path: root/lib/StaticAnalyzer
Age | Commit message | Author
2011-11-17 | [analyzer] Do not conjure a symbol when we need to propagate taint. | Anna Zaks
When the solver and SValBuilder cannot reason about symbolic expressions (ex: (x+1)*y), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation. With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted. Also added some comments and asserts. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144932 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-17 | [analyzer] Minor tweaks to the ProgramState::isTainted(). | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144928 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-17 | [analyzer] Add a helper method. | Anna Zaks
Naming could be improved. But we should first rename the classes in the SVal hierarchy. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144927 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-17 | [analysis] Constify CheckerContext. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144871 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-17 | [analyzer] Put CheckerContext::getCalleeName out of line. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144870 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-16 | Fixed crash with initializer lists and unnamed bitfields in the RegionStore Manager. | Jim Goodnow II
Added test to ensure proper binding of initialized values. This patch fixes PR11249. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144831 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-16 | Update CMake build. | Benjamin Kramer
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144829 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-16 | [analyzer] Catch the first taint propagation implied buffer overflow. | Anna Zaks
Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows when the offset is tainted. Previously, we did not report bugs when the state was underconstrained (not enough information about the bound to determine if there is an overflow) to avoid false positives. However, if we know that the buffer offset is tainted (comes in from the user space and can be anything), we should report it as a bug. + The very first example of us catching a taint related bug. This is the only example we can currently handle. More to come... git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144826 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-16 | [analyzer] Adding generic taint checker. | Anna Zaks
The checker is responsible for defining attack surface and adding taint to symbols. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144825 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-16 | [analyzer] Adding basic building blocks for taint propagation. | Anna Zaks
TaintTag.h will contain definitions of different taint kinds and their properties. TaintManager will be responsible for implementing taint specific operations, storing taint. ProgramState will provide API to add/remove taint. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144824 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-16 | [analyzer] Cleanup: Null->0, comments. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144823 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-16 | [analyzer] Factor getCalleeName to the checker context. | Anna Zaks
Many checkers are trying to get a name of the callee when visiting a CallExpr, so provide a convenience API. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144820 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-14 | [static analyzer] Tweak RetainCountChecker's diagnostics to correctly indicate if a message was due to a property access. | Ted Kremenek
This can potentially be refactored for other clients, and this is a regression from the refactoring of property accesses. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144571 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-14 | [analyzer;Regionstore] handle loads from StringLiteral elements for StringLiterals representing wide strings. | Ted Kremenek
Fixes PR 11294. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144563 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-11 | [static analyzer] be more specific when running removeDeadBindings. | Ted Kremenek
Instead of seeing if the predecessor node was a non-StmtPoint, check if it is specifically a BlockEntrance node. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144340 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-10 | [static analyzer]: only call RemoveDeadBindings() when analyzing non-Expr stmts, entering a basic block, or analyzing non-consumed expressions. | Ted Kremenek
This significantly speeds up analysis time, and reduces analysis time down to 27% less than before we linearized the CFG. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144332 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-10 | Constant expression evaluation: support for evaluation of structs and unions of literal types, as well as derived-to-base casts for lvalues and derived-to-virtual-base casts. | Richard Smith
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144265 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-08 | [analyzer] Remove redundant check from DivZeroChecker | Anna Zaks
Analysis by Ted: "if (stateZero && !stateNotZero) { is checking to see if: (A) "it is possible for the value to be zero" (stateZero) AND (B) "it is not possible for the value to be non-zero" (!stateNotZero). That said, the only way for both B to be true AND A to be false is if the path is completely infeasible by the time we reach the divide-by-zero check. For the most part (all cases?), such cases should automatically get pruned out at branches (i.e., an infeasible path gets dropped), which is the case in our tests. So the question is whether or not such an infeasible path might not get dropped earlier? I can't envision any right now. Indeed, the rest of the checker assumes that if the bug condition didn't fire then 'stateNotZero' is non-NULL: C.addTransition(stateNotZero);" git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144114 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-07 | Rip out CK_GetObjCProperty. | John McCall
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143910 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-06 | Change the AST representation of operations on Objective-C property references to use a new PseudoObjectExpr expression which pairs a syntactic form of the expression with a set of semantic expressions implementing it. | John McCall
This should significantly reduce the complexity required elsewhere in the compiler to deal with these kinds of expressions (e.g. IR generation's special l-value kind, the static analyzer's Message abstraction), at the lower cost of specifically dealing with the odd AST structure of these expressions. It should also greatly simplify efforts to implement similar language features in the future, most notably Managed C++'s properties and indexed properties. Most of the effort here is in dealing with the various clients of the AST. I've gone ahead and simplified the ObjC rewriter's use of properties; other clients, like IR-gen and the static analyzer, have all the old complexity *and* all the new complexity, at least temporarily. Many thanks to Ted for writing and advising on the necessary changes to the static analyzer. I've xfailed a small diagnostics regression in the static analyzer at Ted's request. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143867 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-05 | [analyzer] There should be a space between "expect" and "only" | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143787 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-04 | Remove unused variables. | Benjamin Kramer
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143696 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-02 | Fix various minor issues found via unreachable code warnings, from Ahmed Charles! | Douglas Gregor
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143569 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-02 | Remove virtually empty file. | Benjamin Kramer
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143538 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-01 | [analyzer] Make sink attribute part of the node profile. | Anna Zaks
This prevents caching out on nodes with different sink flag. (This is a cleaner fix for radar://10376675). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143517 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-01 | [analyzer] Fix PR11282 - an assert in markAsSink | Anna Zaks
This is another fallout from the refactoring. We were calling MarkAsSink on a cached out node. (Fixes radar://10376675) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143516 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-01 | [analyzer] Make sure the child builders use temporary destination sets | Anna Zaks
The parent and child builders should not share node sets. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143515 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-01 | [analyzer] BranchNodeBuilder should not generate autotransitions. | Anna Zaks
This fixes radar://10367606 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143514 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-01 | [analyzer] CheckerContext::getPredecessor() cleanup | Anna Zaks
Remove unnecessary calls to CheckerContext::getPredecessor() + Comments. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143513 91177308-0d34-0410-b5e6-96231b3b80d8
2011-11-01 | [analyzer] Remove the CheckerContext's destructor. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143512 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-29 | Rename Expr::Evaluate to Expr::EvaluateAsRValue to make it clear that it will implicitly perform an lvalue-to-rvalue conversion if used on an lvalue expression. | Richard Smith
Also improve the documentation of Expr::Evaluate* to indicate which of them will accept expressions with side-effects. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143263 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-28 | [analyzer] ObjC message sends to nil receivers that return structs are now okay (compiler zeroes out the data). | Ted Kremenek
Fixes <rdar://problem/9151319>. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143215 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-27 | [analyzer] Move enqueueEndOfFunction into CoreEngine. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143090 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-27 | [analyzer] Make CoreEngine responsible for enqueueing Stmt Nodes. | Anna Zaks
Enqueue the nodes generated as the result of processing a statement inside the Core Engine. This makes sure ExpEngine does not access CoreEngine's private members and is more concise. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143089 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-26 | [analyzer] Add getLocationContext to CheckerContext | Anna Zaks
CheckerContext::getPredecessor is only used to get to the LocationContext half of the times. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143061 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-26 | [analyzer] Remove EmitBasicReport from CheckerContext. | Anna Zaks
The path sensitive checkers should use EmitBasicReport, which provides the node information. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143060 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-26 | [analyzer] Rename generateNode -> addTransition in CheckerContext | Anna Zaks
Also document addTransition methods. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143059 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-26 | [analyzer] GenericNodeBuilder -> NodeBuilder. | Anna Zaks
Remove GenericNodeBuilder and use a class inherited from NodeBuilder instead. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@143057 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-25 | [analyzer] Remove getEngine() from CheckerContext | Anna Zaks
A step toward making sure that diagnostic reports should only be generated through the CheckerContext and not through BugReporter or ExprEngine directly. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142947 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-25 | [analyzer] Simplify CheckerContext | Anna Zaks
Remove dead members/parameters: ProgramState, respondsToCallback, autoTransition. Remove addTransition method since it's the same as generateNode. Maybe we should rename generateNode to genTransition (since a transition is always automatically generated)? git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142946 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-25 | [analyzer] Remove unused headers. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142945 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-25 | [analyzer] Make branch for condition callback use CheckerContext | Anna Zaks
Now, all the path sensitive checkers use CheckerContext! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142944 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-25 | [analyzer] Convert EndOfPath callback to use CheckerContext | Anna Zaks
Get rid of the EndOfPathBuilder completely. Use the generic NodeBuilder to generate nodes. Enqueue the end of path frontier explicitly. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142943 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-25 | Implement support for dependent Microsoft __if_exists/__if_not_exists statements. | Douglas Gregor
As noted in the documentation for the AST node, the semantics of __if_exists/__if_not_exists are somewhat different from the way Visual C++ implements them, because our parsed-template representation can't accommodate VC++ semantics without serious contortions. Hopefully this implementation is "good enough". git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142901 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-25 | Add source-level dominators analysis. Patch by Guoping Long! | Ted Kremenek
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142885 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-24 | [analyzer] Node builders cleanup + comments | Anna Zaks
Renamed PureNodeBuilder->StmtNodeBuilder. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142849 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-24 | [analyzer] Remove the old StmtNodeBuilder. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142848 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-24 | [analyzer] Completely remove the global Builder object. | Anna Zaks
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142847 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-24 | [analyzer] Remove more dependencies from global Builder | Anna Zaks
- OSAtomicChecker
- ExprEngine::processStmt
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142846 91177308-0d34-0410-b5e6-96231b3b80d8
2011-10-24 | [analyzer] Convert ExprEngine::visit() to use short lived builders. | Anna Zaks
This commit removes the major functional dependency on the ExprEngine::Builder member variable. In some cases the code became more verbose. Particularly, we call takeNodes() and addNodes() to move responsibility for the nodes from one builder to another. This will get simplified later on. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@142831 91177308-0d34-0410-b5e6-96231b3b80d8