[analyzer] PR43102: Fix an assertion and an out-of-bounds error for diagnostic location construction

Summary:
https://bugs.llvm.org/show_bug.cgi?id=43102

In today's edition of "Is this any better n

[analyzer] PR43102: Fix an assertion and an out-of-bounds error for diagnostic location construction

Summary:
https://bugs.llvm.org/show_bug.cgi?id=43102

In today's edition of "Is this any better now that it isn't crashing?", I'd like to show you a very interesting test case with loop widening.

Looking at the included test case, it's immediately obvious that this is not only a false positive, but also a very bad bug report in general. We can see how the analyzer mistakenly invalidated `b`, instead of its pointee, resulting in it reporting a null pointer dereference error. Not only that, the point at which this change of value is noted at is at the loop, rather then at the method call.

It turns out that `FindLastStoreVisitor` works correctly, rather the supplied explodedgraph is faulty, because `BlockEdge` really is the `ProgramPoint` where this happens.
{F9855739}
So it's fair to say that this needs improving on multiple fronts. In any case, at least the crash is gone.

Full ExplodedGraph: {F9855743}

Reviewers: NoQ, xazax.hun, baloghadamsoftware, Charusso, dcoughlin, rnkovacs, TWeaver

Subscribers: JesperAntonsson, uabelho, Ka-Ka, bjope, whisperity, szepet, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, gamesh411, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D66716

llvm-svn: 372269

show more ...

[analyzer][NFC] Fix inconsistent references to checkers as "checks"

Traditionally, clang-tidy uses the term check, and the analyzer uses checker,
but in the very early years, this wasn't the case, a

[analyzer][NFC] Fix inconsistent references to checkers as "checks"

Traditionally, clang-tidy uses the term check, and the analyzer uses checker,
but in the very early years, this wasn't the case, and code originating from the
early 2010's still incorrectly refer to checkers as checks.

This patch attempts to hunt down most of these, aiming to refer to checkers as
checkers, but preserve references to callback functions (like checkPreCall) as
checks.

Differential Revision: https://reviews.llvm.org/D67140

llvm-svn: 371760

show more ...

[analyzer] NFC: Move PathDiagnostic classes to libAnalysis.

At this point the PathDiagnostic, PathDiagnosticLocation, PathDiagnosticPiece
structures no longer rely on anything specific to Static Ana

[analyzer] NFC: Move PathDiagnostic classes to libAnalysis.

At this point the PathDiagnostic, PathDiagnosticLocation, PathDiagnosticPiece
structures no longer rely on anything specific to Static Analyzer, so we can
move them out of it for everybody to use.

PathDiagnosticConsumers are still to be handed off.

Differential Revision: https://reviews.llvm.org/D67419

llvm-svn: 371661

show more ...

Switch PathDiagnostic to StringRef.

llvm-svn: 91155

Reintroduce FoldingSet profiling for PathDiagnostics.

llvm-svn: 82299

Revert most of r82198, which was causing a large number of crashes
when running the analyzer on real projects. We'll keep the change to
AnalysisManager.cpp in r82198 so that -fobjc-gc analyzes code

Revert most of r82198, which was causing a large number of crashes
when running the analyzer on real projects. We'll keep the change to
AnalysisManager.cpp in r82198 so that -fobjc-gc analyzes code
correctly in both GC and non-GC modes, although this may emit two
diagnostics for each bug in some cases (a better solution will come
later).

llvm-svn: 82201

show more ...

Introduce caching of diagnostics in BugReporter. This provides extra
pruning of diagnostics that may be emitted multiple times. This is
accomplished by adding FoldingSet profiling support to PathDi

Introduce caching of diagnostics in BugReporter. This provides extra
pruning of diagnostics that may be emitted multiple times. This is
accomplished by adding FoldingSet profiling support to PathDiagnostic,
and then having BugReporter record what diagnostics have been issued.

This was motived to a serious bug introduced by moving the
'divide-by-zero' checking outside of GRExprEngine into a separate
'Checker' class. When analyzing code using the '-fobjc-gc' option, a
given function would be analyzed twice, but the second time various
"internal checks" would be disabled to avoid emitting multiple
diagnostics (e.g., "null dereference") for the same issue. The
problem is that such checks also effect path pruning and don't just
emit diagnostics. This resulted in an assertion failure involving a
real divide-by-zero in some analyzed code where we would get an
assertion failure in APInt because the 'DivZero' check was disabled
and didn't prune the logic that resulted in the divide-by-zero in the
analyzer.

The implemented solution is somewhat of a hack, and may not perform
extremely well. This will need to be cleaned up over time.

As a regression test, 'misc-ps.m' has been modified so that its tests
are run using -fobjc-gc to test this diagnostic pruning behavior.

llvm-svn: 82198

show more ...

Eliminate FunctionDecl::getBodyIfAvailable

llvm-svn: 81588

Remove tabs, and whitespace cleanups.

llvm-svn: 81346

Remove '#include <sstream>' from libAnalysis.

llvm-svn: 74245

PathDiagnosticLocation::asRange(): for a PathDiagnosticLocation, the range of a DeclStmt is only the decl, not
the decl + initializer.

llvm-svn: 71831

Implement function-try-blocks. However, there's a very subtle bug that I can't track down.

llvm-svn: 70155

Add PathDiagnosticRange to PathDiagnostics. These simply wrap SourceRange and
indicate whether or not the range represents an absolute range or should be
extended by lexing to the end of the token.

Add PathDiagnosticRange to PathDiagnostics. These simply wrap SourceRange and
indicate whether or not the range represents an absolute range or should be
extended by lexing to the end of the token.

llvm-svn: 69834

show more ...

PathDiagnosticLocation: ranges for terminators now only include the first
character instead of the entire range for the IfStmt, ForStmt, etc. We may
gradually refine these ranges later, but basically

PathDiagnosticLocation: ranges for terminators now only include the first
character instead of the entire range for the IfStmt, ForStmt, etc. We may
gradually refine these ranges later, but basically terminator ranges just refer
to the first keyword.

llvm-svn: 69812

show more ...

FunctionDecl::getBody() is getting an ASTContext argument for use in
lazy PCH deserialization. Propagate that argument wherever it needs to
be. No functionality change, except that I've tightened up

FunctionDecl::getBody() is getting an ASTContext argument for use in
lazy PCH deserialization. Propagate that argument wherever it needs to
be. No functionality change, except that I've tightened up a few PCH
tests in preparation.

llvm-svn: 69406

show more ...

PathDiagnosticLocation now also wraps Decls.

llvm-svn: 68470

- Changed PathDiagnosticPiece::getLocation() to return a PathDiagnosticLocation
instead of a FullSourceLoc. This resulted in a bunch of small edits in various
clients.
- Updated BugReporter to in

- Changed PathDiagnosticPiece::getLocation() to return a PathDiagnosticLocation
instead of a FullSourceLoc. This resulted in a bunch of small edits in various
clients.
- Updated BugReporter to include an alternate PathDiagnostic generation
algorithm for PathDiagnosticClients desiring more control-flow pieces.

llvm-svn: 68193

show more ...

- Add class PathDiagosticLocationPair.
- Have PathDiagnosticControlFlowPiece use a vector of PathDiagnosticLocationPairs to represent transitions.

llvm-svn: 67786

Implement PathDiagnosticLocation::asRange() and PathDiagnosticLocation::asStmt().

llvm-svn: 67777

Add comment.

llvm-svn: 67776

Restructure code to silence bogus GCC warning.

llvm-svn: 67775

- Implement PathDiagnosticLocation::asLocation.
- Switch PathDiagnosticEventPiece and PathDiagnosticMacroPiece to use
PathDiagnosticLocation.

llvm-svn: 67774

PathDiagnostics (analyzer):
- Added a new class, 'PathDiagnosticLocation', that is a variant for
SourceLocation, SourceRange, or Stmt*. This will be used soon by
PathDiagnosticPieces to describe

PathDiagnostics (analyzer):
- Added a new class, 'PathDiagnosticLocation', that is a variant for
SourceLocation, SourceRange, or Stmt*. This will be used soon by
PathDiagnosticPieces to describe locations for targets of branches, locations
of events, etc.
- Did some prep. refactoring of PathDiagnosticPieces to prepare them for
adopting the new PathDiagnosticLocation

llvm-svn: 67767

show more ...

PathDiagnostics:
- PathDiagnosticControlFlowPiece now consists of a "start" and "end" location
to indicating the branch location and where the branch goes.

BugReporter:
- Updated BugReporter to co

PathDiagnostics:
- PathDiagnosticControlFlowPiece now consists of a "start" and "end" location
to indicating the branch location and where the branch goes.

BugReporter:
- Updated BugReporter to construct PathDiagnosticControlFlowPiece objects with
"end" locations.

PlistDiagnostics:
- Plists now contain the bug "type" (not just bug "category")
- Plists now encode control-flow pieces differently than events; now the
"start" and "end" locations are recorded

llvm-svn: 66818

show more ...

BugReporter:
- Group control flow and event PathDiagnosticPieces into PathDiagnosticMacroPieces.
- Afterwards, eliminate any PathDiagnosticMacroPieces from a PathDiagnostic that
contain no informat

BugReporter:
- Group control flow and event PathDiagnosticPieces into PathDiagnosticMacroPieces.
- Afterwards, eliminate any PathDiagnosticMacroPieces from a PathDiagnostic that
contain no informative events.

HTMLDiagnostics:
- Use new information about PathDiagnosticMacroPieces to specially format
message bubbles for macro expansions containing interesting events.

llvm-svn: 66524

show more ...