The new checker currently contains the very core infrastructure for tracking
the state of iterator-type objects in the analyzer: relating iterators to
their containers, tracking symbolic begin and end iterator values for
containers, and solving simple equality-type constraints over iterators.
A single specific check over this infrastructure is capable of finding usage of
out-of-range iterators in some simple cases.

Patch by Ádám Balogh!

Differential revision: https://reviews.llvm.org/D32592


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304160 91177308-0d34-0410-b5e6-96231b3b80d8

pthread_mutex_destroy() may fail, returning a non-zero error number, and
keeping the mutex untouched. The mutex can be used on the execution branch
that follows such failure, so the analyzer shouldn't warn on using
a mutex that was previously destroyed, when in fact the destroy call has failed.

Patch by Malhar Thakkar!

Differential revision: https://reviews.llvm.org/D32449


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304159 91177308-0d34-0410-b5e6-96231b3b80d8

Differential Revision: https://reviews.llvm.org/D33092


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@302880 91177308-0d34-0410-b5e6-96231b3b80d8

It was written as "Memory Error" in most places and as "Memory error" in a few
other places, however it is the latter that is more consistent with
other categories (such as "Logic error").

rdar://problem/31718115

Differential Revision: https://reviews.llvm.org/D32702


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@302016 91177308-0d34-0410-b5e6-96231b3b80d8

Differential Revision: https://reviews.llvm.org/D31650


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301913 91177308-0d34-0410-b5e6-96231b3b80d8

Reviewers: zaks.anna, NoQ, danielmarjamaki

Reviewed By: zaks.anna, NoQ, danielmarjamaki

Subscribers: cfe-commits, kalev, pwithnall

Differential Revision: https://reviews.llvm.org/D30771


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301384 91177308-0d34-0410-b5e6-96231b3b80d8

Array-to-pointer cast now works correctly when the pointer to the array
is concrete, eg. null, which allows further symbolic calculations involving
such values.

Inlined defensive checks are now detected correctly when the resulting null
symbol is being array-subscripted before dereference.

Differential Revision: https://reviews.llvm.org/D32291


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301251 91177308-0d34-0410-b5e6-96231b3b80d8

Null dereferences are suppressed if the lvalue was constrained to 0 for the
first time inside a sub-function that was inlined during analysis, because
such constraint is a valid defensive check that does not, by itself,
indicate that null pointer case is anyhow special for the caller.

If further operations on the lvalue are performed, the symbolic lvalue is
collapsed to concrete null pointer, and we need to track where does the null
pointer come from.

Improve such tracking for lvalue operations involving operator &.

rdar://problem/27876009

Differential Revision: https://reviews.llvm.org/D31982


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301224 91177308-0d34-0410-b5e6-96231b3b80d8

This diff replaces getTypeSize(CondE->getType())) 
with getIntWidth(CondE->getType())) in ExprEngine::processSwitch.
These calls are not equivalent for bool, see ASTContext.cpp
Add a test case.

Test plan:
make check-clang-analysis
make check-clang

Differential revision: https://reviews.llvm.org/D32328


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@300936 91177308-0d34-0410-b5e6-96231b3b80d8

SValBuilder tries to constant-fold symbols in the left-hand side of the symbolic
expression whenever it fails to evaluate the expression directly. However, it
only constant-folds them when they are atomic expressions, not when they are
complicated expressions themselves. This patch adds recursive constant-folding
to the left-hand side subexpression (there's a lack of symmetry because we're
trying to have symbols on the left and constants on the right). As an example,
we'd now be able to handle operations similar to "$x + 1 < $y", when $x is
constrained to a constant.

rdar://problem/31354676

Differential Revision: https://reviews.llvm.org/D31886


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@300178 91177308-0d34-0410-b5e6-96231b3b80d8

This diff adds a defensive check in getExtraInvalidatedValues
for the case when there are no regions for the ivar associated with
a property. Corresponding test case added.

Test plan:
make check-clang
make check-clang-analysis


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@300114 91177308-0d34-0410-b5e6-96231b3b80d8

Move the test format into a standalone .py file and add it to the site
module search path. This allows us to run the test on Windows, and it
makes it compatible with the multiprocessing.Pool lit test execution
strategy.

I think this test was only passing everywhere else because
multiprocessing uses 'fork' to spawn workers, so the test format never
needs to be pickled.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@299577 91177308-0d34-0410-b5e6-96231b3b80d8

[analyzer] alpha.core.Conversion - Fix false positive for 'U32 += S16;' expression, that is not unsafe

Summary:
The alpha.core.Conversion was too strict about compound assignments and could warn even though there is no problem.

Differential Revision: https://reviews.llvm.org/D25596



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@299523 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Implement new Z3 constraint manager backend.

Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun

Subscribers: mgorny, cfe-commits

Differential Revision: https://reviews.llvm.org/D28952

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@299463 91177308-0d34-0410-b5e6-96231b3b80d8

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@299094 91177308-0d34-0410-b5e6-96231b3b80d8

If the value is known, but we cannot increment it, conjure a symbol to
represent the result of the operation based on the operator expression,
not on the sub-expression.

In particular, no longer crash on comparing a result of a LocAsInteger increment
to a constant integer.

rdar://problem/31067356

Differential Revision: https://reviews.llvm.org/D31289


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@298927 91177308-0d34-0410-b5e6-96231b3b80d8

Adjustments should be considered properly; we should copy the unadjusted object
over the whole temporary base region. If the unadjusted object is no longer
available in the Environment, invalidate the temporary base region, and then
copy the adjusted object into the adjusted sub-region of the temporary region.

This fixes a regression introduced by r288263, that caused various
false positives, due to copying only adjusted object into the adjusted region;
the rest of the base region therefore remained undefined.
Before r288263, the adjusted value was copied over the unadjusted region,
which is incorrect, but accidentally worked better due to how region store
disregards compound value bindings to non-base regions.

An additional test machinery is introduced to make sure that despite making
two binds, we only notify checkers once for both of them, without exposing
the partially copied objects.

This fix is a hack over a hack. The proper fix would be to model C++ temporaries
in the CFG, and after that dealing with adjustments would no longer be
necessary, and the values we need would no longer disappear from the
Environment.

rdar://problem/30658168

Differential Revision: https://reviews.llvm.org/D30534


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@298924 91177308-0d34-0410-b5e6-96231b3b80d8

The checker currently warns on copying, moving, or calling methods on an object
that was recently std::move'd from. It understands a set of "state reset"
methods that bring a moved-from object back to a well-specified state.

Patch by Peter Szecsi!

Differential Revision: https://reviews.llvm.org/D24246


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@298698 91177308-0d34-0410-b5e6-96231b3b80d8

It looks like on some host-triples the result of a valist related expr can be
a LazyCompoundVal. Handle that case in the check.

Patch by Abramo Bagnara!


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297619 91177308-0d34-0410-b5e6-96231b3b80d8

Patch by Zoltan Daniel Torok!

Differential Revision: https://reviews.llvm.org/D29567



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297461 91177308-0d34-0410-b5e6-96231b3b80d8

We have several reports of false positives coming from libc++. For example,
there are reports of false positives in std::regex, std::wcout, and also
a bunch of issues are reported in https://reviews.llvm.org/D30593. In many
cases, the analyzer trips over the complex libc++ code invariants. Let's turn
off the reports coming from these headers until we can re-evalate the support.

We can turn this back on once we individually suppress all known false
positives and perform deeper evaluation on large codebases that use libc++.
We'd also need to commit to doing these evaluations regularly as libc++
headers change.

Differential Revision: https://reviews.llvm.org/D30798

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297429 91177308-0d34-0410-b5e6-96231b3b80d8

A patch by Vlad Tsyrklevich!

Differential Revision: https://reviews.llvm.org/D28445

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297326 91177308-0d34-0410-b5e6-96231b3b80d8

Some of the magic functions take arguments of arbitrary type. However,
for semantic correctness, the compiler still requires a declaration
of these functions with the correct type. Since C does not have
argument-type-overloaded function, this made those functions hard to
use in C code. Improve this situation by allowing arbitrary suffixes
in the affected magic functions' names, thus allowing the user to
create different declarations for different types.

A patch by Keno Fischer!

Differential Revision: https://reviews.llvm.org/D30589

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297325 91177308-0d34-0410-b5e6-96231b3b80d8

Add a bug visitor to the taint checker to make it easy to distinguish where
the tainted value originated. This is especially useful when the original
taint source is obscured by complex data flow.

A patch by Vlad Tsyrklevich!

Differential Revision: https://reviews.llvm.org/D30289

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297324 91177308-0d34-0410-b5e6-96231b3b80d8

A patch by Leslie Zhai!

Differential Revision: https://reviews.llvm.org/D28348

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297323 91177308-0d34-0410-b5e6-96231b3b80d8

Differential Revision: https://reviews.llvm.org/D30341


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297283 91177308-0d34-0410-b5e6-96231b3b80d8

This crash was reported in https://bugs.llvm.org//show_bug.cgi?id=31173

Differential Revision: https://reviews.llvm.org/D28297


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297187 91177308-0d34-0410-b5e6-96231b3b80d8

This patch makes the valist check more robust to the different AST variants on
different platforms and also fixes a FIXME.

Differential Revision: https://reviews.llvm.org/D30157


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297153 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296895 91177308-0d34-0410-b5e6-96231b3b80d8

* ExprEngine assumes that OpenMP statements should never appear in CFG.
  However, current CFG doesn't know anything about OpenMP and passes
  such statements as CFG nodes causing "UNREACHABLE executed!" crashes.
  Since there is no OpenMP implementation in ExprEngine or CFG,
  we stop the analysis on OpenMP statements to avoid crashes.

This fixes PR31835.

Differential Revision: https://reviews.llvm.org/D30565


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296884 91177308-0d34-0410-b5e6-96231b3b80d8

Revert "Reland 3: [analyzer] NFC: Update test infrastructure to support multiple constraint managers"

This reverts commit ea36f140.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296841 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296837 91177308-0d34-0410-b5e6-96231b3b80d8

Revert "Reland 2: [analyzer] NFC: Update test infrastructure to support multiple constraint managers"

This reverts commit f93343c0.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296836 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296835 91177308-0d34-0410-b5e6-96231b3b80d8

In the following code involving GNU statement-expression extension:
  struct S {
    ~S();
  };

  void foo() {
    const S &x = ({ return; S(); });
  }
function 'foo()' returns before reference x is initialized. We shouldn't call
the destructor for the temporary object lifetime-extended by 'x' in this case,
because the object never gets constructed in the first place.

The real problem is probably in the CFG somewhere, so this is a quick-and-dirty
hotfix rather than the perfect solution.

A patch by Artem Dergachev!

rdar://problem/30759076

Differential Revision: https://reviews.llvm.org/D30499

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296646 91177308-0d34-0410-b5e6-96231b3b80d8

Fix a crash in the ObjCPropertyChecker when analyzing a 'copy' property of an
NSMutable* type in a protocol.

rdar://problem/30766684

Differential Revision: https://reviews.llvm.org/D30482

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296562 91177308-0d34-0410-b5e6-96231b3b80d8

This reverts commit 1b28d0b1.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296422 91177308-0d34-0410-b5e6-96231b3b80d8

Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296414 91177308-0d34-0410-b5e6-96231b3b80d8

Differential Revision: https://reviews.llvm.org/D28278


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296326 91177308-0d34-0410-b5e6-96231b3b80d8

This reverts commit 8e7780b9.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296317 91177308-0d34-0410-b5e6-96231b3b80d8