llvm-svn: 95534

llvm-svn: 95531

llvm-svn: 95360

(1) libAnalysis is a generic analysis library that can be used by
    Sema.  It defines the CFG, basic dataflow analysis primitives, and
    inexpensive flow-sensitive analyses (e.g. LiveVariables).

(2) libChecker contains the guts of the static analyzer, incuding the
    path-sensitive analysis engine and domain-specific checks.

Now any clients that want to use the frontend to build their own tools
don't need to link in the entire static analyzer.

This change exposes various obvious cleanups that can be made to the
layout of files and headers in libChecker.  More changes pending.  :)

This change also exposed a layering violation between AnalysisContext
and MemRegion.  BlockInvocationContext shouldn't explicitly know about
BlockDataRegions.  For now I've removed the BlockDataRegion* from
BlockInvocationContext (removing context-sensitivity; although this
wasn't used yet).  We need to have a better way to extend
BlockInvocationContext (and any LocationContext) to add
context-sensitivty.

llvm-svn: 94406

"ASTContext::getTypeSize() / 8". Replace [u]int64_t variables with CharUnits
ones as appropriate. 

Also rename RawType, fromRaw(), and getRaw() in CharUnits to QuantityType, 
fromQuantity(), and getQuantity() for clarity.

llvm-svn: 93153

value bindings.  Along with a small change to OSAtomicChecker, this
resolves <rdar://problem/7527292> and resolves some long-standing
issues with how values can be bound to the same physical address by
not have the same "key".  This change is only a beginning; logically
RegionStore needs to better handle loads from addresses where the
stored value is larger/smaller/different type than the loaded value.
We handle these cases in an approximate fashion now (via
CastRetrievedVal and help in SimpleSValuator), but it could be made
much smarter.

llvm-svn: 93137

Make static analysis support for C++ 'this' expression context-sensitive.  Essentially treat 'this' as a implicit parameter to the method call, and associate a region with it.

llvm-svn: 92675

llvm-svn: 91572

attribute: the object type. 
Add initial support for visiting CXXThisExpr.
Fix a bunch of 80-col violations.

llvm-svn: 91535

This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.

The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements.  Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue.  DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.

The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.

In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents.  EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).

Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).

Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references.  This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.

llvm-svn: 91501

Enhance understanding of VarRegions referenced by a block whose declarations are outside the current stack frame.  Fixes <rdar://problem/7462324>.

llvm-svn: 91107

instead of the ElementRegion obtained from casts.

Test cast: the leak cannot occur bacause the true branch cannot be taken.

llvm-svn: 90964

- Refactor the MemRegion hierarchy to distinguish between different StackSpaceRegions for locals and parameters.
- VarRegions for "captured" variables now have the BlockDataRegion as their super region (except those passed by reference)
- Add transfer function support to GRExprEngine for BlockDeclRefExprs.

This change also supports analyzing blocks as an analysis entry point
(top-of-the-stack), which required pushing more context-sensitivity
around in the MemRegion hierarchy via the use of LocationContext
objects.  Functionally almost everything is the same, except we track
LocationContexts in a few more areas and StackSpaceRegions now refer
to a StackFrameContext object.  In the future we will need to modify
MemRegionManager to allow multiple StackSpaceRegions in flight at once
(for the analysis of multiple stack frames).

llvm-svn: 90809

Add batch version of 'StoreManager::InvalidateRegion()' for invalidating multiple regions as once.  After adopting this in the CFRefCount::EvalCall(), we see a reduction in analysis time of 1.5% when analyzing all of SQLite3.

llvm-svn: 90405

llvm-svn: 89903

Split CodeTextRegion into FunctionTextRegion and BlockTextRegion.  This a precursor to having basic static analysis support for blocks.

llvm-svn: 89828

llvm-svn: 89375

llvm-svn: 89373

sugared types. The basic problem is that our qualifier accessors
(getQualifiers, getCVRQualifiers, isConstQualified, etc.) only look at
the current QualType and not at any qualifiers that come from sugared
types, meaning that we won't see these qualifiers through, e.g.,
typedefs:

  typedef const int CInt;
  typedef CInt Self;

Self.isConstQualified() currently returns false!

Various bugs (e.g., PR5383) have cropped up all over the front end due
to such problems. I'm addressing this problem by splitting each
qualifier accessor into two versions: 

  - the "local" version only returns qualifiers on this particular
    QualType instance
  - the "normal" version that will eventually combine qualifiers from this
    QualType instance with the qualifiers on the canonical type to
    produce the full set of qualifiers.

This commit adds the local versions and switches a few callers from
the "normal" version (e.g., isConstQualified) over to the "local"
version (e.g., isLocalConstQualified) when that is the right thing to
do, e.g., because we're printing or serializing the qualifiers. Also,
switch a bunch of
  
  Context.getCanonicalType(T1).getUnqualifiedType() == Context.getCanonicalType(T2).getQualifiedType()

expressions over to 

  Context.hasSameUnqualifiedType(T1, T2)

llvm-svn: 88969

* Add a load type to GRExprEngine::EvalLoad().
* When retrieve from 'theValue' of OSAtomic funcitions, use the type of the 
  region instead of the argument expression as the load type.
* Then we can convert CastRetrievedSVal to a pure assertion. In the future
  we can let all Retrieve() methods simply return SVal.

llvm-svn: 88888

getBaseRegion will be used in another method.

llvm-svn: 86649

llvm-svn: 84081

llvm-svn: 81346

pointers.  Most logic cares first about whether or not a region is
symbolic, and second if represents code.  This should fix a series of
silent corner case bugs (as well as simplify a bunch of code).

llvm-svn: 80335

implicit cast logic in RegionStoreManager to BasicStoreManager. This involved
moving CastRetriedVal from RegionStoreManager to StoreManager.

llvm-svn: 80026

'void*' (or 'const void*') as an identity transformation.

llvm-svn: 77860

made to RegionStore (and related classes) in order to handle some
analyzer failures involving casts and manipulation of symbolic memory.

The root of the change is in StoreManager::CastRegion().  Instead of
using ad hoc heuristics to decide when to layer an ElementRegion on a
casted MemRegion, we now always layer an ElementRegion when the cast
type is different than the original type of the region.  This carries
the current cast information associated with a region around without
resorting to the error prone recording of "casted types" in GRState.

Along with this new policy of layering ElementRegions, I added a new
algorithm to strip away existing ElementRegions when they simply
represented casts of a base memory object.  This algorithm computes
the raw "byte offset" that an ElementRegion represents from the base
region, and allows the new ElementRegion to be based off that offset.
The added benefit is that this naturally handles a series of casts of
a MemRegion without building up a set of redundant ElementRegions
(thus canonicalizing the region view).

Other related changes that cascaded from this one (as tests were
failing in RegionStore):

- Revamped RegionStoreManager::InvalidateRegion() to completely remove
  all bindings and default values from a region and all subregions.
  Now invalidated fields are not bound directly to new symbolic
  values; instead the base region has a "default" symbol value from
  which "derived symbols" can be created.  The main advantage of this
  approach is that it allows us to invalidate a region hierarchy and
  then lazily instantiate new values no matter how deep the hierarchy
  went (i.e., regardless of the number of field accesses,
  e.g. x->f->y->z->...).  The previous approach did not do this.

- Slightly reworked RegionStoreManager::RemoveDeadBindings() to also
  incorporate live symbols and live regions that do not have direct
  bindings but also have "default values" used for lazy instantiation.
  The changes to 'InvalidateRegion' revealed that these were necessary
  in order to achieve lazy instantiation of values in the region store
  with those bindings being removed too early.

- The changes to InvalidateRegion() and RemoveDeadBindings() revealed
  a serious bug in 'getSubRegionMap()' where not all region -> subregion
  relationships involved in actually bindings (explicit and implicit)
  were being recorded.  This has been fixed by using a worklist algorithm
  to iteratively fill in the region map.

- Added special support to RegionStoreManager::Bind()/Retrieve() to handle
  OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the
  layering of ElementRegions.

- Fixed a bug in SymbolReaper::isLive() where derived symbols were not
  being marked live if the symbol they were derived from was also live.
  This fix was critical for getting lazy instantiation in RegionStore
  to work.

- Tidied up the implementation of ValueManager::getXXXSymbolVal() methods
  to use SymbolManager::canSymbolicate() to decide whether or not a
  symbol should be symbolicated.

- 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been
  moved to 'test/Analysis/misc-ps.m'.

- Tweaked some pretty-printing of MemRegions, and implemented
  'ElementRegion::getRawOffset()' for use with the CastRegion changes.

llvm-svn: 77782

  Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
  Type::getAsRecordType() -> Type::getAs<RecordType>()
  Type::getAsPointerType() -> Type::getAs<PointerType>()
  Type::getAsBlockPointerType() -> Type::getAs<BlockPointerType>()
  Type::getAsLValueReferenceType() -> Type::getAs<LValueReferenceType>()
  Type::getAsRValueReferenceType() -> Type::getAs<RValueReferenceType>()
  Type::getAsMemberPointerType() -> Type::getAs<MemberPointerType>()
  Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
  Type::getAsTagType() -> Type::getAs<TagType>()
  
And remove Type::getAsReferenceType(), etc.

This change is similar to one I made a couple weeks ago, but that was partly
reverted pending some additional design discussion. With Doug's pending smart
pointer changes for Types, it seemed natural to take this approach.

llvm-svn: 77510

OldCastRegion used), and the associated command line option
'-analyzer-store=old-basic-cast'.

llvm-svn: 77509

in StoreManager to RegionStoreManager, and create a special, highly reduced
version in BasicStoreManager.

These changes are in preparation for future RegionStore-specific changes to
InvalidateRegion.

llvm-svn: 77483

'cast type' of a region to invalidate its binding.  This only occurs
when using RegionStoreManager, as it records the cast type.  I'm
currently considering removing the notion of a cast type (see
comments in code).

llvm-svn: 76719

Fix crash in StoreManager::NewCastRegion() when handling casts from 'id' (or whatever) to a BlockPointerType.

llvm-svn: 76288

until Doug Gregor's Type smart pointer code lands (or more discussion occurs).
These methods just call the new Type::getAs<XXX> methods, so we still have
reduced implementation redundancy. Having explicit getAsXXXType() methods makes
it easier to set breakpoints in the debugger.

llvm-svn: 76193

Replaced Type::getAsLValueReferenceType(), Type::getAsRValueReferenceType(), Type::getAsMemberPointerType(), Type::getAsTagType(), and Type::getAsRecordType() with their Type::getAs<XXX> equivalents.

llvm-svn: 76139

This method is intended to eventually replace the individual
Type::getAsXXXType<> methods.

The motivation behind this change is twofold:

1) Reduce redundant implementations of Type::getAsXXXType() methods. Most of
them are basically copy-and-paste.

2) By centralizing the implementation of the getAs<Type> logic we can more
smoothly move over to Doug Gregor's proposed canonical type smart pointer
scheme.

Along with this patch:

a) Removed 'Type::getAsPointerType()'; now clients use getAs<PointerType>.
b) Removed 'Type::getAsBlockPointerTypE()'; now clients use getAs<BlockPointerType>.

llvm-svn: 76098

Convert all clients to use the new predicate on Type.

llvm-svn: 76076

llvm-svn: 75750

More test cases revealed that the logic in StoreManager::InvalidateRegion() needs more finesse when handling the invalidation of pointers.  Pointers that were invalidated as integers could later cause problems for clients using them as pointers.  It is easier for us to model a symbolic value as a pointer rather than modeling a non-symbolic value as a pointer.

This patch causes:
- StoreManager::InvalidateRegion() to not used the casted type of a region if
  it would cause a pointer type to be invalidated as a non-pointer type.
- Pushes RegionStore::RetrieveElement() further by handling retrievals from
  symbolic arrays that have been invalidated.  This uses the new SymbolDerived
  construct that was recently introduced.
  
The result is that the failing test in misc-ps-region-store-x86_64.m now passes.
Both misc-ps-region-store-x86_64.m and misc-ps-region-store-i386.m contain a
test case that motivated this change.

llvm-svn: 75730

llvm-svn: 75713

invalidate the region correctly. It uses the cast-to type to invalidate 
the region when available. To avoid invalid cast-to type like 'void*' or 'id',
region store now only records non-generic casts of regions.

llvm-svn: 75580