path: root/lib/Analysis/GRSimpleVals.cpp
Age [Author] Commit message
2009-06-26 [Ted Kremenek] Introduce a new concept to the static analyzer: SValuator.
GRTransferFuncs had the conflated role of both constructing SVals (symbolic expressions) as well as handling checker-specific logic. Now SValuator has the role of constructing SVals from expressions and GRTransferFuncs just handles checker-specific logic. The motivation is by separating these two concepts we will be able to much more easily create richer constraint-generating logic without coupling it to the main checker transfer function logic. We now have one implementation of SValuator: SimpleSValuator. SimpleSValuator is essentially the SVal-related logic that was in GRSimpleVals (which is removed in this patch). This includes the logic for EvalBinOp, EvalCast, etc. Because SValuator has a narrower role than the old GRTransferFuncs, the interfaces are much simpler, and so is the implementation of SimpleSValuator compared to GRSimpleVals. I also did a line-by-line review of SVal-related logic in GRSimpleVals and cleaned it up while moving it over to SimpleSValuator. As a consequence of removing GRSimpleVals, there is no longer a '-checker-simple' option. The '-checker-cfref' did everything that option did but also ran the retain/release checker. Of course a user may not always wish to run the retain/release checker, nor do we wish core analysis logic buried in the checker-specific logic. The next step is to refactor the logic in CFRefCount.cpp to separate out these pieces into the core analysis engine. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@74229 91177308-0d34-0410-b5e6-96231b3b80d8
2009-06-23 [Ted Kremenek] Remove GRStateManager::BindLoc() and GRStateManager::Unbind().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73996 91177308-0d34-0410-b5e6-96231b3b80d8
2009-06-23 [Zhongxing Xu] Move all factory methods from SVal to ValueManager. API cleanup!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73954 91177308-0d34-0410-b5e6-96231b3b80d8
2009-06-23 [Ted Kremenek] MemRegions:
- Embed a reference to MemRegionManager objects in MemSpaceRegion objects - Use this embedded reference for MemRegion objects to access ASTContext objects without external help - Use this access to ASTContext to simplify 'isBoundable' (no ASTContext& argument required) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73935 91177308-0d34-0410-b5e6-96231b3b80d8
2009-06-18 [Ted Kremenek] Move clients over from using GRStateManager::BindXXX and friends to
GRState->bindXXX and friends (and constify some arguments along the way). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73740 91177308-0d34-0410-b5e6-96231b3b80d8
2009-06-16 [Zhongxing Xu] Do not invalidate unboundable regions in GRSimpleVals::EvalCall().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73474 91177308-0d34-0410-b5e6-96231b3b80d8
2009-05-20 [Zhongxing Xu] * API change: we need to pass GRState to GRExprEngine::EvalBinOp() because
RegionStore needs to know the type of alloca region. * RegionStoreManager::EvalBinOp() now converts the alloca region to its first element region, as what is done to symbolic region. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@72164 91177308-0d34-0410-b5e6-96231b3b80d8
2009-05-08 [Ted Kremenek] Fix <rdar://problem/6845148>. Signed integers compared against pointers should
implicitly be changed to unsigned values in GRSimpleVals.cpp. This can happen when the comparison involves logic in specialized transfer functions (e.g., OSAtomicCompareAndSwap). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@71200 91177308-0d34-0410-b5e6-96231b3b80d8
2009-05-04 [Ted Kremenek] Fix false positive null dereference by unifying code paths in GRSimpleVals for
'==' and '!=' (some code in the '!=' was not replicated in the '==' code, causing some constraints to get lost). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@70885 91177308-0d34-0410-b5e6-96231b3b80d8
2009-04-29 [Ted Kremenek] Add corner case logic to BasicStoreManager and GRSimpleVals::EvalBinOp to enable
reasoning about OSCompareAndSwap32Barrier/OSCompareAndSwap64Barrier. Essentially the address of reference to a region (pointer-to-pointer) can be casted to (int32_t*), and we need to handle the logic to convert the involved locations back and forth from nonloc::LocAsInteger, nonloc::ConcreteInt, to Loc and loc::ConcreteInt respectively. This adds some potentially suspect logic to BasicStoreManager that allows the analyzer to reason about abuses of the C type system. This should probably be refined, be ported over to RegionStoreManager, and extended with "path-sensitive type checking" to flag bugs in clearly incoherent code. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@70382 91177308-0d34-0410-b5e6-96231b3b80d8
2009-04-20 [Zhongxing Xu] Remove loc::FuncVal.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@69577 91177308-0d34-0410-b5e6-96231b3b80d8
2009-04-10 [Ted Kremenek] Move a few more NonLoc static functions to ValueManager.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68800 91177308-0d34-0410-b5e6-96231b3b80d8
2009-04-10 [Zhongxing Xu] Finally nuke loc::SymbolVal.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68771 91177308-0d34-0410-b5e6-96231b3b80d8
2009-04-09 [Ted Kremenek] - Move ownership of MemRegionManager into ValueManager.
- Pull SVal::GetConjuredSymbol() and friends into ValueManager. This greatly simplifies the calling interface to clients. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68731 91177308-0d34-0410-b5e6-96231b3b80d8
2009-04-09 [Zhongxing Xu] stop using loc::SymbolVal and clean up code with new API.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68703 91177308-0d34-0410-b5e6-96231b3b80d8
2009-04-09 [Zhongxing Xu] clean up code with new API.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@68701 91177308-0d34-0410-b5e6-96231b3b80d8
2009-03-28 [Ted Kremenek] Fix regression in pointer comparison with NULL (e.g., 0 != ptr). This fixes
<rdar://problem/6732151>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@67954 91177308-0d34-0410-b5e6-96231b3b80d8
2009-03-26 [Zhongxing Xu] Simplify some code. No functionality change.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@67748 91177308-0d34-0410-b5e6-96231b3b80d8
2009-03-26 [Ted Kremenek] analyzer infrastructure: make a bunch of changes to symbolic expressions that
Zhongxing and I discussed by email. Main changes: - Removed SymIntConstraintVal and SymIntConstraint - Added SymExpr as a parent class to SymbolData, SymSymExpr, SymIntExpr - Added nonloc::SymExprVal to wrap SymExpr - SymbolRef is now just a typedef of 'const SymbolData*' - Bunch of minor code cleanups in how some methods were invoked (no functionality change) These changes are part of a long-term plan to have full symbolic expression trees. This will be useful for lazily evaluating complicated expressions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@67731 91177308-0d34-0410-b5e6-96231b3b80d8
2009-03-25 [Zhongxing Xu] This patch adds two more SymbolData subclasses: SymIntExpr and SymSymExpr, for
representing symbolic expressions like 'x'+3 and 'x'+'y'. The design is subject to change later when we fix the class hierarchy of symbolic expressions. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@67678 91177308-0d34-0410-b5e6-96231b3b80d8
2009-03-09 [Ted Kremenek] Teach GRSimpleVals::EvalNE and GRSimpleVals::EvalEQ about TypedRegionViews and
SymbolicRegions. This fixes a serious regression when checking symbolic pointers against null. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@66444 91177308-0d34-0410-b5e6-96231b3b80d8
2009-03-02 [Zhongxing Xu] Initial support for pointer arithmetic. Only support concrete indexes and
offsets for now. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@65814 91177308-0d34-0410-b5e6-96231b3b80d8
2009-02-10 [Ted Kremenek] Fix a crash in GRSimpleVals::EvalCast due to not handling transparent unions.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@64200 91177308-0d34-0410-b5e6-96231b3b80d8
2008-12-05 [Ted Kremenek] Rename SymbolID to SymbolRef. This is a precursor to some overhauling of
the representation of symbolic values. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@60575 91177308-0d34-0410-b5e6-96231b3b80d8
2008-11-15 [Ted Kremenek] Implement FIXME in GRExprEngine::VisitUnaryOperator() to handle implicit
conversions caused by the '!' operator. This required adding some logic to GRSimpleVals to reason about nonloc::LocAsInteger SVals. This code appears to work fine, but it should eventually be cleaned up. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@59335 91177308-0d34-0410-b5e6-96231b3b80d8
2008-11-13 [Ted Kremenek] GRExprEngine/CFRefCount/GRSimpleVals: We don't do any special handling (yet)
of vector types. Add explicit checks that when we process integers that they really are scalars. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@59225 91177308-0d34-0410-b5e6-96231b3b80d8
2008-10-30 [Zhongxing Xu] Rename:
- SetSVal(GRState*, Loc, SVal) => BindLoc - SetSVal(GRState*, Expr*, SVal) => BindExpr git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@58421 91177308-0d34-0410-b5e6-96231b3b80d8
2008-10-27 [Zhongxing Xu] Only loc::MemRegionVal can be modified. This avoids crashing in RegionStore
when a function pointer is used as an argument. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@58233 91177308-0d34-0410-b5e6-96231b3b80d8
2008-10-26 [Zhongxing Xu] Remove loc::StringLiteralVal. Now we allocate regions for string literals in
the Store. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@58182 91177308-0d34-0410-b5e6-96231b3b80d8
2008-10-17 [Ted Kremenek] When conjuring symbols to recover path-sensitivity, don't conjure symbols
that represent an entire struct. We need to implement struct temporaries as an actual "region", and then bind symbols to the FieldRegion of those temporaries. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@57739 91177308-0d34-0410-b5e6-96231b3b80d8
2008-10-17 [Zhongxing Xu] This patch did the following renaming. There should be no functional changes.
RVal => SVal LVal => Loc NonLVal => NonLoc lval => loc nonlval => nonloc git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@57671 91177308-0d34-0410-b5e6-96231b3b80d8
2008-10-17 [Ted Kremenek] Remove lval::FieldOffset, lval::ArrayOffset. These will be replaced with
regions. Remove GRExprEngine::getLVal and RValues::MakeVal. Enhance StoreManager "GetLValue" methods to dispatch for specific kinds of lvalue queries, as opposed to interrogating the expression tree (GRExprEngine already does this). Added FIXMEs. In particular, we no longer "assume" that a base pointer in a field/array access is null (this logic was removed). Perhaps we should do this when fetching the lvalue for fields and array elements? git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@57657 91177308-0d34-0410-b5e6-96231b3b80d8
2008-10-04 [Ted Kremenek] This is a big patch, but the functionality change is small and the rest of
the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. These classes serve to define an abstract representation of memory, with regions being layered on other regions to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow some now redundant logic to be removed from the retain/release checker. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@57042 91177308-0d34-0410-b5e6-96231b3b80d8
2008-09-19 [Ted Kremenek] When we have a binary expression 'int operator symbol', properly rewrite this as
'symbol operator-reverse int'. This patch is a combination of code from Zhongxing Xu and myself (Zhongxing noticed this bug for the cases of relational operators). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@56351 91177308-0d34-0410-b5e6-96231b3b80d8
2008-08-13 [Ted Kremenek] Rename ValueState -> GRState.
Rename ValueStateManager -> GRStateManager. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@54721 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-22 [Ted Kremenek] Moved registration of basic path-sensitive checks from GRSimpleVals.cpp to
GRExprEngineInternalChecks.cpp. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53909 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-22 [Ted Kremenek] Added path-sensitive checking for null pointer values passed to function
arguments marked nonnull. This implements <rdar://problem/6069935> git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53891 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-18 [Ted Kremenek] Fix regression by explicitly checking if we are negating a SymIntConstantVal.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53753 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-18 [Ted Kremenek] Improve path-sensitivity when using the logical not operator.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53752 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-18 [Ted Kremenek] Renamed deterministic EvalBinOp to DetermEvalBinOpNN. This name mangling is
unfortunately needed because virtual methods with the same name can be hidden by subclasses. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53751 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-18 [Ted Kremenek] Created ValueStateSet class to manage the creation of multiple states by a
method. Modified the new EvalBinOpNN to generate states instead of nodes. This is a much simpler interface and is what clients will want to do. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53750 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-16 [Ted Kremenek] Fix regression introduced by
http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20080714/006514.html. The regression was the casts from integers to pointers were not being handled: they would just return UnknownVal. This would greatly decrease path-sensitivity. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53659 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-15 [Ted Kremenek] Fix transfer function logic in GRSimpleVals for integer casts: only support
casts from integers to integers. This fixes a crash reported by Anders Carlsson! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53649 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-11 [Ted Kremenek] Refactored auditor interface within GRExprEngine and GRCoreEngine to use a
"batch auditor" to dispatch to specialized auditors instead of having a separate vector for each audited Expr*. This not only provides a much cleaner implementation, but also allows us to install auditors for any expression. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53464 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-10 [Ted Kremenek] Refactored most of the "Store" piece of ValueState into a Store type. The
current store implementation is now encapsulated by BasicStore. These changes prompted some long due constification of ValueState. Much of the diffs in this patch include adding "const" qualifiers. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53423 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-02 [Ted Kremenek] Unify the code path for the Dead Stores checker to always use the
BugReporter interface. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53054 91177308-0d34-0410-b5e6-96231b3b80d8
2008-07-02 [Ted Kremenek] Refactored some of the BugReporter interface so that data such as the
ASTContext&, PathDiagnosticClient*, can be provided by an external source. Split BugReporter into BugReporter and GRBugReporter so checkers not based on GRExprEngine can still use the BugReporter mechanism. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53048 91177308-0d34-0410-b5e6-96231b3b80d8
2008-06-26 [Ted Kremenek] Added a simple static analysis check to look for improper uses of
CFCreateNumber. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@52799 91177308-0d34-0410-b5e6-96231b3b80d8
2008-05-12 [Ted Kremenek] Support StringLiteralVal when comparing LVal types.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@50979 91177308-0d34-0410-b5e6-96231b3b80d8
2008-05-09 [Ted Kremenek] Rename IsPointerType to LVal::IsLValType, and update CFRefCount::EvalSummary
to use IsLValType when conjuring symbols for return values (this fixes a bug with an assertion firing in the analyzer when two qualified objective-c types were compared). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@50924 91177308-0d34-0410-b5e6-96231b3b80d8