| Age | Commit message (Collapse) | Author |
|---|
|
(1) libAnalysis is a generic analysis library that can be used by
Sema. It defines the CFG, basic dataflow analysis primitives, and
inexpensive flow-sensitive analyses (e.g. LiveVariables).
(2) libChecker contains the guts of the static analyzer, incuding the
path-sensitive analysis engine and domain-specific checks.
Now any clients that want to use the frontend to build their own tools
don't need to link in the entire static analyzer.
This change exposes various obvious cleanups that can be made to the
layout of files and headers in libChecker. More changes pending. :)
This change also exposed a layering violation between AnalysisContext
and MemRegion. BlockInvocationContext shouldn't explicitly know about
BlockDataRegions. For now I've removed the BlockDataRegion* from
BlockInvocationContext (removing context-sensitivity; although this
wasn't used yet). We need to have a better way to extend
BlockInvocationContext (and any LocationContext) to add
context-sensitivty.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@94406 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
veneer on top of getRegionValueSymbolVal().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@91471 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
'BlockDataRegion' to distinguish between the code associated with a
block (which is represented by 'BlockTextRegion') and an instance of a
block, which includes both code and data. 'BlockDataRegion' has an
associated LocationContext, which can be used to eventually model the
lifetime of a block object once LocationContexts can represent scopes
(and iterations around a loop, etc.).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89900 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
precursor to having basic static analysis support for blocks.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89828 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
<rdar://problem/6914474> checker doesn't realize that variable might
have been assigned if a pointer to that variable was passed to another
function via a structure
The problem here was the RegionStoreManager::InvalidateRegion didn't
invalidate the bindings of invalidated regions. This required a
rewrite of this method using a worklist.
As part of this fix, changed ValueManager::getConjuredSymbolVal() to
require a 'void*' SymbolTag argument. This tag is used to
differentiate two different symbols created at the same location.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82920 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
to statically type various methods in SValuator/GRState as required either a
defined value or a defined-but-possibly-unknown value. This leads to various
logic cleanups in GRExprEngine, and lets the compiler enforce via type checking
our assumptions about what symbolic values are possibly undefined and what are
not.
Along the way, clean up some of the static analyzer diagnostics regarding the uses of uninitialized values.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@81579 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@81346 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
RegionStore already lazily abstracted the contents of arrays and structs, when
doing an assignment from one array/struct to another we did an explicit
element-wise copy, which resulted in a loss of laziness and huge performance
problem when analyzing many code bases.
Now RegionStoreManager handles such assignments using a new SVal could
'LazyCompoundSVal', which basically means the value of a given struct or array
(a MemRegion*) in a specific state (GRState). When we do a load from a field
whose encompassing struct binds to a LazyCompoundSVal, we essentially do a field
lookup in the original structure. This means we have essentially zero copying of
data for structs/arrays and everything stays lazy.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78268 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
constant value. If the UnaryOperator has location type, create the
constant with int type and pointer width.
This fixes the bug that all pointer increments 'p++' evaluated to Unknown.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78147 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
made to RegionStore (and related classes) in order to handle some
analyzer failures involving casts and manipulation of symbolic memory.
The root of the change is in StoreManager::CastRegion(). Instead of
using ad hoc heuristics to decide when to layer an ElementRegion on a
casted MemRegion, we now always layer an ElementRegion when the cast
type is different than the original type of the region. This carries
the current cast information associated with a region around without
resorting to the error prone recording of "casted types" in GRState.
Along with this new policy of layering ElementRegions, I added a new
algorithm to strip away existing ElementRegions when they simply
represented casts of a base memory object. This algorithm computes
the raw "byte offset" that an ElementRegion represents from the base
region, and allows the new ElementRegion to be based off that offset.
The added benefit is that this naturally handles a series of casts of
a MemRegion without building up a set of redundant ElementRegions
(thus canonicalizing the region view).
Other related changes that cascaded from this one (as tests were
failing in RegionStore):
- Revamped RegionStoreManager::InvalidateRegion() to completely remove
all bindings and default values from a region and all subregions.
Now invalidated fields are not bound directly to new symbolic
values; instead the base region has a "default" symbol value from
which "derived symbols" can be created. The main advantage of this
approach is that it allows us to invalidate a region hierarchy and
then lazily instantiate new values no matter how deep the hierarchy
went (i.e., regardless of the number of field accesses,
e.g. x->f->y->z->...). The previous approach did not do this.
- Slightly reworked RegionStoreManager::RemoveDeadBindings() to also
incorporate live symbols and live regions that do not have direct
bindings but also have "default values" used for lazy instantiation.
The changes to 'InvalidateRegion' revealed that these were necessary
in order to achieve lazy instantiation of values in the region store
with those bindings being removed too early.
- The changes to InvalidateRegion() and RemoveDeadBindings() revealed
a serious bug in 'getSubRegionMap()' where not all region -> subregion
relationships involved in actually bindings (explicit and implicit)
were being recorded. This has been fixed by using a worklist algorithm
to iteratively fill in the region map.
- Added special support to RegionStoreManager::Bind()/Retrieve() to handle
OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the
layering of ElementRegions.
- Fixed a bug in SymbolReaper::isLive() where derived symbols were not
being marked live if the symbol they were derived from was also live.
This fix was critical for getting lazy instantiation in RegionStore
to work.
- Tidied up the implementation of ValueManager::getXXXSymbolVal() methods
to use SymbolManager::canSymbolicate() to decide whether or not a
symbol should be symbolicated.
- 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been
moved to 'test/Analysis/misc-ps.m'.
- Tweaked some pretty-printing of MemRegions, and implemented
'ElementRegion::getRawOffset()' for use with the CastRegion changes.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77782 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
to SValuator::EvalCast. In the process, the StoreManagers now use this new cast
machinery, and the hack in GRExprEngine::EvalBind to handle implicit casts
involving OSAtomicCompareAndSwap and friends has been removed (and replaced with
logic closer to the logic specific to those functions).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76641 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
(1) Moved the SValuator object from GRExprEngine to ValueManager. This
allows ValueManager to use the SValuator when creating SVals.
(2) Added ValueManager::makeArrayIndex() and
ValueManager::convertToArrayIndex(), two SVal creation methods
that will help RegionStoreManager always have a consistent set of
SVals with the same integer size and type when reasoning about
array indices.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@75882 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
SymbolDerived allows us to model symbolic values that are related to other
symbols via a region hierarchy. For example, SymbolDerived can be used to model
individual values of a symbolic array.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@75728 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
T) should return a 'Loc' when 'T' is a pointer
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@75062 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@74762 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
ValueManager::getRegionValueSymbolVal() with unguarded calls to
ValueManager::getRegionValueSymbolValOrUnknown(). This changes centralizes the
decision of what values to symbolicate in SymbolManager rather than having it
scatter in RegionStoreManager.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@74730 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@74520 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
GRTransferFuncs had the conflated role of both constructing SVals (symbolic
expressions) as well as handling checker-specific logic. Now SValuator has the
role of constructing SVals from expressions and GRTransferFuncs just handles
checker-specific logic. The motivation is by separating these two concepts we
will be able to much more easily create richer constraint-generating logic
without coupling it to the main checker transfer function logic.
We now have one implementation of SValuator: SimpleSValuator.
SimpleSValuator is essentially the SVal-related logic that was in GRSimpleVals
(which is removed in this patch). This includes the logic for EvalBinOp,
EvalCast, etc. Because SValuator has a narrower role than the old
GRTransferFuncs, the interfaces are much simpler, and so is the implementation
of SimpleSValuator compared to GRSimpleVals. I also did a line-by-line review of
SVal-related logic in GRSimpleVals and cleaned it up while moving it over to
SimpleSValuator.
As a consequence of removing GRSimpleVals, there is no longer a
'-checker-simple' option. The '-checker-cfref' did everything that option did
but also ran the retain/release checker. Of course a user may not always wish to
run the retain/release checker, nor do we wish core analysis logic buried in the
checker-specific logic. The next step is to refactor the logic in CFRefCount.cpp
to separate out these pieces into the core analysis engine.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@74229 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73954 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
No functionality change.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73952 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Clean up code with ValueManager.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73951 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
array elements to 0 explicitly. Create 0 values with the element type.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73946 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
- Embed a reference to MemRegionManager objects in MemSpaceRegion objects
- Use this embedded reference for MemRegion objects to access ASTContext objects without external help
- Use this access to ASTContext to simplify 'isBoundable' (no ASTContext& argument required)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73935 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
type.
When retrieving the region value, if we are going to create a symbol value, use
the cast-to type if possible.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73690 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
SymbolRegionRValue => SymbolRegionValue
SymExpr::RegionRValue => SymExpr::RegionValueKind
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@71322 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@70865 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
no-outofbounds.c still fails. Previously it passed because the array index
is mistakenly a loc::ConcreteInt.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@70844 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
ProgramPoints all the way through to GRCoreEngine.
NSString.m now fails with RegionStoreManager because of the void** cast.
Disabling use of region store for that test for now.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68845 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68800 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
A CodeTextRegion wraps two kinds of data: FunctionDecl* or SymbolRef.
The latter comes from the symbolic function pointer that are generated from
function calls or input data.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68777 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
- Pull SVal::GetConjuredSymbol() and friends into ValueManager. This greatly
simplifies the calling interface to clients.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68731 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68711 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
"manager of symbolic values", wrapping BasicValueFactory, SymbolManager, and
MemRegionManager. While these individual managers nicely separate functionality
in the analyzer, constructing symbolic values can sometimes be cumbersome
because it requires using multiple managers at once. The goal of this class is
to create some factory methods to create SVals that require the use of these
different managers, thus (hopefully) simplifying the analyzer API for clients.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68709 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@48025 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@47995 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@47954 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
bits, etc.)
This current implementation only works when both operands are concrete values; later we will add support for symbolic values.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@47726 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
include directory tree.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@47661 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
their own [.cpp;.h] files.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@47201 91177308-0d34-0410-b5e6-96231b3b80d8
|
