546c49c3b2 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: Clean up bug naming:
- Rename the category "Logic Error" -> "Memory Error".
- Shorten all the messages.
llvm-svn: 150733
							
						 
						
							2012-02-16 22:26:12 +00:00  
				
					
						
							
							
								 
						
							
								d32ead82d9 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: Give up when a pointer escapes into a struct.
We are not properly handling the memory regions that escape into struct
fields, which led to a bunch of false positives. Be conservative here
and give up when a pointer escapes into a struct.
llvm-svn: 150658
							
						 
						
							2012-02-16 03:40:57 +00:00  
				
					
						
							
							
								 
						
							
								5a6213d22b 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: Add another false positive as a todo test.
llvm-svn: 150534
							
						 
						
							2012-02-15 00:11:28 +00:00  
				
					
						
							
							
								 
						
							
								ac06814d2f 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: add support for reallocf, which always frees
the passed in pointer on failure.
llvm-svn: 150533
							
						 
						
							2012-02-15 00:11:25 +00:00  
				
					
						
							
							
								 
						
							
								d51574850e 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: add support for valloc + minor code
hardening.
llvm-svn: 150532
							
						 
						
							2012-02-15 00:11:22 +00:00  
				
					
						
							
							
								 
						
							
								ad01ef5fb9 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: realloc: add dependency between the symbols
in realloc map.
If there is no dependency, the reallocated ptr will get garbage
collected before we know that realloc failed, which would lead us to
missing a memory leak warning.
Also added new test cases, which we can handle now.
Plus minor cleanups.
llvm-svn: 150446
							
						 
						
							2012-02-14 00:26:13 +00:00  
				
					
						
							
							
								 
						
							
								8fd0f2a6cb 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: realloc: correct the way we are handling the
case when size is 0.
llvm-svn: 150412
							
						 
						
							2012-02-13 20:57:07 +00:00  
				
					
						
							
							
								 
						
							
								d56c8794d3 
								
							 
						 
						
							
							
								
[analyzer] Malloc checker: rework realloc handling:
1) Support the case when realloc fails to reduce False Positives. (We
essentially need to restore the state of the pointer being reallocated.)
2) Realloc behaves differently under special conditions (from pointer is
null, size is 0). When detecting these cases, we should consider
under-constrained states (size might or might not be 0). The
old version handled this in a very hacky way. The code did not
differentiate between definite and possible (no consideration for
under-constrained states). Further, after processing each special case,
the realloc processing function did not return but chained to the next
special case processing. So you could end up in an execution in which
you first see the states in which size is 0 and realloc ~ free(),
followed by the states corresponding to size is not 0 followed by the
evaluation of the regular realloc behavior.
llvm-svn: 150402
							
						 
						
							2012-02-13 18:05:39 +00:00  
				
					
						
							
							
								 
						
							
								41b84847bf 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: reduce false negatives rate by assuming that
a pointer cannot escape through calls to system functions. Also, stop
after reporting the first use-after-free.
llvm-svn: 150315
							
						 
						
							2012-02-11 23:46:36 +00:00  
				
					
						
							
							
								 
						
							
								3aa5225d5e 
								
							 
						 
						
							
							
								
[analyzer] Malloc Checker: Report a leak when we are returning freed
memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)
llvm-svn: 150313
							
						 
						
							2012-02-11 21:44:39 +00:00  
				
					
						
							
							
								 
						
							
								d3571e5ad3 
								
							 
						 
						
							
							
								
[analyzer] Malloc checker: Leak bugs should be suppressed by sinks.
Resolves a common false positive, where we were reporting a leak inside
asserts
llvm-svn: 150312
							
						 
						
							2012-02-11 21:02:40 +00:00  
				
					
						
							
							
								 
						
							
								bb1ef9011d 
								
							 
						 
						
							
							
								
[analyzer] MallocChecker: refactor/improve the symbol escape logic.
We use the same logic here as the RetainRelease checker.
llvm-svn: 150311
							
						 
						
							2012-02-11 21:02:35 +00:00  
				
					
						
							
							
								 
						
							
								e963fd51a8 
								
							 
						 
						
							
							
								
[analyzer] MallocChecker: add a list of false positives based on running
the checker over postgres and sqlite.
llvm-svn: 150216
							
						 
						
							2012-02-10 01:11:03 +00:00  
				
					
						
							
							
								 
						
							
								3188686c55 
								
							 
						 
						
							
							
								
[analyzer] MallocChecker Cleanup - harden against crashes, fix an error
(use of return instead of continue), wording.
llvm-svn: 150215
							
						 
						
							2012-02-10 01:11:00 +00:00  
				
					
						
							
							
								 
						
							
								2b5bb97986 
								
							 
						 
						
							
							
								
[analyzer] Add custom path diagnostic to the Malloc Checker.
Very simple so far - we just highlight every allocation and release
site.
llvm-svn: 150156
							
						 
						
							2012-02-09 06:25:51 +00:00  
				
					
						
							
							
								 
						
							
								12259b443d 
								
							 
						 
						
							
							
								
[analyzer] MallocChecker cleanup, more tests.
llvm-svn: 150155
							
						 
						
							2012-02-09 06:25:47 +00:00  
				
					
						
							
							
								 
						
							
								a1b227b6a7 
								
							 
						 
						
							
							
								
[analyzer] MallocChecker: implement pessimistic version of the checker,
which allows values to escape through unknown calls.
Assumes all calls but the malloc family are unknown.
Also, catch a use-after-free when a pointer is passed to a
function after a call to free (previously, you had to explicitly
dereference the pointer value).
llvm-svn: 150112
							
						 
						
							2012-02-08 23:16:56 +00:00  
				
					
						
							
							
								 
						
							
								bfb8e2fe6e 
								
							 
						 
						
							
							
								
If size was equal to 0, either NULL or a pointer suitable to be passed to
free() is returned by realloc(). Most code expects NULL.
And we only need to transfer one final ProgramState.
llvm-svn: 138937
							
						 
						
							2011-09-01 04:53:59 +00:00  
				
					
						
							
							
								 
						
							
								3f955e6d89 
								
							 
						 
						
							
							
								
[analyzer] rename all experimental checker packages to have 'experimental' be the common root package.
llvm-svn: 136835
							
						 
						
							2011-08-03 23:14:55 +00:00  
				
					
						
							
							
								 
						
							
								005b5c1aee 
								
							 
						 
						
							
							
								
More accurately model realloc() when the size argument is 0. realloc() with a size of 0 is equivalent to free(). The memory region should be marked as free and not used again.
Unit tests f2_realloc_0(), f6_realloc(), and f7_realloc() contributed by Marshall Clow <mclow.lists@gmail.com>. Thanks!
llvm-svn: 130303
							
						 
						
							2011-04-27 14:49:29 +00:00  
				
					
						
							
							
								 
						
							
								49c79790de 
								
							 
						 
						
							
							
								
Rework checker "packages" and groups to be more hierarchical.
llvm-svn: 128187
							
						 
						
							2011-03-24 00:28:47 +00:00  
				
					
						
							
							
								 
						
							
								9eb02dfa89 
								
							 
						 
						
							
							
								
[analyzer] Remove '-analyzer-check-objc-mem' flag, the nominee for best misnomer award.
llvm-svn: 126676
							
						 
						
							2011-02-28 19:49:42 +00:00  
				
					
						
							
							
								 
						
							
								098874a2f8 
								
							 
						 
						
							
							
								
[analyzer] Migrate UndefinedAssignmentChecker to CheckerV2.
llvm-svn: 126617
							
						 
						
							2011-02-28 01:27:37 +00:00  
				
					
						
							
							
								 
						
							
								21c9423ef4 
								
							 
						 
						
							
							
								
[analyzer] Remove '-analyzer-experimental-checks' flag.
llvm-svn: 126607
							
						 
						
							2011-02-28 01:26:43 +00:00  
				
					
						
							
							
								 
						
							
								183f0fb4cf 
								
							 
						 
						
							
							
								
[analyzer] Migrate MallocChecker to CheckerV2.
llvm-svn: 126606
							
						 
						
							2011-02-28 01:26:35 +00:00  
				
					
						
							
							
								 
						
							
								b388f77ad9 
								
							 
						 
						
							
							
								
[analyzer] Remove '-analyzer-experimental-internal-checks' flag, it doesn't have any checkers associated with it anymore.
llvm-svn: 126440
							
						 
						
							2011-02-24 21:43:08 +00:00  
				
					
						
							
							
								 
						
							
								8b08906411 
								
							 
						 
						
							
							
								
[analyzer] Migrate CastSizeChecker to CheckerV2.
llvm-svn: 126438
							
						 
						
							2011-02-24 21:42:49 +00:00  
				
					
						
							
							
								 
						
							
								2d3905ffac 
								
							 
						 
						
							
							
								
[analyzer] Use the new registration mechanism on some of the experimental checks. These are:
   CStringChecker
   ChrootChecker
   MallocChecker
   PthreadLockChecker
   StreamChecker
   UnreachableCodeChecker
MallocChecker creates implicit dependencies between checkers and needs to be handled differently.
llvm-svn: 125598
							
						 
						
							2011-02-15 21:25:03 +00:00  
				
					
						
							
							
								 
						
							
								d21139a34f 
								
							 
						 
						
							
							
								
After a lengthy design discussion, add support for "ownership attributes" for malloc/free checking.  Patch by Andrew McGregor!
llvm-svn: 109939
							
						 
						
							2010-07-31 01:52:11 +00:00  
				
					
						
							
							
								 
						
							
								cba9f517ac 
								
							 
						 
						
							
							
								
Added a path-sensitive unreachable code checker to the experimental analyzer checks.
- Created a new class to do post-analysis
- Updated several test cases with unreachable code to expect a warning
- Added some general tests
llvm-svn: 109286
							
						 
						
							2010-07-23 23:04:53 +00:00  
				
					
						
							
							
								 
						
							
								2dd9b02cc8 
								
							 
						 
						
							
							
								
Casting to void* or any other pointer-to-sizeless type (e.g. function pointers) causes a divide-by-zero error. Simple fix: check if the pointee type size is 0 and bail out early if it is.
llvm-svn: 106401
							
						 
						
							2010-06-20 04:30:57 +00:00  
				
					
						
							
							
								 
						
							
								527ff6d1dc 
								
							 
						 
						
							
							
								
Add support for calloc() in MallocChecker. Patch by Jordy Rose, with my
modification.
llvm-svn: 105264
							
						 
						
							2010-06-01 03:01:33 +00:00  
				
					
						
							
							
								 
						
							
								658dd8b176 
								
							 
						 
						
							
							
								
CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
whether the size of the symbolic region is a multiple of the size of T.
Fixes PR6123 and PR7217.
llvm-svn: 104584
							
						 
						
							2010-05-25 04:59:19 +00:00  
				
					
						
							
							
								 
						
							
								1bb6a1a593 
								
							 
						 
						
							
							
								
Add use-after-free check to MallocChecker.
llvm-svn: 98136
							
						 
						
							2010-03-10 04:58:55 +00:00  
				
					
						
							
							
								 
						
							
								be36ecbb60 
								
							 
						 
						
							
							
								
Fix pr6293. If ptr is NULL, no operation is performed.
llvm-svn: 96154
							
						 
						
							2010-02-14 06:49:48 +00:00  
				
					
						
							
							
								 
						
							
								2f2692f8ca 
								
							 
						 
						
							
							
								
Rename -cc1 option '-checker-cfref' to '-analyzer-check-objc-mem'.
llvm-svn: 95348
							
						 
						
							2010-02-05 02:06:54 +00:00  
				
					
						
							
							
								 
						
							
								5fcd99b10f 
								
							 
						 
						
							
							
								
Add test case for pr6069.
llvm-svn: 93708
							
						 
						
							2010-01-18 04:01:40 +00:00  
				
					
						
							
							
								 
						
							
								b0e15df36b 
								
							 
						 
						
							
							
								
Let constraint manager inform checkers that some assumption logic has happened.
Add new states for symbolic regions tracked by malloc checker. This enables us
to do malloc checking more accurately. See test case.
Based on Lei Zhang's patch and discussion.
llvm-svn: 92342
							
						 
						
							2009-12-31 06:13:07 +00:00  
				
					
						
							
							
								 
						
							
								8fbe78f6fc 
								
							 
						 
						
							
							
								
Update tests to use %clang_cc1 instead of 'clang-cc' or 'clang -cc1'.
- This is designed to make it obvious that %clang_cc1 is a "test variable"
  which is substituted. It is '%clang_cc1' instead of '%clang -cc1' because it
  can be useful to redefine what gets run as 'clang -cc1' (for example, to set
  a default target).
llvm-svn: 91446
							
						 
						
							2009-12-15 20:14:24 +00:00  
				
					
						
							
							
								 
						
							
								27f686f8ec 
								
							 
						 
						
							
							
								
Replace clang-cc with clang -cc1.
llvm-svn: 91272
							
						 
						
							2009-12-14 06:34:20 +00:00  
				
					
						
							
							
								 
						
							
								c0484fa611 
								
							 
						 
						
							
							
								
Add initial support for realloc() in MallocChecker.
llvm-svn: 91216
							
						 
						
							2009-12-12 12:29:38 +00:00  
				
					
						
							
							
								 
						
							
								23baa01af4 
								
							 
						 
						
							
							
								
Add PreVisitReturn to Malloc checker. Now we can recognize returned memory
block.
llvm-svn: 89071
							
						 
						
							2009-11-17 08:58:18 +00:00  
				
					
						
							
							
								 
						
							
								4668c7ed1c 
								
							 
						 
						
							
							
								
Add EvalEndPath interface to Checker. Now we can check memory leaked at the
end of the path. Need to unify interfaces.
llvm-svn: 89063
							
						 
						
							2009-11-17 07:54:15 +00:00  
				
					
						
							
							
								 
						
							
								b774685c08 
								
							 
						 
						
							
							
								
Fix a couple of tests.
llvm-svn: 88756
							
						 
						
							2009-11-14 04:23:25 +00:00  
				
					
						
							
							
								 
						
							
								9430bf20ff 
								
							 
						 
						
							
							
								
Remove test case's dependency on header file.
llvm-svn: 88685
							
						 
						
							2009-11-13 20:03:22 +00:00  
				
					
						
							
							
								 
						
							
								e5e977013c 
								
							 
						 
						
							
							
								
Add two new test cases for the Malloc/Free checker.  Both have to do with
storing malloc'ed memory to global storage.
llvm-svn: 88684
							
						 
						
							2009-11-13 20:00:28 +00:00  
				
					
						
							
							
								 
						
							
								c2675568a1 
								
							 
						 
						
							
							
								
Add test case that shows a leak we don't catch.
llvm-svn: 88683
							
						 
						
							2009-11-13 19:53:32 +00:00  
				
					
						
							
							
								 
						
							
								4ef13f8ac9 
								
							 
						 
						
							
							
								
Add clang-cc option "--analyzer-experimental-internal-checks".  This
option enables new "internal" checks that will eventually be turned on
by default but still require broader testing.
llvm-svn: 88671
							
						 
						
							2009-11-13 18:46:29 +00:00  
				
					
						
							
							
								 
						
							
								c7460964ac 
								
							 
						 
						
							
							
								
Malloc checker basically works now.
llvm-svn: 87094
							
						 
						
							2009-11-13 07:48:11 +00:00