| Age | Commit message (Collapse) | Author |
|---|
|
default binding for regions. This allows us to simply a lot of code. A
further simplification could be done is that many methods of
regionstore can only work on Store instead of GRState.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83762 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83611 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83610 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
adding assert
This fix required a few changes:
SimpleSValuator:
- Eagerly replace a symbolic value with its constant value in EvalBinOpNN
when it is constrained to a constant. This allows us to better constant fold
values along a path.
- Handle trivial case of '<', '>' comparison of pointers when the two pointers
are exactly the same.
RegionStoreManager:
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83358 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
concrete types. Use unqualified desugaring for getAs<> and sundry.
Fix a few users to either not desugar or use qualified desugar, as seemed
appropriate. Removed Type's qualified desugar method, as it was easy
to accidentally use instead of QualType's.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83116 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
'*((unsigned int *)"????")'
This issue was originally reported via personal email by Thomas Clement!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83069 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
identified with a false positive reported by Thomas Clement. This
involved doing another rewrite of
RegionStoreManager::RemoveDeadBindings(), which phrases the entire
problem of scanning for dead regions as a graph exploration problem.
It is more methodic than the previous implementation.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83053 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
are only specially treated by RegionStore::InvalidateRegion() when
their super region is also invalidated. When this isn't the case,
conjure a new symbol for a FieldRegion. Thanks to Zhongxing Xu and
Daniel Dunbar for pointing out this issue.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83043 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
region has also been invalidated.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@83040 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
RegionStoreManager::InvalidateRegion() by only removing their old
binding, not conjuring a new symbol.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82939 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82924 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
<rdar://problem/6914474> checker doesn't realize that variable might
have been assigned if a pointer to that variable was passed to another
function via a structure
The problem here was the RegionStoreManager::InvalidateRegion didn't
invalidate the bindings of invalidated regions. This required a
rewrite of this method using a worklist.
As part of this fix, changed ValueManager::getConjuredSymbolVal() to
require a 'void*' SymbolTag argument. This tag is used to
differentiate two different symbols created at the same location.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82920 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
instead of 'cast<PointerType>()' (to handle pointer typedefs).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82686 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
parameter regions
The issue was a discrepancy between how RegionStoreManager::Bind() and
RegionStoreManager::Retrieve() derived the "key" for the first element
of a symbolic region.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82680 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
floats not honored
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82575 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Several of the existing methods were identical to their respective
specializations, and so have been removed entirely. Several more 'leaf'
optimizations were introduced.
The getAsFoo() methods which imposed extra conditions, like
getAsObjCInterfacePointerType(), have been left in place.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82501 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
integer pointer. For now just invalidate the fields of the struct.
This addresses: <rdar://problem/7185607> [RegionStore] support invalidation of bit fields using integer assignment
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@82492 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@81346 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@81092 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
when using the non-fragile Objective-C ABI. This fixes <rdar://problem/7168531>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@80047 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
implicit cast logic in RegionStoreManager to BasicStoreManager. This involved
moving CastRetriedVal from RegionStoreManager to StoreManager.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@80026 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
SelfRegion represented the object bound to 'self' (when analyzing Objective-C
methods) upon entry to a method. Having this region stored on the side ignores
the current stack frame that we might be analyzing (among other things), and is
a problem for interprocedural analysis.
For RegionStoreManager, the value for SelfRegion is just lazily created.
For BasicStoreManager, the value for SelfRegion is bound eagerly to 'self', but
no explicit tracking of SelfRegion on the side is made.
As part of this change, remove the restriction in BasicStoreManager that we only
track ivars for 'self'. This shouldn't actually change anything in terms of
precision, and simplifies the logic.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@79694 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
analysis.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@79680 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
GRStateManager to create the SelfRegion.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@79628 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
of GRStateManager and GRExprEngine, pass the initial location context
to the getInitialState() method.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@79228 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
with array accesses. In the process, refactor some common logic in
RetrieveElement() and RetrieveField() into RetrieveFieldOrElementCommon().
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78349 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
involving reasoning about unions (which we don't handle yet).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78342 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78305 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
LazyCompoundSVals.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78284 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
are no longer needed.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78280 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78273 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
RegionStore already lazily abstracted the contents of arrays and structs, when
doing an assignment from one array/struct to another we did an explicit
element-wise copy, which resulted in a loss of laziness and huge performance
problem when analyzing many code bases.
Now RegionStoreManager handles such assignments using a new SVal could
'LazyCompoundSVal', which basically means the value of a given struct or array
(a MemRegion*) in a specific state (GRState). When we do a load from a field
whose encompassing struct binds to a LazyCompoundSVal, we essentially do a field
lookup in the original structure. This means we have essentially zero copying of
data for structs/arrays and everything stays lazy.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78268 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
region to the worklist used to create the subregion map.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78228 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
wouldn't correctly get registered in the SubRegion map.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78162 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
function.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78000 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77876 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
as well.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77875 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
manipulate the entire GRState, not just the Store.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77870 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
made to RegionStore (and related classes) in order to handle some
analyzer failures involving casts and manipulation of symbolic memory.
The root of the change is in StoreManager::CastRegion(). Instead of
using ad hoc heuristics to decide when to layer an ElementRegion on a
casted MemRegion, we now always layer an ElementRegion when the cast
type is different than the original type of the region. This carries
the current cast information associated with a region around without
resorting to the error prone recording of "casted types" in GRState.
Along with this new policy of layering ElementRegions, I added a new
algorithm to strip away existing ElementRegions when they simply
represented casts of a base memory object. This algorithm computes
the raw "byte offset" that an ElementRegion represents from the base
region, and allows the new ElementRegion to be based off that offset.
The added benefit is that this naturally handles a series of casts of
a MemRegion without building up a set of redundant ElementRegions
(thus canonicalizing the region view).
Other related changes that cascaded from this one (as tests were
failing in RegionStore):
- Revamped RegionStoreManager::InvalidateRegion() to completely remove
all bindings and default values from a region and all subregions.
Now invalidated fields are not bound directly to new symbolic
values; instead the base region has a "default" symbol value from
which "derived symbols" can be created. The main advantage of this
approach is that it allows us to invalidate a region hierarchy and
then lazily instantiate new values no matter how deep the hierarchy
went (i.e., regardless of the number of field accesses,
e.g. x->f->y->z->...). The previous approach did not do this.
- Slightly reworked RegionStoreManager::RemoveDeadBindings() to also
incorporate live symbols and live regions that do not have direct
bindings but also have "default values" used for lazy instantiation.
The changes to 'InvalidateRegion' revealed that these were necessary
in order to achieve lazy instantiation of values in the region store
with those bindings being removed too early.
- The changes to InvalidateRegion() and RemoveDeadBindings() revealed
a serious bug in 'getSubRegionMap()' where not all region -> subregion
relationships involved in actually bindings (explicit and implicit)
were being recorded. This has been fixed by using a worklist algorithm
to iteratively fill in the region map.
- Added special support to RegionStoreManager::Bind()/Retrieve() to handle
OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the
layering of ElementRegions.
- Fixed a bug in SymbolReaper::isLive() where derived symbols were not
being marked live if the symbol they were derived from was also live.
This fix was critical for getting lazy instantiation in RegionStore
to work.
- Tidied up the implementation of ValueManager::getXXXSymbolVal() methods
to use SymbolManager::canSymbolicate() to decide whether or not a
symbol should be symbolicated.
- 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been
moved to 'test/Analysis/misc-ps.m'.
- Tweaked some pretty-printing of MemRegions, and implemented
'ElementRegion::getRawOffset()' for use with the CastRegion changes.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77782 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
Type::getAsRecordType() -> Type::getAs<RecordType>()
Type::getAsPointerType() -> Type::getAs<PointerType>()
Type::getAsBlockPointerType() -> Type::getAs<BlockPointerType>()
Type::getAsLValueReferenceType() -> Type::getAs<LValueReferenceType>()
Type::getAsRValueReferenceType() -> Type::getAs<RValueReferenceType>()
Type::getAsMemberPointerType() -> Type::getAs<MemberPointerType>()
Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
Type::getAsTagType() -> Type::getAs<TagType>()
And remove Type::getAsReferenceType(), etc.
This change is similar to one I made a couple weeks ago, but that was partly
reverted pending some additional design discussion. With Doug's pending smart
pointer changes for Types, it seemed natural to take this approach.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77510 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
OldCastRegion used), and the associated command line option
'-analyzer-store=old-basic-cast'.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77509 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
in StoreManager to RegionStoreManager, and create a special, highly reduced
version in BasicStoreManager.
These changes are in preparation for future RegionStore-specific changes to
InvalidateRegion.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@77483 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
instead preferring to use the a region's actual type when creating
symbols and using the QualType passed to Retrieve for implicit
casting. This preprocessor logic is temporary; eventually we will
either remove region casts or keep them.
Temporarily toggle (via preprocessor directives) that SymbolicRegions
with heap storage are not undefined, but instead should be
symbolicated. If we want to model that a SymbolicRegion is
uninitialized, we can explicitly model that by binding UndefinedVal to
that region. It turns out that we want to treat most heap objects as
being defined, not the other way around.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76720 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
to SValuator::EvalCast. In the process, the StoreManagers now use this new cast
machinery, and the hack in GRExprEngine::EvalBind to handle implicit casts
involving OSAtomicCompareAndSwap and friends has been removed (and replaced with
logic closer to the logic specific to those functions).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76641 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
-refactor logic for retrieving bindings from VarDecls into
RegionStoreManager::RetrieveVar()
- improve RegionStoreManager::CastRetrievedVal() and SimpleSValuate::EvalCastNL
to better handle casts of values of the same canonical type as well as
casts of LocAsInteger values.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76516 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
pointers.
Enhanced RegionStoreManager::Retrieve() to handle automatic casts when the
loaded value is different from the requested value. This should be refined over
time, but essentially we should always symbolicate locations as locations, and
convert them to non-locations on demand.
These changes now cause 'misc-ps.m' to pass again.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76497 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
until Doug Gregor's Type smart pointer code lands (or more discussion occurs).
These methods just call the new Type::getAs<XXX> methods, so we still have
reduced implementation redundancy. Having explicit getAsXXXType() methods makes
it easier to set breakpoints in the debugger.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76193 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Type::getAsMemberPointerType(), Type::getAsTagType(), and Type::getAsRecordType() with their Type::getAs<XXX> equivalents.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76139 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
This method is intended to eventually replace the individual
Type::getAsXXXType<> methods.
The motivation behind this change is twofold:
1) Reduce redundant implementations of Type::getAsXXXType() methods. Most of
them are basically copy-and-paste.
2) By centralizing the implementation of the getAs<Type> logic we can more
smoothly move over to Doug Gregor's proposed canonical type smart pointer
scheme.
Along with this patch:
a) Removed 'Type::getAsPointerType()'; now clients use getAs<PointerType>.
b) Removed 'Type::getAsBlockPointerTypE()'; now clients use getAs<BlockPointerType>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@76098 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
ValueManager::makeArrayIndex()/convertArrayIndex() methods. This
handles yet another crash case when reasoning about array indices of
different bitwidth and signedness.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@75884 91177308-0d34-0410-b5e6-96231b3b80d8
|
