[analyzer] Malloc checker: rework realloc handling:

1) Support the case when realloc fails to reduce False Positives. (We
essentially need to restore the state of the pointer being reallocated.)

2)

[analyzer] Malloc checker: rework realloc handling:

1) Support the case when realloc fails to reduce False Positives. (We
essentially need to restore the state of the pointer being reallocated.)

2) Realloc behaves differently under special conditions (from pointer is
null, size is 0). When detecting these cases, we should consider
under-constrained states (size might or might not be 0). The
old version handled this in a very hacky way. The code did not
differentiate between definite and possible (no consideration for
under-constrained states). Further, after processing each special case,
the realloc processing function did not return but chained to the next
special case processing. So you could end up in an execution in which
you first see the states in which size is 0 and realloc ~ free(),
followed by the states corresponding to size is not 0 followed by the
evaluation of the regular realloc behavior.

llvm-svn: 150402

show more ...

[analyzer] Malloc Checker: reduce false negatives rate by assuming that
a pointer cannot escape through calls to system functions. Also, stop
after reporting the first use-after-free.

llvm-svn: 1503

[analyzer] Malloc Checker: reduce false negatives rate by assuming that
a pointer cannot escape through calls to system functions. Also, stop
after reporting the first use-after-free.

llvm-svn: 150315

show more ...

[analyzer] Malloc Checker: Report a leak when we are returning freed
memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's va

[analyzer] Malloc Checker: Report a leak when we are returning freed
memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)

llvm-svn: 150313

show more ...

[analyzer] Malloc checker: Leak bugs should be suppressed by sinks.
Resolves a common false positive, where we were reporting a leak inside
asserts

llvm-svn: 150312

[analyzer] MallocChecker: refactor/improve the symbol escape logic.

We use the same logic here as the RetainRelease checker.

llvm-svn: 150311

[analyzer] MallocChecker Cleanup - harden against crashes, fix an error
(use of return instead of continue), wording.

llvm-svn: 150215

Remove unused fun.

llvm-svn: 150172

[analyzer] MallocChecker: address a diagnostic "fixme".

llvm-svn: 150158

[analyzer] Add custom path diagnostic to the Malloc Checker.

Very simple so far - we just highlight every allocation and release
site.

llvm-svn: 150156

[analyzer] MallocChecker cleanup, more tests.

llvm-svn: 150155

[analyzer] MallocChecker: implement pessimistic version of the checker,
which allows values to escape through unknown calls.

Assumes all calls but the malloc family are unknown.

Also, catch a use-a

[analyzer] MallocChecker: implement pessimistic version of the checker,
which allows values to escape through unknown calls.

Assumes all calls but the malloc family are unknown.

Also, catch a use-after-free when a pointer is passed to a
function after a call to free (previously, you had to explicitly
dereference the pointer value).

llvm-svn: 150112

show more ...

[analyzer] Split the MallocChecker into two versions - pessimistic and
optimistic.

TODO: actually implement the pessimistic version of the checker. Ex: it
needs to assume that any function that take

[analyzer] Split the MallocChecker into two versions - pessimistic and
optimistic.

TODO: actually implement the pessimistic version of the checker. Ex: it
needs to assume that any function that takes a pointer might free it.

The optimistic version relies on annotations to tell us which functions
can free the pointer.

llvm-svn: 150111

show more ...

[analyzer] MallocChecker: convert from using evalCall to
post visit of CallExpr.

In general, we should avoid using evalCall as it leads to interference
with other checkers.

llvm-svn: 150086

Basic: import SmallString<> into clang namespace

(I was going to fix the TODO about DenseMap too, but
that would break self-host right now. See PR11922.)

llvm-svn: 149799

Basic: import OwningPtr<> into clang namespace

llvm-svn: 149798

Move a method from IdentifierTable.h out of line and remove the SmallString include.

Fix all the transitive include users.

llvm-svn: 149783

Move various diagnostic operator<< overloads out of line and remove includes of Diagnostic.h.

Fix all the files that depended on transitive includes of Diagnostic.h.
With this patch in place changin

Move various diagnostic operator<< overloads out of line and remove includes of Diagnostic.h.

Fix all the files that depended on transitive includes of Diagnostic.h.
With this patch in place changing a diagnostic no longer requires a full rebuild of the StaticAnalyzer.

llvm-svn: 149781

show more ...

Change references to 'const ProgramState *' to typedef 'ProgramStateRef'.

At this point this is largely cosmetic, but it opens the door to replace
ProgramStateRef with a smart pointer that more eage

Change references to 'const ProgramState *' to typedef 'ProgramStateRef'.

At this point this is largely cosmetic, but it opens the door to replace
ProgramStateRef with a smart pointer that more eagerly acts in the role
of reclaiming unused ProgramState objects.

llvm-svn: 149081

show more ...

Remove unnecessary default cases in switches over enums.

This allows -Wswitch-enum to find switches that need updating when these enums are modified.

llvm-svn: 148281

[analyzer] Make the entries in 'Environment' context-sensitive by making entries map from
(Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals.

This is needed to support basic IPA via i

[analyzer] Make the entries in 'Environment' context-sensitive by making entries map from
(Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals.

This is needed to support basic IPA via inlining. Without this, we cannot tell
if a Stmt* binding is part of the current analysis scope (StackFrameContext) or
part of a parent context.

This change introduces an uglification of the use of getSVal(), and thus takes
two steps forward and one step back. There are also potential performance implications
of enlarging the Environment. Both can be addressed going forward by refactoring the
APIs and optimizing the internal representation of Environment. This patch
mainly introduces the functionality upon when we want to build upon (and clean up).

llvm-svn: 147688

show more ...

[analyzer] Be less pessimistic about invalidation of global variables
as a result of a call.

Problem:
Global variables, which come in from system libraries should not be
invalidated by all calls. Al

[analyzer] Be less pessimistic about invalidation of global variables
as a result of a call.

Problem:
Global variables, which come in from system libraries should not be
invalidated by all calls. Also, non-system globals should not be
invalidated by system calls.

Solution:
The following solution to invalidation of globals seems flexible enough
for taint (does not invalidate stdin) and should not lead to too
many false positives. We split globals into 3 classes:

* immutable - values are preserved by calls (unless the specific
global is passed in as a parameter):
A : Most system globals and const scalars

* invalidated by functions defined in system headers:
B: errno

* invalidated by all other functions (note, these functions may in
turn contain system calls):
B: errno
C: all other globals (which are not in A nor B)

llvm-svn: 147569

show more ...

Fix 80 col violations.

llvm-svn: 147566

[analyzer] Refactor checkers to use helper function for getting callee Decl and name.

We are getting name of the called function or it's declaration in a few checkers. Refactor them to use the helpe

[analyzer] Refactor checkers to use helper function for getting callee Decl and name.

We are getting name of the called function or it's declaration in a few checkers. Refactor them to use the helper function in the CheckerContext.

llvm-svn: 145576

show more ...

[analyzer] Rename generateNode -> addTransition in CheckerContext

Also document addTransition methods.

llvm-svn: 143059

[analyzer] Simplify CheckerContext

Remove dead members/parameters: ProgramState, respondsToCallback, autoTransition.
Remove addTransition method since it's the same as generateNode. Maybe we should

[analyzer] Simplify CheckerContext

Remove dead members/parameters: ProgramState, respondsToCallback, autoTransition.
Remove addTransition method since it's the same as generateNode. Maybe we should
rename generateNode to genTransition (since a transition is always automatically
generated)?

llvm-svn: 142946

show more ...