- Add ConversionSpecifier::consumesDataArgument() as a helper method
to determine if a conversion specifier requires a matching argument.
- Add support for glibc-specific '%m' conversion
- Add an extra callback to HandleNull() for locations within the
format specifier that have a null character
llvm-svn: 94834
In addition, move ParseFormatString() and FormatStringHandler() from
the clang::analyze_printf to the clang namespace. Hopefully this will
resolve some link errors on Linux.
llvm-svn: 94794
strings than what we currently have in Sema. This is both an
experiment and a WIP.
The idea is simple: parse the format string incrementally,
constructing a well-structure representation of each format specifier.
Each format specifier is then handed back one-by-one to a client via a
callback. Malformed format strings are also handled with callbacks.
The idea is to separate the parsing of the format string from the
emission of diagnostics. Currently what we have in Sema for handling
format strings is a mongrel of both that is hard to follow and
difficult to modify (I can apply this label since I'm the original
author of that code).
This is in libAnalysis as it is reasonable generic and can potentially
be used both by libSema and libChecker.
Comments welcome.
llvm-svn: 94702
(1) libAnalysis is a generic analysis library that can be used by
Sema. It defines the CFG, basic dataflow analysis primitives, and
inexpensive flow-sensitive analyses (e.g. LiveVariables).
(2) libChecker contains the guts of the static analyzer, incuding the
path-sensitive analysis engine and domain-specific checks.
Now any clients that want to use the frontend to build their own tools
don't need to link in the entire static analyzer.
This change exposes various obvious cleanups that can be made to the
layout of files and headers in libChecker. More changes pending. :)
This change also exposed a layering violation between AnalysisContext
and MemRegion. BlockInvocationContext shouldn't explicitly know about
BlockDataRegions. For now I've removed the BlockDataRegion* from
BlockInvocationContext (removing context-sensitivity; although this
wasn't used yet). We need to have a better way to extend
BlockInvocationContext (and any LocationContext) to add
context-sensitivty.
llvm-svn: 94406
CallExprs as those edges help cause a n^2 explosion in the number of
destructor calls. Other consumers, such as static analysis, that
would like to have more a more complete CFG can select the inclusion
of those edges as CFG build time.
This also fixes up the two compilation users of CFGs to be tolerant of
having or not having those edges. All catch code is assumed be to
live if we didn't generate the exceptional edges for CallExprs.
llvm-svn: 94074
"ASTContext::getTypeSize() / 8". Replace [u]int64_t variables with CharUnits
ones as appropriate.
Also rename RawType, fromRaw(), and getRaw() in CharUnits to QuantityType,
fromQuantity(), and getQuantity() for clarity.
llvm-svn: 93153
value bindings. Along with a small change to OSAtomicChecker, this
resolves <rdar://problem/7527292> and resolves some long-standing
issues with how values can be bound to the same physical address by
not have the same "key". This change is only a beginning; logically
RegionStore needs to better handle loads from addresses where the
stored value is larger/smaller/different type than the loaded value.
We handle these cases in an approximate fashion now (via
CastRetrievedVal and help in SimpleSValuator), but it could be made
much smarter.
llvm-svn: 93137
(1) Introduce a new 'BindingKey' class to match 'BindingValue'. This
gives us the flexibility to change the current key value from 'const
MemRegion*' to something more interesting.
(2) Rework additions/removals/lookups from the store to use new
'Remove', 'Add', 'Lookup' utility methods.
No "real" functionality change; just prep work and abstraction.
llvm-svn: 93136
CallExpr/ObjCMessageExpr can be visited in an "lvalue" context if it
returns a struct temporary. Currently the analyzer doesn't reason
about struct temporary returned by function calls, but we shouldn't
crash here either.
llvm-svn: 93081
when the default case is winnowed down to be infeasible. When all
cases were ruled out (and the analysis state for the default case
would be infeasible) we would still consider the default case
possible. This fixes PR 5969.
llvm-svn: 93017
GRStateManager. Having these references was an abstraction violation,
as they really should only be known about GRExprEngine.
This change required adding a new 'ProcessAssume' callback in
GRSubEngine. GRExprEngine implements this callback by calling
'EvalAssume' on all registered Checker objects as well as the
registered GRTransferFunc object.
llvm-svn: 92549
Add new states for symbolic regions tracked by malloc checker. This enables us
to do malloc checking more accurately. See test case.
Based on Lei Zhang's patch and discussion.
llvm-svn: 92342
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
Remove isPod() from DenseMapInfo, splitting it out to its own
isPodLike type trait. This is a generally useful type trait for
more than just DenseMap, and we really care about whether something
acts like a pod, not whether it really is a pod.
llvm-svn: 91422
now, don't construct CFGs that contain C++ try/catch statements, and
have GRExprEngine abort a path if it encounters a C++ construct it
doesn't understand (which is mostly everything at this point).
llvm-svn: 91389
Otherwise, even when real evaluation occurs, the previous fake auto
transitions would still be in the destination set, causing fake state
bifurcation.
llvm-svn: 90967
by the test case in PR 5627. Essentially we shouldn't clear the
ExplodedNodeSet where we deposit newly constructed nodes if that set
is the 'Dst' set passed in. It is not okay to clear that set because
it may already contain nodes.
llvm-svn: 90931
- Refactor the MemRegion hierarchy to distinguish between different StackSpaceRegions for locals and parameters.
- VarRegions for "captured" variables now have the BlockDataRegion as their super region (except those passed by reference)
- Add transfer function support to GRExprEngine for BlockDeclRefExprs.
This change also supports analyzing blocks as an analysis entry point
(top-of-the-stack), which required pushing more context-sensitivity
around in the MemRegion hierarchy via the use of LocationContext
objects. Functionally almost everything is the same, except we track
LocationContexts in a few more areas and StackSpaceRegions now refer
to a StackFrameContext object. In the future we will need to modify
MemRegionManager to allow multiple StackSpaceRegions in flight at once
(for the analysis of multiple stack frames).
llvm-svn: 90809
handler to this interface.
GRExprEngine::CheckerEvalCall() will return true if one of the checkers has
processed the node. In the future this might return void when we have some
default checker.
llvm-svn: 90755
we don't need to use the DoneEvaluation hack when check for
ObjCMessageExpr.
PreVisitObjCMessageExpr() only checks for undefined receiver or arguments.
Add checker interface EvalNilReceiver(). This is a 'once-and-done' interface.
llvm-svn: 90296
the set of variables "captured" by a block. Until the analysis gets
more sophisticated, for now we stop the retain count tracking of any
objects (transitively) referenced by these variables.
llvm-svn: 89929
This required two changes:
1) Added 'getReferencedgetReferencedBlockVars()' to AnalysisContext so
that clients can iterate over the "captured" variables in a block.
2) Modified LiveVariables to take an AnalysisContext& in its
constructor and to call getReferencedgetReferencedBlockVars() when it
processes a BlockExpr*.
llvm-svn: 89924
'BlockDataRegion' to distinguish between the code associated with a
block (which is represented by 'BlockTextRegion') and an instance of a
block, which includes both code and data. 'BlockDataRegion' has an
associated LocationContext, which can be used to eventually model the
lifetime of a block object once LocationContexts can represent scopes
(and iterations around a loop, etc.).
llvm-svn: 89900
only stop processing the checkers after all the nodes for a current
check have been processed. This (I believe) handles the case where
PredSet (the input nodes) contains more than one node due to state
bifurcation. Zhongxing: can you review this?
llvm-svn: 89882
initial transition of the nil-receiver checker to the Checker
interface as done in r89745. Some important changes include:
1) We consolidate the BugType object used for nil receiver bug
reports, and don't include the type of the returned value in the
BugType (which would be wrong if a nil receiver bug was reported more
than once)
2) Added a new (temporary) flag to CheckerContext: DoneEvauating.
This is used by GRExprEngine when evaluating message expressions to
not continue evaluating the message expression if this flag is set.
This flag is currently set by the nil receiver checker. This is an
intermediate solution to allow the nil-receiver checker to properly
work as a plug-in outside of GRExprEngine. Basically, this flag
indicates that the entire message expression has been evaluated, not
just a precondition (which is what the nil-receiver checker does).
This flag *should not* be repurposed for general use, but just to pull
more things out of GRExprEngine that already in there as we devise a
better interface in the Checker class.
3) Cleaned up the logic in the nil-receiver checker, making the
control-flow a lot easier to read.
llvm-svn: 89804
along the way. Important changes:
1) To generate a sink node, use GenerateSink(); GenerateNode() is for
generating regular transitions. This makes the API clearer and also
allows us to use the 'bool' option to GenerateNode() for a different
purpose.
2) GenerateNode() now automatically adds the generated node to the
destination ExplodedNodeSet (autotransition) unless the client
specifies otherwise with a bool flag. Several checkers did not call
'addTransition()' after calling 'GenerateNode()', causing the
simulation path to be prematurely culled when a non-fail stop bug was
encountered.
3) Add variants of GenerateNode()/GenerateSink() that take neither a
Stmt* or a GRState*; most callers of GenerateNode() just pass in the
same Stmt* as provided when the CheckerContext object is created; we
can just use that the majority of the time. This cleanup also allows
us to potentially coelesce the APIs for evaluating branches and
end-of-paths (which currently directly use builders).
4) addTransition() no longer needs to be called except for a few
cases. We now have a variant of addTransition() that takes a
GRState*; this allows one to propagate the updated state without
caring about generating a new node explicitly. This nicely cleaned up
a bunch of cases that called autoTransition() with a bunch of
conditional logic surround the call (that common logic has now been
swallowed up by addTransition() itself).
llvm-svn: 89707
sugared types. The basic problem is that our qualifier accessors
(getQualifiers, getCVRQualifiers, isConstQualified, etc.) only look at
the current QualType and not at any qualifiers that come from sugared
types, meaning that we won't see these qualifiers through, e.g.,
typedefs:
typedef const int CInt;
typedef CInt Self;
Self.isConstQualified() currently returns false!
Various bugs (e.g., PR5383) have cropped up all over the front end due
to such problems. I'm addressing this problem by splitting each
qualifier accessor into two versions:
- the "local" version only returns qualifiers on this particular
QualType instance
- the "normal" version that will eventually combine qualifiers from this
QualType instance with the qualifiers on the canonical type to
produce the full set of qualifiers.
This commit adds the local versions and switches a few callers from
the "normal" version (e.g., isConstQualified) over to the "local"
version (e.g., isLocalConstQualified) when that is the right thing to
do, e.g., because we're printing or serializing the qualifiers. Also,
switch a bunch of
Context.getCanonicalType(T1).getUnqualifiedType() == Context.getCanonicalType(T2).getQualifiedType()
expressions over to
Context.hasSameUnqualifiedType(T1, T2)
llvm-svn: 88969
* Add a load type to GRExprEngine::EvalLoad().
* When retrieve from 'theValue' of OSAtomic funcitions, use the type of the
region instead of the argument expression as the load type.
* Then we can convert CastRetrievedSVal to a pure assertion. In the future
we can let all Retrieve() methods simply return SVal.
llvm-svn: 88888
- Eliminates many calls to std::string.c_str()
- Fixes an invalid read in ReturnStackAddressChecker due to an unsafe call to
StringRef.data() which doesn't guarantee null-termination.
llvm-svn: 88779
the old builder API. This percolated a bunch of changes up to the
Checker class (where CheckLocation has been renamed VisitLocation) and
GRExprEngine. ProgramPoint now has the notion of a "LocationCheck"
point (with PreLoad and PreStore respectively), and a bunch of the old
ProgramPoints that are no longer used have been removed.
llvm-svn: 86798
This is reasonable because people know what they are doing when they
intentionally dereference the pointer.
So now we only emit warning when a pointer variable is use literally.
llvm-svn: 86673
ArrayType>()) does not instantiate. Update all callers that used this
unsafe feature to use the appropriate ASTContext::getAs*ArrayType method.
llvm-svn: 86596
value into their own respective subclasses of Checker (and put them in .cpp files where their
implementation details are hidden from GRExprEngine).
llvm-svn: 86215
an "assign expression", representing the expressions where the value
binding occurs and the assignment takes place respectively. These are
largely syntactic clues for better error reporting.
llvm-svn: 86084
Split it to two checkers, one for undefined size,
the other for zero size, so that we don't need to query the size
when emitting the bug report.
llvm-svn: 85895
by Zhongxing Xu. RemoveDeadBindings() would falsely prune
SymbolicRegions from the store that wrapped derived symbols whose
liveness could only be determined after scanning the store.
llvm-svn: 85484
qualified reference to a declaration that is not a non-static data
member or non-static member function, e.g.,
namespace N { int i; }
int j = N::i;
Instead, extend DeclRefExpr to optionally store the qualifier. Most
clients won't see or care about the difference (since
QualifierDeclRefExpr inherited DeclRefExpr). However, this reduces the
number of top-level expression types that clients need to cope with,
brings the implementation of DeclRefExpr into line with MemberExpr,
and simplifies and unifies our handling of declaration references.
Extended DeclRefExpr to (optionally) store explicitly-specified
template arguments. This occurs when naming a declaration via a
template-id (which will be stored in a TemplateIdRefExpr) that,
following template argument deduction and (possibly) overload
resolution, is replaced with a DeclRefExpr that refers to a template
specialization but maintains the template arguments as written.
llvm-svn: 84962
AnalysisManager periodically cleanup its AnalysisContextManager and LocationContextManager objects,
as they don't need to forever retain all the CFGs ever created when analyzing a file.
llvm-svn: 84684
RegionStoreManager::Retrieve() that was intended to handle conflated uses of pointers as integers.
It turns out this isn't needed, and resulted in inconsistent behavior when creating symbolic values on the following test case in 'tests/Analysis/misc-ps.m':
typedef struct _BStruct { void *grue; } BStruct;
void testB_aux(void *ptr);
void testB(BStruct *b) {
{
int *__gruep__ = ((int *)&((b)->grue));
int __gruev__ = *__gruep__;
testB_aux(__gruep__);
}
{
int *__gruep__ = ((int *)&((b)->grue));
int __gruev__ = *__gruep__;
if (~0 != __gruev__) {}
}
}
When the code was analyzed with '-arch x86_64', the value assigned to '__gruev__' be would be a
symbolic integer, but for '-arch i386' the value assigned to '__gruev__' would be a symbolic region
(a blob of memory). With this change the value created is always a symbolic integer.
Since the code being removed was added to support analysis of code calling
OSAtomicCompareAndSwapXXX(), I also modified 'test/Analysis/NSString.m' to analyze the code in both
'-arch i386' and '-arch x86_64', and also added some complementary test cases to test the presence
of leaks when using OSAtomicCompareAndSwap32Barrier()/OSAtomicCompareAndSwap64Barrier() instead of
just their absence. This code change reveals that previously both RegionStore and BasicStore were
handling these cases wrong, and would never cause the analyzer to emit a leak in these cases (false
negatives). Now RegionStore gets it right, but BasicStore still gets it wrong (and hence it has been
disabled temporarily for this test case).
llvm-svn: 84163
'CVPixelBufferCreateWithPlanarBytes()' and
'CVPixelBufferCreateWithBytes' (Core Video API) can indirectly release
a pixel buffer object via a callback.
This fixes <rdar://problem/7283567>.
llvm-svn: 84064
Speedup: when doing 'clang-cc -analyze -dump-cfg' (without actual printing, just
CFG building) on the amalgamated SQLite source (all of SQLite in one source
file), runtime reduced by 9%.
This fixes: <rdar://problem/7250745>
llvm-svn: 83899
default binding for regions. This allows us to simply a lot of code. A
further simplification could be done is that many methods of
regionstore can only work on Store instead of GRState.
llvm-svn: 83762
adding assert
This fix required a few changes:
SimpleSValuator:
- Eagerly replace a symbolic value with its constant value in EvalBinOpNN
when it is constrained to a constant. This allows us to better constant fold
values along a path.
- Handle trivial case of '<', '>' comparison of pointers when the two pointers
are exactly the same.
RegionStoreManager:
llvm-svn: 83358
concrete types. Use unqualified desugaring for getAs<> and sundry.
Fix a few users to either not desugar or use qualified desugar, as seemed
appropriate. Removed Type's qualified desugar method, as it was easy
to accidentally use instead of QualType's.
llvm-svn: 83116
identified with a false positive reported by Thomas Clement. This
involved doing another rewrite of
RegionStoreManager::RemoveDeadBindings(), which phrases the entire
problem of scanning for dead regions as a graph exploration problem.
It is more methodic than the previous implementation.
llvm-svn: 83053
are only specially treated by RegionStore::InvalidateRegion() when
their super region is also invalidated. When this isn't the case,
conjure a new symbol for a FieldRegion. Thanks to Zhongxing Xu and
Daniel Dunbar for pointing out this issue.
llvm-svn: 83043
<rdar://problem/6914474> checker doesn't realize that variable might
have been assigned if a pointer to that variable was passed to another
function via a structure
The problem here was the RegionStoreManager::InvalidateRegion didn't
invalidate the bindings of invalidated regions. This required a
rewrite of this method using a worklist.
As part of this fix, changed ValueManager::getConjuredSymbolVal() to
require a 'void*' SymbolTag argument. This tag is used to
differentiate two different symbols created at the same location.
llvm-svn: 82920
value-dependent. Audit (and fixed) all calls to
Expr::isNullPointerConstant() to provide the correct behavior with
value-dependent expressions. Fixes PR5041 and a crash in libstdc++
<locale>.
In the same vein, properly compute value- and type-dependence for
ChooseExpr. Fixes PR4996.
llvm-svn: 82748
have the iterators and operator[] handle the traversal of statements, as they
are stored in reverse order. Tests show this has no real performance impact, but
it does simply the CFG construction logic and will make it slightly easier to
change the allocation strategy for CFGBlocks (as we have fewer copies).
llvm-svn: 82702
The issue was a discrepancy between how RegionStoreManager::Bind() and
RegionStoreManager::Retrieve() derived the "key" for the first element
of a symbolic region.
llvm-svn: 82680
Several of the existing methods were identical to their respective
specializations, and so have been removed entirely. Several more 'leaf'
optimizations were introduced.
The getAsFoo() methods which imposed extra conditions, like
getAsObjCInterfacePointerType(), have been left in place.
llvm-svn: 82501
integer pointer. For now just invalidate the fields of the struct.
This addresses: <rdar://problem/7185607> [RegionStore] support invalidation of bit fields using integer assignment
llvm-svn: 82492
when running the analyzer on real projects. We'll keep the change to
AnalysisManager.cpp in r82198 so that -fobjc-gc analyzes code
correctly in both GC and non-GC modes, although this may emit two
diagnostics for each bug in some cases (a better solution will come
later).
llvm-svn: 82201
pruning of diagnostics that may be emitted multiple times. This is
accomplished by adding FoldingSet profiling support to PathDiagnostic,
and then having BugReporter record what diagnostics have been issued.
This was motived to a serious bug introduced by moving the
'divide-by-zero' checking outside of GRExprEngine into a separate
'Checker' class. When analyzing code using the '-fobjc-gc' option, a
given function would be analyzed twice, but the second time various
"internal checks" would be disabled to avoid emitting multiple
diagnostics (e.g., "null dereference") for the same issue. The
problem is that such checks also effect path pruning and don't just
emit diagnostics. This resulted in an assertion failure involving a
real divide-by-zero in some analyzed code where we would get an
assertion failure in APInt because the 'DivZero' check was disabled
and didn't prune the logic that resulted in the divide-by-zero in the
analyzer.
The implemented solution is somewhat of a hack, and may not perform
extremely well. This will need to be cleaned up over time.
As a regression test, 'misc-ps.m' has been modified so that its tests
are run using -fobjc-gc to test this diagnostic pruning behavior.
llvm-svn: 82198
__builtin_offsetof in the static analyzer that __builtin_offsetof is
not guaranteed to return an integer constant. We will need to shore
this up later, but now at least we have correct support for when this
*is* an integer constant.
llvm-svn: 81830
to statically type various methods in SValuator/GRState as required either a
defined value or a defined-but-possibly-unknown value. This leads to various
logic cleanups in GRExprEngine, and lets the compiler enforce via type checking
our assumptions about what symbolic values are possibly undefined and what are
not.
Along the way, clean up some of the static analyzer diagnostics regarding the uses of uninitialized values.
llvm-svn: 81579
Here we implement this as a precondition within GRExprEngine, even though it is
related to how BasicStoreManager and RegionStoreManager model 'self'
differently. Putting this as a high-level precondition is more general, which is
why it isn't in RegionStore.cpp.
llvm-svn: 81378
Also fix a checker context bug: the Dst set is not always empty initially.
Because in GRExprEngine::CheckerVisit(), *CurrSet is used repeatedly.
So we removed the Dst.empty() condition in ~CheckerContext() when deciding
whether to do autotransision.
llvm-svn: 80786
in the BugReport.
When all internal bug checking logic are moved to checkers, BuiltinBug will
not reference GRExprEngine, and FlushReports() will be not necessary, since
all bugs are emitted into the equivalent classes immediately.
For now just add a ctor with no arguments.
llvm-svn: 80770
motivated from Shark profiles that shows that 'markLive' was very
heavy when using --analyzer-store=region. On my benchmark file, this
reduces the analysis time for --analyzer-store=region from 19.5s to
13.5s and for --analyzer-store=basic from 5.3s to 3.5s. For the
benchmark file, this is a reduction of about 30% analysis time for
both analysis modes (a huge win).
llvm-svn: 80765
space within the MemberExpr for the nested-name-specifier and its
source range. We'll do the same thing with explicitly-specified
template arguments, assuming I don't flip-flop again.
llvm-svn: 80642
pointers. Most logic cares first about whether or not a region is
symbolic, and second if represents code. This should fix a series of
silent corner case bugs (as well as simplify a bunch of code).
llvm-svn: 80335
name, e.g.,
x->Base::f()
retain the qualifier (and its source range information) in a new
subclass of MemberExpr called CXXQualifiedMemberExpr. Provide
construction, transformation, profiling, printing, etc., for this new
expression type.
When a virtual function is called via a qualified name, don't emit a
virtual call. Instead, call that function directly. Mike, could you
add a CodeGen test for this, too?
llvm-svn: 80167
implicit cast logic in RegionStoreManager to BasicStoreManager. This involved
moving CastRetriedVal from RegionStoreManager to StoreManager.
llvm-svn: 80026
Now AnalysisManager is the only place we can get CodeDecl.
This leads to an API change: GRState::bindExpr() now takes the CFG argument.
llvm-svn: 79980
the condition. This eliminates a source of bugs where the client doesn't
correctly reason about undefined or unknown values. This fixes PR 4759.
llvm-svn: 79952
SelfRegion represented the object bound to 'self' (when analyzing Objective-C
methods) upon entry to a method. Having this region stored on the side ignores
the current stack frame that we might be analyzing (among other things), and is
a problem for interprocedural analysis.
For RegionStoreManager, the value for SelfRegion is just lazily created.
For BasicStoreManager, the value for SelfRegion is bound eagerly to 'self', but
no explicit tracking of SelfRegion on the side is made.
As part of this change, remove the restriction in BasicStoreManager that we only
track ivars for 'self'. This shouldn't actually change anything in terms of
precision, and simplifies the logic.
llvm-svn: 79694
fixing <rdar://problem/7152619>. Along the way, merge test cases in
'test/Analysis/rdar-6539791.c' into 'test/Analysis/retain-release.m'.
llvm-svn: 79499
which allows custom checks to register callback creator functions for creating
BugReporterVisitor objects. This allows various checks to include diagnostics
such as 'assuming value is null' with little extra work. Eventually this API
should be refactored to be cleaner and more simple.
llvm-svn: 79302
with array accesses. In the process, refactor some common logic in
RetrieveElement() and RetrieveField() into RetrieveFieldOrElementCommon().
llvm-svn: 78349
merge GRCoreEngineImpl and GRCoreEngine.
Introduce a new interface class GRSubEngine as the subengine of GRCoreEngine.
GRExprEngine subclasses GRSubEngine now.
llvm-svn: 78298
and their impl base classes. This can greatly simply some code of the core
analysis engine. This patch merges ExplodedNodeImpl into ExplodedNode.
llvm-svn: 78270
RegionStore already lazily abstracted the contents of arrays and structs, when
doing an assignment from one array/struct to another we did an explicit
element-wise copy, which resulted in a loss of laziness and huge performance
problem when analyzing many code bases.
Now RegionStoreManager handles such assignments using a new SVal could
'LazyCompoundSVal', which basically means the value of a given struct or array
(a MemRegion*) in a specific state (GRState). When we do a load from a field
whose encompassing struct binds to a LazyCompoundSVal, we essentially do a field
lookup in the original structure. This means we have essentially zero copying of
data for structs/arrays and everything stays lazy.
llvm-svn: 78268
constant value. If the UnaryOperator has location type, create the
constant with int type and pointer width.
This fixes the bug that all pointer increments 'p++' evaluated to Unknown.
llvm-svn: 78147
made to RegionStore (and related classes) in order to handle some
analyzer failures involving casts and manipulation of symbolic memory.
The root of the change is in StoreManager::CastRegion(). Instead of
using ad hoc heuristics to decide when to layer an ElementRegion on a
casted MemRegion, we now always layer an ElementRegion when the cast
type is different than the original type of the region. This carries
the current cast information associated with a region around without
resorting to the error prone recording of "casted types" in GRState.
Along with this new policy of layering ElementRegions, I added a new
algorithm to strip away existing ElementRegions when they simply
represented casts of a base memory object. This algorithm computes
the raw "byte offset" that an ElementRegion represents from the base
region, and allows the new ElementRegion to be based off that offset.
The added benefit is that this naturally handles a series of casts of
a MemRegion without building up a set of redundant ElementRegions
(thus canonicalizing the region view).
Other related changes that cascaded from this one (as tests were
failing in RegionStore):
- Revamped RegionStoreManager::InvalidateRegion() to completely remove
all bindings and default values from a region and all subregions.
Now invalidated fields are not bound directly to new symbolic
values; instead the base region has a "default" symbol value from
which "derived symbols" can be created. The main advantage of this
approach is that it allows us to invalidate a region hierarchy and
then lazily instantiate new values no matter how deep the hierarchy
went (i.e., regardless of the number of field accesses,
e.g. x->f->y->z->...). The previous approach did not do this.
- Slightly reworked RegionStoreManager::RemoveDeadBindings() to also
incorporate live symbols and live regions that do not have direct
bindings but also have "default values" used for lazy instantiation.
The changes to 'InvalidateRegion' revealed that these were necessary
in order to achieve lazy instantiation of values in the region store
with those bindings being removed too early.
- The changes to InvalidateRegion() and RemoveDeadBindings() revealed
a serious bug in 'getSubRegionMap()' where not all region -> subregion
relationships involved in actually bindings (explicit and implicit)
were being recorded. This has been fixed by using a worklist algorithm
to iteratively fill in the region map.
- Added special support to RegionStoreManager::Bind()/Retrieve() to handle
OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the
layering of ElementRegions.
- Fixed a bug in SymbolReaper::isLive() where derived symbols were not
being marked live if the symbol they were derived from was also live.
This fix was critical for getting lazy instantiation in RegionStore
to work.
- Tidied up the implementation of ValueManager::getXXXSymbolVal() methods
to use SymbolManager::canSymbolicate() to decide whether or not a
symbol should be symbolicated.
- 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been
moved to 'test/Analysis/misc-ps.m'.
- Tweaked some pretty-printing of MemRegions, and implemented
'ElementRegion::getRawOffset()' for use with the CastRegion changes.
llvm-svn: 77782
Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
Type::getAsRecordType() -> Type::getAs<RecordType>()
Type::getAsPointerType() -> Type::getAs<PointerType>()
Type::getAsBlockPointerType() -> Type::getAs<BlockPointerType>()
Type::getAsLValueReferenceType() -> Type::getAs<LValueReferenceType>()
Type::getAsRValueReferenceType() -> Type::getAs<RValueReferenceType>()
Type::getAsMemberPointerType() -> Type::getAs<MemberPointerType>()
Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
Type::getAsTagType() -> Type::getAs<TagType>()
And remove Type::getAsReferenceType(), etc.
This change is similar to one I made a couple weeks ago, but that was partly
reverted pending some additional design discussion. With Doug's pending smart
pointer changes for Types, it seemed natural to take this approach.
llvm-svn: 77510
in StoreManager to RegionStoreManager, and create a special, highly reduced
version in BasicStoreManager.
These changes are in preparation for future RegionStore-specific changes to
InvalidateRegion.
llvm-svn: 77483
could cause false positives if any the subexpressions had side-effects. These
initializers weren't evaluated because the StoreManager would need to handle
them, but that's an orthogonal problem of whether or not the StoreManager can
handle the binding.
llvm-svn: 77361
TryEvaluateBool instead of using a raw 'int'. This avoids any
confusion of how 'int' converts to bool, and makes the resultant code
easier to read.
Condense a bunch of 'addSuccessor()' calls in 'if ... else' to use the
ternary operator instead.
llvm-svn: 76947
Educate GRExprEngine::VisitGraph() about 'PreStmt'.
Mark the constructor of 'PostStmt' to be explicit, preventing implicit
conversions and the selection of the wrong 'generateNode' method in
GRStmtNodeBuilder.
Constify a bunch of arguments, which falls out of the changes to ProgramPoint.
llvm-svn: 76809
'Checker' interface. An updated test case illustrates that after calling a
function with the 'nonnull' attribute we now register the fact that the passed
pointer must be non-null. This retention of information was not possible with
the previously used GRSimpleAPICheck interface.
llvm-svn: 76797
instead preferring to use the a region's actual type when creating
symbols and using the QualType passed to Retrieve for implicit
casting. This preprocessor logic is temporary; eventually we will
either remove region casts or keep them.
Temporarily toggle (via preprocessor directives) that SymbolicRegions
with heap storage are not undefined, but instead should be
symbolicated. If we want to model that a SymbolicRegion is
uninitialized, we can explicitly model that by binding UndefinedVal to
that region. It turns out that we want to treat most heap objects as
being defined, not the other way around.
llvm-svn: 76720
'cast type' of a region to invalidate its binding. This only occurs
when using RegionStoreManager, as it records the cast type. I'm
currently considering removing the notion of a cast type (see
comments in code).
llvm-svn: 76719
to SValuator::EvalCast. In the process, the StoreManagers now use this new cast
machinery, and the hack in GRExprEngine::EvalBind to handle implicit casts
involving OSAtomicCompareAndSwap and friends has been removed (and replaced with
logic closer to the logic specific to those functions).
llvm-svn: 76641
-refactor logic for retrieving bindings from VarDecls into
RegionStoreManager::RetrieveVar()
- improve RegionStoreManager::CastRetrievedVal() and SimpleSValuate::EvalCastNL
to better handle casts of values of the same canonical type as well as
casts of LocAsInteger values.
llvm-svn: 76516
Entity can now refer to declarations that are not visible outside the translation unit.
It is a wrapper of a pointer union, it's either a Decl* for declarations that don't
"cross" translation units, or an EntityImpl* which is associated with the specific "visible" Decl.
Included is a test case for handling fields across translation units.
llvm-svn: 76515
pointers.
Enhanced RegionStoreManager::Retrieve() to handle automatic casts when the
loaded value is different from the requested value. This should be refined over
time, but essentially we should always symbolicate locations as locations, and
convert them to non-locations on demand.
These changes now cause 'misc-ps.m' to pass again.
llvm-svn: 76497
where the true or false CFGBlock* for a branch could be NULL. This will handle
the case where we can determine during CFG construction that a branch is
infeasible.
llvm-svn: 76450
is an algorithm that is much easier to understand and slightly more efficient.
Thanks to Mike Stump for our discussions on the CFGBuilder and his comments that
helped prompt this long needed cleanup.
llvm-svn: 76250
until Doug Gregor's Type smart pointer code lands (or more discussion occurs).
These methods just call the new Type::getAs<XXX> methods, so we still have
reduced implementation redundancy. Having explicit getAsXXXType() methods makes
it easier to set breakpoints in the debugger.
llvm-svn: 76193
This method is intended to eventually replace the individual
Type::getAsXXXType<> methods.
The motivation behind this change is twofold:
1) Reduce redundant implementations of Type::getAsXXXType() methods. Most of
them are basically copy-and-paste.
2) By centralizing the implementation of the getAs<Type> logic we can more
smoothly move over to Doug Gregor's proposed canonical type smart pointer
scheme.
Along with this patch:
a) Removed 'Type::getAsPointerType()'; now clients use getAs<PointerType>.
b) Removed 'Type::getAsBlockPointerTypE()'; now clients use getAs<BlockPointerType>.
llvm-svn: 76098
ValueManager::makeArrayIndex()/convertArrayIndex() methods. This
handles yet another crash case when reasoning about array indices of
different bitwidth and signedness.
llvm-svn: 75884
(1) Moved the SValuator object from GRExprEngine to ValueManager. This
allows ValueManager to use the SValuator when creating SVals.
(2) Added ValueManager::makeArrayIndex() and
ValueManager::convertToArrayIndex(), two SVal creation methods
that will help RegionStoreManager always have a consistent set of
SVals with the same integer size and type when reasoning about
array indices.
llvm-svn: 75882
This patch causes:
- StoreManager::InvalidateRegion() to not used the casted type of a region if
it would cause a pointer type to be invalidated as a non-pointer type.
- Pushes RegionStore::RetrieveElement() further by handling retrievals from
symbolic arrays that have been invalidated. This uses the new SymbolDerived
construct that was recently introduced.
The result is that the failing test in misc-ps-region-store-x86_64.m now passes.
Both misc-ps-region-store-x86_64.m and misc-ps-region-store-i386.m contain a
test case that motivated this change.
llvm-svn: 75730
SymbolDerived allows us to model symbolic values that are related to other
symbols via a region hierarchy. For example, SymbolDerived can be used to model
individual values of a symbolic array.
llvm-svn: 75728
I don't love the name, however it simplifies the code and is a worthwhile change. If/when we come up with a better name, we can do a search/replace.
llvm-svn: 75650
invalidate the region correctly. It uses the cast-to type to invalidate
the region when available. To avoid invalid cast-to type like 'void*' or 'id',
region store now only records non-generic casts of regions.
llvm-svn: 75580
are not explicitly marked as not accepting NULL pointers. This check illustrates
how we need more refactoring in the custom-check logic.
llvm-svn: 75570
where we are comparing a symbolic value against itself, regardless of
the nature of that symbolic value.
This enhancement identified a case where RegionStoreManager is not
correctly symbolicating the values of the pointees of parameters. The
failing test is now in 'test/Analysis/misc-ps-region-store.m', with
that test file now (temporarily) marked XFAIL.
llvm-svn: 75521
The idea is to segregate Objective-C "object" pointers from general C pointers (utilizing the recently added ObjCObjectPointerType). The fun starts in Sema::GetTypeForDeclarator(), where "SomeInterface *" is now represented by a single AST node (rather than a PointerType whose Pointee is an ObjCInterfaceType). Since a significant amount of code assumed ObjC object pointers where based on C pointers/structs, this patch is very tedious. It should also explain why it is hard to accomplish this in smaller, self-contained patches.
This patch does most of the "heavy lifting" related to moving from PointerType->ObjCObjectPointerType. It doesn't include all potential "cleanups". The good news is additional cleanups can be done later (some are noted in the code). This patch is so large that I didn't want to include any changes that are purely aesthetic.
By making the ObjC types truly built-in, they are much easier to work with (and require fewer "hacks"). For example, there is no need for ASTContext::isObjCIdStructType() or ASTContext::isObjCClassStructType()! We believe this change (and the follow-up cleanups) will pay dividends over time.
Given the amount of code change, I do expect some fallout from this change (though it does pass all of the clang tests). If you notice any problems, please let us know asap! Thanks.
llvm-svn: 75314
CodeTextRegions can only be casted to FunctionPointer or BlockPointerTypes. This
simply isn't true. We can handle bogus operations on CodeTextRegions (e.g, an
array access) elsewhere.
llvm-svn: 75285
and replace the 'clang-cc' option '-analyzer-store=basic-new-cast' with
'-analyzer-store=basic-old-cast'. We'll keep the old CastRegion implementation
around for a little while for regression testing.
llvm-svn: 75209
- Refactor logic that creates ElementRegions into a help method 'MakeElementRegion'.
- Fix crash due to not handling StringRegions. Casts of StringRegions now
result in a new ElementRegion layered on the original StringRegion.
llvm-svn: 74867
(its superclass). This will allow us to experiment with using the new CastRegion
with BasicStoreManager, and gradually phase out the old implementation.
llvm-svn: 74851
ValueManager::getRegionValueSymbolVal() with unguarded calls to
ValueManager::getRegionValueSymbolValOrUnknown(). This changes centralizes the
decision of what values to symbolicate in SymbolManager rather than having it
scatter in RegionStoreManager.
llvm-svn: 74730
pass misc-ps.m. Currently RegionStore/BasicStore don't do any special reasoning
about clang-style vectors, so we should return UnknownVal (in all cases) when
accessing their values via an array.
llvm-svn: 74660
TypedRegion. While we plan on removing this code at some point, it serves as a
good reference implementation for use with BasicStore until we are sure the new
CastRegion logic (in RegionStore.cpp) is correct.
llvm-svn: 74559
unknown for it.
Mark the super region of a live region as live, if the live region is pointed
to by a live pointer variable.
These fixes xfail_regionstore_wine_crash.c.
llvm-svn: 74524
Remove ASTContext parameter from DeclContext's methods. This change cascaded down to other Decl's methods and changes to call sites started "escalating".
Timings using pre-tokenized "cocoa.h" showed only a ~1% increase in time run between and after this commit.
llvm-svn: 74506
The implementations of these methods can Use Decl::getASTContext() to get the ASTContext.
This commit touches a lot of files since call sites for these methods are everywhere.
I used pre-tokenized "carbon.h" and "cocoa.h" headers to do some timings, and there was no real time difference between before the commit and after it.
llvm-svn: 74501
This is simple enough, but then I thought it would be nice to make PrintingPolicy
get a LangOptions so that various things can key off "bool" and "C++" independently.
This spiraled out of control. There are many fixme's, but I think things are slightly
better than they were before.
One thing that can be improved: CFG should probably have an ASTContext pointer in it,
which would simplify its clients.
llvm-svn: 74493
GRTransferFuncs had the conflated role of both constructing SVals (symbolic
expressions) as well as handling checker-specific logic. Now SValuator has the
role of constructing SVals from expressions and GRTransferFuncs just handles
checker-specific logic. The motivation is by separating these two concepts we
will be able to much more easily create richer constraint-generating logic
without coupling it to the main checker transfer function logic.
We now have one implementation of SValuator: SimpleSValuator.
SimpleSValuator is essentially the SVal-related logic that was in GRSimpleVals
(which is removed in this patch). This includes the logic for EvalBinOp,
EvalCast, etc. Because SValuator has a narrower role than the old
GRTransferFuncs, the interfaces are much simpler, and so is the implementation
of SimpleSValuator compared to GRSimpleVals. I also did a line-by-line review of
SVal-related logic in GRSimpleVals and cleaned it up while moving it over to
SimpleSValuator.
As a consequence of removing GRSimpleVals, there is no longer a
'-checker-simple' option. The '-checker-cfref' did everything that option did
but also ran the retain/release checker. Of course a user may not always wish to
run the retain/release checker, nor do we wish core analysis logic buried in the
checker-specific logic. The next step is to refactor the logic in CFRefCount.cpp
to separate out these pieces into the core analysis engine.
llvm-svn: 74229
- Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use
'getMemorySpace()'. This avoids a double traversal up the region hierarchy
and is simpler.
- Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient
alternative to 'hasStackStorage() || hasHeapStorage()'.
llvm-svn: 73977
- Embed a reference to MemRegionManager objects in MemSpaceRegion objects
- Use this embedded reference for MemRegion objects to access ASTContext objects without external help
- Use this access to ASTContext to simplify 'isBoundable' (no ASTContext& argument required)
llvm-svn: 73935
member template functions and traits. The idea is to allow MemRegionManager to
construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g.,
checker-specific regions).
llvm-svn: 73917
- Remove the 'isFeasible' flag from all uses of 'Assume'.
- Remove the 'Assume' methods from GRStateManager. Now the only way to
create a new GRState with an assumption is to use the new 'assume' methods
in GRState.
llvm-svn: 73731
Add a type (ObjCObjectPointerType) and remove a type (ObjCQualifiedIdType).
This large/tedious patch is just a first step. Next step is to remove ObjCQualifiedInterfaceType. After that, I will remove the magic TypedefType for 'id' (installed by Sema). This work will enable various simplifications throughout clang (when dealing with ObjC types).
No functionality change.
llvm-svn: 73649
GRState object has a direct reference to its GRStateManager, making
the functionality of GRStateRef redunandant. This will lead to some
nice API cleanup and code shrinking across libAnalysis.
llvm-svn: 73644
- Add "sections" to RegionStoreManager.cpp to delineate functionality.
- Add new function "CreateFieldsOnlyRegionStoreManager" that uses the new
RegionStoreFeatures class to use a reduced set of features from
RegionStoreManager (in this case, only field-sensitivity). This isn't
completely hooked up yet.
llvm-svn: 73572
preprocessor and initialize it early in clang-cc. This
ensures that __has_builtin works in all modes, not just
when ASTContext is around.
llvm-svn: 73319
RegionStore needs to know the type of alloca region.
* RegionStoreManager::EvalBinOp() now converts the alloca region to its first
element region, as what is done to symbolic region.
llvm-svn: 72164
generation when EvalObjCMessageExpr() did not resolve the
ObjCInterfaceDecl* for a receiver when the receiver's symbolic value
wasn't being explicitly tracked.
llvm-svn: 71685
array region, set its default value to conjured symbol. When retrieving its
element, create new region value symbol for the element.
Also fix some 80 columns violations.
llvm-svn: 71548
where an owned one is expected. Also add preliminary checking for
returning a positive retain count object in GC mode where an owned GC
object is expected.
llvm-svn: 71388
Modify getLValueElement accordingly. Now we don't require base region
to be a typed region. Do not create TypedViewRegion when base region is
symbolic or alloca region. We can do so because each element region has
its type information.
llvm-svn: 71355
implicitly be changed to unsigned values in GRSimpleVals.cpp. This can happen
when the comparison involves logic in specialized transfer functions (e.g.,
OSAtomicCompareAndSwap).
llvm-svn: 71200
'BugReporterVisitor'. This simplifies callbacks from BugReporter to BugReports
(via VisitNode). It also lays the foundation for arbitrary visitor "call backs"
that can be registered to a BugReporterContext as a PathDiagnostic is
constructed. These call backs can help operate as separate "experts" that can
work on constructed pieces of a PathDiagnostic for which they possess special
knowledge.
llvm-svn: 71121
- Update the old StoreManager::CastRegion to strip off 'ElementRegions' when
casting to void* (Zhongxing: please validate)
- Pass-by-reference argument invalidation logic in CFRefCount.cpp:
- Strip ElementRegions when the ElementRegion is just a 'raw data' view
on top of the underlying typed region.
llvm-svn: 71094
- add a static function getTypeWidth(), which computes the width of a type
with the help of TargetInfo.
- no-outofbounds.c now passes for region store.
llvm-svn: 71080
'objc_ownership_cfretain' -> 'cf_ownership_retain'
'objc_ownership_cfrelease' -> 'cf_ownership_release'
Motivation: Core Foundation objects can be used in isolation from Objective-C,
and this forces users to reason about the separate semantics of CF objects. More
Sema support pending.
llvm-svn: 70884
'ElementRegion' on top of the VarRegion for 'x'. This causes the test
case xfail_wine_crash.c to now pass for BasicStoreManager. It doesn't
crash for RegionStoreManager either, but reports a bogus unintialized
value warning.
llvm-svn: 70832
ElementRegion. I also removed 'ElementRegion::getArrayRegion',
although we may need to add this back.
This breaks a few test cases with RegionStore:
- 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate.
- misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic:
'Line 159: Uninitialized or undefined return value returned to caller.'
There were a bunch of places that needed to be edit
RegionStoreManager, and we may not be passing all the correct 'element
types' down from GRExprEngine.
Zhongxing: When you get a chance, could you review this? I could have
easily screwed up something basic in RegionStoreManager.
llvm-svn: 70830
- Don't layer TypedViewRegions on top of any region except
SymbolicRegions and AllocaRegions. This follows from my offline
discussion within Zhongxing about how TypedViewRegions really only
represent memory getting re-appropriated for a new purpose.
Fallout from this change:
- Move test case from xfail_rdar_6440393.m to misc-ps-64.m
(it now passes).
- test/Analysis/fields.c now fails for region store (crash).
Marking XFAIL.
- test/Analysis/rdar-6441136-region.c now fails (only runs with region store).
Marking XFAIL.
Diagnosis: The analyzer now correctly identifies an early out-of-bounds memory
access then the one flagged:
rdar-6541136-region.c:17:3: warning: Load or store into an out-of-bound memory position.
*p = 1;
^~
Changing the line:
char *p = (void*) &wonky[1];
to
char *p = (void*) &wonky[0];
(which should delay the buffer overrun) causes region store to crash, probably
because it expects a TypedViewRegion.
- test/Analysis/casts.c (region store) now fails (crash).
Marking XFAIL.
llvm-svn: 70565
location context. This allows us to postpone the decision of whether
or not a context should add a control-flow piece to the diagnostics
when inspecting its subexpressions.
llvm-svn: 70545
- Add an (optional) short description for BugReports for clients that want
to distinguish between long and short descriptions for bugs
- Make the bug report for VLA less obscene for Plist diagnostics by using
the short description
llvm-svn: 70415
reasoning about OSCompareAndSwap32Barrier/OSCompareAndSwap64Barrier. Essentially
the address of reference to a region (pointer-to-pointer) can be casted to
(int32_t*), and we need to handle the logic to convert the involved locations
back and forth from nonloc::LocAsInteger, nonloc::ConcreteInt, to Loc and
loc::ConcreteInt respectively. This adds some potentially suspect logic to
BasicStoreManager that allows the analyzer to reason about abuses of the C type
system. This should probably be refined, be ported over to RegionStoreManager,
and extended with "path-sensitive type checking" to flag bugs in clearly
incoherent code.
llvm-svn: 70382
as 'objc_ownership_cfretain' except that the method acts like a CFRetain instead
of a [... retain] (important in GC modes). Checker support is wired up, but
currently only for Objective-C message expressions (not function calls).
llvm-svn: 70218
- Fix summary lookup for class methods to now use the (optional)
ObjCInterfaceDecl associated with a message expression. This removes a
long-standing FIXME.
- Partial fix for <rdar://problem/6062730> by stop tracking objects that
are passed to [NSObject performSelector]. These methods are often used
for delegates, which the analyzer doesn't reason about well yet.
llvm-svn: 69982
extend the number of objects tracked by the retain/release checker by assuming
that all class and instance methods should follow Cocoa object "getter" and
"alloc/new" conventions.
llvm-svn: 69908
methods, class methods, and property implementations) and instead
place all of these entities into the DeclContext.
This eliminates more linear walks when looking for class or instance
methods and should make PCH (de-)serialization of ObjCDecls trivial
(and lazy).
llvm-svn: 69849
- Remove stale assertion that was breaking the test suite.
- When popping location contexts, only add a control-flow piece for fileID
locations.
llvm-svn: 69814
character instead of the entire range for the IfStmt, ForStmt, etc. We may
gradually refine these ranges later, but basically terminator ranges just refer
to the first keyword.
llvm-svn: 69812
When the StoreManager doesn't reason well about pointer-arithmetic, propagate
the non-nullness constraint on a pointer value when performing pointer
arithmetic uisng ++/--.
llvm-svn: 69741
into StoreManager::CastRegion. Both methods were practically identical, and this
is core logic that is common to all StoreManagers since it defines the basic
invariants of the abstract memory model.
llvm-svn: 69730
lazy PCH deserialization. Propagate that argument wherever it needs to
be. No functionality change, except that I've tightened up a few PCH
tests in preparation.
llvm-svn: 69406
ProgramPoints all the way through to GRCoreEngine.
NSString.m now fails with RegionStoreManager because of the void** cast.
Disabling use of region store for that test for now.
llvm-svn: 68845
A CodeTextRegion wraps two kinds of data: FunctionDecl* or SymbolRef.
The latter comes from the symbolic function pointer that are generated from
function calls or input data.
llvm-svn: 68777
clients of the analyzer to designate custom assertion routines as "noreturn"
functions from the analyzer's perspective but not the compiler's.
llvm-svn: 68746
"manager of symbolic values", wrapping BasicValueFactory, SymbolManager, and
MemRegionManager. While these individual managers nicely separate functionality
in the analyzer, constructing symbolic values can sometimes be cumbersome
because it requires using multiple managers at once. The goal of this class is
to create some factory methods to create SVals that require the use of these
different managers, thus (hopefully) simplifying the analyzer API for clients.
llvm-svn: 68709
"The attached patch generates warnings of cases where an ObjC message is sent to
a nil object and the size of return type of that message is larger than the size
of void pointer. This may result in undefined return values as described in PR
2718. The patch also includes test cases."
llvm-svn: 68585
are considered 'live'. This hack isn't needed anymore because we have a
separation in the path-sensitive analyzer between variable names and bindings;
the analyzer can continue to reason about the storage of a variable after its
name is no longer directly referenced. Now the live variables analysis literally means "is this name live".
Along this line, update the dead stores checker to explicitly look for variables
whose values have escaped.
llvm-svn: 68504
contexts". This allows us to use a stack of contexts to keep track of what control-flow pieces to include when exiting blocks like 'if', 'for', etc.
llvm-svn: 68473
when creating symbolic values, we distinguish between location and non-location
values. For location values, we create a symbolic region instead of a
loc::SymbolVal.
llvm-svn: 68373
- When processing BlockEdges with terminators, using the condition as the
control-flow point for terminators that are expressions (e.g., '&&', '?')
- When processing events, allow intra-compound statement "jumping"
llvm-svn: 68228
instead of a FullSourceLoc. This resulted in a bunch of small edits in various
clients.
- Updated BugReporter to include an alternate PathDiagnostic generation
algorithm for PathDiagnosticClients desiring more control-flow pieces.
llvm-svn: 68193
LHS type and the computation result type; this encodes information into
the AST which is otherwise non-obvious. Fix Sema to always come up with the
right answer for both of these types. Fix IRGen and the analyzer to
account for these changes. This fixes PR2601. The approach is inspired
by PR2601 comment 2.
Note that this changes real *= complex in CodeGen from a silent
miscompilation to an explicit error.
I'm not really sure that the analyzer changes are correct, or how to
test them... someone more familiar with the analyzer should check those
changes.
llvm-svn: 67889
- Added an internal helper class 'PathDiagnosticBuilder' which now bundles the
'ExecutionContinues' methods.
- Added preliminary diagnostics for short-circuit '&&' and '||'
llvm-svn: 67822
- Added a new class, 'PathDiagnosticLocation', that is a variant for
SourceLocation, SourceRange, or Stmt*. This will be used soon by
PathDiagnosticPieces to describe locations for targets of branches, locations
of events, etc.
- Did some prep. refactoring of PathDiagnosticPieces to prepare them for
adopting the new PathDiagnosticLocation
llvm-svn: 67767
Zhongxing and I discussed by email.
Main changes:
- Removed SymIntConstraintVal and SymIntConstraint
- Added SymExpr as a parent class to SymbolData, SymSymExpr, SymIntExpr
- Added nonloc::SymExprVal to wrap SymExpr
- SymbolRef is now just a typedef of 'const SymbolData*'
- Bunch of minor code cleanups in how some methods were invoked (no functionality change)
This changes are part of a long-term plan to have full symbolic expression
trees. This will be useful for lazily evaluating complicated expressions.
llvm-svn: 67731
representing symbolic expressions like 'x'+3 and 'x'+'y'. The design is
subjected to change later when we fix the class hierarchy of symbolic
expressions.
llvm-svn: 67678
<rdar://problem/6704930> involving SimpleConstraintManager not reasoning well
about symbolic constraint values involving arithmetic operators.
llvm-svn: 67534
- Conjure symbols at '--' and '++' unary operations
- Add utility method SVal::GetConjuredSymbolVal() and constify some arguments
along the way.
llvm-svn: 67395
SVal::GetRValueSymbolVal do the checking if we can symbolicate a type instead of
having BasicStoreManager do it (which wasn't always doing the check
consistently). Having this check in SVal::GetRValueSymbolVal keeps the check in
one centralized place.
llvm-svn: 67245
diagnostics. This builds on the patch that Sebastian committed and
then revert. Major differences are:
- We don't remove or use the current ".def" files. Instead, for now,
we just make sure that we're building the ".inc" files.
- Fixed CMake makefiles to run TableGen and build the ".inc" files
when needed. Tested with both the Xcode and Makefile generators
provided by CMake, so it should be solid.
- Fixed normal makefiles to handle out-of-source builds that involve
the ".inc" files.
I'll send a separate patch to the list with Sebastian's changes that
eliminate the use of the .def files.
llvm-svn: 67058
conditions. Currently the analyzer does not reason well about
promotions/truncations of symbolic values, so at branch conditions when we see:
if (condition)
and condition is something like a 'short' or 'char', essentially ignore the
promotion to 'int' so that we track constraints on the original symbolic value.
We only ignore the casts if the underlying type has the same or fewer bits as
the converted type.
This fixes:
<rdar://problem/6619921>
llvm-svn: 66899
ExplodedGraph::TrimGraph:
- Just do a DFS both ways instead of BFS-DFS. We're just determining what subset
of the nodes are reachable from the root and reverse-reachable from the bug
nodes. DFS is more efficient for this task.
BugReporter:
- MakeReportGraph: Do a reverse-BFS instead of a reverse-DFS to determine the
approximate shortest path through the simulation graph. We were seeing some
weird cases where too many loops were being reported for simple bugs. Possibly
we will need to replace this with actually computing the shortest path in
terms of line numbers.
llvm-svn: 66842
- PathDiagnosticControlFlowPiece now consists of a "start" and "end" location
to indicating the branch location and where the branch goes.
BugReporter:
- Updated BugReporter to construct PathDiagnosticControlFlowPiece objects with
"end" locations.
PlistDiagnostics:
- Plists now contain the bug "type" (not just bug "category")
- Plists now encode control-flow pieces differently than events; now the
"start" and "end" locations are recorded
llvm-svn: 66818
TypedViewRegion has a valid rvalue type. Also renamed instance variable 'T' to
'LvalueType' to make it unambiguous of its purpose.
This fixes some crashes I was seeing after:
http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20090309/013771.html
This is because 'isBoundable()' is defined in TypedRegion (the parent class) in
terms of the rvalue type (which could be null), while for TypedViewRegion it
should be defined in terms of the lvalue type.
llvm-svn: 66712
offset may be different that the base. Ultimately we need a better solution for
these issues, but this point-by-point fixes are gradually outlining the scope of
the problem.
llvm-svn: 66638
path-sensitivity, beyond checking to see if the value is "unknown" also check if
the ConstraintManager can handle the SVal. This allows us to recover some
path-sensitivity by actually discarding some information.
llvm-svn: 66627
- Group control flow and event PathDiagnosticPieces into PathDiagnosticMacroPieces.
- Afterwards, eliminate any PathDiagnosticMacroPieces from a PathDiagnostic that
contain no informative events.
HTMLDiagnostics:
- Use new information about PathDiagnosticMacroPieces to specially format
message bubbles for macro expansions containing interesting events.
llvm-svn: 66524
PathDiagnosticControlFlowPiece to distinguish (in the class hierarchy) between
events and control-flow diagnostic pieces. Clients must now use these directly
when constructing PathDiagnosticPieces.
llvm-svn: 66310
- Store bindings using a MemRegion -> SVal binding instead of VarDecl -> SVal
binding. This mirrors some of the idea of RegionStore, but is far simpler and
not nearly as functional. This leads to some code simplification and
some potential for some minor precision hacks.
Along the way...
- constify the use of MemRegion* in a few places
- add operator<<(llvm::raw_ostream, const MemRegion*)
llvm-svn: 66163
- Have 'TypedRegion::getRValueType()' return a null QualType for 'id<...>'
instead of aborting.
- Change 'TypedRegion::isBoundable()' to return true for all objects with a
non-null RValueType (this may not be the final behavior).
llvm-svn: 66093
multiple symbols conjured at the same location. All that is required of the tag
is that it is a fixed void* value that points to an memory address that remains
valid throughout the remainder of the lifetime of the SymbolManager.
llvm-svn: 66092
SVal::getAsLocSymbol(). This simplifies the code and allows the retain/release
checker to (I believe) also correctly reason about location symbols wrapped in
SymbolicRegions.
Along the way I cleaned up SymbolRef a little, disallowing implicit casts to
'unsigned'.
llvm-svn: 65972
giving them rough classifications (normal types, never-canonical
types, always-dependent types, abstract type representations) and
making it far easier to make sure that we've hit all of the cases when
decoding types.
Switched some switch() statements on the type class over to using this
mechanism, and filtering out those things we don't care about. For
example, CodeGen should never see always-dependent or non-canonical
types, while debug info generation should never see always-dependent
types. More switch() statements on the type class need to be moved
over to using this approach, so that we'll get warnings when we add a
new type then fail to account for it somewhere in the compiler.
As part of this, some types have been renamed:
TypeOfExpr -> TypeOfExprType
FunctionTypeProto -> FunctionProtoType
FunctionTypeNoProto -> FunctionNoProtoType
There shouldn't be any functionality change...
llvm-svn: 65591
know how to recover from an error, we can attach a hint to the
diagnostic that states how to modify the code, which can be one of:
- Insert some new code (a text string) at a particular source
location
- Remove the code within a given range
- Replace the code within a given range with some new code (a text
string)
Right now, we use these hints to annotate diagnostic information. For
example, if one uses the '>>' in a template argument in C++98, as in
this code:
template<int I> class B { };
B<1000 >> 2> *b1;
we'll warn that the behavior will change in C++0x. The fix is to
insert parenthese, so we use code insertion annotations to illustrate
where the parentheses go:
test.cpp:10:10: warning: use of right-shift operator ('>>') in template
argument will require parentheses in C++0x
B<1000 >> 2> *b1;
^
( )
Use of these annotations is partially implemented for HTML
diagnostics, but it's not (yet) producing valid HTML, which may be
related to PR2386, so it has been #if 0'd out.
In this future, we could consider hooking this mechanism up to the
rewriter to actually try to fix these problems during compilation (or,
after a compilation whose only errors have fixes). For now, however, I
suggest that we use these code modification hints whenever we can, so
that we get better diagnostics now and will have better coverage when
we find better ways to use this information.
This also fixes PR3410 by placing the complaint about missing tokens
just after the previous token (rather than at the location of the next
token).
llvm-svn: 65570
expressions of the form: 'short x = (y != 10);' While we handle 'int x = (y !=
10)' lazily, the cast to another integer type currently loses the symbolic
constraint. Eager evaluation of the constraint causes the paths to bifurcate and
eagerly evaluate 'y != 10' to a constant of 1 or 0. This should address
<rdar://problem/6619921> until we have a better (more lazy approach) for
handling promotions/truncations of symbolic integer values.
llvm-svn: 65480
- For autorelease pool tracking, keep information about the stack of pools
separate from their contents. Also, keep track of the number of times an
autorelease pool will send the "release" message to an object when the pool is
destroyed.
- Update CFRefCount::Update to return a new state instead of a reference count
binding. This will allow us to implement more complicated semantics with
autorelease pools.
llvm-svn: 65384
analyzer for array subscript expressions involving bases that are vectors. This
solution is probably a hack: it gets the lvalue of the vector instead of an
rvalue like all other types. This should be reviewed (big FIXME in
GRExprEngine).
llvm-svn: 65366
Should clang have a config.h or should we use the config.h of llvm or using the preprocessor is OK? I did a quick fix here, but having a guideline on how to handle non portable function would be great (or ask ted to stop breaking the windows build :)).
llvm-svn: 65233
handle method names that contain 'new', 'copy', etc., but those words might be
the substring of larger words such as 'newsgroup' and 'photocopy' that do not
indicate the allocation of objects. This should address the issues discussed in
<rdar://problem/6552389>.
llvm-svn: 65224
vanilla reverse-BFS followed by a forward-DFS instead of resulting to strange
histrionics (whose purpose I can no longer remember) in the reverse-BFS stage.
This fixes an assertion failure in BugReporter due to edge cases where no root
was being hit in the reverse-BFS phase.
llvm-svn: 65160
transitions and then generate a subsequent node that removes the dead symbol
bindings. This should drastically improve caching in the simulation graph when
retain-counted objects are being tracked.
llvm-svn: 65082
- Fix some grammar.
- Fix a bug where a "reference count incremented" diagnostic would not be shown
if the previous typestate was "Released" (only happens in GC mode).
llvm-svn: 64971
retain/releases performed via [... release] and CFRetain(). The former are
no-ops in GC. The checker already handled this, but now we emit nice diagnostics
to the user telling them that these are no-ops.
llvm-svn: 64937
When comparing if one Range is "less" than another, compare the actual APSInt
numeric values instead of their pointer addresses. This ensures that the
ImmutableSet in RangeSet always has a consistent ordering between Ranges. This
is critical for generating the same digest/hash for the contents of the sets.
This was a serious performance bug because it would often cause state caching
to be disabled along complicated paths.
Along the way:
- Put Range and RangeSet in the "anonymous namespace" and mark them hidden
llvm-svn: 64890
back to the summary used when evaluating the statement associated with a
simulation node. This is now being used to help improve the checker's
diagnostics. To get things started, the checker now emits a path diagnostic
indicating that 'autorelease' is a no-op in GC mode.
Some of these changes are exposing further grossness in the interface between
BugReporter and the ExplodedGraph::Trim facilities. These really need to be
cleaned up one day.
llvm-svn: 64881
Zhongxing Xu. The resultant code is less than 1/2 the size of the original.
Key highlights:
- All CouldBeXXX methods have been removed. Checking for feasibility is now just
done in the AddXXX methods.
- RangeSets now represent "all possible values" explicitly as the range set {
[min, max] } instead of the empty set. The empty set now represents "no
feasible values". This change consolidated much of the core algorithm to only
have one code path instead of alternate paths that considered the empty set to
represent "all possible falues."
llvm-svn: 64787
about, whether they are builtins or not. Use this to add the
appropriate "format" attribute to NSLog, NSLogv, asprintf, and
vasprintf, and to translate builtin attributes (from Builtins.def)
into actual attributes on the function declaration.
Use the "printf" format attribute on function declarations to
determine whether we should do format string checking, rather than
looking at an ad hoc list of builtins and "known" function names.
Be a bit more careful about when we consider a function a "builtin" in
C++.
llvm-svn: 64561
ConstraintManager:
- constify getSymVal()
BasicConstraintManager:
- Pull out logic that would be common to ConstraintManagers of a similar nature
and put them in a parent class called 'SimpleConstraintManager'.
RangeConstraintManager:
- Added a new prototype ConstraintManager to track ranges of variables! This
ConstraintManager keeps tracks of ranges of concrete integers that a symbolic
integer may have.
AnalysisConsumer:
- Add driver option to use RangeConstraintManager with GRExprEngine-based
analyses.
llvm-svn: 64558
symbols from an SVal.
- Fixed a bug in EnvironmentManager::RemoveDeadBindings() where it did not mark
live all the symbols reachable from a live block-level expression.
- Fixed a bug in the retain/release checker where it did not stop tracking
symbols that 'escaped' via compound literals being assigned to something the
BasicStoreManager didn't reason about.
llvm-svn: 64534
- Added a new 'node builder' class called GRStmtNodeBuilderRef (name may
change). This is essentially a smart reference to a GRStmtNodeBuilder object
that keeps track of the current context (predecessor node, GRExprEngine
object, etc.) The idea is to gradually simplify the interface between
GRExprEngine and GRTransferFuncs using this new builder (i.e., passing 1
argument instead of 5). It also handles some of the "auto-transition" for node
creation, simplifying some of the logic in GRExprEngine itself.
- Used GRStmtBuilderRef to replace GRTransferFuncs::EvalStore with
GRTransferFuncs::EvalBind. The new EvalBind method will be used at any
arbitrary places where a binding between a location and value takes place.
Moreover, GRTransferFuncs no longer has the responsibility to request
StoreManager to do the binding; this is now in GRExprEngine::EvalBind. All
GRTransferFuncs::EvalBind does is checker-specific logic (which can be a
no-op).
llvm-svn: 64525
etc.) when we perform name lookup on them. This ensures that we
produce the correct signature for these functions, which has two
practical impacts:
1) When we're supporting the "implicit function declaration" feature
of C99, these functions will be implicitly declared with the right
signature rather than as a function returning "int" with no
prototype. See PR3541 for the reason why this is important (hint:
GCC always predeclares these functions).
2) If users attempt to redeclare one of these library functions with
an incompatible signature, we produce a hard error.
This patch does a little bit of work to give reasonable error
messages. For example, when we hit case #1 we complain that we're
implicitly declaring this function with a specific signature, and then
we give a note that asks the user to include the appropriate header
(e.g., "please include <stdlib.h> or explicitly declare 'malloc'"). In
case #2, we show the type of the implicit builtin that was incorrectly
declared, so the user can see the problem. We could do better here:
for example, when displaying this latter error message we say
something like:
'strcpy' was implicitly declared here with type 'char *(char *, char
const *)'
but we should really print out a fake code line showing the
declaration, like this:
'strcpy' was implicitly declared here as:
char *strcpy(char *, char const *)
This would also be good for printing built-in candidates with C++
operator overloading.
The set of C library functions supported by this patch includes all
functions from the C99 specification's <stdlib.h> and <string.h> that
(a) are predefined by GCC and (b) have signatures that could cause
codegen issues if they are treated as functions with no prototype
returning and int. Future work could extend this set of functions to
other C library functions that we know about.
llvm-svn: 64504
- Add 'EvalBind', which will be used by 'EvalStore' to pull much of the value binding logic out of GRTransferFuncs.
- Rename many cases of 'St' to 'state'.
llvm-svn: 64426
- rename isObjCIdType/isObjCClassType -> isObjCIdStructType/isObjCClassStructType. The previous name didn't do what you would expect.
- add back isObjCIdType/isObjCClassType to do what you would expect. Not currently used, however many of the isObjCIdStructType/isObjCClassStructType clients could be converted over time.
- move static Sema function areComparableObjCInterfaces to ASTContext (renamed to areComparableObjCPointerTypes, since it now operates on pointer types).
llvm-svn: 64385
for FieldRegion. This enables us to track more values.
Simplify SymbolicRegion::getRValueType(). We assume the symbol always has
pointer type.
llvm-svn: 63928
do the symblic regions associated with them and we need them to be typed.
Current SymbolicRegion::getRValueType() method is very restricting. It may be
modified when we are more clear about what could be the types of symblic
regions.
BasicConstraintManager::Assume() is changed due to that now SymblicRegion is a
subclass of SubRegion.
llvm-svn: 63844
checker. This was previously needed because BugReport objects were previously
allocated on the stack and not owned by BugReporter. Now we can just issue them
on the fly. This change was motivated because we were seeing some weird cases
where some really long paths would get issued for bugs (particularly leaks)
because of some double-caching.
llvm-svn: 63840
the ownership of BugTypes and BugReports. Now BugReports are owned by BugTypes,
and BugTypes are owned by the BugReporter object.
The major functionality change in this patch is that reports are not immediately
emitted by a call to BugReporter::EmitWarning (now called EmitReport), but
instead of queued up in report "equivalence classes". When
BugReporter::FlushReports() is called, it emits one diagnostic per report
equivalence class. This provides a nice cleanup with the caching of reports as
well as enables the BugReporter engine to select the "best" path for reporting a
path-sensitive bug based on all the locations in the ExplodedGraph that the same
bug could occur.
Along with this patch, Leaks are now coalesced into a common equivalence class
by their allocation site, and the "summary" diagnostic for leaks now reports the
allocation site as the location of the bug (this may later be augmented to also
provide an example location where the leak occurs).
llvm-svn: 63796
makes it clear to clients that they have to pick an instantiation
or spelling location before calling it and allows optimization based
on that.
llvm-svn: 63698
the liveness state of block-level expressions could oscillate because
of two issues:
- The initial value before a merge was not always set to "Top"
- The set of live block-level expressions is a union, not an intersection
This fixes <rdar://problem/650084>.
llvm-svn: 63421
type" rather than the C definition. We do this because both C99 and
Clang always use "aggregate type" as "aggregate or union type", and
the C++ definition includes union types.
llvm-svn: 63395
- NonLoc::MakeVal() would use sizeof(unsigned) (literally) instead of consulting
ASTContext for the size (in bits) of 'int'. While it worked, it was a
conflation of concepts and using ASTContext.IntTy is 100% correct.
- RegionStore::getSizeInElements() no longer assumes that a VarRegion has the
type "ConstantArray", and handles the case when uses use ordinary variables
as if they were arrays.
- Fixed ElementRegion::getRValueType() to just return the rvalue type of its
"array region" in the case the array didn't have ArrayType.
- All of this fixes <rdar://problem/6541136>
llvm-svn: 63347
.def file for each library. This means that adding a diagnostic
to sema doesn't require all the other libraries to be rebuilt.
Patch by Anders Johnsen!
llvm-svn: 63111
as reported to the user and as manipulated by #line. This is what __FILE__,
__INCLUDE_LEVEL__, diagnostics and other things should follow (but not
dependency generation!).
This patch also includes several cleanups along the way:
- SourceLocation now has a dump method, and several other places
that did similar things now use it.
- I cleaned up some code in AnalysisConsumer, but it should probably be
simplified further now that NamedDecl is better.
- TextDiagnosticPrinter is now simplified and cleaned up a bit.
This patch is a prerequisite for #line, but does not actually provide
any #line functionality.
llvm-svn: 63098
- Add the distinction between the 'bug type' and the 'bug description'
HTMLDiagnostics:
- Output the bug type field as HTML comments
scan-build:
- Use the bug type field instead of the bug description for the HTML table.
- Radar filing now automatically picks up the bug description in the title (addresses <rdar://problem/6265970>)
llvm-svn: 63084
accurately states what the function is trying to do and how it is
different from Expr::isEvaluatable. Also get rid of a parameter that is both
unused and inaccurate.
llvm-svn: 62951
Implemented DiagCollector::IncludeInDiagnosticCounts() to return 'false' so that the batching of diagnostics for use with BugReporter doesn't mess up the count of real diagnostics.
llvm-svn: 62873
their associated APIs. We no longer need separate SymbolData objects
for fields, variables, etc. Instead, we now associated symbols with
the "rvalue" of a MemRegion (i.e., the value stored at that region).
Now we only have two kinds of SymbolData objects: SymbolRegionRValue
and SymbolConjured.
This cleanup also makes the distinction between a SymbolicRegion and a
symbolic value that is a location much clearer. A SymbolicRegion
represents a chunk of symbolic memory, while a symbolic location is
just a "pointer" with different possible values. Without any specific
knowledge, a symbolic location resolves (i.e., via a dereference) to a
SymbolicRegion. In the future, when we do better alias reasoning, a
symbolic location can become an alias for another location, thus
merging the constraints on the referred SymbolicRegion with the other
region.
llvm-svn: 62769
Because the RegionStore can reason about values beyond the reasoning power of BasicStore, this patch splits some of the test cases for the retain/release checker to have versions that are handled by RegionStore (more warnings) and BasicStore (less warnings).
llvm-svn: 62667
that every declaration lives inside a DeclContext.
Moved several things that don't have names but were ScopedDecls (and,
therefore, NamedDecls) to inherit from Decl rather than NamedDecl,
including ObjCImplementationDecl and LinkageSpecDecl. Now, we don't
store empty DeclarationNames for these things, nor do we try to insert
them into DeclContext's lookup structure.
The serialization tests are temporarily disabled. We'll re-enable them
once we've sorted out the remaining ownership/serialiazation issues
between DeclContexts and TranslationUnion, DeclGroups, etc.
llvm-svn: 62562
the "physical" location of tokens, refer to the "spelling" location.
This is more concrete and useful, tokens aren't really physical objects!
llvm-svn: 62309
- Refactor a bunch of logic in the retain/release checker, making it more
condense and easier to read.
- Add support for "Create" methods in the DiskArbitration framework
retain/release tests:
- Rename CFDate.m to retain-release.m, and move test from CFString.c to
retain-release.m
- Add DiskArbitration framework tests cases.
- Add/refine and few more retain/release GC test cases.
llvm-svn: 62106
recent discussions with Thomas Clement and Ken Ferry concerning the "fundamental
rule" for Cocoa memory management
(http://developer.apple.com/documentation/Cocoa/Conceptual/MemoryMgmt/Tasks/MemoryManagementRules.html).
Here is the revised behavior of the checker concerning tracking retain/release
counts for objects returned from message expressions involving instance methods:
1) Track the returned object if the return type of the message expression is
id<..>, id, or a pointer to *any* object that subclasses NSObject. Such objects
are assumed to have a retain count. Previously the checker only tracked objects
when the receiver of the message expression was part of the standard Cocoa API
(i.e., had class names prefixed with 'NS'). This should significantly expand the
amount of checking performed.
2) Consider the object owned if the selector of the message expression contains
"alloc", "new", or "copy". Previously we also considered "create", but this
doesn't follow from the fundamental rule (discussions with the Cocoa folks
confirms this).
llvm-svn: 61837
information for declarations that were referenced via a qualified-id,
e.g., N::C::value. We keep track of the location of the start of the
nested-name-specifier. Note that the difference between
QualifiedDeclRefExpr and DeclRefExpr does have an effect on the
semantics of function calls in two ways:
1) The use of a qualified-id instead of an unqualified-id suppresses
argument-dependent lookup
2) If the name refers to a virtual function, the qualified-id
version will call the function determined statically while the
unqualified-id version will call the function determined dynamically
(by looking up the appropriate function in the vtable).
Neither of these features is implemented yet, but we do print out
qualified names for QualifiedDeclRefExprs as part of the AST printing.
llvm-svn: 61789
which can refer to static data members, enumerators, and member
functions as well as to non-static data members.
Implement correct lvalue computation for member references in C++.
Compute the result type of non-static data members of reference type properly.
llvm-svn: 61294
* Now Bind() methods take and return GRState* because binding could
also alter GDM.
* No variables are initialized except those declared with initial
values.
* failed C test cases are due to bugs in RemoveDeadBindings(),
which removes constraints that is still alive. This will be fixed in later
patch.
* default value of array and struct regions will be implemented in later patch.
llvm-svn: 61274
- Fix regression reported in <rdar://problem/6452745>. After a null check, null references to resources should not have a retain count. This regression was caused by removing the call to "GRTransferFuncs::EvalAssume" in BasicConstraintManager.
- Added a test case to test this behavior.
llvm-svn: 61155
- Because of the introduction of AnonTypedRegions when reasoning about casts, we
had a regression in the "symbolication" of variable values passed-by-reference
to a function. This is now fixed in CFRefCount.cpp (-checker-cfref) by
blasting through the layer of AnonTypedRegions when symbolicating the value of
the variable. This logic may get moved elsewhere. Note that this change
affects only -checker-cfref and not -checker-simple; eventually this logic
should get pulled out of CFRefCount.cpp into a more common place. All users
use -checker-cfref by default, and -checker-simple should probably just be
removed.
- Updated test 'Analysis/uninit-vals-ps.c' to only use -checker-cfref and added
a test case for this regression.
llvm-svn: 61147
- one queue (FIFO) to queue up nodes at block entrances
- another queue (LIFO) to queue up other nodes
- The idea is to explore basic blocks to completion, but to do a BFS exploration of blocks.
llvm-svn: 61106
- Added four new ProgramPoint types that subclass PostStmt for use in
GRExprEngine::EvalLocation:
- PostOutOfBoundsCheckFailed
- PostUndefLocationCheckFailed
- PostNullCheckFailed
- PostLocationChecksSucceed
These were created because of a horribly subtle caching bug in EvalLocation
where a node representing an "bug condition" in EvalLocation (e.g. a null
dereference) could be re-used as the "non-bug condition" because the Store did
not contain any information to differentiate between the two. The extra
program points just disables any accidental caching between EvalLocation and
its callers.
GRExprEngine:
- EvalLocation now returns a NodeTy* instead of GRState*. This should be used as the "vetted" predecessor for EvalLoad/EvalStore.
llvm-svn: 61105
- Overhauled the notion of "types" for TypedRegions. We now distinguish between the "lvalue" of a region (via getLValueRegion()) and the "rvalue" of a region (va getRValueRegion()). Since a region represents a chunk of memory it has both, but we were conflating these concepts in some cases, leading to some insidious bugs.
- Removed AnonPointeeType, partially because it is unused and because it doesn't have a clear notion of lvalue vs rvalue type. We can add it back once there is a need for it and we can resolve its role with these concepts.
StoreManager:
- Overhauled StoreManager::CastRegion. It expects an *lvalue* type for a region. This is actually what motivated the overhaul to the MemRegion type mechanism. It also no longer returns an SVal; we can just return a MemRegion*.
- BasicStoreManager::CastRegion now overlays an "AnonTypedRegion" for pointer-pointer casts. This matches with the MemRegion changes.
- Similar changes to RegionStore, except I've added a bunch of FIXMEs where it wasn't 100% clear where we should use TypedRegion::getRValueRegion() or TypedRegion::getLValueRegion().
AuditCFNumberCreate check:
- Now blasts through AnonTypedRegions that may layer the original memory region, thus checking if the actually memory block is of the appropriate type. This change was needed to work with the changes to StoreManager::CastRegion.
GRExprEngine::VisitCast:
- Conform to the new interface of StoreManager::CastRegion.
Tests:
- None of the analysis tests fail now for using the "basic store".
- Disabled the tests 'array-struct.c' and 'rdar-6442306-1.m' pending further testing and bug fixing.
llvm-svn: 60995
GRExprEngine (VisitCast):
- When using StoreManager::CastRegion, always use the state and value it returns to generate the next node. Failure to do so means that region values returned that don't require the state to be modified will get ignored.
MemRegion:
- Tighten the interface for ElementRegion. Now ElementRegion can only be created with a super region that is a 'TypedRegion' instead of any MemRegion. Code in BasicStoreManager/RegionStoreManager already assumed this, but it would result in a dynamic assertion check (and crash) rather than just having the compiler forbid the construction of such regions.
- Added ElementRegion::getArrayRegion() to return the 'typed version' of an ElementRegion's super region.
- Removed bogus assertion in ElementRegion::getType() that assumed that the super region was an AnonTypedRegion. All that matters is that it is a TypedRegion, which is now true all the time by design.
BasicStore:
- Modified getLValueElement() to check if the 'array' region is a TypedRegion before creating an ElementRegion. This conforms to the updated interface for ElementRegion.
RegionStore:
- In ArrayToPointer() gracefully handle things we don't reason about, and only create an ElementRegion if the array region is indeed a TypedRegion.
llvm-svn: 60990
and separates lexical name lookup from qualified name lookup. In
particular:
* Make DeclContext the central data structure for storing and
looking up declarations within existing declarations, e.g., members
of structs/unions/classes, enumerators in C++0x enums, members of
C++ namespaces, and (later) members of Objective-C
interfaces/implementations. DeclContext uses a lazily-constructed
data structure optimized for fast lookup (array for small contexts,
hash table for larger contexts).
* Implement C++ qualified name lookup in terms of lookup into
DeclContext.
* Implement C++ unqualified name lookup in terms of
qualified+unqualified name lookup (since unqualified lookup is not
purely lexical in C++!)
* Limit the use of the chains of declarations stored in
IdentifierInfo to those names declared lexically.
* Eliminate CXXFieldDecl, collapsing its behavior into
FieldDecl. (FieldDecl is now a ScopedDecl).
* Make RecordDecl into a DeclContext and eliminates its
Members/NumMembers fields (since one can just iterate through the
DeclContext to get the fields).
llvm-svn: 60878
- Fix nonsensical logic in AssumeSymGE. When comparing 'sym >= constant' and the
constant is the maximum integer value, add the constraint that 'sym ==
constant' when the path is deemed feasible. All other cases are feasible.
- Improve AssumeSymGT. When comparing 'sym > constant' and constant is the
maximum integer value we know the path is infeasible.
- Add test case for this enhancement to AssumeSymGT.
llvm-svn: 60490
- Fix nonsensical logic in AssumeSymLE. When comparing 'sym <= constant' and the
constant is the minimum integer value, add the constraint that 'sym ==
constant' when the path is deemed feasible. All other cases are feasible.
- Improve AssumeSymLT to address <rdar://problem/6407949>. When comparing
'sym < constant' and constant is the minimum integer value we know the
path is infeasible.
- Add test case for <rdar://problem/6407949>.
llvm-svn: 60489
When initialized, the index of the ElementRegion was unsigned. But the index
value of the ArraySubscriptExpr is signed. This inconsistency caused the value
of the array element retrieved to be UnknownVal despite it was initialized to
symbolic.
This is only a hack. Real fix of this problem is required.
llvm-svn: 60207
Ted Kremenek