Commit Graph

741 Commits

Author SHA1 Message Date
Jordan Rose 637ff0cc0f [analyzer] Merge RegionStore's KillStruct and CopyLazyBindings: BindAggregate.
Both methods need to clear out existing bindings and provide a new default
binding. Originally KillStruct always provided UnknownVal as the default,
but it's allowed symbolic values for quite some time (for handling returned
structs in C).

No functionality change.

llvm-svn: 161637
2012-08-09 22:55:54 +00:00
Jordan Rose a44a55a8f2 [analyzer] Cluster bindings in RegionStore by base region.
This should speed up activities that need to access bindings by cluster,
such as invalidation and dead-bindings cleaning. In some cases all we save
is the cost of building the region cluster map, but other times we can
actually avoid traversing the rest of the store.

In casual testing, this produced a speedup of nearly 10% analyzing SQLite,
with /less/ memory used.

llvm-svn: 161636
2012-08-09 22:55:51 +00:00
Jordan Rose c91e01bc11 [analyzer] Cache the "concrete offset base" for regions with symbolic offsets.
This makes it faster to access and invalidate bindings with symbolic offsets
by only computing this information once.

No intended functionality change.

llvm-svn: 161635
2012-08-09 22:55:37 +00:00
Jordan Rose 996d309fb7 [analyzer] A CXXBaseObjectRegion should correspond to a DIRECT base.
An ASTContext's RecordLayoutInfo can only be used to look up offsets of
direct base classes, and we need the offset to make non-symbolic bindings
in RegionStore. This change makes sure that we have one layer of
CXXBaseObjectRegion for each base we are casting through.

This was causing crashes on an internal buildbot.

llvm-svn: 161621
2012-08-09 21:24:02 +00:00
Anna Zaks a0105b2320 [analyzer] Rename the function to better reflect what it actually does.
llvm-svn: 161617
2012-08-09 21:02:45 +00:00
Anna Zaks 8d1f1f3b06 [analyzer] Clarify the values in Dyn. Dispatch Bifurcation map.
llvm-svn: 161616
2012-08-09 21:02:41 +00:00
Anna Zaks 85383182ec [analyzer] Improve readability of the dyn. dispatch bifurcation patch
r161552.

As per Jordan's feedback.

llvm-svn: 161603
2012-08-09 18:43:00 +00:00
Anna Zaks bc6d0ccf92 Unbreak the build.
Declaring "const Decl *Decl" is not a good idea.

llvm-svn: 161567
2012-08-09 02:57:02 +00:00
Anna Zaks 123af098b8 [analyzer] Bifurcate the path with dynamic dispatch.
This is an initial (unoptimized) version. We split the path when
inlining ObjC instance methods. On one branch we always assume that the
type information for the given memory region is precise. On the other we
assume that we don't have the exact type info. It is important to check
since the class could be subclassed and the method can be overridden. If
we always inline we can loose coverage.

Had to refactor some of the call eval functions.

llvm-svn: 161552
2012-08-09 00:21:33 +00:00
Jordan Rose d86b3bdb7a [analyzer] Clean up the printing of FieldRegions for leaks.
Unfortunately, generalized region printing is very difficult:
- ElementRegions are used both for casting and as actual elements.
- Accessing values through a pointer means going through an intermediate
  SymbolRegionValue; symbolic regions are untyped.
- Referring to implicitly-defined variables like 'this' and 'self' could be
  very confusing if they come from another stack frame.

We fall back to simply not printing the region name if we can't be sure it
will print well. This will allow us to improve in the future.

llvm-svn: 161512
2012-08-08 18:23:36 +00:00
Jordan Rose 356279ca2d [analyzer] Track malloc'd regions stored in structs.
The main blocker on this (besides the previous commit) was that
ScanReachableSymbols was not looking through LazyCompoundVals.
Once that was fixed, it's easy enough to clear out malloc data on return,
just like we do when we bind to a global region.

<rdar://problem/10872635>

llvm-svn: 161511
2012-08-08 18:23:31 +00:00
Jordan Rose 3a80cec5e9 [analyzer] Revamp RegionStore to distinguish regions with symbolic offsets.
RegionStore currently uses a (Region, Offset) pair to describe the locations
of memory bindings. However, this representation breaks down when we have
regions like 'array[index]', where 'index' is unknown. We used to store this
as (SubRegion, 0); now we mark them specially as (SubRegion, SYMBOLIC).

Furthermore, ProgramState::scanReachableSymbols depended on the existence of
a sub-region map, but RegionStore's implementation doesn't provide for such
a thing. Moving the store-traversing logic of scanReachableSymbols into the
StoreManager allows us to eliminate the notion of SubRegionMap altogether.

This fixes some particularly awkward broken test cases, now in
array-struct-region.c.

llvm-svn: 161510
2012-08-08 18:23:27 +00:00
Anna Zaks 75930b65b4 [analyzer] Address Jordan's review of DynamicTypePropagation.
llvm-svn: 161391
2012-08-07 05:12:24 +00:00
Anna Zaks 472dbcf156 [analyzer] Add a checker to manage dynamic type propagation.
Instead of sprinkling dynamic type info propagation throughout
ExprEngine, the added checker would add the more precise type
information on known APIs (Ex: ObjC alloc, new) and propagate
the type info in other cases (ex: ObjC init method, casts (the second is
not implemented yet)).

Add handling of ObjC alloc, new and init to the checker.

llvm-svn: 161357
2012-08-06 23:25:39 +00:00
Jordan Rose 17a8757a46 [analyzer] Update initializer assertion for delegating constructors.
Like base constructors, delegating constructors require no further
processing in the CFGInitializer node.

Also, add PrettyStackTraceLoc to the initializer and destructor logic
so we can get better stack traces in the future.

llvm-svn: 161283
2012-08-03 23:31:15 +00:00
Jordan Rose cfb4eb293f [analyzer] When a symbol is null, we should track its constraints.
Because of this, we would previously emit NO path notes when a parameter
is constrained to null (because there are no stores). Now we show where we
made the assumption, which is much more useful.

llvm-svn: 161280
2012-08-03 23:09:01 +00:00
Jordan Rose 3eb3cd45b8 [analyzer] Flatten path diagnostics for text output like we do for HTML.
llvm-svn: 161279
2012-08-03 23:08:54 +00:00
Jordan Rose 92e1449b55 [analyzer] Track null/uninitialized C++ objects used in method calls.
llvm-svn: 161278
2012-08-03 23:08:49 +00:00
Jordan Rose 80880ac7ee [analyzer] Provide useful PathDiagnosticLocations for CallEnter/Exit events.
llvm-svn: 161277
2012-08-03 23:08:44 +00:00
Jordan Rose adec516f4e [analyzer] FindLastStoreBRVisitor was not actually finding stores.
The visitor walks back through the ExplodedGraph as expected, but
it wasn't actually keeping track of when a value was assigned. This
meant that it only worked when the value was assigned when the variable
was defined.

Tests in the next commit (dependent on another change).

llvm-svn: 161276
2012-08-03 23:08:42 +00:00
Anna Zaks afc13b9ec5 [analyzer] Fixup: remove the extra whitespace
llvm-svn: 161265
2012-08-03 21:49:42 +00:00
Anna Zaks 150843b87e [analyzer] ObjC Inlining: Start tracking dynamic type info in the GDM
In the following code, find the type of the symbolic receiver by
following it and updating the dynamic type info in the state when we
cast the symbol from id to MyClass *.

  MyClass *a = [[self alloc] init];
  return 5/[a testSelf];

llvm-svn: 161264
2012-08-03 21:43:37 +00:00
Anna Zaks 4bd96c4469 [analyzer] Fix a typo. Thanks Jordan.
llvm-svn: 161249
2012-08-03 18:30:20 +00:00
Anna Zaks 4c03dfd4b1 [analyzer] Solve another source of non-determinism in the diagnostic
engine.

The code that was supposed to split the tie in a deterministic way is
not deterministic. Most likely one of the profile methods uses a
pointer. After this change we do finally get the consistent diagnostic
output. Testing this requires running the analyzer on large code bases
and diffing the results.

llvm-svn: 161224
2012-08-02 23:41:05 +00:00
Jordan Rose fa49c92b5c [analyzer] Also emit Prev/Next links for macros in HTML output. Oops.
llvm-svn: 161154
2012-08-02 02:43:42 +00:00
Jordan Rose 11790a4810 [analyzer] Add Prev/Next links to the HTML output.
llvm-svn: 161153
2012-08-02 02:26:19 +00:00
Anna Zaks 4c4fe84b25 [analyzer] Flush bug reports in deterministic order.
This makes the diagnostic output order deterministic. 
1) This makes order of text diagnostics consistent from run to run.

2) Also resulted in different bugs being reported (from one run to
another) with plist-html output.

llvm-svn: 161151
2012-08-02 00:41:43 +00:00
Jordan Rose 69bd4e803b [analyzer] Control C++ inlining with a macro in ExprEngineCallAndReturn.cpp.
For now this will stay on, but this way it's easy to switch off if we need
to pull back our support for a while.

llvm-svn: 161064
2012-07-31 18:22:40 +00:00
Jordan Rose a765bac7a1 [analyzer] Turn -cfg-add-initializers on by default, and remove the flag.
llvm-svn: 161060
2012-07-31 18:04:59 +00:00
Jordan Rose 6a97d92ef5 [analyzer] Don't try to inline if there's no region for a message receiver.
While usually we'd use a symbolic region rather than a straight-up Unknown,
we can still generate unknowns via array subscripts with symbolic indexes.
(And if this ever changes in the future, we still shouldn't crash.)

llvm-svn: 161059
2012-07-31 18:04:53 +00:00
Jordan Rose 1f8c0b4587 [analyzer] Add a FIXME about devirtualization in ctors/dtors.
llvm-svn: 161058
2012-07-31 18:04:49 +00:00
Jordan Rose e8a21b73ac [analyzer] Getting an lvalue for a reference field still requires a load.
This was causing a crash in our array-to-pointer logic, since the region
was clearly not an array.

PR13440 / <rdar://problem/11977113>

llvm-svn: 161051
2012-07-31 16:34:07 +00:00
Jordan Rose 42e8d6497d [analyzer] Let CallEvent decide what goes in an inital stack frame.
This removes explicit checks for 'this' and 'self' from
Store::enterStackFrame. It also removes getCXXThisRegion() as a virtual
method on all CallEvents; it's now only implemented in the parts of the
hierarchy where it is relevant. Finally, it removes the option to ask
for the ParmVarDecls attached to the definition of an inlined function,
saving a recomputation of the result of getRuntimeDefinition().

No visible functionality change!

llvm-svn: 161017
2012-07-31 01:07:55 +00:00
Anna Zaks 5808eb8029 [analyzer] Handle inlining of instance calls to super.
Use self-init.m for testing. (It used to have a bunch of failing tests
with dynamic inlining turned on.)

llvm-svn: 161012
2012-07-30 23:48:36 +00:00
Jordan Rose c2d249ce2c [analyzer] Perform post-call checks for all inlined calls.
Previously, we were only checking the origin expressions of inlined calls.
Checkers using the generic postCall and older postObjCMessage callbacks were
ignored. Now that we have CallEventManager, it is much easier to create
a CallEvent generically when exiting an inlined function, which we can then
use for post-call checks.

No test case because we don't (yet) have any checkers that depend on this
behavior (which is why it hadn't been fixed before now).

llvm-svn: 161005
2012-07-30 23:39:47 +00:00
Anna Zaks 63282aefb9 [analyzer] Very simple ObjC instance method inlining
- Retrieves the type of the object/receiver from the state.
- Binds self during stack setup.
- Only explores the path on which the method is inlined (no
bifurcation to explore the path on which the method is not inlined).

llvm-svn: 160991
2012-07-30 20:31:29 +00:00
Anna Zaks e49190984c [analyzer] Add -analyzer-ipa=dynamic option for inlining dynamically
dispatched methods.

Disabled by default for now.

llvm-svn: 160988
2012-07-30 20:31:18 +00:00
Jordan Rose fcd016e57e [analyzer] Only allow CallEvents to be created by CallEventManager.
This ensures that it is valid to reference-count any CallEvents, and we
won't accidentally try to reclaim a CallEvent that lives on the stack.
It also hides an ugly switch statement for handling CallExprs!

There should be no functionality change here.

llvm-svn: 160986
2012-07-30 20:22:09 +00:00
Jordan Rose d457ca92ce [analyzer] Introduce a CallEventManager to keep a pool of CallEvents.
This allows us to get around the C++ "virtual constructor" problem
when we'd like to create a CallEvent from an ExplodedNode, an inlined
StackFrameContext, or another CallEvent. The solution has three parts:

- CallEventManager uses a BumpPtrAllocator to allocate CallEvent-sized
  memory blocks. It also keeps a cache of freed CallEvents for reuse.
- CallEvents all have protected copy constructors, along with cloneTo()
  methods that use placement new to copy into CallEventManager-managed
  memory, vtables intact.
- CallEvents owned by CallEventManager are now wrapped in an
  IntrusiveRefCntPtr. Going forwards, it's probably a good idea to create
  ALL CallEvents through the CallEventManager, so that we don't accidentally
  try to reclaim a stack-allocated CallEvent.

All of this machinery is currently unused but will be put into use shortly.

llvm-svn: 160983
2012-07-30 20:21:55 +00:00
NAKAMURA Takumi 836926dbdf clang/lib: [CMake] Update tblgen'd dependencies.
llvm-svn: 160851
2012-07-27 06:18:33 +00:00
Jordan Rose 41c98d9dc3 [analyzer] Look through SubstNonTypeTemplateParmExprs.
We were treating this like a CXXDefaultArgExpr, but
SubstNonTypeTemplateParmExpr actually appears when a template is
instantiated, i.e. we have all the information necessary to evaluate it.
This allows us to inline functions like llvm::array_lengthof.

<rdar://problem/11949235>

llvm-svn: 160846
2012-07-27 01:15:02 +00:00
Jordan Rose de76c92b15 [analyzer] Use a stack-based local AGAIN to fix the build for real.
It's a good thing CallEvents aren't created all over the place yet.
I checked all the uses this time and the private copy constructor
/really/ shouldn't cause any more problems.

llvm-svn: 160845
2012-07-27 00:47:52 +00:00
Jordan Rose 7aab2295be [analyzer] Use a stack-based local instead of a temporary to fix build.
Passing a temporary via reference parameter still requires a visible
copy constructor.

llvm-svn: 160840
2012-07-26 23:24:15 +00:00
Ted Kremenek 313c2ff375 Look at the preceding CFGBlock for the expression to load from in ExprEngine::VisitGuardedExpr
instead of walking to the preceding PostStmt node.  There are cases where the last evaluated
expression does not appear in the ExplodedGraph.

Fixes PR 13466.

llvm-svn: 160819
2012-07-26 22:23:41 +00:00
Jordan Rose 72ce8e2d42 [analyzer] CallEvent is no longer a value object.
After discussion, the type-based dispatch was decided to be bad for
maintenance and made it very easy for subtle bugs to creep in. Instead,
we'll just be very careful when we do have to allocate these on the heap.

llvm-svn: 160817
2012-07-26 21:41:15 +00:00
Jordan Rose 4f7df9be69 [analyzer] Rename Calls.{h,cpp} to CallEvent.{h,cpp}. No functionality change.
llvm-svn: 160815
2012-07-26 21:39:41 +00:00
Jordan Rose 25bc20f846 [analyzer] Don't crash on implicit statements inside initializers.
Our BugReporter knows how to deal with implicit statements: it looks in
the ParentMap until it finds a parent with a valid location. However, since
initializers are not in the body of a constructor, their sub-expressions are
not in the ParentMap. That was easy enough to fix in AnalysisDeclContext.

...and then even once THAT was fixed, there's still an extra funny case
of Objective-C object pointer fields under ARC, which are initialized with
a top-level ImplicitValueInitExpr. To catch these cases,
PathDiagnosticLocation will now fall back to the start of the current
function if it can't find any other valid SourceLocations. This isn't great,
but it's miles better than a crash.

(All of this is only relevant when constructors and destructors are being
inlined, i.e. under -cfg-add-initializers and -cfg-add-implicit-dtors.)

llvm-svn: 160810
2012-07-26 20:04:30 +00:00
Jordan Rose 20edae8749 [analyzer] Don't crash on array constructors and destructors.
This workaround is fairly lame: we simulate the first element's constructor
and destructor and rely on the region invalidation to "initialize" the rest
of the elements.

llvm-svn: 160809
2012-07-26 20:04:25 +00:00
Jordan Rose 54529a347e [analyzer] Handle C++ member initializers and destructors.
This uses CFG to tell if a constructor call is for a member, and uses
the member's region appropriately.

llvm-svn: 160808
2012-07-26 20:04:21 +00:00
Jordan Rose 05375eb4ec [analyzer] Use the CFG to see if a constructor is for a local variable.
Previously we were using ParentMap and crawling through the parent DeclStmt.
This should be at least slightly cheaper (and is also more flexible).

No (intended) functionality change.

llvm-svn: 160807
2012-07-26 20:04:16 +00:00
Jordan Rose b970505d0d [analyzer] Handle base class initializers and destructors.
Most of the logic here is fairly simple; the interesting thing is that
we now distinguish complete constructors from base or delegate constructors.
We also make sure to cast to the base class before evaluating a constructor
or destructor, since non-virtual base classes may behave differently.

This includes some refactoring of VisitCXXConstructExpr and VisitCXXDestructor
in order to keep ExprEngine.cpp as clean as possible (leaving the details for
ExprEngineCXX.cpp).

llvm-svn: 160806
2012-07-26 20:04:13 +00:00
Jordan Rose a4c0d21f42 [analyzer] Show paths for destructor calls.
This modifies BugReporter and friends to handle CallEnter and CallExitEnd
program points that came from implicit call CFG nodes (read: destructors).

This required some extra handling for nested implicit calls. For example,
the added multiple-inheritance test case has a call graph that looks like this:

testMultipleInheritance3
  ~MultipleInheritance
    ~SmartPointer
    ~Subclass
      ~SmartPointer
        ***bug here***

In this case we correctly notice that we started in an inlined function
when we reach the CallEnter program point for the second ~SmartPointer.
However, when we reach the next CallEnter (for ~Subclass), we were
accidentally re-using the inner ~SmartPointer call in the diagnostics.

Rather than guess if we saw the corresponding CallExitEnd based on the
contents of the active path, we now just ask the PathDiagnostic if there's
any known stack before popping off the top path.

(A similar issue could have occured without multiple inheritance, but there
wasn't a test case for it.)

llvm-svn: 160804
2012-07-26 20:04:05 +00:00
Jordan Rose c5d852447b [analyzer] Inline ctors + dtors when the CFG is built for them.
At the very least this means initializer nodes for constructors and
automatic object destructors are present in the CFG.

llvm-svn: 160803
2012-07-26 20:04:00 +00:00
Jordan Rose 443ec10e2d [analyzer] PostImplicitCall can also occur between CFGElements.
This avoids an assertion crash when we invalidate on a destructor call
instead of inlining it.

llvm-svn: 160802
2012-07-26 20:03:56 +00:00
Anna Zaks 83f1495fcb [analyzer] Inline ObjC class methods.
- Some cleanup(the TODOs) will be done after ObjC method inlining is
complete.
- Simplified CallEvent::getDefinition not to require ISDynamicDispatch
parameter.
- Also addressed Jordan's comments from r160530.

llvm-svn: 160768
2012-07-26 00:27:51 +00:00
Ted Kremenek 80b4ac76c5 Remove the ability to stash arbitrary pointers into UndefinedVal (no longer needed).
llvm-svn: 160764
2012-07-25 22:09:19 +00:00
Ted Kremenek b5a18d5881 Remove ExprEngine::MarkBranch(), as it is no longer needed.
llvm-svn: 160761
2012-07-25 21:58:29 +00:00
Ted Kremenek bb81ffb342 Update ExprEngine's handling of ternary operators to find the ternary expression
value by scanning the path, rather than assuming we have visited the '?:' operator
as a terminator (which sets a value indicating which expression to grab the
final ternary expression value from).

llvm-svn: 160760
2012-07-25 21:58:25 +00:00
Sylvestre Ledru 830885ca64 Fix a typo (the the => the)
llvm-svn: 160622
2012-07-23 08:59:39 +00:00
Benjamin Kramer f473cd4b6a Remove unused private member variable uncovered by the recent changes to clang's -Wunused-private-field.
llvm-svn: 160584
2012-07-20 22:06:30 +00:00
Anna Zaks 3136cf9d5b [analyzer] Refactor VisitObjCMessage and VisitCallExpr to rely on the
same implementation for call evaluation.

llvm-svn: 160530
2012-07-19 23:38:13 +00:00
Richard Smith 18eff57031 Silence another GCC warning.
llvm-svn: 160488
2012-07-19 03:08:07 +00:00
Jordan Rose 627b046c88 [analyzer] Combine all ObjC message CallEvents into ObjCMethodCall.
As pointed out by Anna, we only differentiate between explicit message sends

This also adds support for ObjCSubscriptExprs, which are basically the same
as properties in many ways. We were already checking these, but not emitting
nice messages for them.

This depends on the llvm::PointerIntPair change in r160456.

llvm-svn: 160461
2012-07-18 21:59:51 +00:00
Jordan Rose 9003d0d02f [analyzer] Rename addExtraInvalidatedRegions to get...Regions
Per Anna's comment that "add..." sounds like a method that modifies
the receiver, rather than its argument.

No functionality change.

llvm-svn: 160460
2012-07-18 21:59:46 +00:00
Jordan Rose 59e6ce922c [analyzer] Make CallEvent a value object.
We will need to be able to easily reconstruct a CallEvent from an ExplodedNode
for diagnostic purposes, and that's exactly what factory functions are for.
CallEvent objects are small enough (four pointers and a SourceLocation) that
returning them through the stack is fairly cheap. Clients who just need to use
existing CallEvents can continue to do so using const references.

This uses the same sort of "kind-field-dispatch" as SVal, though most of the
nastiness is contained in the DISPATCH and DISPATCH_ARG macros at the end of
the file. (We can't use a template for this because member-pointers to base
class methods don't call derived-class methods even when casting to the
derived class. We can't use variadic macros because they're a C99 feature.)

llvm-svn: 160459
2012-07-18 21:59:41 +00:00
Jordan Rose 074ebb3a6f [analyzer] Remove obsolete ObjCPropRef SVal kind.
ObjC properties are handled through their semantic form of ObjCMessageExprs
and their wrapper PseudoObjectExprs, and have been for quite a while. The
syntactic ObjCPropertyRefExprs do not appear in the CFG and are not visited
by ExprEngine.

No functionality change.

llvm-svn: 160458
2012-07-18 21:59:37 +00:00
Jordan Rose be25b07f67 [analyzer] Remove unused ExprEngine::VisitCXXTemporaryObjectExpr.
llvm-svn: 160457
2012-07-18 21:59:23 +00:00
Ted Kremenek 46dcfc9431 Fix crash in RegionStoreManager::evalDerivedToBase() due to not handling references
(in uses of dynamic_cast<>).

Fixes <rdar://problem/11817693>.

llvm-svn: 160427
2012-07-18 05:57:33 +00:00
Jordan Rose c4e9d56268 [analyzer] Remove stale result type lvalue code.
This code has been moved around multiple times, but seems to have been
obsolete ever since we started handled references like pointers.

llvm-svn: 160375
2012-07-17 17:27:10 +00:00
Jordan Rose 5089f3b398 [analyzer] Handle new-expressions with initializers for scalars.
<rdar://problem/11818967>

llvm-svn: 160328
2012-07-16 23:38:09 +00:00
Daniel Jasper 6b5a4fcc07 Prevent unused-variable warning in optimized builds.
llvm-svn: 160257
2012-07-16 10:25:15 +00:00
Ted Kremenek b50e716bac Refine CFG so that '&&' and '||' don't lead to extra confluence points when used in a branch, but
instead push the terminator for the branch down into the basic blocks of the subexpressions of '&&' and '||'
respectively.  This eliminates some artifical control-flow from the CFG and results in a more
compact CFG.

Note that this patch only alters the branches 'while', 'if' and 'for'.  This was complex enough for
one patch.  The remaining branches (e.g., do...while) can be handled in a separate patch, but they
weren't immediately tackled because they were less important.

It is possible that this patch introduces some subtle bugs, particularly w.r.t. to destructor placement.
I've tried to audit these changes, but it is also known that the destructor logic needs some refinement
in the area of '||' and '&&' regardless (i.e., their are known bugs).

llvm-svn: 160218
2012-07-14 05:04:10 +00:00
Jordan Rose d66bee3f76 [analyzer] Don't inline virtual calls unless we can devirtualize properly.
Previously we were using the static type of the base object to inline
methods, whether virtual or non-virtual. Now, we try to see if the base
object has a known type, and if so ask for its implementation of the method.

llvm-svn: 160094
2012-07-12 00:16:25 +00:00
Jordan Rose 8889cf008d [analyzer] Add debug.DumpCalls, which prints out any CallEvents it sees.
This is probably not so useful yet because it is not path-sensitive, though
it does try to show inlining with indentation.

This also adds a dump() method to CallEvent, which should be useful for
debugging.

llvm-svn: 160030
2012-07-10 23:56:23 +00:00
Jordan Rose eab627b951 [analyzer] Construct stack variables directly in their VarDecl.
Also contains a number of tweaks to inlining that are necessary
for constructors and destructors. (I have this enabled on a private
branch, but it is very much unstable.)

llvm-svn: 160023
2012-07-10 22:08:01 +00:00
Jordan Rose d1d54aa131 [analyzer] Use CallEvent for building inlined stack frames.
In order to accomplish this, we now build the callee's stack frame
as part of the CallEnter node, rather than the subsequent BlockEdge node.
This should not have any effect on perceived behavior or diagnostics.

This makes it safe to re-enable inlining of member overloaded operators.

llvm-svn: 160022
2012-07-10 22:07:57 +00:00
Jordan Rose fbe6dba15a [analyzer] Make CallEnter, CallExitBegin, and CallExitEnd not be StmtPoints
These ProgramPoints are used in inlining calls,
and not all calls have associated statements anymore.

llvm-svn: 160021
2012-07-10 22:07:52 +00:00
Jordan Rose 4ee71b8a18 [analyzer] Add a CXXDestructorCall CallEvent.
While this work is still fairly tentative (destructors are still left out of
the CFG by default), we now handle destructors in the same way as any other
calls, instead of just automatically trying to inline them.

llvm-svn: 160020
2012-07-10 22:07:47 +00:00
Jordan Rose 681cce9908 [analyzer] Add new PreImplicitCall and PostImplicitCall ProgramPoints.
These are currently unused, but are intended to be used in lieu of PreStmt
and PostStmt when the call is implicit (e.g. an automatic object destructor).

This also modifies the Data1 field of ProgramPoints to allow storing any
pointer-sized value, as opposed to only aligned pointers. This is necessary
to store SourceLocations.

There is currently no BugReporter support for these; they should be skipped
over in any diagnostic output.

This commit also tags checkers that currently rely on function calls only
occurring at StmtPoints.

llvm-svn: 160019
2012-07-10 22:07:42 +00:00
Jordan Rose e04395e2f4 [analyzer] When inlining, make sure we use the definition decl.
This was a regression introduced during the CallEvent changes; a call to
FunctionDecl::hasBody was also being used to replace the decl found by
lookup with the actual definition. To keep from making this mistake again
(particularly if/when we start inlining Objective-C methods), this commit
adds a "getDefinition()" method to CallEvent, which should do the right
thing under any circumstances.

llvm-svn: 159940
2012-07-09 16:54:49 +00:00
Jordan Rose 3f89e0ec93 [analyzer] Be careful about LazyCompoundVals, which may be for the first field.
We use LazyCompoundVals to avoid copying the contents of structs and arrays
around in the store, and when we need to pass a struct around that already
has a LazyCompoundVal we just use the original one. However, it's possible
that the first field of a struct may have a LazyCompoundVal of its own, and
we currently can't distinguish a LazyCompoundVal for the first element of a
struct from a LazyCompoundVal for the entire struct. In this case we should
just drop the optimization and make a new LazyCompoundVal that encompasses
the old one.

PR13264 / <rdar://problem/11802440>

llvm-svn: 159866
2012-07-06 21:59:56 +00:00
Dmitri Gribenko ec92531c29 Implement AST classes for comments, a real parser for Doxygen comments and a
very simple semantic analysis that just builds the AST; minor changes for lexer
to pick up source locations I didn't think about before.

Comments AST is modelled along the ideas of HTML AST: block and inline content.

* Block content is a paragraph or a command that has a paragraph as an argument
  or verbatim command.
* Inline content is placed within some block.  Inline content includes plain
  text, inline commands and HTML as tag soup.

llvm-svn: 159790
2012-07-06 00:28:32 +00:00
Benjamin Kramer 1ea8e092be Drop the ASTContext.h include from Stmt.h and fix up transitive users.
This required moving the ctors for IntegerLiteral and FloatingLiteral out of
line which shouldn't change anything as they are usually called through Create
methods that are already out of line.

ASTContext::Deallocate has been a nop for a long time, drop it from ASTVector
and make it independent from ASTContext.h

Pass the StorageAllocator directly to AccessedEntity so it doesn't need to
have a definition of ASTContext around.

llvm-svn: 159718
2012-07-04 17:04:04 +00:00
Jordan Rose 017591ab45 [analyzer] For now, don't inline non-static member overloaded operators.
Our current inlining support (specifically RegionStore::enterStackFrame)
doesn't know that calls to overloaded operators may be calls to non-static
member functions, and that in these cases the first argument should be
treated as 'this'. This caused incorrect results and sometimes crashes.

The long-term fix will be to rewrite RegionStore::enterStackFrame to use
CallEvent and its subclasses, but for now we can just disable these
problematic calls by classifying them under a new CallEvent,
CXXMemberOperatorCall.

llvm-svn: 159692
2012-07-03 22:55:57 +00:00
Jordan Rose a4ee064cf3 [analyzer] Introduce CXXAllocatorCall to handle placement arg invalidation.
This is NOT full-blown support for operator new, but removes some nasty
duplicated code introduced in r158784.

llvm-svn: 159608
2012-07-02 22:21:47 +00:00
Jordan Rose 62146f67b7 Revert "Remove unused member (& consequently unused parameter) in SA's Call code."
...and instead add an accessor. We're not using this today, but it's something
that should probably stay in the source for potential clients, and it doesn't
cost a lot. (ObjCPropertyAccess is only created on the stack, and right now
there's only ever one alive at a time.)

This reverts r159581 / commit 8e674e1da34a131faa7d43dc3fcbd6e49120edbe.

llvm-svn: 159595
2012-07-02 21:41:53 +00:00
David Blaikie 977a35644e Remove unused member (& consequently unused parameter) in SA's Call code.
This member became unused in r159559.

llvm-svn: 159581
2012-07-02 20:44:57 +00:00
Ted Kremenek de21a1c964 Bail out the LiveVariables analysis when the CFG is very large, as
we are encountering some scalability issues with memory usage.   The
appropriate long term fix is to make the analysis more scalable, but
this will at least prevent the analyzer swapping when
analyzing very large functions.

llvm-svn: 159578
2012-07-02 20:21:52 +00:00
Jordan Rose afe7c2c2bf [analyzer] Add generic preCall and postCall checks.
llvm-svn: 159562
2012-07-02 19:28:16 +00:00
Jordan Rose f3c12ac3b1 [analyzer] Convert CXXConstructExpr over to use CallEvent for evaluation.
llvm-svn: 159561
2012-07-02 19:28:12 +00:00
Jordan Rose cbeef55886 [analyzer] Use CallEvent for inlining and call default-evaluation.
llvm-svn: 159560
2012-07-02 19:28:09 +00:00
Jordan Rose 547060b30b [analyzer] Finish replacing ObjCMessage with ObjCMethodDecl and friends.
The preObjCMessage and postObjCMessage callbacks now take an ObjCMethodCall
argument, which can represent an explicit message send (ObjCMessageSend) or an
implicit message generated by a property access (ObjCPropertyAccess).

llvm-svn: 159559
2012-07-02 19:28:04 +00:00
Jordan Rose 6bad4905d7 [analyzer] Begin replacing ObjCMessage with ObjCMethodCall and friends.
Previously, the CallEvent subclass ObjCMessageInvocation was just a wrapper
around the existing ObjCMessage abstraction (over message sends and property
accesses). Now, we have abstract CallEvent ObjCMethodCall with subclasses
ObjCMessageSend and ObjCPropertyAccess.

In addition to removing yet another wrapper object, this should make it easy
to add a ObjCSubscriptAccess call event soon.

llvm-svn: 159558
2012-07-02 19:27:56 +00:00
Jordan Rose 7ab0182e33 [analyzer] Move the last bits of CallOrObjCMessage over to CallEvent.
This involved refactoring some common pointer-escapes code onto CallEvent,
then having MallocChecker use those callbacks for whether or not to consider
a pointer's /ownership/ as escaping. This still needs to be pinned down, and
probably we want to make the new argumentsMayEscape() function a little more
discerning (content invalidation vs. ownership/metadata invalidation), but
this is a good improvement.

As a bonus, also remove CallOrObjCMessage from the source completely.

llvm-svn: 159557
2012-07-02 19:27:51 +00:00
Jordan Rose 742920c8e7 [analyzer] Add a new abstraction over all types of calls: CallEvent
This is intended to replace CallOrObjCMessage, and is eventually intended to be
used for anything that cares more about /what/ is being called than /how/ it's
being called. For example, inlining destructors should be the same as inlining
blocks, and checking __attribute__((nonnull)) should apply to the allocator
calls generated by operator new.

llvm-svn: 159554
2012-07-02 19:27:35 +00:00
Jordan Rose 42ee04d00a [analyzer] Add a test that we are, in fact, doing a DFS on the ExplodedGraph.
Previously:
...the comment said DFS...
...the WorkList being instantiated said BFS...
...and the implementation was actually DFS...
...due to an unintentional change in 2010...
...and everything kept working anyway.

This fixes our std::deque implementation of BFS, but switches back to a
SmallVector-based implementation of DFS.

We should probably still investigate the ramifications of DFS vs. BFS,
especially for large functions (and especially when we hit our block path
limit), since this might completely change our memory use. It can also mask
some bugs and reveal others depending on when we halt analysis. But at least
we will not have this kind of little mistake creep in again.

llvm-svn: 159397
2012-06-29 00:33:10 +00:00
Jordan Rose 88be136cff [analyzer] Remove unneeded helper function (it's in ASTContext.h)
llvm-svn: 159244
2012-06-27 00:51:16 +00:00
Ted Kremenek 72b3452c2b Implement initial static analysis inlining support for C++ methods.
llvm-svn: 159047
2012-06-22 23:55:50 +00:00
Anna Zaks 301e0d6074 [analyzer] Remove a statistic - it's too expensive.
(Committed in r159038 by mistake.)

llvm-svn: 159040
2012-06-22 22:24:45 +00:00
Anna Zaks 7aa3687bb6 [analyzer]scan-build: report the total number of steps analyzer performs
This would be useful to investigate performance issues.

llvm-svn: 159038
2012-06-22 22:08:12 +00:00