#
14fe9f36 |
| 01-Nov-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename ConditionTruthVal::isTrue to isConstrainedTrue.
(and the same for isFalse)
No functionality change.
llvm-svn: 167186
|
#
58a2c4e4 |
| 29-Oct-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Malloc checker cleanup/refactor
No need for the auxiliary flag. No need to generate a leak node when there is no error.
llvm-svn: 166977
|
#
c102b35b |
| 22-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
Use llvm::getOrdinalSuffix to print ordinal numbers in diagnostics.
Just a refactoring of common infrastructure. No intended functionality change.
llvm-svn: 164443
|
#
d6e5fd52 |
| 20-Sep-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] MallocChecker should not do post-call checks on inlined functions.
If someone provides their own function called 'strdup', or 'reallocf', or even 'malloc', and we inlined it, the inlining should have given us all the malloc-related information we need. If we then try to attach new information to the return value, we could end up with spurious warnings.
<rdar://problem/12317671>
llvm-svn: 164276
|
#
42782343 |
| 17-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Teach the analyzer about implicit initialization of statics in ObjCMethods.
Extend FunctionTextRegion to represent ObjC methods as well as functions. Note, it is not clear what type ObjCMethod region should return. Since the type of the FunctionText region is not currently used, defer solving this issue.
llvm-svn: 164046
|
#
75cfbb60 |
| 12-Sep-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix another false positive in malloc realloc logic.
llvm-svn: 163749
|
#
244e1d7d |
| 07-Sep-2012 |
Ted Kremenek <kremenek@apple.com> |
Remove ProgramState::getSymVal(). It was being misused by Checkers, with at least one subtle bug in MacOSXKeyChainAPIChecker where calling the method was a substitute for assuming a symbolic value was null (which is not the case).
We still keep ConstraintManager::getSymVal(), but we use that as an optimization in SValBuilder and ProgramState::getSVal() to constant-fold SVals. This is only if the ConstraintManager can provide us with that information, which is no longer a requirement. As part of this, introduce a default implementation of ConstraintManager::getSymVal() which returns null.
For Checkers, introduce ConstraintManager::isNull(), which queries the state to see if the symbolic value is constrained to be a null value. It does this without assuming it has been implicitly constant folded.
llvm-svn: 163428
|
#
fe6eb67b |
| 24-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fix realloc related bug in the malloc checker.
When reallocation of a non-allocated (not owned) symbol fails do not expect it to be freed.
llvm-svn: 162533
|
#
d94854a4 |
| 22-Aug-2012 |
Ted Kremenek <kremenek@apple.com> |
Rename 'currentX' to 'currX' throughout analyzer and libAnalysis. Also rename 'getCurrentBlockCounter()' to 'blockCount()'.
This ripples a bunch of code simplifications; mostly aesthetic, but makes the code a bit tighter.
llvm-svn: 162349
|
#
23a62018 |
| 09-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Cleanup of malloc checker.
Remove Escaped state, which is not really necessary. We can just stop tracking the symbol instead of keeping it around and marking escaped.
llvm-svn: 161557
|
#
d86b3bdb |
| 08-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Clean up the printing of FieldRegions for leaks.
Unfortunately, generalized region printing is very difficult:
- ElementRegions are used both for casting and as actual elements.
- Accessing values through a pointer means going through an intermediate SymbolRegionValue; symbolic regions are untyped.
- Referring to implicitly-defined variables like 'this' and 'self' could be very confusing if they come from another stack frame.
We fall back to simply not printing the region name if we can't be sure it will print well. This will allow us to improve in the future.
llvm-svn: 161512
|
#
356279ca |
| 08-Aug-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Track malloc'd regions stored in structs.
The main blocker on this (besides the previous commit) was that ScanReachableSymbols was not looking through LazyCompoundVals. Once that was fixed, it's easy enough to clear out malloc data on return, just like we do when we bind to a global region.
<rdar://problem/10872635>
llvm-svn: 161511
|
#
6ce686e6 |
| 04-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Malloc: remove assert since is not valid as of r161248
We can be in the situation where we did not track the symbol before realloc was called on it.
llvm-svn: 161294
|
#
52242a66 |
| 03-Aug-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Malloc: track non-allocated but freed memory
There is no reason why we should not track the memory which was not allocated in the current function, but was freed there. This would allow to catch more use-after-free and double free with no/limited IPA.
Also fix a realloc issue which surfaced as the result of this patch.
llvm-svn: 161248
|
#
4f7df9be |
| 26-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Rename Calls.{h,cpp} to CallEvent.{h,cpp}. No functionality change.
llvm-svn: 160815
|
#
6cd16c51 |
| 10-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Guard against C++ member functions that look like system functions.
C++ method calls and C function calls both appear as CallExprs in the AST. This was causing crashes for an object that had a 'free' method.
<rdar://problem/11822244>
llvm-svn: 160029
|
#
fbe6dba1 |
| 10-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Make CallEnter, CallExitBegin, and CallExitEnd not be StmtPoints
These ProgramPoints are used in inlining calls, and not all calls have associated statements anymore.
llvm-svn: 160021
|
#
681cce99 |
| 10-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add new PreImplicitCall and PostImplicitCall ProgramPoints.
These are currently unused, but are intended to be used in lieu of PreStmt and PostStmt when the call is implicit (e.g. an automatic object destructor).
This also modifies the Data1 field of ProgramPoints to allow storing any pointer-sized value, as opposed to only aligned pointers. This is necessary to store SourceLocations.
There is currently no BugReporter support for these; they should be skipped over in any diagnostic output.
This commit also tags checkers that currently rely on function calls only occurring at StmtPoints.
llvm-svn: 160019
|
#
547060b3 |
| 02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Finish replacing ObjCMessage with ObjCMethodDecl and friends.
The preObjCMessage and postObjCMessage callbacks now take an ObjCMethodCall argument, which can represent an explicit message send (ObjCMessageSend) or an implicit message generated by a property access (ObjCPropertyAccess).
llvm-svn: 159559
|
#
6bad4905 |
| 02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Begin replacing ObjCMessage with ObjCMethodCall and friends.
Previously, the CallEvent subclass ObjCMessageInvocation was just a wrapper around the existing ObjCMessage abstraction (over message sends and property accesses). Now, we have abstract CallEvent ObjCMethodCall with subclasses ObjCMessageSend and ObjCPropertyAccess.
In addition to removing yet another wrapper object, this should make it easy to add a ObjCSubscriptAccess call event soon.
llvm-svn: 159558
|
#
7ab0182e |
| 02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Move the last bits of CallOrObjCMessage over to CallEvent.
This involved refactoring some common pointer-escapes code onto CallEvent, then having MallocChecker use those callbacks for whether or not to consider a pointer's /ownership/ as escaping. This still needs to be pinned down, and probably we want to make the new argumentsMayEscape() function a little more discerning (content invalidation vs. ownership/metadata invalidation), but this is a good improvement.
As a bonus, also remove CallOrObjCMessage from the source completely.
llvm-svn: 159557
|
#
742920c8 |
| 02-Jul-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Add a new abstraction over all types of calls: CallEvent
This is intended to replace CallOrObjCMessage, and is eventually intended to be used for anything that cares more about /what/ is being called than /how/ it's being called. For example, inlining destructors should be the same as inlining blocks, and checking __attribute__((nonnull)) should apply to the allocator calls generated by operator new.
llvm-svn: 159554
show more ...
|
#
4688e608 |
| 25-Jun-2012 |
Jordan Rose <jordan_rose@apple.com> |
[analyzer] Be careful about implicitly-declared operator new/delete. (PR13090)
The implicit global allocation functions do not have valid source locations, but we still want to treat them as being "system header" functions for the purposes of how they affect program state.
llvm-svn: 159160
|
#
26712c84 |
| 22-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Teach malloc checker that initWith[Bytes|Characters}NoCopy relinquish memory.
llvm-svn: 159043
|
#
e4b6d5e1 |
| 22-Jun-2012 |
Anna Zaks <ganna@apple.com> |
[analyzer] Fixup to r158958.
llvm-svn: 159037
|