Also fix a checker context bug: the Dst set is not always empty initially.
Because in GRExprEngine::CheckerVisit(), *CurrSet is used repeatedly.
So we removed the Dst.empty() condition in ~CheckerContext() when deciding
whether to do autotransision.
llvm-svn: 80786
space within the MemberExpr for the nested-name-specifier and its
source range. We'll do the same thing with explicitly-specified
template arguments, assuming I don't flip-flop again.
llvm-svn: 80642
name, e.g.,
x->Base::f()
retain the qualifier (and its source range information) in a new
subclass of MemberExpr called CXXQualifiedMemberExpr. Provide
construction, transformation, profiling, printing, etc., for this new
expression type.
When a virtual function is called via a qualified name, don't emit a
virtual call. Instead, call that function directly. Mike, could you
add a CodeGen test for this, too?
llvm-svn: 80167
Now AnalysisManager is the only place we can get CodeDecl.
This leads to an API change: GRState::bindExpr() now takes the CFG argument.
llvm-svn: 79980
and their impl base classes. This can greatly simply some code of the core
analysis engine. This patch merges ExplodedNodeImpl into ExplodedNode.
llvm-svn: 78270
constant value. If the UnaryOperator has location type, create the
constant with int type and pointer width.
This fixes the bug that all pointer increments 'p++' evaluated to Unknown.
llvm-svn: 78147
Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
Type::getAsRecordType() -> Type::getAs<RecordType>()
Type::getAsPointerType() -> Type::getAs<PointerType>()
Type::getAsBlockPointerType() -> Type::getAs<BlockPointerType>()
Type::getAsLValueReferenceType() -> Type::getAs<LValueReferenceType>()
Type::getAsRValueReferenceType() -> Type::getAs<RValueReferenceType>()
Type::getAsMemberPointerType() -> Type::getAs<MemberPointerType>()
Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
Type::getAsTagType() -> Type::getAs<TagType>()
And remove Type::getAsReferenceType(), etc.
This change is similar to one I made a couple weeks ago, but that was partly
reverted pending some additional design discussion. With Doug's pending smart
pointer changes for Types, it seemed natural to take this approach.
llvm-svn: 77510
could cause false positives if any the subexpressions had side-effects. These
initializers weren't evaluated because the StoreManager would need to handle
them, but that's an orthogonal problem of whether or not the StoreManager can
handle the binding.
llvm-svn: 77361
Educate GRExprEngine::VisitGraph() about 'PreStmt'.
Mark the constructor of 'PostStmt' to be explicit, preventing implicit
conversions and the selection of the wrong 'generateNode' method in
GRStmtNodeBuilder.
Constify a bunch of arguments, which falls out of the changes to ProgramPoint.
llvm-svn: 76809
to SValuator::EvalCast. In the process, the StoreManagers now use this new cast
machinery, and the hack in GRExprEngine::EvalBind to handle implicit casts
involving OSAtomicCompareAndSwap and friends has been removed (and replaced with
logic closer to the logic specific to those functions).
llvm-svn: 76641
where the true or false CFGBlock* for a branch could be NULL. This will handle
the case where we can determine during CFG construction that a branch is
infeasible.
llvm-svn: 76450
until Doug Gregor's Type smart pointer code lands (or more discussion occurs).
These methods just call the new Type::getAs<XXX> methods, so we still have
reduced implementation redundancy. Having explicit getAsXXXType() methods makes
it easier to set breakpoints in the debugger.
llvm-svn: 76193
This method is intended to eventually replace the individual
Type::getAsXXXType<> methods.
The motivation behind this change is twofold:
1) Reduce redundant implementations of Type::getAsXXXType() methods. Most of
them are basically copy-and-paste.
2) By centralizing the implementation of the getAs<Type> logic we can more
smoothly move over to Doug Gregor's proposed canonical type smart pointer
scheme.
Along with this patch:
a) Removed 'Type::getAsPointerType()'; now clients use getAs<PointerType>.
b) Removed 'Type::getAsBlockPointerTypE()'; now clients use getAs<BlockPointerType>.
llvm-svn: 76098
(1) Moved the SValuator object from GRExprEngine to ValueManager. This
allows ValueManager to use the SValuator when creating SVals.
(2) Added ValueManager::makeArrayIndex() and
ValueManager::convertToArrayIndex(), two SVal creation methods
that will help RegionStoreManager always have a consistent set of
SVals with the same integer size and type when reasoning about
array indices.
llvm-svn: 75882
invalidate the region correctly. It uses the cast-to type to invalidate
the region when available. To avoid invalid cast-to type like 'void*' or 'id',
region store now only records non-generic casts of regions.
llvm-svn: 75580
The implementations of these methods can Use Decl::getASTContext() to get the ASTContext.
This commit touches a lot of files since call sites for these methods are everywhere.
I used pre-tokenized "carbon.h" and "cocoa.h" headers to do some timings, and there was no real time difference between before the commit and after it.
llvm-svn: 74501
This is simple enough, but then I thought it would be nice to make PrintingPolicy
get a LangOptions so that various things can key off "bool" and "C++" independently.
This spiraled out of control. There are many fixme's, but I think things are slightly
better than they were before.
One thing that can be improved: CFG should probably have an ASTContext pointer in it,
which would simplify its clients.
llvm-svn: 74493
GRTransferFuncs had the conflated role of both constructing SVals (symbolic
expressions) as well as handling checker-specific logic. Now SValuator has the
role of constructing SVals from expressions and GRTransferFuncs just handles
checker-specific logic. The motivation is by separating these two concepts we
will be able to much more easily create richer constraint-generating logic
without coupling it to the main checker transfer function logic.
We now have one implementation of SValuator: SimpleSValuator.
SimpleSValuator is essentially the SVal-related logic that was in GRSimpleVals
(which is removed in this patch). This includes the logic for EvalBinOp,
EvalCast, etc. Because SValuator has a narrower role than the old
GRTransferFuncs, the interfaces are much simpler, and so is the implementation
of SimpleSValuator compared to GRSimpleVals. I also did a line-by-line review of
SVal-related logic in GRSimpleVals and cleaned it up while moving it over to
SimpleSValuator.
As a consequence of removing GRSimpleVals, there is no longer a
'-checker-simple' option. The '-checker-cfref' did everything that option did
but also ran the retain/release checker. Of course a user may not always wish to
run the retain/release checker, nor do we wish core analysis logic buried in the
checker-specific logic. The next step is to refactor the logic in CFRefCount.cpp
to separate out these pieces into the core analysis engine.
llvm-svn: 74229
- Remove the 'isFeasible' flag from all uses of 'Assume'.
- Remove the 'Assume' methods from GRStateManager. Now the only way to
create a new GRState with an assumption is to use the new 'assume' methods
in GRState.
llvm-svn: 73731
preprocessor and initialize it early in clang-cc. This
ensures that __has_builtin works in all modes, not just
when ASTContext is around.
llvm-svn: 73319
RegionStore needs to know the type of alloca region.
* RegionStoreManager::EvalBinOp() now converts the alloca region to its first
element region, as what is done to symbolic region.
llvm-svn: 72164
ElementRegion. I also removed 'ElementRegion::getArrayRegion',
although we may need to add this back.
This breaks a few test cases with RegionStore:
- 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate.
- misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic:
'Line 159: Uninitialized or undefined return value returned to caller.'
There were a bunch of places that needed to be edit
RegionStoreManager, and we may not be passing all the correct 'element
types' down from GRExprEngine.
Zhongxing: When you get a chance, could you review this? I could have
easily screwed up something basic in RegionStoreManager.
llvm-svn: 70830
When the StoreManager doesn't reason well about pointer-arithmetic, propagate
the non-nullness constraint on a pointer value when performing pointer
arithmetic uisng ++/--.
llvm-svn: 69741
ProgramPoints all the way through to GRCoreEngine.
NSString.m now fails with RegionStoreManager because of the void** cast.
Disabling use of region store for that test for now.
llvm-svn: 68845
clients of the analyzer to designate custom assertion routines as "noreturn"
functions from the analyzer's perspective but not the compiler's.
llvm-svn: 68746
"The attached patch generates warnings of cases where an ObjC message is sent to
a nil object and the size of return type of that message is larger than the size
of void pointer. This may result in undefined return values as described in PR
2718. The patch also includes test cases."
llvm-svn: 68585
when creating symbolic values, we distinguish between location and non-location
values. For location values, we create a symbolic region instead of a
loc::SymbolVal.
llvm-svn: 68373
LHS type and the computation result type; this encodes information into
the AST which is otherwise non-obvious. Fix Sema to always come up with the
right answer for both of these types. Fix IRGen and the analyzer to
account for these changes. This fixes PR2601. The approach is inspired
by PR2601 comment 2.
Note that this changes real *= complex in CodeGen from a silent
miscompilation to an explicit error.
I'm not really sure that the analyzer changes are correct, or how to
test them... someone more familiar with the analyzer should check those
changes.
llvm-svn: 67889
Zhongxing and I discussed by email.
Main changes:
- Removed SymIntConstraintVal and SymIntConstraint
- Added SymExpr as a parent class to SymbolData, SymSymExpr, SymIntExpr
- Added nonloc::SymExprVal to wrap SymExpr
- SymbolRef is now just a typedef of 'const SymbolData*'
- Bunch of minor code cleanups in how some methods were invoked (no functionality change)
This changes are part of a long-term plan to have full symbolic expression
trees. This will be useful for lazily evaluating complicated expressions.
llvm-svn: 67731
- Conjure symbols at '--' and '++' unary operations
- Add utility method SVal::GetConjuredSymbolVal() and constify some arguments
along the way.
llvm-svn: 67395
conditions. Currently the analyzer does not reason well about
promotions/truncations of symbolic values, so at branch conditions when we see:
if (condition)
and condition is something like a 'short' or 'char', essentially ignore the
promotion to 'int' so that we track constraints on the original symbolic value.
We only ignore the casts if the underlying type has the same or fewer bits as
the converted type.
This fixes:
<rdar://problem/6619921>
llvm-svn: 66899
path-sensitivity, beyond checking to see if the value is "unknown" also check if
the ConstraintManager can handle the SVal. This allows us to recover some
path-sensitivity by actually discarding some information.
llvm-svn: 66627
giving them rough classifications (normal types, never-canonical
types, always-dependent types, abstract type representations) and
making it far easier to make sure that we've hit all of the cases when
decoding types.
Switched some switch() statements on the type class over to using this
mechanism, and filtering out those things we don't care about. For
example, CodeGen should never see always-dependent or non-canonical
types, while debug info generation should never see always-dependent
types. More switch() statements on the type class need to be moved
over to using this approach, so that we'll get warnings when we add a
new type then fail to account for it somewhere in the compiler.
As part of this, some types have been renamed:
TypeOfExpr -> TypeOfExprType
FunctionTypeProto -> FunctionProtoType
FunctionTypeNoProto -> FunctionNoProtoType
There shouldn't be any functionality change...
llvm-svn: 65591
expressions of the form: 'short x = (y != 10);' While we handle 'int x = (y !=
10)' lazily, the cast to another integer type currently loses the symbolic
constraint. Eager evaluation of the constraint causes the paths to bifurcate and
eagerly evaluate 'y != 10' to a constant of 1 or 0. This should address
<rdar://problem/6619921> until we have a better (more lazy approach) for
handling promotions/truncations of symbolic integer values.
llvm-svn: 65480
analyzer for array subscript expressions involving bases that are vectors. This
solution is probably a hack: it gets the lvalue of the vector instead of an
rvalue like all other types. This should be reviewed (big FIXME in
GRExprEngine).
llvm-svn: 65366
about, whether they are builtins or not. Use this to add the
appropriate "format" attribute to NSLog, NSLogv, asprintf, and
vasprintf, and to translate builtin attributes (from Builtins.def)
into actual attributes on the function declaration.
Use the "printf" format attribute on function declarations to
determine whether we should do format string checking, rather than
looking at an ad hoc list of builtins and "known" function names.
Be a bit more careful about when we consider a function a "builtin" in
C++.
llvm-svn: 64561
- Added a new 'node builder' class called GRStmtNodeBuilderRef (name may
change). This is essentially a smart reference to a GRStmtNodeBuilder object
that keeps track of the current context (predecessor node, GRExprEngine
object, etc.) The idea is to gradually simplify the interface between
GRExprEngine and GRTransferFuncs using this new builder (i.e., passing 1
argument instead of 5). It also handles some of the "auto-transition" for node
creation, simplifying some of the logic in GRExprEngine itself.
- Used GRStmtBuilderRef to replace GRTransferFuncs::EvalStore with
GRTransferFuncs::EvalBind. The new EvalBind method will be used at any
arbitrary places where a binding between a location and value takes place.
Moreover, GRTransferFuncs no longer has the responsibility to request
StoreManager to do the binding; this is now in GRExprEngine::EvalBind. All
GRTransferFuncs::EvalBind does is checker-specific logic (which can be a
no-op).
llvm-svn: 64525
etc.) when we perform name lookup on them. This ensures that we
produce the correct signature for these functions, which has two
practical impacts:
1) When we're supporting the "implicit function declaration" feature
of C99, these functions will be implicitly declared with the right
signature rather than as a function returning "int" with no
prototype. See PR3541 for the reason why this is important (hint:
GCC always predeclares these functions).
2) If users attempt to redeclare one of these library functions with
an incompatible signature, we produce a hard error.
This patch does a little bit of work to give reasonable error
messages. For example, when we hit case #1 we complain that we're
implicitly declaring this function with a specific signature, and then
we give a note that asks the user to include the appropriate header
(e.g., "please include <stdlib.h> or explicitly declare 'malloc'"). In
case #2, we show the type of the implicit builtin that was incorrectly
declared, so the user can see the problem. We could do better here:
for example, when displaying this latter error message we say
something like:
'strcpy' was implicitly declared here with type 'char *(char *, char
const *)'
but we should really print out a fake code line showing the
declaration, like this:
'strcpy' was implicitly declared here as:
char *strcpy(char *, char const *)
This would also be good for printing built-in candidates with C++
operator overloading.
The set of C library functions supported by this patch includes all
functions from the C99 specification's <stdlib.h> and <string.h> that
(a) are predefined by GCC and (b) have signatures that could cause
codegen issues if they are treated as functions with no prototype
returning and int. Future work could extend this set of functions to
other C library functions that we know about.
llvm-svn: 64504
- Add 'EvalBind', which will be used by 'EvalStore' to pull much of the value binding logic out of GRTransferFuncs.
- Rename many cases of 'St' to 'state'.
llvm-svn: 64426
the ownership of BugTypes and BugReports. Now BugReports are owned by BugTypes,
and BugTypes are owned by the BugReporter object.
The major functionality change in this patch is that reports are not immediately
emitted by a call to BugReporter::EmitWarning (now called EmitReport), but
instead of queued up in report "equivalence classes". When
BugReporter::FlushReports() is called, it emits one diagnostic per report
equivalence class. This provides a nice cleanup with the caching of reports as
well as enables the BugReporter engine to select the "best" path for reporting a
path-sensitive bug based on all the locations in the ExplodedGraph that the same
bug could occur.
Along with this patch, Leaks are now coalesced into a common equivalence class
by their allocation site, and the "summary" diagnostic for leaks now reports the
allocation site as the location of the bug (this may later be augmented to also
provide an example location where the leak occurs).
llvm-svn: 63796
makes it clear to clients that they have to pick an instantiation
or spelling location before calling it and allows optimization based
on that.
llvm-svn: 63698
type" rather than the C definition. We do this because both C99 and
Clang always use "aggregate type" as "aggregate or union type", and
the C++ definition includes union types.
llvm-svn: 63395
that every declaration lives inside a DeclContext.
Moved several things that don't have names but were ScopedDecls (and,
therefore, NamedDecls) to inherit from Decl rather than NamedDecl,
including ObjCImplementationDecl and LinkageSpecDecl. Now, we don't
store empty DeclarationNames for these things, nor do we try to insert
them into DeclContext's lookup structure.
The serialization tests are temporarily disabled. We'll re-enable them
once we've sorted out the remaining ownership/serialiazation issues
between DeclContexts and TranslationUnion, DeclGroups, etc.
llvm-svn: 62562
information for declarations that were referenced via a qualified-id,
e.g., N::C::value. We keep track of the location of the start of the
nested-name-specifier. Note that the difference between
QualifiedDeclRefExpr and DeclRefExpr does have an effect on the
semantics of function calls in two ways:
1) The use of a qualified-id instead of an unqualified-id suppresses
argument-dependent lookup
2) If the name refers to a virtual function, the qualified-id
version will call the function determined statically while the
unqualified-id version will call the function determined dynamically
(by looking up the appropriate function in the vtable).
Neither of these features is implemented yet, but we do print out
qualified names for QualifiedDeclRefExprs as part of the AST printing.
llvm-svn: 61789
which can refer to static data members, enumerators, and member
functions as well as to non-static data members.
Implement correct lvalue computation for member references in C++.
Compute the result type of non-static data members of reference type properly.
llvm-svn: 61294
* Now Bind() methods take and return GRState* because binding could
also alter GDM.
* No variables are initialized except those declared with initial
values.
* failed C test cases are due to bugs in RemoveDeadBindings(),
which removes constraints that is still alive. This will be fixed in later
patch.
* default value of array and struct regions will be implemented in later patch.
llvm-svn: 61274
- Added four new ProgramPoint types that subclass PostStmt for use in
GRExprEngine::EvalLocation:
- PostOutOfBoundsCheckFailed
- PostUndefLocationCheckFailed
- PostNullCheckFailed
- PostLocationChecksSucceed
These were created because of a horribly subtle caching bug in EvalLocation
where a node representing an "bug condition" in EvalLocation (e.g. a null
dereference) could be re-used as the "non-bug condition" because the Store did
not contain any information to differentiate between the two. The extra
program points just disables any accidental caching between EvalLocation and
its callers.
GRExprEngine:
- EvalLocation now returns a NodeTy* instead of GRState*. This should be used as the "vetted" predecessor for EvalLoad/EvalStore.
llvm-svn: 61105
- Overhauled the notion of "types" for TypedRegions. We now distinguish between the "lvalue" of a region (via getLValueRegion()) and the "rvalue" of a region (va getRValueRegion()). Since a region represents a chunk of memory it has both, but we were conflating these concepts in some cases, leading to some insidious bugs.
- Removed AnonPointeeType, partially because it is unused and because it doesn't have a clear notion of lvalue vs rvalue type. We can add it back once there is a need for it and we can resolve its role with these concepts.
StoreManager:
- Overhauled StoreManager::CastRegion. It expects an *lvalue* type for a region. This is actually what motivated the overhaul to the MemRegion type mechanism. It also no longer returns an SVal; we can just return a MemRegion*.
- BasicStoreManager::CastRegion now overlays an "AnonTypedRegion" for pointer-pointer casts. This matches with the MemRegion changes.
- Similar changes to RegionStore, except I've added a bunch of FIXMEs where it wasn't 100% clear where we should use TypedRegion::getRValueRegion() or TypedRegion::getLValueRegion().
AuditCFNumberCreate check:
- Now blasts through AnonTypedRegions that may layer the original memory region, thus checking if the actually memory block is of the appropriate type. This change was needed to work with the changes to StoreManager::CastRegion.
GRExprEngine::VisitCast:
- Conform to the new interface of StoreManager::CastRegion.
Tests:
- None of the analysis tests fail now for using the "basic store".
- Disabled the tests 'array-struct.c' and 'rdar-6442306-1.m' pending further testing and bug fixing.
llvm-svn: 60995
GRExprEngine (VisitCast):
- When using StoreManager::CastRegion, always use the state and value it returns to generate the next node. Failure to do so means that region values returned that don't require the state to be modified will get ignored.
MemRegion:
- Tighten the interface for ElementRegion. Now ElementRegion can only be created with a super region that is a 'TypedRegion' instead of any MemRegion. Code in BasicStoreManager/RegionStoreManager already assumed this, but it would result in a dynamic assertion check (and crash) rather than just having the compiler forbid the construction of such regions.
- Added ElementRegion::getArrayRegion() to return the 'typed version' of an ElementRegion's super region.
- Removed bogus assertion in ElementRegion::getType() that assumed that the super region was an AnonTypedRegion. All that matters is that it is a TypedRegion, which is now true all the time by design.
BasicStore:
- Modified getLValueElement() to check if the 'array' region is a TypedRegion before creating an ElementRegion. This conforms to the updated interface for ElementRegion.
RegionStore:
- In ArrayToPointer() gracefully handle things we don't reason about, and only create an ElementRegion if the array region is indeed a TypedRegion.
llvm-svn: 60990
Mike Stump