Improve diagnostics in ReturnStackAddressChecker for returning a stack-allocated block.  Implements the rest of <rdar://problem/7387385>.

llvm-svn: 89940

the set of variables "captured" by a block.  Until the analysis gets
more sophisticated, for now we stop the retain count tracking of any
objects (transitively) referenced by these variables.

llvm-svn: 89929

Teach RegionStoreManager::RemoveDeadBindings() about BlockDataRegions.  Any VarRegion for a "captured" variable should also be considered live.

llvm-svn: 89928

Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block.

llvm-svn: 89927

Added batch versions of GRState::scanReachableSymbols() so that clients can scan a collection of SVals or MemRegions all at once.

llvm-svn: 89926

Enhance LiveVariables to understand that blocks can extend the liveness of a variable by "capturing" them in a BlockExpr.

This required two changes:

1) Added 'getReferencedgetReferencedBlockVars()' to AnalysisContext so
that clients can iterate over the "captured" variables in a block.

2) Modified LiveVariables to take an AnalysisContext& in its
constructor and to call getReferencedgetReferencedBlockVars() when it
processes a BlockExpr*.

llvm-svn: 89924

llvm-svn: 89903

'BlockDataRegion' to distinguish between the code associated with a
block (which is represented by 'BlockTextRegion') and an instance of a
block, which includes both code and data.  'BlockDataRegion' has an
associated LocationContext, which can be used to eventually model the
lifetime of a block object once LocationContexts can represent scopes
(and iterations around a loop, etc.).

llvm-svn: 89900

llvm-svn: 89897

llvm-svn: 89892

llvm-svn: 89890

Add a new RetainReleaseChecker class (that subclasses CheckerVisitor) to extend the functionality of the retain/release checker using the new Checker interface.  Pieces of CFRefCount will gradually be migrated to this new class over time.

llvm-svn: 89889

llvm-svn: 89888

Make RegisterInternalChecks() part of GRExprEngine's private implementation by making it a static function within GRExprEngine.cpp.

llvm-svn: 89884

Register internal checks with GRExprEngine when it is constructed, not manually in AnalysisConsumer.cpp.

llvm-svn: 89883

only stop processing the checkers after all the nodes for a current
check have been processed.  This (I believe) handles the case where
PredSet (the input nodes) contains more than one node due to state
bifurcation.  Zhongxing: can you review this?

llvm-svn: 89882

Add really basic support for blocks in the retain/release checker.  For now, anytime we pass a tracked object to a block call we stop tracking it.

llvm-svn: 89831

llvm-svn: 89830

llvm-svn: 89829

Split CodeTextRegion into FunctionTextRegion and BlockTextRegion.  This a precursor to having basic static analysis support for blocks.

llvm-svn: 89828

For the nil-receiver checker, take into account the behavioral changes that got introduced in Mac OS X 10.5 and later, notably return values of double, float, etc., will not be garbage.  Fixes <rdar://problem/6829160>.

llvm-svn: 89809

initial transition of the nil-receiver checker to the Checker
interface as done in r89745.  Some important changes include:

1) We consolidate the BugType object used for nil receiver bug
reports, and don't include the type of the returned value in the
BugType (which would be wrong if a nil receiver bug was reported more
than once)

2) Added a new (temporary) flag to CheckerContext: DoneEvauating.
This is used by GRExprEngine when evaluating message expressions to
not continue evaluating the message expression if this flag is set.
This flag is currently set by the nil receiver checker.  This is an
intermediate solution to allow the nil-receiver checker to properly
work as a plug-in outside of GRExprEngine.  Basically, this flag
indicates that the entire message expression has been evaluated, not
just a precondition (which is what the nil-receiver checker does).
This flag *should not* be repurposed for general use, but just to pull
more things out of GRExprEngine that already in there as we devise a
better interface in the Checker class.

3) Cleaned up the logic in the nil-receiver checker, making the
control-flow a lot easier to read.

llvm-svn: 89804

llvm-svn: 89751

llvm-svn: 89750

CallAndMessageChecker.

llvm-svn: 89745

llvm-svn: 89735

llvm-svn: 89734

Enhance null dereference diagnostics by indicating what variable (if any) was dereferenced.  Addresses <rdar://problem/7039161>.

llvm-svn: 89726

After performing a bounds check in ArrayBoundChecker, record the fact that a bounds check succeeded by transitioning the ExplodedGraph.

llvm-svn: 89712

along the way.  Important changes:

1) To generate a sink node, use GenerateSink(); GenerateNode() is for
generating regular transitions.  This makes the API clearer and also
allows us to use the 'bool' option to GenerateNode() for a different
purpose.

2) GenerateNode() now automatically adds the generated node to the
destination ExplodedNodeSet (autotransition) unless the client
specifies otherwise with a bool flag.  Several checkers did not call
'addTransition()' after calling 'GenerateNode()', causing the
simulation path to be prematurely culled when a non-fail stop bug was
encountered.

3) Add variants of GenerateNode()/GenerateSink() that take neither a
Stmt* or a GRState*; most callers of GenerateNode() just pass in the
same Stmt* as provided when the CheckerContext object is created; we
can just use that the majority of the time.  This cleanup also allows
us to potentially coelesce the APIs for evaluating branches and
end-of-paths (which currently directly use builders).

4) addTransition() no longer needs to be called except for a few
cases.  We now have a variant of addTransition() that takes a
GRState*; this allows one to propagate the updated state without
caring about generating a new node explicitly.  This nicely cleaned up
a bunch of cases that called autoTransition() with a bunch of
conditional logic surround the call (that common logic has now been
swallowed up by addTransition() itself).

llvm-svn: 89707

llvm-svn: 89688

Tweak UndefBranchChecker to register the most nested "undefined" expression with bugreporter::registerTrackNullOrUndefValue instead of the condition itself.

llvm-svn: 89682

llvm-svn: 89679

llvm-svn: 89650

llvm-svn: 89643

in the checker directly. But I don't have a better approach for now.

llvm-svn: 89640

Change CheckDeadStores to use Expr::isNullPointerConstant, which will correctly determine whether an expression is a null pointer constant.

Patch by Kovarththanan Rajaratnam!

llvm-svn: 89621

Undefined compound assignment result is checked in UndefinedAssignmentChecker. So this check is redundant.

llvm-svn: 89592

llvm-svn: 89591

llvm-svn: 89590