This change adds support for cross-file diagnostic paths in html output. If the
diagnostic path is not cross-file, there is no change in the output.

Patch by Vlad Tsyrklevich!

Differential Revision: https://reviews.llvm.org/D30406

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@309968 91177308-0d34-0410-b5e6-96231b3b80d8

Example:

#define MACRO(C)   if (C) { static int x; .. }
void foo() {
	MACRO(0);
}

Differential Revision: https://reviews.llvm.org/D36141



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@309799 91177308-0d34-0410-b5e6-96231b3b80d8

This feature allows the analyzer to consider loops to completely unroll.
New requirements/rules (for unrolling) can be added easily via ASTMatchers.

Right now it is hidden behind a flag, the aim is to find the correct heuristic
and create a solution which results higher coverage % and more precise
analysis, thus can be enabled by default.

Right now the blocks which belong to an unrolled loop are marked by the
LoopVisitor which adds them to the ProgramState.
Then whenever we encounter a CFGBlock in the processCFGBlockEntrance which is
marked then we skip its investigating. That means, it won't be considered to
be visited more than the maximal bound for visiting since it won't be checked.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@309006 91177308-0d34-0410-b5e6-96231b3b80d8

Add a 'Generalized' object kind to the retain-count checker and suitable
generic diagnostic text for retain-count diagnostics involving those objects.

For now the object kind is introduced in summaries by 'annotate' attributes.
Once we have more experience with these annotations we will propose explicit
attributes.

Patch by Malhar Thakkar!

Differential Revision: https://reviews.llvm.org/D35613

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308990 91177308-0d34-0410-b5e6-96231b3b80d8

Because since r308957 the suppress-on-sink feature contains its own
mini-analysis, it also needs to become aware that C++ unhandled exceptions
cause sinks. Unfortunately, for now we treat all exceptions as unhandled in
the analyzer, so suppress-on-sink needs to do the same.

rdar://problem/28157554

Differential Revision: https://reviews.llvm.org/D35674


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308961 91177308-0d34-0410-b5e6-96231b3b80d8

If a certain memory leak (or other similar bug) found by the analyzer is known
to be happening only before abnormal termination of the program ("sink", eg.
assertion failure in the code under analysis, or another bug that introduces
undefined behavior), such leak warning is discarded. However, if the analysis
has never reaches completion (due to complexity of the code), it may be
failing to notice the sink.

This commit further extends the partial solution introduced in r290341 to cover
cases when a complicated control flow occurs before encountering a no-return
statement (which anyway inevitably leads to such statement(s)) by traversing
the respective section of the CFG in a depth-first manner. A complete solution
still seems elusive.

rdar://problem/28157554

Differential Revision: https://reviews.llvm.org/D35673


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308957 91177308-0d34-0410-b5e6-96231b3b80d8

Revert r308561 and r308558.

Clang-ppc64be-linux seems to crash while running the test cases.



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308592 91177308-0d34-0410-b5e6-96231b3b80d8

Missing files added to rL308558.



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308561 91177308-0d34-0410-b5e6-96231b3b80d8

requirements/rules (for unrolling) can be added easily via ASTMatchers.

The current implementation is hidden behind a flag.

Right now the blocks which belong to an unrolled loop are marked by the 
LoopVisitor which adds them to the ProgramState. Then whenever we encounter a
CFGBlock in the processCFGBlockEntrance which is marked then we skip its
investigating. That means, it won't be considered to be visited more than the
maximal bound for visiting since it won't be checked.

Differential Revision: https://reviews.llvm.org/D34260



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308558 91177308-0d34-0410-b5e6-96231b3b80d8

Add support to the retain-count checker for an annotation indicating that a
function's implementation should be trusted by the retain count checker.
Functions with these attributes will not be inlined and the arguments will
be treating as escaping.

Adding this annotation avoids spurious diagnostics when the implementation of
a reference counting operation is visible but the analyzer can't reason
precisely about the ref count.

Patch by Malhar Thakkar!

Differential Revision: https://reviews.llvm.org/D34937

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308416 91177308-0d34-0410-b5e6-96231b3b80d8

be shared without warnings.  Build AttributedTypes to leave breadcrumbs
for tools like the static analyzer.  Warn about attempting to use the
attribute with incompatible return types.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308092 91177308-0d34-0410-b5e6-96231b3b80d8

There was already a returns_localized_nsstring annotation to indicate
that the return value could be passed to UIKit methods that would
display them. However, those UIKit methods were hard-coded, and it was
not possible to indicate that other classes/methods in a code-base would
do the same.

The takes_localized_nsstring annotation can be put on function
parameters and selector parameters to indicate that those will also show
the string to the user.

Differential Revision: https://reviews.llvm.org/D35186


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308012 91177308-0d34-0410-b5e6-96231b3b80d8

Assertion `Loc::isLocType(SSE->getLHS()->getType())' failed in Analysis/PR3991.m

This reverts commit e469ff27.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@307853 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Generate more IntSymExpr constraints, perform SVal simplification for IntSymExpr and SymbolCast constraints, and create fully symbolic SymExprs

Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun

Subscribers: mgorny, cfe-commits

Differential Revision: https://reviews.llvm.org/D28953

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@307833 91177308-0d34-0410-b5e6-96231b3b80d8

Summary:
This mimics the implementation for the implicit destructors. The
generation of this scope leaving elements is hidden behind
a flag to the CFGBuilder, thus it should not affect existing code.

Currently, I'm missing a test (it's implicitly tested by the clang-tidy
lifetime checker that I'm proposing).
I though about a test using debug.DumpCFG, but then I would
have to add an option to StaticAnalyzer/Core/AnalyzerOptions
to enable the scope leaving CFGElement,
which would only be useful to that particular test.

Any other ideas how I could make a test for this feature?

Reviewers: krememek, jordan_rose

Subscribers: cfe-commits

Differential Revision: http://reviews.llvm.org/D15031

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@307759 91177308-0d34-0410-b5e6-96231b3b80d8

This is a follow up for one of 
the previous diffs https://reviews.llvm.org/D32328.
getTypeSize and with getIntWidth are not equivalent for bool 
(see https://clang.llvm.org/doxygen/ASTContext_8cpp_source.html#l08444),
this causes a number of issues
(for instance, if APint X representing a bool is created 
with the wrong bit width then X is not comparable against Min/Max
(because of the different bit width), that results in crashes 
(triggered asserts) inside assume* methods), 
for examples see the newly added test cases.

Test plan: make check-all

Differential revision: https://reviews.llvm.org/D35041


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@307604 91177308-0d34-0410-b5e6-96231b3b80d8

This is a new checker package. It contains checkers that highlight
well-documented implementation-defined behavior. Such checkers are only useful
to developers that intend to write portable code. Code that is only compiled for
a single platform should be allowed to rely on this platform's specific
documented behavior.

rdar://problem/30545046

Differential Revision: https://reviews.llvm.org/D34102


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@306396 91177308-0d34-0410-b5e6-96231b3b80d8

Differential Revision: https://reviews.llvm.org/D34502


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305991 91177308-0d34-0410-b5e6-96231b3b80d8

This makes the analyzer around 10% slower by default,
allowing it to find deeper bugs.

Default values for the following -analyzer-config change:
max-nodes: 150000 -> 225000;
max-inlinable-size: 50 -> 100.

rdar://problem/32539666
Differential Revision: https://reviews.llvm.org/D34277


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305900 91177308-0d34-0410-b5e6-96231b3b80d8

Reviewers: dcoughlin, zaks.anna, NoQ, danielmarjamaki

Reviewed By: NoQ, danielmarjamaki

Differential Revision: https://reviews.llvm.org/D31868


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305773 91177308-0d34-0410-b5e6-96231b3b80d8

Reviewers: v.g.vassilev, zaks.anna, NoQ, teemperor

Reviewed By: v.g.vassilev, zaks.anna, NoQ, teemperor

Differential Revision: https://reviews.llvm.org/D31320


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305659 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Modify the test infrastructure to properly handle tests that require z3, and merge together the output of all tests on success. This is required for D28954.

Reviewers: dcoughlin, zaks.anna, NoQ, xazax.hun

Subscribers: cfe-commits

Differential Revision: https://reviews.llvm.org/D33308

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305480 91177308-0d34-0410-b5e6-96231b3b80d8

Memory region allocated by alloca() carries no implicit type information.
Don't crash when resolving the init message for an Objective-C object
that is being constructed in such region.

rdar://problem/32517077

Differential Revision: https://reviews.llvm.org/D33828


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305211 91177308-0d34-0410-b5e6-96231b3b80d8

In plist output mode with alternate path diagnostics, when entering a function,
we draw an arrow from the caller to the beginning of the callee's declaration.
Upon exiting, however, we draw the arrow from the last statement in the
callee function. The former makes little sense when the declaration is
not a definition, i.e. has no body, which may happen in case the body
is coming from a body farm, eg. Objective-C autosynthesized property accessor.

Differential Revision: https://reviews.llvm.org/D33671


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304713 91177308-0d34-0410-b5e6-96231b3b80d8

Nullable-to-nonnull checks used to crash when the custom bug visitor was trying
to add its notes to autosynthesized accessors of Objective-C properties.

Now we avoid this, mostly automatically outside of checker control, by
moving the diagnostic to the parent stack frame where the accessor has been
called.

Differential revision: https://reviews.llvm.org/D32437


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304710 91177308-0d34-0410-b5e6-96231b3b80d8

The analyzer's taint analysis can now reason about structures or arrays
originating from taint sources in which only certain sections are tainted.

In particular, it also benefits modeling functions like read(), which may
read tainted data into a section of a structure, but RegionStore is incapable of
expressing the fact that the rest of the structure remains intact, even if we
try to model read() directly.

Patch by Vlad Tsyrklevich!

Differential revision: https://reviews.llvm.org/D28445


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304162 91177308-0d34-0410-b5e6-96231b3b80d8

The new checker currently contains the very core infrastructure for tracking
the state of iterator-type objects in the analyzer: relating iterators to
their containers, tracking symbolic begin and end iterator values for
containers, and solving simple equality-type constraints over iterators.
A single specific check over this infrastructure is capable of finding usage of
out-of-range iterators in some simple cases.

Patch by Ádám Balogh!

Differential revision: https://reviews.llvm.org/D32592


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304160 91177308-0d34-0410-b5e6-96231b3b80d8

pthread_mutex_destroy() may fail, returning a non-zero error number, and
keeping the mutex untouched. The mutex can be used on the execution branch
that follows such failure, so the analyzer shouldn't warn on using
a mutex that was previously destroyed, when in fact the destroy call has failed.

Patch by Malhar Thakkar!

Differential revision: https://reviews.llvm.org/D32449


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304159 91177308-0d34-0410-b5e6-96231b3b80d8

Differential Revision: https://reviews.llvm.org/D33092


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@302880 91177308-0d34-0410-b5e6-96231b3b80d8

It was written as "Memory Error" in most places and as "Memory error" in a few
other places, however it is the latter that is more consistent with
other categories (such as "Logic error").

rdar://problem/31718115

Differential Revision: https://reviews.llvm.org/D32702


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@302016 91177308-0d34-0410-b5e6-96231b3b80d8

Differential Revision: https://reviews.llvm.org/D31650


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301913 91177308-0d34-0410-b5e6-96231b3b80d8

Reviewers: zaks.anna, NoQ, danielmarjamaki

Reviewed By: zaks.anna, NoQ, danielmarjamaki

Subscribers: cfe-commits, kalev, pwithnall

Differential Revision: https://reviews.llvm.org/D30771


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301384 91177308-0d34-0410-b5e6-96231b3b80d8

Array-to-pointer cast now works correctly when the pointer to the array
is concrete, eg. null, which allows further symbolic calculations involving
such values.

Inlined defensive checks are now detected correctly when the resulting null
symbol is being array-subscripted before dereference.

Differential Revision: https://reviews.llvm.org/D32291


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301251 91177308-0d34-0410-b5e6-96231b3b80d8

Null dereferences are suppressed if the lvalue was constrained to 0 for the
first time inside a sub-function that was inlined during analysis, because
such constraint is a valid defensive check that does not, by itself,
indicate that null pointer case is anyhow special for the caller.

If further operations on the lvalue are performed, the symbolic lvalue is
collapsed to concrete null pointer, and we need to track where does the null
pointer come from.

Improve such tracking for lvalue operations involving operator &.

rdar://problem/27876009

Differential Revision: https://reviews.llvm.org/D31982


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301224 91177308-0d34-0410-b5e6-96231b3b80d8

This diff replaces getTypeSize(CondE->getType())) 
with getIntWidth(CondE->getType())) in ExprEngine::processSwitch.
These calls are not equivalent for bool, see ASTContext.cpp
Add a test case.

Test plan:
make check-clang-analysis
make check-clang

Differential revision: https://reviews.llvm.org/D32328


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@300936 91177308-0d34-0410-b5e6-96231b3b80d8

SValBuilder tries to constant-fold symbols in the left-hand side of the symbolic
expression whenever it fails to evaluate the expression directly. However, it
only constant-folds them when they are atomic expressions, not when they are
complicated expressions themselves. This patch adds recursive constant-folding
to the left-hand side subexpression (there's a lack of symmetry because we're
trying to have symbols on the left and constants on the right). As an example,
we'd now be able to handle operations similar to "$x + 1 < $y", when $x is
constrained to a constant.

rdar://problem/31354676

Differential Revision: https://reviews.llvm.org/D31886


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@300178 91177308-0d34-0410-b5e6-96231b3b80d8

This diff adds a defensive check in getExtraInvalidatedValues
for the case when there are no regions for the ivar associated with
a property. Corresponding test case added.

Test plan:
make check-clang
make check-clang-analysis


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@300114 91177308-0d34-0410-b5e6-96231b3b80d8

Move the test format into a standalone .py file and add it to the site
module search path. This allows us to run the test on Windows, and it
makes it compatible with the multiprocessing.Pool lit test execution
strategy.

I think this test was only passing everywhere else because
multiprocessing uses 'fork' to spawn workers, so the test format never
needs to be pickled.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@299577 91177308-0d34-0410-b5e6-96231b3b80d8

[analyzer] alpha.core.Conversion - Fix false positive for 'U32 += S16;' expression, that is not unsafe

Summary:
The alpha.core.Conversion was too strict about compound assignments and could warn even though there is no problem.

Differential Revision: https://reviews.llvm.org/D25596



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@299523 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Implement new Z3 constraint manager backend.

Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun

Subscribers: mgorny, cfe-commits

Differential Revision: https://reviews.llvm.org/D28952

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@299463 91177308-0d34-0410-b5e6-96231b3b80d8