| Age | Commit message (Collapse) | Author |
|---|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152521 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
track whether the referenced declaration comes from an enclosing
local context. I'm amenable to suggestions about the exact meaning
of this bit.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152491 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
annotations. Fixes <rdar://problem/10824732>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152448 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
symbols and regions.
Essentially, a bug centers around a story for various symbols and regions. We should only include
the path diagnostic events that relate to those symbols and regions.
The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which
can be modified at BugReport creation or by BugReporterVisitors.
This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as
having desired behavior. The only regression is a missing null check diagnostic for the return
value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix,
and I have added a FIXME to the test case.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152361 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
The final graph contains a single root node, which is a parent of all externally available functions(and 'main'). As well as a list of Parentless/Unreachable functions, which are either truly unreachable or are unreachable due to our analyses imprecision.
The analyzer checkers debug.DumpCallGraph or debug.ViewGraph can be used to look at the produced graph.
Currently, the graph is not very precise, for example, it entirely skips edges resulted from ObjC method calls.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152272 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152139 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152080 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152078 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
call arguments
when the called function is never inlined.
Fixes <rdar://problem/10977037>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152073 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
calls with self as a parameter.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152039 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
calling an ObjC method ending with 'NoCopy'.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@152037 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
from an ancestor stack frame.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151964 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
attributes, introduced in r151188.
+ the test to catch it.
Thanks to Ahmed Charles for pointing this out.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151840 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Needs llvm update.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151829 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
funopen, setvbuf.
Teach the checker and the engine about these APIs to resolve malloc
false positives. As I am adding more of these APIs, it is clear that all
this should be factored out into a separate callback (for example,
region escapes). Malloc, KeyChainAPI and RetainRelease checkers could
all use it.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151737 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
unreachable default blocks. Patch by Cyril Roelandt!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151709 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
closest function context (RetainCountChecker).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151661 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
message.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151657 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
closest function context (Keychain API).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151613 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
When allocated buffer is passed to CF/NS..NoCopy functions, the
ownership is transfered unless the deallocator argument is set to
'kCFAllocatorNull'.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151608 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
closest function context.
This prevents us from uniqueing all leaks from the same allocation
helper. radar://10932226
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151592 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
to make it more widely available.
Depends on llvm commit r151564
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151566 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
ReturnStmt unless we are in the top-level call frame. We can do more later, but this makes the checker self-consistent (and fixes a crash).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151426 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Assume none of the ObjC messages defined in system headers free memory,
except for the ones containing 'freeWhenDone' selector. Currently, just
assume that the region escapes to the messages with 'freeWhenDone'
(ideally, we want to treat it as 'free()').
For now, always assume that regions escape when passed to C++ methods.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151410 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
(Very similar to the previous change in malloc.)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151297 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
When we find two leak reports with the same allocation site, report only
one of them.
Provide a helper method to BugReporter to facilitate this.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151287 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
Make this call an exception in ExprEngine::invalidateArguments:
'int pthread_setspecific(ptheread_key k, const void *)' stores
a value into thread local storage. The value can later be retrieved
with 'void *ptheread_getspecific(pthread_key)'. So even thought the
parameter is 'const void *', the region escapes through the
call.
(Here we just blacklist the call in the ExprEngine's default
logic. Another option would be to add a checker which evaluates
the call and triggers the call to invalidate regions.)
Teach the Malloc Checker, which treats all system calls as safe about
the API.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151220 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
- We should not evaluate strdup in the Malloc Checker, it's the job of
CString checker, so just update the RefState to reflect allocated
memory.
- Refactor to reduce LOC: remove some wrapper auxiliary functions, make
all functions return the state and add the transition in one place
(instead of in each auxiliary function).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151188 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151124 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
, when we return a symbol reachable to the malloced one via pointer
arithmetic.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151121 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151120 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@151007 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
tests.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150993 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
checks:
- unix.Malloc - Checks for memory leaks, double free, use-after-free.
- unix.cstring.NullArg - Checks for null pointers passed as arguments to
CString functions + evaluates CString functions.
- unix.cstring.BadSizeArg - Checks for common anti-patterns in
strncat size argument.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150988 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
<rdar://problem/10640253>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150892 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
working, but now diagnostics are aware of message expressions implied by uses of properties. Fixes <rdar://problem/9241180>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150888 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
for functions called more than once.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150849 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
it aware of CString APIs that return the input parameter.
Malloc Checker needs to know how the 'strcpy' function is
evaluated. Introduce the dependency on CStringChecker for that.
CStringChecker knows all about these APIs.
Addresses radar://10864450
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150846 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
(Ex: It was not treating __inline_strcpy as strcpy. Will add tests that
rely on this later on.)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150845 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
- Rename the category "Logic Error" -> "Memory Error".
- Shorten all the messages.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150733 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
of failing realloc. + Minor cleanups.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150732 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
We are not properly handling the memory regions that escape into struct
fields, which led to a bunch of false positives. Be conservative here
and give up when a pointer escapes into a struct.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150658 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150556 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
the passed in pointer on failure.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150533 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
hardening.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150532 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
(In response of Ted's review of r150112.)
This moves the logic which checked if a symbol escapes through a
parameter to invalidateRegionCallback (instead of post CallExpr visit.)
To accommodate the change, added a CallOrObjCMessage parameter to
checkRegionChanges callback.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150513 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
in realloc map.
If there is no dependency, the reallocated ptr will get garbage
collected before we know that realloc failed, which would lead us to
missing a memory leak warning.
Also added new test cases, which we can handle now.
Plus minor cleanups.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150446 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
case when size is 0.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150412 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
1) Support the case when realloc fails to reduce False Positives. (We
essentially need to restore the state of the pointer being reallocated.)
2) Realloc behaves differently under special conditions (from pointer is
null, size is 0). When detecting these cases, we should consider
under-constrained states (size might or might not be 0). The
old version handled this in a very hacky way. The code did not
differentiate between definite and possible (no consideration for
under-constrained states). Further, after processing each special case,
the realloc processing function did not return but chained to the next
special case processing. So you could end up in an execution in which
you first see the states in which size is 0 and realloc ~ free(),
followed by the states corresponding to size is not 0 followed by the
evaluation of the regular realloc behavior.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150402 91177308-0d34-0410-b5e6-96231b3b80d8
|
|
a pointer cannot escape through calls to system functions. Also, stop
after reporting the first use-after-free.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150315 91177308-0d34-0410-b5e6-96231b3b80d8
|
