Static Analyzer: Replace LiveSymbols/DeadSymbols sets with a new object called "SymbolReaper".  Right now it just consolidates the two and cleans up some client code, but shortly it will be used to enable "lazy computation" of live symbols for use with RegionStore.

llvm-svn: 62722

that every declaration lives inside a DeclContext.

Moved several things that don't have names but were ScopedDecls (and,
therefore, NamedDecls) to inherit from Decl rather than NamedDecl,
including ObjCImplementationDecl and LinkageSpecDecl. Now, we don't
store empty DeclarationNames for these things, nor do we try to insert
them into DeclContext's lookup structure.

The serialization tests are temporarily disabled. We'll re-enable them
once we've sorted out the remaining ownership/serialiazation issues
between DeclContexts and TranslationUnion, DeclGroups, etc.

llvm-svn: 62562

Fix analyzer crash found when scanning Wine sources where the analyzer used old logic to determine the value of a switch 'case' label.

llvm-svn: 62395

llvm-svn: 62130

information for declarations that were referenced via a qualified-id,
e.g., N::C::value. We keep track of the location of the start of the
nested-name-specifier. Note that the difference between
QualifiedDeclRefExpr and DeclRefExpr does have an effect on the
semantics of function calls in two ways:
  1) The use of a qualified-id instead of an unqualified-id suppresses
     argument-dependent lookup
  2) If the name refers to a virtual function, the qualified-id
  version will call the function determined statically while the
  unqualified-id version will call the function determined dynamically
  (by looking up the appropriate function in the vtable).

Neither of these features is implemented yet, but we do print out
qualified names for QualifiedDeclRefExprs as part of the AST printing.

llvm-svn: 61789

llvm-svn: 61333

us to measure the effect of this optimization.

llvm-svn: 61319

which can refer to static data members, enumerators, and member
functions as well as to non-static data members.

Implement correct lvalue computation for member references in C++. 
Compute the result type of non-static data members of reference type properly.

llvm-svn: 61294

* Now Bind() methods take and return GRState* because binding could
  also alter GDM.
* No variables are initialized except those declared with initial
  values.
* failed C test cases are due to bugs in RemoveDeadBindings(),
which removes constraints that is still alive. This will be fixed in later
patch.
* default value of array and struct regions will be implemented in later patch.

llvm-svn: 61274

- Added four new ProgramPoint types that subclass PostStmt for use in
  GRExprEngine::EvalLocation:
  - PostOutOfBoundsCheckFailed
  - PostUndefLocationCheckFailed
  - PostNullCheckFailed
  - PostLocationChecksSucceed
  These were created because of a horribly subtle caching bug in EvalLocation
  where a node representing an "bug condition" in EvalLocation (e.g. a null
  dereference) could be re-used as the "non-bug condition" because the Store did
  not contain any information to differentiate between the two. The extra
  program points just disables any accidental caching between EvalLocation and
  its callers.

GRExprEngine:
- EvalLocation now returns a NodeTy* instead of GRState*.  This should be used as the "vetted" predecessor for EvalLoad/EvalStore.

llvm-svn: 61105

llvm-svn: 61039

- Overhauled the notion of "types" for TypedRegions.  We now distinguish between the "lvalue" of a region (via getLValueRegion()) and the "rvalue" of a region (va getRValueRegion()).  Since a region represents a chunk of memory it has both, but we were conflating these concepts in some cases, leading to some insidious bugs.
- Removed AnonPointeeType, partially because it is unused and because it doesn't have a clear notion of lvalue vs rvalue type.  We can add it back once there is a need for it and we can resolve its role with these concepts.

StoreManager:
- Overhauled StoreManager::CastRegion.  It expects an *lvalue* type for a region.  This is actually what motivated the overhaul to the MemRegion type mechanism.  It also no longer returns an SVal; we can just return a MemRegion*.
- BasicStoreManager::CastRegion now overlays an "AnonTypedRegion" for pointer-pointer casts.  This matches with the MemRegion changes.
- Similar changes to RegionStore, except I've added a bunch of FIXMEs where it wasn't 100% clear where we should use TypedRegion::getRValueRegion() or TypedRegion::getLValueRegion().

AuditCFNumberCreate check:
- Now blasts through AnonTypedRegions that may layer the original memory region, thus checking if the actually memory block is of the appropriate type.  This change was needed to work with the changes to StoreManager::CastRegion.

GRExprEngine::VisitCast:
- Conform to the new interface of StoreManager::CastRegion.

Tests:
- None of the analysis tests fail now for using the "basic store".
- Disabled the tests 'array-struct.c' and 'rdar-6442306-1.m' pending further testing and bug fixing.

llvm-svn: 60995

GRExprEngine (VisitCast):
- When using StoreManager::CastRegion, always use the state and value it returns to generate the next node.  Failure to do so means that region values returned that don't require the state to be modified will get ignored.

MemRegion:
- Tighten the interface for ElementRegion.  Now ElementRegion can only be created with a super region that is a 'TypedRegion' instead of any MemRegion.  Code in BasicStoreManager/RegionStoreManager already assumed this, but it would result in a dynamic assertion check (and crash) rather than just having the compiler forbid the construction of such regions.
- Added ElementRegion::getArrayRegion() to return the 'typed version' of an ElementRegion's super region.
- Removed bogus assertion in ElementRegion::getType() that assumed that the super region was an AnonTypedRegion.  All that matters is that it is a TypedRegion, which is now true all the time by design.

BasicStore:
- Modified getLValueElement() to check if the 'array' region is a TypedRegion before creating an ElementRegion.  This conforms to the updated interface for ElementRegion.

RegionStore:
- In ArrayToPointer() gracefully handle things we don't reason about, and only create an ElementRegion if the array region is indeed a TypedRegion.

llvm-svn: 60990

In GRExprEngine treat @throw as an 'abort' that ends the current path.  This is a temporary solution.

llvm-svn: 60789

llvm-svn: 60734

llvm-svn: 60726

llvm-svn: 60622

Rename SymbolID to SymbolRef.  This is a precursor to some overhauling of the representation of symbolic values.

llvm-svn: 60575

This fixes PR3127
http://llvm.org/bugs/show_bug.cgi?id=3127

llvm-svn: 60280

llvm-svn: 60206

 - Creator function pointers are saved in ManagerRegistry.
 - The Register* class is used to notify ManagerRegistry new module is 
   available.
 - AnalysisManager queries ManagerRegistry for configurable module. Then it
   passes them to GRExprEngine, in turn to GRStateManager.

llvm-svn: 60143

llvm-svn: 59973

One design problem that is emerging is the signed-ness problem during static
analysis. Many unsigned value have to be converted into signed value because
it partipates in operations with signed values. 

On the other hand, we cannot blindly make all values occuring in static analysis
signed, because we do have cases where unsignedness is required, for example,
integer overflow detection.

llvm-svn: 59957

llvm-svn: 59951

llvm-svn: 59903

ConcreteInt index for now.

llvm-svn: 59869

- Add check for returning an undefined value to a caller.

llvm-svn: 59764

environment.

llvm-svn: 59407

 - RegionView and RegionViewMap is introduced to assist back-mapping from
   super region to subregions.
 - GDM is used to carry RegionView information.
 - AnonTypedRegion is added to represent a typed region introduced by pointer
   casting. Later AnonTypedRegion can be used in other similar cases, e.g.,
   malloc()'ed region.
 - The specific conversion is delegated to store manager.

llvm-svn: 59382

llvm-svn: 59354

Reverted part of r59335: http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20081110/009243.html
In that patch I added a bogus type promotion for unary '!'.

The real bug was more fallout from edges cases with compound assignments and conjured symbolic values.  Now the conjured value has the type of the LHS expression, and we do a promotion to the computation type.  We also now correctly do a conversion from the computation type back to the LHS type.

llvm-svn: 59349

llvm-svn: 59348

llvm-svn: 59343

Implement FIXME in GRExprEngine::VisitUnaryOperator() to handle implicit conversions caused by the '!' operator.  This required adding some logic to GRSimpleVals to reason about nonloc::LocAsInteger SVals.  This code appears to work fine, but it should eventually be cleaned up.

llvm-svn: 59335

Second attempt at implementation transfer function support for ObjCForCollectionStmt.  We now assume that the 'element' expression can be any lvalue.

llvm-svn: 59313

function call created in response to the use of operator syntax that
resolves to an overloaded operator in C++, e.g., "str1 +
str2" that resolves to std::operator+(str1, str2)". We now build a
CXXOperatorCallExpr in C++ when we pick an overloaded operator. (But
only for binary operators, where we actually implement overloading)

I decided *not* to refactor the current CallExpr to make it abstract
(with FunctionCallExpr and CXXOperatorCallExpr as derived
classes). Doing so would allow us to make CXXOperatorCallExpr a little
bit smaller, at the cost of making the argument and callee accessors
virtual. We won't know if this is going to be a win until we can parse
lots of C++ code to determine how much memory we'll save by making
this change vs. the performance penalty due to the extra virtual
calls.

llvm-svn: 59306

llvm-svn: 59294

- Temporarily disabled test Analysis/array-struct.c for region store.

llvm-svn: 59245

This is required by some operations, e.g., *p = 1; p[0] = 1;.
Also set the AllocaRegion's type during the cast.

llvm-svn: 59232

GRExprEngine/CFRefCount/GRSimpleVals: We don't do any special handling (yet) of vector types.  Add explicit checks that when we process integers that they really are scalars.

llvm-svn: 59225