the ownership of BugTypes and BugReports. Now BugReports are owned by BugTypes,
and BugTypes are owned by the BugReporter object.
The major functionality change in this patch is that reports are not immediately
emitted by a call to BugReporter::EmitWarning (now called EmitReport), but
instead of queued up in report "equivalence classes". When
BugReporter::FlushReports() is called, it emits one diagnostic per report
equivalence class. This provides a nice cleanup with the caching of reports as
well as enables the BugReporter engine to select the "best" path for reporting a
path-sensitive bug based on all the locations in the ExplodedGraph that the same
bug could occur.
Along with this patch, Leaks are now coalesced into a common equivalence class
by their allocation site, and the "summary" diagnostic for leaks now reports the
allocation site as the location of the bug (this may later be augmented to also
provide an example location where the leak occurs).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@63796 91177308-0d34-0410-b5e6-96231b3b80d8
- Overhauled the notion of "types" for TypedRegions. We now distinguish between the "lvalue" of a region (via getLValueRegion()) and the "rvalue" of a region (va getRValueRegion()). Since a region represents a chunk of memory it has both, but we were conflating these concepts in some cases, leading to some insidious bugs.
- Removed AnonPointeeType, partially because it is unused and because it doesn't have a clear notion of lvalue vs rvalue type. We can add it back once there is a need for it and we can resolve its role with these concepts.
StoreManager:
- Overhauled StoreManager::CastRegion. It expects an *lvalue* type for a region. This is actually what motivated the overhaul to the MemRegion type mechanism. It also no longer returns an SVal; we can just return a MemRegion*.
- BasicStoreManager::CastRegion now overlays an "AnonTypedRegion" for pointer-pointer casts. This matches with the MemRegion changes.
- Similar changes to RegionStore, except I've added a bunch of FIXMEs where it wasn't 100% clear where we should use TypedRegion::getRValueRegion() or TypedRegion::getLValueRegion().
AuditCFNumberCreate check:
- Now blasts through AnonTypedRegions that may layer the original memory region, thus checking if the actually memory block is of the appropriate type. This change was needed to work with the changes to StoreManager::CastRegion.
GRExprEngine::VisitCast:
- Conform to the new interface of StoreManager::CastRegion.
Tests:
- None of the analysis tests fail now for using the "basic store".
- Disabled the tests 'array-struct.c' and 'rdar-6442306-1.m' pending further testing and bug fixing.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@60995 91177308-0d34-0410-b5e6-96231b3b80d8
a new NamedDecl::getAsString() method.
Change uses of Selector::getName() to just pass in a Selector
where possible (e.g. to diagnostics) instead of going through
an std::string.
This also adds new formatters for objcinstance and objcclass
as described in the dox.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@59933 91177308-0d34-0410-b5e6-96231b3b80d8
- Added new region "SymbolicRegion", which maps symbol values to the region domain.
- Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion)
- Added some utility methods to GRState for fetch svals from the store.
- Fixed regression in CheckNSError (we weren't getting the value bound to the parameter)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@57717 91177308-0d34-0410-b5e6-96231b3b80d8
This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on.
The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables.
There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized.
The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@57042 91177308-0d34-0410-b5e6-96231b3b80d8
- Drop {Decl.h,DeclObjC.h,IdentifierTable.h} from Expr.h
- Moved Sema::getCurMethodDecl() out of line (dependent on
ObjCMethodDecl via dyn_cast).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@54629 91177308-0d34-0410-b5e6-96231b3b80d8
current store implementation is now encapsulated by BasicStore.
These changes prompted some long due constification of ValueState. Much of the
diffs in this patch include adding "const" qualifiers.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@53423 91177308-0d34-0410-b5e6-96231b3b80d8
can decide the policy on how to cache related bugs. This allows us to
properly to handle warning about multiple leaks in the same location in the
ref count checker (not yet done).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@49918 91177308-0d34-0410-b5e6-96231b3b80d8
EmitPathWarning into one method. We now properly handle emitting warnings
without a PathDiagnosticClient when the warning does not involve a particular
statement.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@49884 91177308-0d34-0410-b5e6-96231b3b80d8
Bugs are now reported using a combination of "BugType" (previously
BugDescription) and Bug "BugReport" objects, which are fed to BugReporter (which
generates PathDiagnostics). This provides a far more modular way of registering
bug types and plugging in diagnostics.
GRExprEngine now owns its copy of GRCoreEngine, and is not owned by the
ExplodedGraph.
ExplodedGraph is no longer templated on the "checker", but instead on the state
contained in the nodes.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@49453 91177308-0d34-0410-b5e6-96231b3b80d8
because the analyzer isn't tracking expected types for an object, and [NSString alloc] just runs "id".
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@48917 91177308-0d34-0410-b5e6-96231b3b80d8
Added "AnnotatedPath" class to record an annotated path that will be useful for inspecting paths.
Added some boilerplate code for simple checks of Apple's Foundation API.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@48867 91177308-0d34-0410-b5e6-96231b3b80d8
Ted Kremenek
Chris Lattner
Zhongxing Xu
Daniel Dunbar
Steve Naroff
Nuno Lopes