BindDecl better describes what the function does:
- Bind the VarDecl to its memory region
- Bind the memory region to some initial value.
llvm-svn: 58359
- Do not allow expressions to ever have reference type
- Extend Expr::isLvalue to handle more cases where having written a
reference into the source implies that the expression is an lvalue
(e.g., function calls, C++ casts).
- Make GRExprEngine::VisitCall treat the call arguments as lvalues when
they are being bound to a reference parameter.
llvm-svn: 58306
- GRExprEngine::VisitCompoundLiteral...
(1) visits the initializer list (generating ExplodedNodes)
(2) creates a CompoundMemRegion for the literal
(3) creates a new state with the bound literal values using
GRStateManager::BindCompoundLiteral
- GRStateManager::BindCompoundLiteral simply calls
StoreManager::BindCompoundLiteral to get a new store and returns a persistent
GRState with that store.
- BasicStore::BindCompoundLiteral simply returns the same store, as it
doesn't handle field sensitivity
- RegionStore::BindCompoundLiteral currently fires an assert (pending discussion
of how to best implement mappings for CompoundLiteralRegion).
llvm-svn: 58277
- CastExpr is the root of all casts
- ImplicitCastExpr is (still) used for all explicit casts
- ExplicitCastExpr is now the root of all *explicit* casts
- ExplicitCCastExpr (new name needed!?) is a C-style cast in C or C++
- CXXFunctionalCastExpr inherits from ExplicitCastExpr
- CXXNamedCastExpr inherits from ExplicitCastExpr and is the root of all
of the C++ named cast expression types (static_cast, dynamic_cast, etc.)
- Added classes CXXStaticCastExpr, CXXDynamicCastExpr,
CXXReinterpretCastExpr, and CXXConstCastExpr to
Also, fixed returned-stack-addr.cpp, which broke once when we fixed
reinterpret_cast to diagnose double->int* conversions and again when
we eliminated implicit conversions to reference types. The fix is in
both testcase and SemaChecking.cpp.
Most of this patch is simply support for the renaming. There's very
little actual change in semantics.
llvm-svn: 58264
GRExprEngine::VisitCast() so that other parts of the analyzer can be ignorant.
When we cast "array of type T" to "pointer to T", we get the loc::MemRegionVal
corresponding to the array variable. This is sufficient for BasicStore, but not
for RegionStore. RegionStore should get the element region for the first array
element in the cast. So next comes to the revamping of transfer functions for
different store model.
llvm-svn: 57897
Remove GRExprEngine::getLVal and RValues::MakeVal.
Enhance StoreManager "GetLValue" methods to dispatch for specific kinds of lvalue queries, as opposed to interogating the expression tree (GRExprEngine already does this).
Added FIXMEs. In particular, we no longer "assume" that a base pointer in a field/array access is null (this logic was removed). Perhaps we should do this when fetching the lvalue for fields and array elements?
llvm-svn: 57657
new VisitLValue method is added to replace the old VisitLVal. The semantics
model becomes more explicit to separate rvalue evaluation from lvalue
evaluation.
llvm-svn: 57627
This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on.
The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables.
There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized.
The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker.
llvm-svn: 57042
Use this updated interface when invalidating arguments passed by reference; the type of symbol is of the object passed by reference, not the reference itself.
llvm-svn: 56894
GRExprEngine:
Use PostStore in EvalStore.
Use a second version of EvalStore in EvalBinaryOperator to associate the store with the expression on the LHS.
llvm-svn: 56383
motivated because it became clear that the number of subclasses of ProgramPoint
would expand and we ran out of bits to represent a pointer variant. As a plus of
this change, BlockEdge program points can now be represented explicitly without
using a cache of CFGBlock* pairs in CFG.
llvm-svn: 56245
Their precise semantics will be implemented by a specific StoreManager.
Use function pointer to create the StoreManager in GRStateManager. This matches how we create ConstraintsManager.
llvm-svn: 55514
This patch extends BasicStoreManager::getInitialStore() to include code that symbolicates input variables.
It also removes redundant handling of ImplicitParamDecl, since it is a subclass of VarDecl.
llvm-svn: 54993
- Remove ConstNotEq from GRState/GRStateManager (!= tracking uses GDM instead).
- GRStateManager now can book-keep "contexts" (e.g., factory objects) for uses
with data elements stored into the GDM.
- Refactor pretty-printing of states to use GRState::Printer objects
exclusively. This removed a huge amount of pretty-printing logic from
GRExprEngine.
CFRefCount
- Simplified some API calls based on refinements to the GDM api.
llvm-svn: 54835
Modified the new EvalBinOpNN to generate states instead of nodes. This is a much simpler interface and is what clients will want to do.
llvm-svn: 53750
current store implementation is now encapsulated by BasicStore.
These changes prompted some long due constification of ValueState. Much of the
diffs in this patch include adding "const" qualifiers.
llvm-svn: 53423
1) Check if a dead store appears as a subexpression. For such cases, we emit
a verbose diagnostic so that users aren't confused. This addresses:
<rdar://problem/5968508> checker gives misleading report for dead store in loop
2) Don't emit a dead store warning when assigning a null value to a pointer.
This is a common form of defensive programming. We may wish to make
this an option to the the checker one day.
This addresses the feature request in the following email:
http://lists.cs.uiuc.edu/pipermail/cfe-dev/2008-June/001978.html
llvm-svn: 52555
EvalStore/EvalLoad to handle all loads/stores from symbolic memory, allowing us
to do checks for null dereferences, etc., at any arbitrary load/store (these
were missed checks before). This also resulted in some major cleanups, some
conceptual, and others just in the structure of the code.
This temporarily introduces a regression in the test suite (null-deref-ps.c)
before I add a new LVal type for structure fields.
llvm-svn: 50443
Implemented support for better localized leaks in the CF reference count checker.
Now leaks should be flagged close to where they occur.
This should implement the desired functionality in <rdar://problem/5879592>, although the diagnostics still need to be improved.
llvm-svn: 50241
Problem:
In the recently refactored VisitDeref (which processes dereferences), we
were incorrectly skipping the node just generated for the subexpression
of the dereference. This was a horrible regression.
llvm-svn: 50176
from registered BugTypes. This helps with debugging.
Add detection of NULL values in ref count checker; this suppresses false positives.
llvm-svn: 49912
This is a fairly mechanical/large change. As a result, I avoided making any changes/simplifications that weren't directly related. I did break two Analysis tests. I also have a couple FIXME's in UninitializedValues.cpp. Ted, can you take a look? If the bug isn't obvious, I am happy to dig in and fix it (since I broke it).
llvm-svn: 49748
Bugs are now reported using a combination of "BugType" (previously
BugDescription) and Bug "BugReport" objects, which are fed to BugReporter (which
generates PathDiagnostics). This provides a far more modular way of registering
bug types and plugging in diagnostics.
GRExprEngine now owns its copy of GRCoreEngine, and is not owned by the
ExplodedGraph.
ExplodedGraph is no longer templated on the "checker", but instead on the state
contained in the nodes.
llvm-svn: 49453
Added "AnnotatedPath" class to record an annotated path that will be useful for inspecting paths.
Added some boilerplate code for simple checks of Apple's Foundation API.
llvm-svn: 48867
lib dir and move all the libraries into it. This follows the main
llvm tree, and allows the libraries to be built in parallel. The
top level now enforces that all the libs are built before Driver,
but we don't care what order the libs are built in. This speeds
up parallel builds, particularly incremental ones.
llvm-svn: 48402
Ted Kremenek