| Age | Commit message (Collapse) | Author |
|---|
|
(1) libAnalysis is a generic analysis library that can be used by
Sema. It defines the CFG, basic dataflow analysis primitives, and
inexpensive flow-sensitive analyses (e.g. LiveVariables).
(2) libChecker contains the guts of the static analyzer, incuding the
path-sensitive analysis engine and domain-specific checks.
Now any clients that want to use the frontend to build their own tools
don't need to link in the entire static analyzer.
This change exposes various obvious cleanups that can be made to the
layout of files and headers in libChecker. More changes pending. :)
This change also exposed a layering violation between AnalysisContext
and MemRegion. BlockInvocationContext shouldn't explicitly know about
BlockDataRegions. For now I've removed the BlockDataRegion* from
BlockInvocationContext (removing context-sensitivity; although this
wasn't used yet). We need to have a better way to extend
BlockInvocationContext (and any LocationContext) to add
context-sensitivty.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@94406 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
malloc().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@93722 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
value bindings. Along with a small change to OSAtomicChecker, this
resolves <rdar://problem/7527292> and resolves some long-standing
issues with how values can be bound to the same physical address by
not have the same "key". This change is only a beginning; logically
RegionStore needs to better handle loads from addresses where the
stored value is larger/smaller/different type than the loaded value.
We handle these cases in an approximate fashion now (via
CastRetrievedVal and help in SimpleSValuator), but it could be made
much smarter.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@93137 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
(1) Introduce a new 'BindingKey' class to match 'BindingValue'. This
gives us the flexibility to change the current key value from 'const
MemRegion*' to something more interesting.
(2) Rework additions/removals/lookups from the store to use new
'Remove', 'Add', 'Lookup' utility methods.
No "real" functionality change; just prep work and abstraction.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@93136 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Essentially treat 'this' as a implicit parameter to the method call, and associate a region with it.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@92675 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@91818 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@91572 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
attribute: the object type.
Add initial support for visiting CXXThisExpr.
Fix a bunch of 80-col violations.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@91535 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@91501 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
veneer on top of getRegionValueSymbolVal().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@91471 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
are outside the current stack frame. Fixes <rdar://problem/7462324>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@91107 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
- Refactor the MemRegion hierarchy to distinguish between different StackSpaceRegions for locals and parameters.
- VarRegions for "captured" variables now have the BlockDataRegion as their super region (except those passed by reference)
- Add transfer function support to GRExprEngine for BlockDeclRefExprs.
This change also supports analyzing blocks as an analysis entry point
(top-of-the-stack), which required pushing more context-sensitivity
around in the MemRegion hierarchy via the use of LocationContext
objects. Functionally almost everything is the same, except we track
LocationContexts in a few more areas and StackSpaceRegions now refer
to a StackFrameContext object. In the future we will need to modify
MemRegionManager to allow multiple StackSpaceRegions in flight at once
(for the analysis of multiple stack frames).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90809 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90582 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90503 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
RegionStoreManager::RemoveDeadBindings(): only the VarRegions for variables marked with the '__block' annotation should have their lifetime extended by a BlockDataRegion.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90462 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
invoking a block (without specific reasoning of what the block does) can invalidate any value to it by reference when the block was created.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90431 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
multiple regions as once. After adopting this in the CFRefCount::EvalCall(), we see a reduction in analysis time of 1.5% when analyzing all of SQLite3.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90405 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90028 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
VarRegion for a "captured" variable should also be considered live.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89928 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
'BlockDataRegion' to distinguish between the code associated with a
block (which is represented by 'BlockTextRegion') and an instance of a
block, which includes both code and data. 'BlockDataRegion' has an
associated LocationContext, which can be used to eventually model the
lifetime of a block object once LocationContexts can represent scopes
(and iterations around a loop, etc.).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89900 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
MemRegionManager::getVarRegion().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89897 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89892 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
precursor to having basic static analysis support for blocks.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89828 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
nested arrays/structs whose values are not explicitly specified. Fixes <rdar://problem/7403269>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@89384 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
* Add a load type to GRExprEngine::EvalLoad().
* When retrieve from 'theValue' of OSAtomic funcitions, use the type of the
region instead of the argument expression as the load type.
* Then we can convert CastRetrievedSVal to a pure assertion. In the future
we can let all Retrieve() methods simply return SVal.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@88888 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86932 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
getBaseRegion will be used in another method.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86649 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Patch by Victor Zverovich!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86638 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
ArrayType>()) does not instantiate. Update all callers that used this
unsafe feature to use the appropriate ASTContext::getAs*ArrayType method.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86596 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
VarDecl*, and modify GRExprEngine::EvalBind() to handle decl initialization as well. This paves the way for adding "checker" visitation in EvalBind().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@85983 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
by Zhongxing Xu. RemoveDeadBindings() would falsely prune
SymbolicRegions from the store that wrapped derived symbols whose
liveness could only be determined after scanning the store.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@85484 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
an Objective-C object
region when doing lazy value retrieval of an ivar.
This fixes: <rdar://problem/7312221>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84584 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84398 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
nothing) and into RemoveDeadBindings. No functionality change.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84335 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
the code to standard worklist algorithm. Always add both sub and super
regions of live regions.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84323 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
kinds. This means we are visiting all regions 'from super region'.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84319 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
touched by StoreManager::InvalidateRegion().
This fixes <rdar://problem/7257223> and <rdar://problem/7283470>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84223 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
RegionStoreManager::Retrieve() that was intended to handle conflated uses of pointers as integers.
It turns out this isn't needed, and resulted in inconsistent behavior when creating symbolic values on the following test case in 'tests/Analysis/misc-ps.m':
typedef struct _BStruct { void *grue; } BStruct;
void testB_aux(void *ptr);
void testB(BStruct *b) {
{
int *__gruep__ = ((int *)&((b)->grue));
int __gruev__ = *__gruep__;
testB_aux(__gruep__);
}
{
int *__gruep__ = ((int *)&((b)->grue));
int __gruev__ = *__gruep__;
if (~0 != __gruev__) {}
}
}
When the code was analyzed with '-arch x86_64', the value assigned to '__gruev__' be would be a
symbolic integer, but for '-arch i386' the value assigned to '__gruev__' would be a symbolic region
(a blob of memory). With this change the value created is always a symbolic integer.
Since the code being removed was added to support analysis of code calling
OSAtomicCompareAndSwapXXX(), I also modified 'test/Analysis/NSString.m' to analyze the code in both
'-arch i386' and '-arch x86_64', and also added some complementary test cases to test the presence
of leaks when using OSAtomicCompareAndSwap32Barrier()/OSAtomicCompareAndSwap64Barrier() instead of
just their absence. This code change reveals that previously both RegionStore and BasicStore were
handling these cases wrong, and would never cause the analyzer to emit a leak in these cases (false
negatives). Now RegionStore gets it right, but BasicStore still gets it wrong (and hence it has been
disabled temporarily for this test case).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84163 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
* Make all Base value the last argument.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84071 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83934 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
default binding for regions. This allows us to simply a lot of code. A
further simplification could be done is that many methods of
regionstore can only work on Store instead of GRState.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83762 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83611 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83610 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
adding assert
This fix required a few changes:
SimpleSValuator:
- Eagerly replace a symbolic value with its constant value in EvalBinOpNN
when it is constrained to a constant. This allows us to better constant fold
values along a path.
- Handle trivial case of '<', '>' comparison of pointers when the two pointers
are exactly the same.
RegionStoreManager:
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83358 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
concrete types. Use unqualified desugaring for getAs<> and sundry.
Fix a few users to either not desugar or use qualified desugar, as seemed
appropriate. Removed Type's qualified desugar method, as it was easy
to accidentally use instead of QualType's.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83116 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
'*((unsigned int *)"????")'
This issue was originally reported via personal email by Thomas Clement!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83069 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
identified with a false positive reported by Thomas Clement. This
involved doing another rewrite of
RegionStoreManager::RemoveDeadBindings(), which phrases the entire
problem of scanning for dead regions as a graph exploration problem.
It is more methodic than the previous implementation.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83053 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
are only specially treated by RegionStore::InvalidateRegion() when
their super region is also invalidated. When this isn't the case,
conjure a new symbol for a FieldRegion. Thanks to Zhongxing Xu and
Daniel Dunbar for pointing out this issue.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83043 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
region has also been invalidated.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83040 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
RegionStoreManager::InvalidateRegion() by only removing their old
binding, not conjuring a new symbol.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82939 91177308-0d34-0410-b5e6-96231b3b80d8
|
