[analyzer] Fix false warning about memory leak for QApplication::postEvent

According to Qt documentation Qt takes care of memory allocated for QEvent:
http://doc.qt.io/qt-4.8/qcoreapplication.html#p

[analyzer] Fix false warning about memory leak for QApplication::postEvent

According to Qt documentation Qt takes care of memory allocated for QEvent:
http://doc.qt.io/qt-4.8/qcoreapplication.html#postEvent

A patch by Evgeniy Dushistov!

Differential Revision: http://reviews.llvm.org/D14170

llvm-svn: 256887

show more ...

Refactor: Simplify boolean conditional return statements in lib/StaticAnalyzer/Checkers

Summary: Use clang-tidy to simplify boolean conditional return values

Reviewers: dcoughlin, krememek

Subscri

Refactor: Simplify boolean conditional return statements in lib/StaticAnalyzer/Checkers

Summary: Use clang-tidy to simplify boolean conditional return values

Reviewers: dcoughlin, krememek

Subscribers: krememek, cfe-commits

Patch by Richard Thomson!

Differential Revision: http://reviews.llvm.org/D10021

llvm-svn: 256491

show more ...

[analyzer] Assume escape is possible through system functions taking void*
The analyzer assumes that system functions will not free memory or modify the
arguments in other ways, so we assume that arg

[analyzer] Assume escape is possible through system functions taking void*
The analyzer assumes that system functions will not free memory or modify the
arguments in other ways, so we assume that arguments do not escape when
those are called. However, this may lead to false positive leak errors. For
example, in code like this where the pointers added to the rb_tree are freed
later on:

struct alarm_event *e = calloc(1, sizeof(*e));
<snip>

rb_tree_insert_node(&alarm_tree, e);

Add a heuristic to assume that calls to system functions taking void*
arguments allow for pointer escape.

llvm-svn: 251449

show more ...

[analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).

Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C
standard (N1570) establishes equivalent behavior for

[analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).

Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C
standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr,
0): "7.22.3 Memory management functions calloc, malloc, realloc: If the size of
the space requested is zero, the behavior is implementation-defined: either a
null pointer is returned, or the behavior is as if the size were some nonzero
value, except that the returned pointer shall not be used to access an object."
The patch equalizes the processing of malloc(0) and realloc(ptr,0). The patch
also enables unix.Malloc checker to detect references to zero-allocated memory
returned by realloc(ptr,0) ("Use of zero-allocated memory" warning).

A patch by Антон Ярцев!

Differential Revision: http://reviews.llvm.org/D9040

llvm-svn: 248336

show more ...

[analyzer] Add generateErrorNode() APIs to CheckerContext.

The analyzer trims unnecessary nodes from the exploded graph before reporting
path diagnostics. However, in some cases it can trim all node

[analyzer] Add generateErrorNode() APIs to CheckerContext.

The analyzer trims unnecessary nodes from the exploded graph before reporting
path diagnostics. However, in some cases it can trim all nodes (including the
error node), leading to an assertion failure (see
https://llvm.org/bugs/show_bug.cgi?id=24184).

This commit addresses the issue by adding two new APIs to CheckerContext to
explicitly create error nodes. Unless the client provides a custom tag, these
APIs tag the node with the checker's tag -- preventing it from being trimmed.
The generateErrorNode() method creates a sink error node, while
generateNonFatalErrorNode() creates an error node for a path that should
continue being explored.

The intent is that one of these two methods should be used whenever a checker
creates an error node.

This commit updates the checkers to use these APIs. These APIs
(unlike addTransition() and generateSink()) do not take an explicit Pred node.
This is because there are not any error nodes in the checkers that were created
with an explicit different than the default (the CheckerContext's Pred node).

It also changes generateSink() to require state and pred nodes (previously
these were optional) to reduce confusion.

Additionally, there were several cases where checkers did check whether a
generated node could be null; we now explicitly check for null in these places.

This commit also includes a test case written by Ying Yi as part of
http://reviews.llvm.org/D12163 (that patch originally addressed this issue but
was reverted because it introduced false positive regressions).

Differential Revision: http://reviews.llvm.org/D12780

llvm-svn: 247859

show more ...

[analyzer] Apply whitespace cleanups by Honggyu Kim.

llvm-svn: 246978

Wdeprecated: BugReporterVisitors are copied for cloning (BugReporterVisitorImpl), make sure such copies are safe

Make the copy/move ctors defaulted in the base class and make the
derived classes fin

Wdeprecated: BugReporterVisitors are copied for cloning (BugReporterVisitorImpl), make sure such copies are safe

Make the copy/move ctors defaulted in the base class and make the
derived classes final to avoid any intermediate hierarchy slicing if
these types were further derived.

llvm-svn: 244979

show more ...

Wdeprecated: CollectReachableSymbolsCallback are move constructed/returned by value, so make sure they're copy/moveable

(return by value is in ExprEngine::processPointerEscapedOnBind and any
other c

Wdeprecated: CollectReachableSymbolsCallback are move constructed/returned by value, so make sure they're copy/moveable

(return by value is in ExprEngine::processPointerEscapedOnBind and any
other call to the scanReachableSymbols function template used there)

Protect the special members in the base class to avoid slicing, and make
derived classes final so these special members don't accidentally become
public on an intermediate base which would open up the possibility of
slicing again.

llvm-svn: 244975

show more ...

Clarify pointer ownership semantics by hoisting the std::unique_ptr creation to the caller instead of hiding it in emitReport. NFC.

llvm-svn: 240400

[analyzer] This implements potential undefbehavior.ZeroAllocDereference checker.

TODO: support realloc(). Currently it is not possible due to the present realloc() handling. Currently RegionState is

[analyzer] This implements potential undefbehavior.ZeroAllocDereference checker.

TODO: support realloc(). Currently it is not possible due to the present realloc() handling. Currently RegionState is not being attached to realloc() in case of a zero Size argument.
llvm-svn: 234889

show more ...

Use 'override/final' instead of 'virtual' for overridden methods

Summary:
The patch is generated using clang-tidy misc-use-override check.

This command was used:

tools/clang/tools/extra/clang-ti

Use 'override/final' instead of 'virtual' for overridden methods

Summary:
The patch is generated using clang-tidy misc-use-override check.

This command was used:

tools/clang/tools/extra/clang-tidy/tool/run-clang-tidy.py \
-checks='-*,misc-use-override' -header-filter='llvm|clang' -j=32 -fix

Reviewers: dblaikie

Reviewed By: dblaikie

Subscribers: klimek, cfe-commits

Differential Revision: http://reviews.llvm.org/D8926

llvm-svn: 234678

show more ...

[analyzer] Make getCheckIfTracked() return either leak or regular checker.

llvm-svn: 231863

[analyzer] Remove unused type (addition to r231540: "Revert changes from r229593")

llvm-svn: 231548

[analyzer] Revert changes from r229593; an enhancement is under discussion

llvm-svn: 231540

[analyzer] Bug fix: do not report leaks for alloca()

llvm-svn: 231314

[analyzer] Individual configuration options can be specified for checkers.

Reviewed by: Anna Zaks

Original patch by: Aleksei Sidorin

Differential Revision: http://reviews.llvm.org/D7905

llvm-svn:

[analyzer] Individual configuration options can be specified for checkers.

Reviewed by: Anna Zaks

Original patch by: Aleksei Sidorin

Differential Revision: http://reviews.llvm.org/D7905

llvm-svn: 231266

show more ...

[analyzer] unix.Malloc: preserve AllocaRegion bound to __builtin_alloca().

Binding __builtin_alloca() return value to the symbolic value kills previous binding to a AllocaRegion established by the c

[analyzer] unix.Malloc: preserve AllocaRegion bound to __builtin_alloca().

Binding __builtin_alloca() return value to the symbolic value kills previous binding to a AllocaRegion established by the core.BuiltinFunctions checker. Other checkers may rely upon this information. Rollback handling of __builtin_alloca() to the way prior to r229850.

llvm-svn: 231160

show more ...

[analyzer] Different handling of alloca().

+ separate bug report for "Free alloca()" error to be able to customize checkers responsible for this error.
+ Muted "Free alloca()" error for NewDelete ch

[analyzer] Different handling of alloca().

+ separate bug report for "Free alloca()" error to be able to customize checkers responsible for this error.
+ Muted "Free alloca()" error for NewDelete checker that is not responsible for c-allocated memory, turned on for unix.MismatchedDeallocator checker.
+ RefState for alloca() - to be able to detect usage of zero-allocated memory by upcoming ZeroAllocDereference checker.
+ AF_Alloca family to handle alloca() consistently - keep proper family in RefState, handle 'alloca' by getCheckIfTracked() facility, etc.
+ extra tests.

llvm-svn: 229850

show more ...

[analyzer] Refactoring: clarified the way the proper check kind is chosen.

llvm-svn: 229593

[analyzer] Pass actual state to alloc/dealloc handling functions.

The state obtained from CheckerContext::getState() may be outdated by the time the alloc/dealloc handling function is called (e.g. t

[analyzer] Pass actual state to alloc/dealloc handling functions.

The state obtained from CheckerContext::getState() may be outdated by the time the alloc/dealloc handling function is called (e.g. the state was modified but the transition was not performed). State argument was added to all alloc/dealloc handling functions in order to get the latest state and to allow sequential calls to those functions.

llvm-svn: 228737

show more ...

[analyzer] Look for allocation site in the parent frames as well as the current one.

Instead of handling edge cases (mostly involving blocks), where we have difficulty finding
an allocation statemen

[analyzer] Look for allocation site in the parent frames as well as the current one.

Instead of handling edge cases (mostly involving blocks), where we have difficulty finding
an allocation statement, allow the allocation site to be in a parent node.

Previously we assumed that the allocation site can always be found in the same frame
as allocation, but there are scenarios in which an element is leaked in a child
frame but is allocated in the parent.

llvm-svn: 228247

show more ...

Remove stray enum keywords. MSVC sees this as a redeclaration at global scope.

llvm-svn: 219031

[analyzer] Make Malloc Checker track memory allocated by if_nameindex

The MallocChecker does currently not track the memory allocated by
if_nameindex. That memory is dynamically allocated and should

[analyzer] Make Malloc Checker track memory allocated by if_nameindex

The MallocChecker does currently not track the memory allocated by
if_nameindex. That memory is dynamically allocated and should be freed
by calling if_freenameindex. The attached patch teaches the checker
about these functions.

Memory allocated by if_nameindex is treated as a separate allocation
"family". That way the checker can verify it is freed by the correct
function.

A patch by Daniel Fahlgren!

llvm-svn: 219025

show more ...

[analyzer] Don't crash if malloc() has an unexpected function prototype.

Patch by Daniel Fahlgren!

llvm-svn: 217258

unique_ptrify BugReporter::visitors

llvm-svn: 217205