Jordan Rose [Sat, 8 Sep 2012 01:24:53 +0000 (01:24 +0000)]
[analyzer] Remove constraints on dead symbols as part of removeDeadBindings.
Previously, we'd just keep constraints around forever, which means we'd
never be able to merge paths that differed only in constraints on dead
symbols.
Because we now allow constraints on symbolic expressions, not just single
symbols, this requires changing SymExpr::symbol_iterator to include
intermediate symbol nodes in its traversal, not just the SymbolData leaf
nodes.
Jordan Rose [Sat, 8 Sep 2012 01:24:38 +0000 (01:24 +0000)]
[analyzer] Cast the result of a placement new-expression to the correct type.
This is necessary because further analysis will assume that the SVal's
type matches the AST type. This caused a crash when trying to perform
a derived-to-base cast on a C++ object that had been new'd to be another
object type.
objective-C: introduce __attribute((objc_requires_super)) on method
in classes. Use it to flag those method implementations which don't
contain call to 'super' if they have 'super' class and it has the method
with this attribute set. This is wip. // rdar://6386358
John McCall [Fri, 7 Sep 2012 23:30:50 +0000 (23:30 +0000)]
In ARC, if we're emitting assembly markers for calls to
objc_retainAutoreleasedReturnValue, we need to also be killing
them during return peepholing. Make sure we recognize an
intervening bitcast, but more importantly, assert if we can't
find the asm marker at all. rdar://problem/12133032
Remove ProgramState::getSymVal(). It was being misused by Checkers,
with at least one subtle bug in MacOSXKeyChainAPIChecker where the
calling the method was a substitute for assuming a symbolic value
was null (which is not the case).
We still keep ConstraintManager::getSymVal(), but we use that as
an optimization in SValBuilder and ProgramState::getSVal() to
constant-fold SVals. This is only if the ConstraintManager can
provide us with that information, which is no longer a requirement.
As part of this, introduce a default implementation of
ConstraintManager::getSymVal() which returns null.
For Checkers, introduce ConstraintManager::isNull(), which queries
the state to see if the symbolic value is constrained to be a null
value. It does this without assuming it has been implicitly constant
folded.
Jordan Rose [Fri, 7 Sep 2012 19:48:09 +0000 (19:48 +0000)]
[analyzer] Use cast<> instead of getAs<> for a CFGElement known to be a CFGStmt.
When adding the next statement to the CoreEngine's work list, we take care
of all the special cases first. We certainly shouldn't be building
PostStmts with null statements (the diagnostics machinery assumes such
StmtPoints do not exist), and we should find out sooner if we're missing
a special case.
A refinement of r163402 that should help prevent further issues like PR13760.
Manuel Klimek [Fri, 7 Sep 2012 13:10:32 +0000 (13:10 +0000)]
Introduces anchors into LibASTMatchersReference.html.
This allows linking to LibASTMatchersRefernce.html#<matcher><N>Anchor to
link to the N'the declaration of a matcher and automatically expand
its documentation.
Daniel Jasper [Fri, 7 Sep 2012 12:48:17 +0000 (12:48 +0000)]
Change the behavior of the isDerivedFrom-matcher to not match on the
class itself. This caused some confusion (intuitively, a class is not
derived from itself) and makes it hard to write certain matchers, e.g.
"match and bind any pair of base and subclass".
The original behavior can be achieved with a new isA-matcher. Similar
to all other matchers, this matcher has the same behavior and name as
the corresponding AST-entity - in this case the isa<>() function.
Manuel Klimek [Fri, 7 Sep 2012 09:26:10 +0000 (09:26 +0000)]
Implements hasAncestor.
Implements the hasAncestor matcher. This builds
on the previous patch that introduced DynTypedNode to build up
a parent map for an additional degree of freedom in the AST traversal.
The map is only built once we hit an hasAncestor matcher, in order
to not slow down matching for cases where this is not needed.
We could implement some speed-ups for special cases, like building up
the parent map as we go and only building up the full map if we break
out of the already visited part of the tree, but that is probably
not going to be worth it, and would make the code significantly more
complex.
Major TODOs are:
- implement hasParent
- implement type traversal
- implement memoization in hasAncestor
Fix off-by-one bug in diagnostic prose of ObjCContainersASTChecker.
While the check itself should count 0-based for the parameter index,
the diagnostic should be 1-based (first, second, third, not start at 0).
ExplodedGraph::shouldCollectNode() should not collect nodes for non-Expr Stmts
(as this previously was the case before this was refactored). We also shouldn't
need to specially handle BinaryOperators since the eagerly-assume heuristic tags
such nodes.
Rework the retain-release.m test to use FileCheck and the "text" output
of the analyzer, as the RetainReleaseChecker has many fine-grain
path diagnostic events that were not being checked. This uncovered
an inconsistency between the path diagnostics between Objective-C
and Objective-C++ code in ConditionBRVisitor that was fixed in a recent
patch.
Fix bug in ConditionBRVisitor where for C++ (and not C) we were not ignoring
implicit pointer-to-boolean conversions in condition expressions. This would
result in inconsistent diagnostic emission between C and C++.
A consequence of this is now ConditionBRVisitor and TrackConstraintBRVisitor may
emit redundant diagnostics, for example:
"Assuming pointer value is null" (TrackConstraintBRVisitor)
"Assuming 'p' is null" (ConditionBRVisitor)
We need to reconcile the two, and perhaps prefer one over the other in some
cases.
Richard Smith [Fri, 7 Sep 2012 02:06:42 +0000 (02:06 +0000)]
PR9023: A template template parameter whose template parameter list contains an
unexpanded parameter pack is a pack expansion. Thus, as with a non-type template
parameter which is a pack expansion, it needs to be expanded early into a fixed
list of template parameters.
Since the expanded list of template parameters is not itself a parameter pack,
it is permitted to appear before the end of the template parameter list, so also
remove that restriction (for both template template parameter pack expansions and
non-type template parameter pack expansions).
Jordan Rose [Fri, 7 Sep 2012 01:19:42 +0000 (01:19 +0000)]
[analyzer] Fail gracefully when the dynamic type is outside the hierarchy.
With some particularly evil casts, we can get an object whose dynamic type
is not actually a subclass of its static type. In this case, we won't even
find the statically-resolved method as a devirtualization candidate.
Rather than assert that this situation cannot occur, we now simply check
that the dynamic type is not an ancestor or descendent of the static type,
and leave it at that.
This error actually occurred analyzing LLVM: CallEventManager uses a
BumpPtrAllocator to allocate a concrete subclass of CallEvent
(FunctionCall), but then casts it to the actual subclass requested
(such as ObjCMethodCall) to perform the constructor.
Jordan Rose [Thu, 6 Sep 2012 23:44:36 +0000 (23:44 +0000)]
[analyzer] Don't crash if we cache out while evaluating an ObjC message.
A bizarre series of coincidences led us to generate a previously-seen
node in the middle of processing an Objective-C message, where we assume
the receiver is non-nil. We were assuming that such an assumption would
never "cache out" like this, and blithely went on using a null ExplodedNode
as the predecessor for the next step in evaluation.
Although the test case committed here is complicated, this could in theory
happen in other ways as well, so the correct fix is just to test if the
non-nil assumption results in an ExplodedNode we've seen before.
Tweak DeadStoresChecker to not warn about dead stores to variables that
are used in EH code. Right now the CFG doesn't support exceptions well,
so we need this hack to avoid bogus dead store warnings.
Jordan Rose [Thu, 6 Sep 2012 20:37:08 +0000 (20:37 +0000)]
[analyzer] Don't attempt to devirtualize calls to base class destructors.
CXXDestructorCall now has a flag for when it is a base destructor call.
Other kinds of destructor calls (locals, fields, temporaries, and 'delete')
all behave as "whole-object" destructors and do not behave differently
from one another (specifically, in these cases we /should/ try to
devirtualize a call to a virtual destructor).
This was causing crashes in both our internal buildbot, the crash still
being tracked in PR13765, and some of the crashes being tracked in PR13763,
due to a assertion failure. (The behavior under -Asserts happened to be
correct anyway.)
Adding this knowledge also allows our DynamicTypePropagation checker to do
a bit less work; the special rules about virtual method calls during a
destructor only require extra handling during base destructors.
Chad Rosier [Thu, 6 Sep 2012 19:56:25 +0000 (19:56 +0000)]
[ms-inline asm] Output empty asm statements for the directives we don't
handle. Otherwise, the AsmParser will explode if we try to generate an
object files.
Chad Rosier [Thu, 6 Sep 2012 19:35:00 +0000 (19:35 +0000)]
[ms-inline asm] The IR representation of inline assembly enumerates the input
and output expressions much like that in GNU-style inline assembly. Output
expressions are first. Do this for MS-style inline asms.
Use custom ABIInfo for le32/PNaCl argument codegen
This patch uses a new ABIInfo implementation specific to the le32
target, rather than falling back to DefaultABIInfo. Its behavior is
basically the same, but it also allows the regparm argument attribute.
It also includes basic tests for argument codegen and attributes.
Enabling the UTF conversion routines that were previously conditionally ifdef'ed out. This change is required to support enhancements in the LLDB data formatters
Richard Smith [Thu, 6 Sep 2012 01:37:56 +0000 (01:37 +0000)]
PR13775: When checking for a tag type being shadowed by some other declaration,
don't trample over the caller's LookupResult in the case where the check fails.
Jordan Rose [Wed, 5 Sep 2012 22:56:26 +0000 (22:56 +0000)]
Format strings: suggest casts for NS(U)Integer and [SU]Int32 on Darwin.
These types are defined differently on 32-bit and 64-bit platforms, and
trying to offer a fixit for one platform would only mess up the format
string for the other. The Apple-recommended solution is to cast to a type
that is known to be large enough and always use that to print the value.
This should only have an impact on compile time if the format string is
incorrect; in cases where the format string matches the definition on the
current platform, no warning will be emitted.
Jordan Rose [Wed, 5 Sep 2012 22:55:23 +0000 (22:55 +0000)]
[analyzer] Always include destructors in the analysis CFG.
While destructors will continue to not be inlined (unless the analyzer
config option 'c++-inlining' is set to 'destructors'), leaving them out
of the CFG is an incomplete model of the behavior of an object, and
can cause false positive warnings (like PR13751, now working).
Destructors for temporaries are still not on by default, since
(a) we haven't actually checked this code to be sure it's fully correct
(in particular, we probably need to be very careful with regard to
lifetime-extension when a temporary is bound to a reference,
C++11 [class.temporary]p5), and
(b) ExprEngine doesn't actually do anything when it sees a temporary
destructor in the CFG -- not even invalidate the object region.
To enable temporary destructors, set the 'cfg-temporary-dtors' analyzer
config option to '1'. The old -cfg-add-implicit-dtors cc1 option, which
controlled all implicit destructors, has been removed.
[cindex.py] Make the use of a compatibilty check explicit
At the moment, we implictly check compatibility between the python
bindings and libclang, as the python bindings will fail to load in
case a method we use in libclang is not available.
This patch makes the use of this compatibility check explicit and introduces a
flag to optionally disable the check. This will allow us to further harden the
compatibility check, but it also gives the user the possibility to disable the
compatibility check to evaluate compatibility with older libclang versions.
I added documentation that makes clear the python bindings are only tested
with the libclang version they have been shipped with.
objective-c++11: c++11 does not change pod-ness when
type is an unqualified objc pointer in arc. Treat it just
as being treated in c++98. This fixes a bogus vararg warning
with -std=c++11. //rdar://12229679
c error recovery. treat an invalid redeclaration
of a c-function for what it is. Otherwise, this func
is treated as an overloadable c-function resulting in
a crash much later. // rdar://11743706
Jordan Rose [Wed, 5 Sep 2012 17:11:26 +0000 (17:11 +0000)]
[analyzer] Be more forgiving about calling methods on struct rvalues.
The problem is that the value of 'this' in a C++ member function call
should always be a region (or NULL). However, if the object is an rvalue,
it has no associated region (only a conjured symbol or LazyCompoundVal).
For now, we handle this in two ways:
1) Actually respect MaterializeTemporaryExpr. Before, it was relying on
CXXConstructExpr to create temporary regions for all struct values.
Now it just does the right thing: if the value is not in a temporary
region, create one.
2) Have CallEvent recognize the case where its 'this' pointer is a
non-region, and just return UnknownVal to keep from confusing clients.
The long-term problem is being tracked internally in <rdar://problem/12137950>,
but this makes many test cases pass.
Jordan Rose [Wed, 5 Sep 2012 17:11:15 +0000 (17:11 +0000)]
Revert "[analyzer] Treat all struct values as regions (even rvalues)."
This turned out to have many implications, but what eventually seemed to
make it unworkable was the fact that we can get struct values (as
LazyCompoundVals) from other places besides return-by-value function calls;
that is, we weren't actually able to "treat all struct values as regions"
consistently across the entire analyzer core.
Hopefully we'll be able to come up with an alternate solution soon.
Manuel Klimek [Wed, 5 Sep 2012 12:12:07 +0000 (12:12 +0000)]
Introduces DynTypedMatcher as a new concept that replaces the UntypedBaseMatcher and TypedMatcher.
Due to DynTypedNode the basic dynamically typed matcher interface can now be simplified.
Also switches the traversal interfaces to use DynTypedNode;
this is in preperation for the hasAncestor implementation, and
also allows us to need fewer changes when we want to add new
nodes to traverse, thus making the code a little more decoupled.
Main design concerns: I went back towards the original design
of getNodeAs to return a pointer, and switched DynTypedNode::get
to always return a pointer (in case of value types like QualType
the pointer points into the storage of DynTypedNode, thus allowing
us to treat all the nodes the same from the point of view of a
user of the DynTypedNodes.
Adding the QualType implementation for DynTypedNode was needed
for the recursive traversal interface changes.
Chad Rosier [Tue, 4 Sep 2012 22:23:54 +0000 (22:23 +0000)]
[ms-inline asm] Remove the Inline Asm Non-Standard Dialect attribute. This
implementation does not co-exist well with how the sideeffect and alignstack
attributes are handled.
Jordan Rose [Tue, 4 Sep 2012 19:34:58 +0000 (19:34 +0000)]
[analyzer] Don't use makeIntVal to create a floating-point value.
SimpleSValBuilder processes a couple trivial identities, including 'x - x'
and 'x ^ x' (both 0). However, the former could appear with arguments of
floating-point type, and we weren't checking for that. This started
triggering an assert with r163069, which checks that a constant value is
actually going to be used as an integer or pointer.
Chad Rosier [Tue, 4 Sep 2012 16:39:38 +0000 (16:39 +0000)]
[ms-inline asm] The MCInstrDesc only tracks register definitions. For now,
assume that if the 1st operands is an expression and the instruction mayStore,
then it is a memory definition.
projects / clang / log