b	03-May-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Check the stack frame when looking for a var's initialization. FindLastStoreBRVisitor is responsible for finding where a particular region gets its value; if the region is a VarRegion, it's possible that value was assigned at initialization, i.e. at its DeclStmt. However, if a function is called recursively, the same DeclStmt may be evaluated multiple times in multiple stack frames. FindLastStoreBRVisitor was not taking this into account and just picking the first one it saw. <rdar://problem/13787723> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180997 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
dcd6224911e234ab3657b7d0b79a2add1ae4fdd8	03-May-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Fix trackNullOrUndef when tracking args that have nil receivers. There were actually two bugs here: - if we decided to look for an interesting lvalue or call expression, we wouldn't go find its node if we also knew we were at a (different) call. - if we looked through one message send with a nil receiver, we thought we were still looking at an argument to the original call. Put together, this kept us from being able to track the right values, which means sub-par diagnostics and worse false-positive suppression. Noticed by inspection. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180996 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.m ath-notes.m
776d3bb65c90278b9c65544b235d2ac40aea1d6e	02-May-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Don't inline the [cd]tors of C++ iterators. This goes with r178516, which instructed the analyzer not to inline the constructors and destructors of C++ container classes. This goes a step further and does the same thing for iterators, so that the analyzer won't falsely decide we're trying to construct an iterator pointing to a nonexistent element. The heuristic for determining whether something is an iterator is the presence of an 'iterator_category' member. This is controlled under the same -analyzer-config option as container constructor/destructor inlining: 'c++-container-inlining'. <rdar://problem/13770187> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180890 91177308-0d34-0410-b5e6-96231b3b80d8 ontainers.cpp
0f8579274a010f360a371b53101859d9d6052314	24-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Refactor BugReport::getLocation and PathDiagnosticLocation::createEndOfPath for greater code reuse The 2 functions were computing the same location using different logic (each one had edge case bugs that the other one did not). Refactor them to rely on the same logic. The location of the warning reported in text/command line output format will now match that of the plist file. There is one change in the plist output as well. When reporting an error on a BinaryOperator, we use the location of the operator instead of the beginning of the BinaryOperator expression. This matches our output on command line and looks better in most cases. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180165 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.c ath-notes.c ath-notes.cpp ath-notes.m
fbc4444eb2675934b44f3720ef9a5f368ecbeb0a	22-Apr-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Type information from C++ new expressions is perfect. This improves our handling of dynamic_cast and devirtualization for objects allocated by 'new'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@180051 91177308-0d34-0410-b5e6-96231b3b80d8 yn-dispatch-bifurcate.cpp
8ef064d53fb33b5a8f8743bcbb0a2fd5c3e97be1	20-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Ensure BugReporterTracking works on regions with pointer arithmetic Introduce a new helper function, which computes the first symbolic region in the base region chain. The corresponding symbol has been used for assuming that a pointer is null. Now, it will also be used for checking if it is null. This ensures that we are tracking a null pointer correctly in the BugReporter. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179916 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.c
10391c2890be5309d8b166507a0ed967eb9e5586	20-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Correct the comment git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179914 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
62fba4f08af16ff17b5cbe8816061349504317e4	18-Apr-2013	Ted Kremenek <kremenek@apple.com>	[analyzer] Refine 'nil receiver' diagnostics to mention the name of the method not called. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179776 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
86f1745be24c834175e7a8a51b12f9a0063d532e	18-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Tweak getDerefExpr more to track DeclRefExprs to references. In the committed example, we now see a note that tells us when the pointer was assumed to be null. This is the only case in which getDerefExpr returned null (failed to get the dereferenced expr) throughout our regression tests. (There were multiple occurrences of this one.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179736 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
1e1d011874340f33b807ac90609424f90f72488a	18-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Improve dereferenced expression tracking for MemberExpr with a dot and non-reference base git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179734 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
441625e6c7f8bf58e62a284ae1f855dafde31ec2	18-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Gain more precision retrieving the right SVal by specifying the type of the expression. Thanks to Jordan for suggesting the fix. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179732 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
07d8470effc0b0364801adddb6ff92bd22334402	16-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Add pretty printing to CXXBaseObjectRegion. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179573 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
79d0cceb8847bfe6dc9da8eb2ea2f3c6bb73b813	16-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Address code review for r179395 Mostly refactoring + handle the nested fields by printing the innermost field only. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179572 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
82dd4396fcd2517d06382b7170f393d1b6351c7f	16-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Add more specialized error messages for corner cases as per Jordan's code review for r179396 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179571 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
8713e1a5c3f6658d54061e176b5baa9fadf14675	12-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Print a diagnostic note even if the region cannot be printed. There are few cases where we can track the region, but cannot print the note, which makes the testing limited. (Though, I’ve tested this manually by making all regions non-printable.) Even though the applicability is limited now, the enhancement will be more relevant as we start tracking more regions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179396 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
9e2f5977a180ae927d05e844c65b8a7873be48a4	12-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer]Print field region even when the base region is not printable git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179395 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
7be2245487f9cd7d04f013db92280d9ccd323586	12-Apr-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Show "Returning from ..." note at caller's depth, not callee's. Before: 1. Calling 'foo' 2. Doing something interesting 3. Returning from 'foo' 4. Some kind of error here After: 1. Calling 'foo' 2. Doing something interesting 3. Returning from 'foo' 4. Some kind of error here The location of the note is already in the caller, not the callee, so this just brings the "depth" attribute in line with that. This only affects plist diagnostic consumers (i.e. Xcode). It's necessary for Xcode to associate the control flow arrows with the right stack frame. <rdar://problem/13634363> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179351 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.cpp ath-notes.c ath-notes.cpp ath-notes.m
3ea09a802f973c2726b2a489ae08a4bded93410b	12-Apr-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Don't emit extra context arrow after returning from an inlined call. In this code int getZero() { return 0; } void test() { int problem = 1 / getZero(); // expected-warning {{Division by zero}} } we generate these arrows: +-----------------+ \| v int problem = 1 / getZero(); ^ \| +---+ where the top one represents the control flow up to the first call, and the bottom one represents the flow to the division.* It turns out, however, that we were generating the top arrow twice, as if attempting to "set up context" after we had already returned from the call. This resulted in poor highlighting in Xcode. * Arguably the best location for the division is the '/', but that's a different problem. <rdar://problem/13326040> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179350 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.c ager-reclamation-path-notes.cpp ath-notes.c ath-notes.cpp ath-notes.m
4b69feb6d90eb120d04f5d54f6b28cc295a46098	06-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Fix null tracking for the given test case, by using the proper state and removing redundant code. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178933 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.cpp
610f79cbab4d752349b5c81a94682a6a82b102e7	05-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Show path diagnostic for C++ initializers Also had to modify the PostInitializer ProgramLocation to contain the field region. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178826 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
702077f14100f2d7acdb12ad49b53e64efc37d72	03-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Allow tracknullOrUndef look through the ternary operator even when condition is unknown Improvement of r178684 and r178685. Jordan has pointed out that I should not rely on the value of the condition to know which expression branch has been taken. It will not work in cases the branch condition is an unknown value (ex: we do not track the constraints for floats). The better way of doing this would be to find out if the current node is the right or left successor of the node that has the ternary operator as a terminator (which is how this is done in other places, like ConditionBRVisitor). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178701 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
cabc3fddae63f5eb3bd44bdecce7a3fbd69421a9	03-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] make peelOffOuterExpr in BugReporterVisitors recursively peel off select Exprs git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178685 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
c1bef5671e682de5a573c7c6b66871b36de0ec61	03-Apr-2013	Anna Zaks <ganna@apple.com>	[analyzer] Properly handle the ternary operator in trackNullOrUndefValue 1) Look for the node where the condition expression is live when checking if it is constrained to true or false. 2) Fix a bug in ProgramState::isNull, which was masking the problem. When the expression is not a symbol (,which is the case when it is Unknown) return unconstrained value, instead of value constrained to “false”! (Thankfully other callers of isNull have not been effected by the bug.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178684 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
c63a460d78a7625ff38d2b3580f78030c44f07db	02-Apr-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] For now, don't inline [cd]tors of C++ containers. This is a heuristic to make up for the fact that the analyzer doesn't model C++ containers very well. One example is modeling that 'std::distance(I, E) == 0' implies 'I == E'. In the future, it would be nice to model this explicitly, but for now it just results in a lot of false positives. The actual heuristic checks if the base type has a member named 'begin' or 'iterator'. If so, we treat the constructors and destructors of that type as opaque, rather than inlining them. This is intended to drastically reduce the number of false positives reported with experimental destructor support turned on. We can tweak the heuristic in the future, but we'd rather err on the side of false negatives for now. <rdar://problem/13497258> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178516 91177308-0d34-0410-b5e6-96231b3b80d8 ontainers.cpp tl.cpp
84e8a960ad76b3c7ca550b4cc92a1b90ed16d5c1	29-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] Address Jordan’s review of r178309 - do not register an extra visitor for nil receiver We can check if the receiver is nil in the node that corresponds to the StmtPoint of the message send. At that point, the receiver is guaranteed to be live. We will find at least one unreclaimed node due to my previous commit (look for StmtPoint instead of PostStmt) and the fact that the nil receiver nodes are tagged. + a couple of extra tests. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178381 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.m
aabb4c5eacca6d78ef778f33ec5cd4c755d71a39	29-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] Apply the suppression rules to the nil receiver only if the value participates in the computation of the nil we warn about. We should only suppress a bug report if the IDCed or null returned nil value is directly related to the value we are warning about. This was not the case for nil receivers - we would suppress a bug report that had an IDCed nil receiver on the path regardless of how it’s related to the warning. 1) Thread EnableNullFPSuppression parameter through the visitors to differentiate between tracking the value which is directly responsible for the bug and other values that visitors are tracking (ex: general tracking of nil receivers). 2) in trackNullOrUndef specifically address the case when a value of the message send is nil due to the receiver being nil. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178309 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.m
03af377b2755fb2ddb0621dea5dd91cd5fda631d	22-Mar-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Fix test to actually test what was intended. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177763 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.cpp
f510f5cd57fa9b7ea6f6e103c65c0df95a55d986	16-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] BugReporterVisitors: handle the case where a ternary operator is wrapped in a cast. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177205 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
6a15f39a6bfd7a30085c5fa8f67d0b64b74b132a	15-Mar-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Look through ExprWhenCleanups when trying to track a NULL. Silences a few false positives in LLVM. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177186 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.cpp
dc9c160dede7e2f5cc11755db6aaa57e7fccbcec	15-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] Teach trackNullOrUndef to look through ternary operators Allows the suppression visitors trigger more often. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177137 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
a4bb4f6ca8dd31ad96cb9526a5abe1273f18ff40	14-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] Change the way in which IDC Visitor decides to kick in and make sure it attaches in the given edge case In the test case below, the value V is not constrained to 0 in ErrorNode but it is in node N. So we used to fail to register the Suppression visitor. We also need to change the way we determine that the Visitor should kick in because the node N belongs to the ExplodedGraph and might not be on the BugReporter path that the visitor sees. Instead of trying to match the node, turn on the visitor when we see the last node in which the symbol is ‘0’. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@177121 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.cpp
6022c4e17c0d2ad9c43ef6bc830d394b670a4705	13-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] BugReporter - more precise tracking of C++ references When BugReporter tracks C++ references involved in a null pointer violation, we want to differentiate between a null reference and a reference to a null pointer. In the first case, we want to track the region for the reference location; in the second, we want to track the null pointer. In addition, the core creates CXXTempObjectRegion to represent the location of the C++ reference, so teach FindLastStoreBRVisitor about it. This helps null pointer suppression to kick in. (Patch by Anna and Jordan.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176969 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.cpp
0415998dd77986630efe8f1aed633519cc41e1f3	09-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] Make Suppress IDC checker aware that it might not start from the same node it was registered at The visitor used to assume that the value it’s tracking is null in the first node it examines. This is not true. If we are registering the Suppress Inlined Defensive checks visitor while traversing in another visitor (such as FindlastStoreVisitor). When we restart with the IDC visitor, the invariance of the visitor does not hold since the symbol we are tracking no longer exists at that point. I had to pass the ErrorNode when creating the IDC visitor, because, in some cases, node N is neither the error node nor will be visible along the path (we had not finalized the path at that point and are dealing with ExplodedGraph.) We should revisit the other visitors which might not be aware that they might get nodes, which are later in path than the trigger point. This suppresses a number of inline defensive checks in JavaScriptCore. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176756 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.cpp
0183768813658d419e3124b576744b03ec8e9b55	09-Mar-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Look for lvalue nodes when tracking a null pointer. r176010 introduced the notion of "interesting" lvalue expressions, whose nodes are guaranteed never to be reclaimed by the ExplodedGraph. This was used in bugreporter::trackNullOrUndefValue to find the region that contains the null or undef value being tracked. However, the /rvalue/ nodes (i.e. the loads from these lvalues that produce a null or undef value) /are/ still being reclaimed, and if we couldn't find the node for the rvalue, we just give up. This patch changes that so that we look for the node for either the rvalue or the lvalue -- preferring the former, since it lets us fall back to value-only tracking in cases where we can't get a region, but allowing the latter as well. <rdar://problem/13342842> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176737 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.cpp
c236b7327f989c1e7fe6b08a188bfef86727513d	07-Mar-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Check for returning null references in ReturnUndefChecker. Officially in the C++ standard, a null reference cannot exist. However, it's still very easy to create one: int &getNullRef() { int p = 0; return p; } We already check that binds to reference regions don't create null references. This patch checks that we don't create null references by returning, either. <rdar://problem/13364378> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176601 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.cpp ath-notes.cpp
42773d64f98db0dd5cc80181c3b2d561851668f7	06-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] Pass the correct Expr to the bug reporter visitors when dealing with CompoundLiteralExpr This allows us to trigger the IDC visitor in the added test case. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176577 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.m
713e07591995d761f65c7132289dce003a29870f	06-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] IDC: Add config option; perform the idc check on first “null node” rather than last “non-null”. The second modification does not lead to any visible result, but, theoretically, is what we should have been looking at to begin with since we are checking if the node was assumed to be null in an inlined function. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176576 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.c
cc5dbdae70c6eb2423921f52a35ba4686d2969cf	02-Mar-2013	Anna Zaks <ganna@apple.com>	[analyzer] Simple inline defensive checks suppression Inlining brought a few "null pointer use" false positives, which occur because the callee defensively checks if a pointer is NULL, whereas the caller knows that the pointer cannot be NULL in the context of the given call. This is a first attempt to silence these warnings by tracking the symbolic value along the execution path in the BugReporter. The new visitor finds the node in which the symbol was first constrained to NULL. If the node belongs to a function on the active stack, the warning is reported, otherwise, it is suppressed. There are several areas for follow up work, for example: - How do we differentiate the cases where the first check is followed by another one, which does happen on the active stack? Also, this only silences a fraction of null pointer use warnings. For example, it does not do anything for the cases where NULL was assigned inside a callee. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176402 91177308-0d34-0410-b5e6-96231b3b80d8 nline-defensive-checks.c ath-notes.c
9abf1b4577b75ffcc46afbdfb55de334f68f05c0	01-Mar-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Suppress paths involving a reference whose rvalue is null. Most map types have an operator[] that inserts a new element if the key isn't found, then returns a reference to the value slot so that you can assign into it. However, if the value type is a pointer, it will be initialized to null. This is usually no problem. However, if the user /knows/ the map contains a value for a particular key, they may just use it immediately: // From ClangSACheckersEmitter.cpp recordGroupMap[group]->Checkers In this case the analyzer reports a null dereference on the path where the key is not in the map, even though the user knows that path is impossible here. They could silence the warning by adding an assertion, but that means splitting up the expression and introducing a local variable. (Note that the analyzer has no way of knowing that recordGroupMap[group] will return the same reference if called twice in a row!) We already have logic that says a null dereference has a high chance of being a false positive if the null came from an inlined function. This patch simply extends that to references whose rvalues are null as well, silencing several false positives in LLVM. <rdar://problem/13239854> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176371 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.cpp ath-notes.cpp
6f4160828db75f36b22a204da202723c592644f3	27-Feb-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Teach FindLastStoreBRVisitor to understand stores of the same value. Consider this case: int p = 0; p = getPointerThatMayBeNull(); p = 1; If we inline 'getPointerThatMayBeNull', we might know that the value of 'p' is NULL, and thus emit a null pointer dereference report. However, we usually want to suppress such warnings as error paths, and we do so by using FindLastStoreBRVisitor to see where the NULL came from. In this case, though, because 'p' was NULL both before and after the assignment, the visitor would decide that the "last store" was the initialization, not the re-assignment. This commit changes FindLastStoreBRVisitor to consider all PostStore nodes that assign to this region. This still won't catches changes made directly by checkers if they re-assign the same value, but it does handle the common case in user-written code and will trigger ReturnVisitor's suppression machinery as expected. <rdar://problem/13299738> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176201 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
4238f41d484729aca260140fbbc53a68769bf60a	26-Feb-2013	Ted Kremenek <kremenek@apple.com>	[analyzer] Use 'MemRegion::printPretty()' instead of assuming the region is a VarRegion. Fixes PR15358 and <rdar://problem/13295437>. Along the way, shorten path diagnostics that say "Variable 'x'" to just be "'x'". By the context, it is obvious that we have a variable, and so this just consumes text space. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176115 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.c ath-notes.c ath-notes.m
db061e40d639da0d938f915f0eef9e9772019c22	25-Feb-2013	Anna Zaks <ganna@apple.com>	[analyzer] Restrict ObjC type inference to methods that have related result type. This addresses a case when we inline a wrong method due to incorrect dynamic type inference. Specifically, when user code contains a method from init family, which creates an instance of another class. Use hasRelatedResultType() to find out if our inference rules should be triggered. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@176054 91177308-0d34-0410-b5e6-96231b3b80d8 bjCDynTypePopagation.m
44ec3f00e64199667edf9f12c0f31f66916c95fe	26-Jan-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Track null object lvalues back through C++ method calls. The expression 'a->b.c()' contains a call to the 'c' method of 'a->b'. We emit an error if 'a' is NULL, but previously didn't actually track the null value back through the 'a->b' expression, which caused us to miss important false-positive-suppression cases, including <rdar://problem/12676053>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173547 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.cpp
bfa9ab8183e2fdc74f8633d758cb0c6201314320	25-Jan-2013	Anna Zaks <ganna@apple.com>	[analyzer] Replace "-analyzer-ipa" with "-analyzer-config ipa". The idea is to eventually place all analyzer options under "analyzer-config". In addition, this lays the ground for introduction of a high-level analyzer mode option, which will influence the default setting for IPAMode. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173385 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m nlineObjCClassMethod.m bjCDynTypePopagation.m bjCImproperDynamictallyDetectableCast.m etainCountExamples.m ssume-super-init-does-not-return-nil.m yn-dispatch-bifurcate.cpp etain-count-self-init.m tl.cpp est_objc_inlining_option.m
141b90cd3d095b638045d9bc2a070af37d32e1e1	21-Jan-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Fix test for r173067. Note to self: don't remove comments /after/ updating the line-sensitive part of a test. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173070 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
187f8bd88bfc92cf3fea62b7d8db5f92edce410a	21-Jan-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Show notes inside implicit calls at the last explicit call site. Before: struct Wrapper { <-- 2. Calling default constructor for 'NonTrivial'. NonTrivial m; }; Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'. After: struct Wrapper { NonTrivial m; }; Wrapper w; <-- 1. Calling implicit default constructor for 'Wrapper'. ^-- 2. Calling default constructor for 'NonTrivial'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@173067 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
2b9de0bc05e3e1092a9d1880e62aeaa54dc343e3	19-Jan-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Don't show "Entered 'foo'" if 'foo' is implicit. Before: Calling implicit default constructor for 'Foo' (where Foo is constructed) Entered call from 'test' (at "=default" or 'Foo' declaration) Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration) After: Calling implicit default constructor for 'Foo' (where Foo is constructed) Calling default constructor for 'Bar' (at "=default" or 'Foo' declaration) This only affects the plist diagnostics; this note is never shown in the other diagnostics. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172915 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
e02be97811c785f91ac43a0feed2db862de1867f	18-Jan-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Special path notes for C++ special member functions. Examples: Calling implicit default constructor for Foo Calling defaulted move constructor for Foo Calling copy constructor for Foo Calling implicit destructor for Foo Calling defaulted move assignment operator for Foo Calling copy assignment operator for Foo git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172833 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
dc47c9a71c99ce2e5b9d84f1cd3487b6852b3543	18-Jan-2013	Jordan Rose <jordan_rose@apple.com>	[analyzer] Do a better job describing C++ member functions in the call stack. Examples: Calling constructor for 'Foo' Entered call from 'Foo::create' git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172832 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.cpp
c1c6a4981a4b50476d71c88f8dac81a1430885ed	08-Jan-2013	Anna Zaks <ganna@apple.com>	[analyzer] Plist: change the type of issue_hash from int to string. This gives more flexibility to what could be stored as issue_hash. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171824 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.c ath-notes.c ath-notes.m
afa7cae15b117c4b75794c6c32424953d94b4359	07-Dec-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Fix r168019 to work with unpruned paths as well. This is the case where the analyzer tries to print out source locations for code within a synthesized function body, which of course does not have a valid source location. The previous fix attempted to do this during diagnostic path pruning, but some diagnostics have pruning disabled, and so any diagnostic with a path that goes through a synthesized body will either hit an assertion or emit invalid output. <rdar://problem/12657843> (again) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169631 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
368f3b070e8cb657a65bfa443d60256676d269e7	15-Nov-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Make sure calls in synthesized functions have valid path locations. We do this by using the "most recent" good location: if a synthesized function 'A' calls another function 'B', the path notes for the call to 'B' will be placed at the same location as the path note for calling 'A'. Similarly, the call to 'A' will have a note saying "Entered call from...", and now we just don't emit that (since the user doesn't have a body to look at anyway). Previously, we were doing this for the "Calling..." notes, but not for the "Entered call from..." or "Returning to caller". This caused a crash when the path entered and then exiting a call within a synthesized body. <rdar://problem/12657843> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168019 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
d51db4935736fd943bfd46dfa74d41e9a3c2d41f	13-Nov-2012	Anna Zaks <ganna@apple.com>	[analyzer] Follow up to r167762 - precisely determine the adjustment conditions. The adjustment is needed only in case of dynamic dispatch performed by the analyzer - when the runtime declaration is different from the static one. Document this explicitly in the code (by adding a helper). Also, use canonical Decls to avoid matching against the case where the definition is different from found declaration. This fix suppresses the testcase I added in r167762, so add another testcase to make sure we do test commit r167762. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167780 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m
6a329ee7567cf3267ffab2bc755ea8c773d967e7	29-Oct-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] New option to not suppress null return paths if an argument is null. Our one basic suppression heuristic is to assume that functions do not usually return NULL. However, when one of the arguments is NULL it is suddenly much more likely that NULL is a valid return value. In this case, we don't suppress the report here, but we do attach /another/ visitor to go find out if this NULL argument also comes from an inlined function's error path. This new behavior, controlled by the 'avoid-suppressing-null-argument-paths' analyzer-config option, is turned off by default. Turning it on produced two false positives and no new true positives when running over LLVM/Clang. This is one of the possible refinements to our suppression heuristics. <rdar://problem/12350829> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166941 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c
09f7bf14d25bdc55cb715bc8d40600906848a409	29-Oct-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Use the CallEnter node to get a value for tracked null arguments. Additionally, don't collect PostStore nodes -- they are often used in path diagnostics. Previously, we tried to track null arguments in the same way as any other null values, but in many cases the necessary nodes had already been collected (a memory optimization in ExplodedGraph). Now, we fall back to using the value of the argument at the time of the call, which may not always match the actual contents of the region, but often will. This is a precursor to improving our suppression heuristic. <rdar://problem/12350829> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166940 91177308-0d34-0410-b5e6-96231b3b80d8 ager-reclamation-path-notes.c
b85cce094887ab5cf1c47acfe306e2fb1d3cfbb1	26-Oct-2012	Ted Kremenek <kremenek@apple.com>	TrackConstraintBRVisitor and ConditionBRVisitor can emit similar path notes for cases where a value may be assumed to be null, etc. Instead of having redundant diagnostics, do a pass over the generated PathDiagnostic pieces and remove notes from TrackConstraintBRVisitor that are already covered by ConditionBRVisitor, whose notes tend to be better. Fixes <rdar://problem/12252783> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166728 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
8e8fb3be5bd78f0564444eca02b404566a5f3b5d	19-Oct-2012	Andy Gibbs <andyg1001@hotmail.co.uk>	Prior to adding the new "expected-no-diagnostics" directive to VerifyDiagnosticConsumer, make the necessary adjustment to 580 test-cases which will henceforth require this new directive. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@166280 91177308-0d34-0410-b5e6-96231b3b80d8 est_objc_inlining_option.m
ff63227817217cd33c587e054d4892285b8e00c6	03-Oct-2012	Jordan Rose <jordan_rose@apple.com>	Revert "InlineObjCInstanceMethod.m: Remove lines introduced in r165079." ...and fix the run line so that the expected warnings are the same on all platforms. This reverts r165088 / d09074f0ca06626914108f1c0d4e70adeb851e01. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165124 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m
d09074f0ca06626914108f1c0d4e70adeb851e01	03-Oct-2012	NAKAMURA Takumi <geek4civic@gmail.com>	InlineObjCInstanceMethod.m: Remove lines introduced in r165079. It broke some builds, on FreeBSD, Linux and Windows. error: 'warning' diagnostics expected but not seen: Line 94: types are incompatible 1 error generated. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165088 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m
48314cf6a289bc5a082d8c769c58a38f924c93b7	03-Oct-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Adjust the return type of an inlined devirtualized method call. In C++, overriding virtual methods are allowed to specify a covariant return type -- that is, if the return type of the base method is an object pointer type (or reference type), the overriding method's return type can be a pointer to a subclass of the original type. The analyzer was failing to take this into account when devirtualizing a method call, and anything that relied on the return value having the proper type later would crash. In Objective-C, overriding methods are allowed to specify ANY return type, meaning we can NEVER be sure that devirtualizing will give us a "safe" return value. Of course, a program that does this will most likely crash at runtime, but the analyzer at least shouldn't crash. The solution is to check and see if the function/method being inlined is the function that static binding would have picked. If not, check that the return value has the same type. If the types don't match, see if we can fix it with a derived-to-base cast (the C++ case). If we can't, return UnknownVal to avoid crashing later. <rdar://problem/12409977> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165079 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m
0be2638cc5809bbf8645a2721e80507abd076790	26-Sep-2012	Anna Zaks <ganna@apple.com>	[analyzer] Commit a test case for r164579. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164715 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m
70e5b575e187beb10f4a10667d9f4f5227131c40	24-Sep-2012	Anna Zaks <ganna@apple.com>	[analyzer] Really turn on dynamic-bifurcation on by default. Thanks to Byoungyoung for realizing taht we are not passing the default option correctly. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164543 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m
b9d4e5e3bb235f1149e99d3c833ff7cb3474c9f1	22-Sep-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Suppress bugs whose paths go through the return of a null pointer. This is a heuristic intended to greatly reduce the number of false positives resulting from inlining, particularly inlining of generic, defensive C++ methods that live in header files. The suppression is triggered in the cases where we ask to track where a null pointer came from, and it turns out that the source of the null pointer was an inlined function call. This change brings the number of bug reports in LLVM from ~1500 down to around ~300, a much more manageable number. Yes, some true positives may be hidden as well, but from what I looked at the vast majority of silenced reports are false positives, and many of the true issues found by the analyzer are still reported. I'm hoping to improve this heuristic further by adding some exceptions next week (cases in which a bug should still be reported). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164449 91177308-0d34-0410-b5e6-96231b3b80d8 alse-positive-suppression.c ath-notes.c ath-notes.m
53221da865144db0ba6bd89ab30bcf81de0fe5d2	22-Sep-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Track a null value back through FindLastStoreBRVisitor. Also, tidy up the other tracking visitors so that they mark the right things as interesting and don't do extra work. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164448 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
6686b6694a7998623550ff6529f2f53bfee94328	22-Sep-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Look through OpaqueValueExprs when tracking a nil value. This allows us to show /why/ a particular object is nil, even when it is wrapped in an OpaqueValueExpr. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@164445 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.m
3225d072a348658cb67c45cdb46a981b09d1f562	12-Sep-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Re-add reinterpret_cast virtual call test case from r163644. We mostly just don't want to crash analyzing this test case; it's likely the code found here will actually crash if compiled and run. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163746 91177308-0d34-0410-b5e6-96231b3b80d8 yn-dispatch-bifurcate.cpp
fe3769dbb448edf8e5ece13b14017608558d4763	12-Sep-2012	Jordan Rose <jordan_rose@apple.com>	Revert "[analyzer] Use the static type for a virtual call if the dynamic type is worse." Using the static type may be inconsistent with later calls. We should just report that there is no inlining definition available if the static type is better than the dynamic type. See next commit. This reverts r163644 / 19d5886d1704e24282c86217b09d5c6d35ba604d. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163744 91177308-0d34-0410-b5e6-96231b3b80d8 yn-dispatch-bifurcate.cpp
1b22cec353bc6112653d50b060a1d78d70c51527	12-Sep-2012	Chandler Carruth <chandlerc@gmail.com>	Adjust some analyzer tests to place widely shared inputs inside of an 'Inputs' subdirectory. The general desire has been to have essentially all of the non-test input files live in such directories, with some exceptions for obvious and common patterns like 'foo.c' using 'foo.h'. This came up because our distributed test runner couldn't find some of the headers, for example with stl.cpp. No functionality changed, just shuffling around here. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163674 91177308-0d34-0410-b5e6-96231b3b80d8 tl.cpp
19d5886d1704e24282c86217b09d5c6d35ba604d	11-Sep-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Use the static type for a virtual call if the dynamic type is worse. reinterpret_cast does not provide any of the usual type information that static_cast or dynamic_cast provide -- only the new type. This can get us in a situation where the dynamic type info for an object is actually a superclass of the static type, which does not match what CodeGen does at all. In these cases, just fall back to the static type as the best possible type for devirtualization. Should fix the crashes on our internal buildbot. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163644 91177308-0d34-0410-b5e6-96231b3b80d8 yn-dispatch-bifurcate.cpp
e08dcbe75eb9b3ffe6f1f60ac2b216b4c878606a	11-Sep-2012	Anna Zaks <ganna@apple.com>	[analyzer] Turn stl inlining back on. The one reported bug, which was exposed by stl inlining, is addressed in r163558. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163574 91177308-0d34-0410-b5e6-96231b3b80d8 tl.cpp
4ea9b89ff6dc50d5404eb56cad5e5870bce49ef2	11-Sep-2012	Anna Zaks <ganna@apple.com>	[analyzer] Do not count calls to small functions when computing stack depth. We only want to count how many substantial functions we inlined. This is an improvement to r163558. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163571 91177308-0d34-0410-b5e6-96231b3b80d8 est-always-inline-size-option.c
57330eed3fbe530cb05996e4a346cc5fc217c0d9	11-Sep-2012	Anna Zaks <ganna@apple.com>	[analyzer] Add an option to enable/disable objc inlining. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163562 91177308-0d34-0410-b5e6-96231b3b80d8 est_objc_inlining_option.m
7229d0011766c174beffe6a846d78f448f845b39	11-Sep-2012	Anna Zaks <ganna@apple.com>	[analyzer] Add ipa-always-inline-size option (with 3 as the default). The option allows to always inline very small functions, whose size (in number of basic blocks) is set using -analyzer-config ipa-always-inline-size option. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163558 91177308-0d34-0410-b5e6-96231b3b80d8 est-always-inline-size-option.c
81fb50e8b120fc95dc0245b4112972d4d7cca3b5	10-Sep-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] For now, don't inline C++ standard library functions. This is a (heavy-handed) solution to PR13724 -- until we know we can do a good job inlining the STL, it's best to be consistent and not generate more false positives than we did before. We can selectively whitelist certain parts of the 'std' namespace that are known to be safe. This is controlled by analyzer config option 'c++-stdlib-inlining', which can be set to "true" or "false". This commit also adds control for whether or not to inline any templated functions (member or non-member), under the config option 'c++-template-inlining'. This option is currently on by default. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163548 91177308-0d34-0410-b5e6-96231b3b80d8 tl.cpp
0187a1b8b9b2b7657de0ba8b0d4f67d30bec83e8	08-Sep-2012	Ted Kremenek <kremenek@apple.com>	Attempt (again) to stabilize the order of the emission of diagnostics of the analyzer by using the FullProfile() of a PathDiagnostic for ordering them. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163455 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
dc601f4a9f69315521abddbca04d4652deee5fdb	31-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Fixup for r162935 as per Jordan's review. Thanks for catching this! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162949 91177308-0d34-0410-b5e6-96231b3b80d8 ssume-super-init-does-not-return-nil.m
05fcbd3dc28f4cba4a6d33e7aeaabb5f6f7837e3	30-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Do not propagate the [super init] could be nil assumption from callee to caller. radar://12109638 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162935 91177308-0d34-0410-b5e6-96231b3b80d8 ssume-super-init-does-not-return-nil.m
554067f290282f366ccf65a27e0b914aa67a52c6	30-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Stop tracking symbols based on a retain count summary of inlined function. This resolves retain count checker false positives that are caused by inlining ObjC and other methods. Essentially, if we are passing an object to a method with "delegate" in the selector or a function pointer as another argument, we should stop tracking the other parameters/return value as far as the retain count checker is concerned. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162876 91177308-0d34-0410-b5e6-96231b3b80d8 etainCountExamples.m
7aba1171b32265b2206f3fa8f8886953051b58f5	28-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] If the last store into a region came from a function, step into it. Previously, if we were tracking stores to a variable 'x', and came across this: x = foo(); ...we would simply emit a note here and stop. Now, we'll step into 'foo' and continue tracking the returned value from there. <rdar://problem/12114689> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162718 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
364b9f95fa47b0ca7f1cc694195f7a9953652f81	27-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Look through casts when trying to track a null pointer dereference. Also, add comments to addTrackNullOrUndefValueVisitor. Thanks for the review, Anna! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162695 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
23df2437a47ff129d2923ae325d42e79682a7f14	24-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] If we dereference a NULL that came from a function, show the return. More generally, any time we try to track where a null value came from, we should show if it came from a function. This usually isn't necessary if the value is symbolic, but if the value is just a constant we previously just ignored its origin entirely. Now, we'll step into the function and recursively add a visitor to the returned expression. <rdar://problem/12114609> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162563 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
5a90193ad825656d4a03099cd5e9c928d1782b5e	24-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Make analyzer less aggressive when dealing with [self init]. With inlining, retain count checker starts tracking 'self' through the init methods. The analyser results were too noisy if the developer did not follow 'self = [super init]' pattern (which is common especially in older code bases) - we reported self init anti-pattern AND possible use-after-free. This patch teaches the retain count checker to assume that [super init] does not fail when it's not consumed by another expression. This silences the retain count warning that warns about possibility of use-after-free when init fails, while preserving all the other checking on 'self'. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162508 91177308-0d34-0410-b5e6-96231b3b80d8 etainCountExamples.m etain-count-self-init.m
ee04959f88e26ed38dccf4aed2ff10cad1f703c9	21-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] -analyzer-ipa=inlining is now the default. Remove it from tests. The actual change here is a little more complicated than the summary above. What we want to do is have our generic inlining tests run under whatever mode is the default. However, there are some tests that depend on the presence of C++ inlining, which still has some rough edges. These tests have been explicitly marked as -analyzer-ipa=inlining in preparation for a new mode that limits inlining to C functions and blocks. This will be the default until the false positives for C++ have been brought down to manageable levels. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@162317 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
b763ede873c23c8651bd18eba0c62e929b496ba5	15-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Don't inline dynamic-dispatch methods unless -analyzer-ipa=dynamic. Previously we were checking -analyzer-ipa=dynamic-bifurcate only, and unconditionally inlining everything else that had an available definition, even under -analyzer-ipa=inlining (but not under -analyzer-ipa=none). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161916 91177308-0d34-0410-b5e6-96231b3b80d8 yn-dispatch-bifurcate.cpp
38aee3bb4ffe14c8323785ae2fafed6f627fb577	14-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer]Assume that the properties cannot be overridden when dot syntax is used. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161889 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m
95b277e38875ac06faaf8570b5f7594bb6d99e21	14-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Address Jordan's comments for r161822, r161683. Add a TODO test case for r161822 - calling self from a class method. Remove a TODO comment for r161683 - value2 is not a property - we just have method names that look like they are getters/setters for a property. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161884 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m nlineObjCClassMethod.m
c739406d37b9b1dc95bc3a3d899024e5ce31e5d5	14-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Teach live variable analyzes that super uses self pointer. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161822 91177308-0d34-0410-b5e6-96231b3b80d8 etainCountExamples.m
5498e3a01be0446f38c102278847566176f6507f	10-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] ObjC Inlining: add tests for ivars and properties. TODO: - Handle @syncronized properties. - Always inline properties declared publicly (do not split the path). This is tricky since there is no mapping from a Decl to the property in the AST as far as I can tell. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161683 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m nlineObjCInstanceMethod.h
54918ba02ba900c0e0bb4fd3d749b6b1ac4e50a9	10-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Track if a region can be a subclass in the dynamic type info. When object is allocated with alloc or init, we assume it cannot be a subclass (currently used only for bifurcation purposes). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161682 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCClassMethod.m nlineObjCInstanceMethod.h nlineObjCInstanceMethod.m bjCDynTypePopagation.m bjCImproperDynamictallyDetectableCast.m
3f558af01643787d209a133215b0abec81b5fe30	10-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Optimize dynamic dispatch bifurcation by detecting the cases when we don't need to split. In some cases we know that a method cannot have a different implementation in a subclass: - the class is declared in the main file (private) - all the method declarations (including the ones coming from super classes) are in the main file. This can be improved further, but might be enough for the heuristic. (When we are too aggressive splitting the state, efficiency suffers. When we fail to split the state coverage might suffer.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161681 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m nlineObjCInstanceMethod.h
e90d3f847dcce76237078b67db8895eb7a24189e	09-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Bifurcate the path with dynamic dispatch. This is an initial (unoptimized) version. We split the path when inlining ObjC instance methods. On one branch we always assume that the type information for the given memory region is precise. On the other we assume that we don't have the exact type info. It is important to check since the class could be subclassed and the method can be overridden. If we always inline we can loose coverage. Had to refactor some of the call eval functions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161552 91177308-0d34-0410-b5e6-96231b3b80d8 ynDispatchBifurcate.m
acac844992d9b28d30f2801711bd92f353ada084	07-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] + New line at end of file git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161392 91177308-0d34-0410-b5e6-96231b3b80d8 bjCImproperDynamictallyDetectableCast.m
8ed21ef726be89ef7151b5ff397631379bd8a537	07-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Address Jordan's review of DynamicTypePropagation. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161391 91177308-0d34-0410-b5e6-96231b3b80d8 bjCDynTypePopagation.m
340868161576d892f0e1d8f17a044502a98d3373	07-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] DynTypes: Add a test for improper cast performed by user. Dynamic type inference does the right thing in this case. However, as Jordan suggested, it would be nice to add a warning here as well. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161365 91177308-0d34-0410-b5e6-96231b3b80d8 bjCImproperDynamictallyDetectableCast.m
c4c647c88ced2e953f15f8987952ede9b96aa969	07-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Dynamic type info - propagate through implicit casts. I currently have a bit of redundancy with the cast kind switch statement inside the ImplicitCast callback, but I might be adding more casts going forward. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161358 91177308-0d34-0410-b5e6-96231b3b80d8 bjCDynTypePopagation.m
c7ecc43c33a21b82c49664910b19fcc1f555aa51	07-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] Add a checker to manage dynamic type propagation. Instead of sprinkling dynamic type info propagation throughout ExprEngine, the added checker would add the more precise type information on known APIs (Ex: ObjC alloc, new) and propagate the type info in other cases (ex: ObjC init method, casts (the second is not implemented yet)). Add handling of ObjC alloc, new and init to the checker. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161357 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m bjCDynTypePopagation.m
a801acd9773cacdbe16690269ecb47bd127440c5	06-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Add plist output checks for all four "path notes" tests. No functionality change, but from now on, any new path notes should be tested both with plain-text output (for ease of human auditing) and with plist output (to ensure control flow and events are being correctly represented in Xcode). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161351 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
685379965c1b105ce89cf4f6c60810932b7f4d0d	04-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] When a symbol is null, we should track its constraints. Because of this, we would previously emit NO path notes when a parameter is constrained to null (because there are no stores). Now we show where we made the assumption, which is much more useful. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161280 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
b0e1badc2a9b8275b48dfb15c6907a282b949b02	04-Aug-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Flatten path diagnostics for text output like we do for HTML. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161279 91177308-0d34-0410-b5e6-96231b3b80d8 ath-notes.c
148fee988e32efcad45ecf7b3bf714880c657dda	03-Aug-2012	Anna Zaks <ganna@apple.com>	[analyzer] ObjC Inlining: Start tracking dynamic type info in the GDM In the following code, find the type of the symbolic receiver by following it and updating the dynamic type info in the state when we cast the symbol from id to MyClass . MyClass a = [[self alloc] init]; return 5/[a testSelf]; git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161264 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m
4fe64ad383c056774087113561063429103ac9a6	31-Jul-2012	Jordan Rose <jordan_rose@apple.com>	[analyzer] Don't try to inline if there's no region for a message receiver. While usually we'd use a symbolic region rather than a straight-up Unknown, we can still generate unknowns via array subscripts with symbolic indexes. (And if this ever changes in the future, we still shouldn't crash.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161059 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.m
2d18419a7c8f9a2975d4ed74a202de6467308ad1	30-Jul-2012	Anna Zaks <ganna@apple.com>	[analyzer] Very simple ObjC instance method inlining - Retrieves the type of the object/receiver from the state. - Binds self during stack setup. - Only explores the path on which the method is inlined (no bifurcation to explore the path on which the method is not inlined). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160991 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCInstanceMethod.h nlineObjCInstanceMethod.m
e13056a8bb532ddfdc07952a13169aa422bacd3b	30-Jul-2012	Anna Zaks <ganna@apple.com>	[analyzer] Add -analyzer-ipa=dynamic option for inlining dynamically dispatched methods. Disabled by default for now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160988 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCClassMethod.m
bccc594946d439351174831949a6a2cf7ff04f66	27-Jul-2012	Anna Zaks <ganna@apple.com>	[analyzer] Another false positive in Class method inlining. We are currently not setting the self object to the calling class object during inlining nor do we reason about [AAA class]. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160884 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCClassMethod.m
6fbe0317aa38dbac22a29f7519c52db838aa1990	27-Jul-2012	Anna Zaks <ganna@apple.com>	[analyzer] Address Jordan's and Fariborz's review of r160768. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160883 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCClassMethod.m
9dc5167e4017ef4c8b327abb6f72225eec2e0f19	26-Jul-2012	Anna Zaks <ganna@apple.com>	[analyzer] Inline ObjC class methods. - Some cleanup(the TODOs) will be done after ObjC method inlining is complete. - Simplified CallEvent::getDefinition not to require ISDynamicDispatch parameter. - Also addressed Jordan's comments from r160530. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160768 91177308-0d34-0410-b5e6-96231b3b80d8 nlineObjCClassMethod.m