History log of /llvm-project/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp (Results 76 – 100 of 208)
# afe62cdc 16-May-2018 Henry Wong <movietravelcode@outlook.com>

[analyzer] Improve the modeling of memset().

Since there is no perfect way to bind the non-zero value with the default binding, this patch only considers the case where buffer's offset is zero and the char value is 0. And according to the value for overwriting, decide how to update the string length.

Reviewers: dcoughlin, NoQ, xazax.hun, a.sidorin, george.karpenkov

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D44934

llvm-svn: 332463


# c1984371 14-May-2018 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] Re-apply r331096 "CStringChecker: Add support for BSD strlcpy()...".

Fixed after revert in r331401.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D45177

llvm-svn: 332303


# 1aaf4025 02-May-2018 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] Revert r331096 "CStringChecker: Add support for BSD strlcpy()...".

The return values of the newly supported functions were not handled correctly:
strlcpy()/strlcat() return string sizes rather than pointers.

Differential Revision: https://reviews.llvm.org/D45177

llvm-svn: 331401


# 03283ae9 27-Apr-2018 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] CStringChecker: Add support for BSD strlcpy() and strlcat().

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D45177

llvm-svn: 331096


# 7af1c990 23-Apr-2018 Henry Wong <movietravelcode@outlook.com>

[analyzer] CStringChecker.cpp - Code refactoring on bug report.

Reviewers: NoQ, george.karpenkov, xazax.hun

Reviewed By: george.karpenkov

Differential Revision: https://reviews.llvm.org/D44557

llvm-svn: 330589


Revision tags: llvmorg-6.0.1-rc1
# 6fe0f035 31-Mar-2018 George Karpenkov <ekarpenkov@apple.com>

[analyzer] Fix assertion crash in CStringChecker

An offset might be unknown.

rdar://39054939

Differential Revision: https://reviews.llvm.org/D45115

llvm-svn: 328912


Revision tags: llvmorg-5.0.2, llvmorg-5.0.2-rc2
# 69949d0b 21-Mar-2018 Artem Dergachev <artem.dergachev@gmail.com>

Revert r326782 "[analyzer] CStringChecker.cpp: Remove the duplicated check...".

It seems that the refactoring was causing a functional change and some warnings
have disappeared.

llvm-svn: 328067


Revision tags: llvmorg-5.0.2-rc1
# 945a84a0 06-Mar-2018 Henry Wong <movietravelcode@outlook.com>

[analyzer] CStringChecker.cpp: Remove the duplicated check about null dereference on dest-buffer or src-buffer.

Summary: `CheckBufferAccess()` calls `CheckNonNull()`, so there are some calls to `CheckNonNull()` that are useless.

Reviewers: dcoughlin, NoQ, xazax.hun, cfe-commits, george.karpenkov

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, MTC, a.sidorin

Differential Revision: https://reviews.llvm.org/D44075

llvm-svn: 326782


Revision tags: llvmorg-6.0.0, llvmorg-6.0.0-rc3, llvmorg-6.0.0-rc2
# 2ff57bcd 20-Jan-2018 Devin Coughlin <dcoughlin@apple.com>

[analyzer] Provide a check name when MallocChecker enables CStringChecker

Fix an assertion failure caused by a missing CheckName. The malloc checker
enables "basic" support in the CStringChecker, which causes some CString
bounds checks to be enabled. In this case, make sure that we have a
valid CheckName for the BugType.

llvm-svn: 323052


# d703ec94 17-Jan-2018 George Karpenkov <ekarpenkov@apple.com>

[analyzer] introduce getSVal(Stmt *) helper on ExplodedNode, make sure the helper is used consistently

In most cases using
`N->getState()->getSVal(E, N->getLocationContext())`
is ugly, verbose, and also opens up more surface area for bugs if an
inconsistent location context is used.

This patch introduces a helper on an exploded node, and ensures
consistent usage of either `ExplodedNode::getSVal` or
`CheckContext::getSVal` across the codebase.
As a result, a large number of redundant lines is removed.

Differential Revision: https://reviews.llvm.org/D42155

llvm-svn: 322753


Revision tags: llvmorg-6.0.0-rc1, llvmorg-5.0.1, llvmorg-5.0.1-rc3, llvmorg-5.0.1-rc2
# 0b5b1f14 07-Nov-2017 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] pr34779: CStringChecker: Accept non-standard headers.

Do not crash when trying to define and call a non-standard
strcpy(unsigned char *, unsigned char *) during analysis.

At the same time, do not try to actually evaluate the call.

Differential Revision: https://reviews.llvm.org/D39422

llvm-svn: 317565


Revision tags: llvmorg-5.0.1-rc1
# db65f969 13-Oct-2017 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] CStringChecker: pr34460: Avoid a crash when a cast is not modeled.

The checker used to crash when a mempcpy's length argument is symbolic. In this
case the cast from 'void *' to 'char *' failed because the respective
ElementRegion that represents cast is hard to add on top of the existing
ElementRegion that represents the offset to the last copied byte, while
preserving a sane memory region structure.

Additionally, a few test cases are added (to casts.c) which demonstrate problems
caused by existing sloppy work we do with multi-layer ElementRegions. If said
cast would be modeled properly in the future, these tests would need to be
taken into account.

Differential Revision: https://reviews.llvm.org/D38797

llvm-svn: 315742


Revision tags: llvmorg-5.0.0, llvmorg-5.0.0-rc5, llvmorg-5.0.0-rc4, llvmorg-5.0.0-rc3, llvmorg-5.0.0-rc2, llvmorg-5.0.0-rc1
# 4dfcec6b 20-Jun-2017 Leslie Zhai <lesliezhai@llvm.org.cn>

[analyzer] Check NULL pointer dereference issue for memset function

Reviewers: dcoughlin, zaks.anna, NoQ, danielmarjamaki

Reviewed By: NoQ, danielmarjamaki

Differential Revision: https://reviews.llvm.org/D31868

llvm-svn: 305773


Revision tags: llvmorg-4.0.1, llvmorg-4.0.1-rc3, llvmorg-4.0.1-rc2, llvmorg-4.0.1-rc1, llvmorg-4.0.0, llvmorg-4.0.0-rc4, llvmorg-4.0.0-rc3, llvmorg-4.0.0-rc2, llvmorg-4.0.0-rc1
# b570195c 13-Jan-2017 Anna Zaks <ganna@apple.com>

[analyzer] Add LocationContext as a parameter to checkRegionChanges

This patch adds LocationContext to checkRegionChanges and removes
wantsRegionChangeUpdate as it was unused.

A patch by Krzysztof Wiśniewski!

Differential Revision: https://reviews.llvm.org/D27090

llvm-svn: 291869


Revision tags: llvmorg-3.9.1, llvmorg-3.9.1-rc3, llvmorg-3.9.1-rc2, llvmorg-3.9.1-rc1
# 1485992e 16-Nov-2016 Anna Zaks <ganna@apple.com>

[analyzer] Remove unused check::RegionChanges::wantsRegionChangeUpdate callback

Remove the check::RegionChanges::wantsRegionChangeUpdate callback as it is no
longer used (since checkPointerEscape has been added).

A patch by Krzysztof Wiśniewski!

Differential Revision: https://reviews.llvm.org/D26759

llvm-svn: 287175


Revision tags: llvmorg-3.9.0, llvmorg-3.9.0-rc3, llvmorg-3.9.0-rc2
# cbce96c3 17-Aug-2016 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] Add LocationContext information to SymbolMetadata.

Like SymbolConjured, SymbolMetadata also needs to be uniquely
identified by the moment of its birth.

Such moments are coded by the (Statement, LocationContext, Block count) triples.
Each such triple represents the moment of analyzing a statement with a certain
call backtrace, with corresponding CFG block having been entered a given amount
of times during analysis of the current code body.

The LocationContext information was accidentally omitted for SymbolMetadata,
which leads to reincarnation of SymbolMetadata upon re-entering a code body
with a different backtrace; the new symbol is incorrectly unified with
the old symbol, which leads to unsound assumptions.

Patch by Alexey Sidorin!

Differential Revision: https://reviews.llvm.org/D21978

llvm-svn: 278937


Revision tags: llvmorg-3.9.0-rc1
# 9670f847 18-Jul-2016 Mehdi Amini <mehdi.amini@apple.com>

[NFC] Header cleanup

Summary: Removed unused headers, replaced some headers with forward class declarations

Patch by: Eugene <claprix@yandex.ru>

Differential Revision: https://reviews.llvm.org/D20100

llvm-svn: 275882


Revision tags: llvmorg-3.8.1, llvmorg-3.8.1-rc1
# 8a88b908 19-May-2016 Anton Yartsev <anton.yartsev@gmail.com>

[analyzer] Fix for PR23790 : constrain return value of strcmp() rather than returning a concrete value.

The function strcmp() can return any value, not just {-1,0,1} : "The strcmp(const char *s1, const char *s2) function returns an integer greater than, equal to, or less than zero, accordingly as the string pointed to by s1 is greater than, equal to, or less than the string pointed to by s2." [C11 7.24.4.2p3]
https://llvm.org/bugs/show_bug.cgi?id=23790
http://reviews.llvm.org/D16317

llvm-svn: 270154


# 70247e69 25-Apr-2016 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] Let TK_PreserveContents span across the whole base region.

If an address of a field is passed through a const pointer,
the whole structure's base region should receive the
TK_PreserveContents trait and avoid invalidation.

Additionally, include a few FIXME tests shown up during testing.

Differential Revision: http://reviews.llvm.org/D19057

llvm-svn: 267413


Revision tags: llvmorg-3.8.0, llvmorg-3.8.0-rc3
# 9165df12 07-Feb-2016 Devin Coughlin <dcoughlin@apple.com>

[analyzer] Invalidate destination of std::copy() and std::copy_backward().

Now that the libcpp implementations of these methods have a branch that doesn't call
memmove(), the analyzer needs to invalidate the destination for these methods explicitly.

rdar://problem/23575656

llvm-svn: 260043


Revision tags: llvmorg-3.8.0-rc2, llvmorg-3.8.0-rc1
# 73f018e3 13-Jan-2016 Artem Dergachev <artem.dergachev@gmail.com>

[analyzer] Fix SVal/SymExpr/MemRegion class and enum names for consistency.

The purpose of these changes is to simplify introduction of definition files
for the three hierarchies.

1. For every sub-class C of these classes, its kind in the relevant enumeration
is changed to "CKind" (or C##Kind in preprocessor-ish terms), eg:

MemRegionKind -> MemRegionValKind
RegionValueKind -> SymbolRegionValueKind
CastSymbolKind -> SymbolCastKind
SymIntKind -> SymIntExprKind

2. MemSpaceRegion used to be inconsistently used as both an abstract base and
a particular region. This region class is now an abstract base and no longer
occupies GenericMemSpaceRegionKind. Instead, a new class, CodeSpaceRegion,
is introduced for handling the unique use case for MemSpaceRegion as
"the generic memory space" (when it represents a memory space that holds all
executable code).

3. BEG_ prefixes in memory region kind ranges are renamed to BEGIN_ for
consistency with symbol kind ranges.

4. FunctionTextRegion and BlockTextRegion are renamed to FunctionCodeRegion and
BlockCodeRegion, respectively. The term 'code' is less jargony than 'text' and
we already refer to BlockTextRegion as a 'code region' in BlockDataRegion.

Differential Revision: http://reviews.llvm.org/D16062

llvm-svn: 257598


# 9c10490e 28-Dec-2015 Alexander Kornienko <alexfh@google.com>

Refactor: Simplify boolean conditional return statements in lib/StaticAnalyzer/Checkers

Summary: Use clang-tidy to simplify boolean conditional return values

Reviewers: dcoughlin, krememek

Subscribers: krememek, cfe-commits

Patch by Richard Thomson!

Differential Revision: http://reviews.llvm.org/D10021

llvm-svn: 256491


Revision tags: llvmorg-3.7.1, llvmorg-3.7.1-rc2, llvmorg-3.7.1-rc1
# 0da2e933 24-Sep-2015 Devin Coughlin <dcoughlin@apple.com>

[analyzer] When memcpy'ing into a fixed-size array, do not invalidate entire region.

Change the analyzer's modeling of memcpy to be more precise when copying into fixed-size
array fields. With this change, instead of invalidating the entire containing region the
analyzer now invalidates only offsets for the array itself when it can show that the
memcpy stays within the bounds of the array.

This addresses false positive memory leak warnings of the kind reported by
krzysztof in https://llvm.org/bugs/show_bug.cgi?id=22954

(This is the second attempt, now with assertion failures resolved.)

A patch by Pierre Gousseau!

Differential Revision: http://reviews.llvm.org/D12571

llvm-svn: 248516


# e39bd407 16-Sep-2015 Devin Coughlin <dcoughlin@apple.com>

[analyzer] Add generateErrorNode() APIs to CheckerContext.

The analyzer trims unnecessary nodes from the exploded graph before reporting
path diagnostics. However, in some cases it can trim all nodes (including the
error node), leading to an assertion failure (see
https://llvm.org/bugs/show_bug.cgi?id=24184).

This commit addresses the issue by adding two new APIs to CheckerContext to
explicitly create error nodes. Unless the client provides a custom tag, these
APIs tag the node with the checker's tag -- preventing it from being trimmed.
The generateErrorNode() method creates a sink error node, while
generateNonFatalErrorNode() creates an error node for a path that should
continue being explored.

The intent is that one of these two methods should be used whenever a checker
creates an error node.

This commit updates the checkers to use these APIs. These APIs
(unlike addTransition() and generateSink()) do not take an explicit Pred node.
This is because there are not any error nodes in the checkers that were created
with an explicit different than the default (the CheckerContext's Pred node).

It also changes generateSink() to require state and pred nodes (previously
these were optional) to reduce confusion.

Additionally, there were several cases where checkers did check whether a
generated node could be null; we now explicitly check for null in these places.

This commit also includes a test case written by Ying Yi as part of
http://reviews.llvm.org/D12163 (that patch originally addressed this issue but
was reverted because it introduced false positive regressions).

Differential Revision: http://reviews.llvm.org/D12780

llvm-svn: 247859


# 3a0678e3 08-Sep-2015 Ted Kremenek <kremenek@apple.com>

[analyzer] Apply whitespace cleanups by Honggyu Kim.

llvm-svn: 246978

