- Feb 22, 2012
-
-
Anna Zaks authored
  - We should not evaluate strdup in the Malloc Checker, it's the job of CString checker, so just update the RefState to reflect allocated memory.
  - Refactor to reduce LOC: remove some wrapper auxiliary functions, make all functions return the state and add the transition in one place (instead of in each auxiliary function).
llvm-svn: 151188
-
Anna Zaks authored
llvm-svn: 151124
-
Anna Zaks authored
, when we return a symbol reachable to the malloced one via pointer arithmetic. llvm-svn: 151121
-
Anna Zaks authored
llvm-svn: 151120
-
- Feb 21, 2012
-
-
Anna Zaks authored
llvm-svn: 151007
-
- Feb 20, 2012
-
-
Anna Zaks authored
tests. llvm-svn: 150993
-
Anna Zaks authored
checks:
  - unix.Malloc - Checks for memory leaks, double free, use-after-free.
  - unix.cstring.NullArg - Checks for null pointers passed as arguments to CString functions + evaluates CString functions.
  - unix.cstring.BadSizeArg - Checks for common anti-patterns in strncat size argument.
llvm-svn: 150988
-
- Feb 18, 2012
-
-
-
Ted Kremenek authored
Adopt ExprEngine and checkers to ObjC property refactoring. Everything was working, but now diagnostics are aware of message expressions implied by uses of properties. Fixes <rdar://problem/9241180>. llvm-svn: 150888
-
Ted Kremenek authored
Have conjured symbols depend on LocationContext, to add context sensitivity for functions called more than once. llvm-svn: 150849
-
- Feb 17, 2012
-
-
Anna Zaks authored
it aware of CString APIs that return the input parameter. Malloc Checker needs to know how the 'strcpy' function is evaluated. Introduce the dependency on CStringChecker for that. CStringChecker knows all about these APIs. Addresses radar://10864450 llvm-svn: 150846
-
Anna Zaks authored
(Ex: It was not treating __inline_strcpy as strcpy. Will add tests that rely on this later on.) llvm-svn: 150845
-
- Feb 16, 2012
-
-
Anna Zaks authored
  - Rename the category "Logic Error" -> "Memory Error".
  - Shorten all the messages.
llvm-svn: 150733
-
Anna Zaks authored
of failing realloc. + Minor cleanups. llvm-svn: 150732
-
Anna Zaks authored
We are not properly handling the memory regions that escape into struct fields, which led to a bunch of false positives. Be conservative here and give up when a pointer escapes into a struct. llvm-svn: 150658
-
- Feb 15, 2012
- Feb 14, 2012
-
-
Anna Zaks authored
(In response to Ted's review of r150112.) This moves the logic which checked if a symbol escapes through a parameter to invalidateRegionCallback (instead of post CallExpr visit.) To accommodate the change, added a CallOrObjCMessage parameter to checkRegionChanges callback. llvm-svn: 150513
-
Anna Zaks authored
in realloc map. If there is no dependency, the reallocated ptr will get garbage collected before we know that realloc failed, which would lead us to missing a memory leak warning. Also added new test cases, which we can handle now. Plus minor cleanups. llvm-svn: 150446
-
- Feb 13, 2012
-
-
Anna Zaks authored
case when size is 0. llvm-svn: 150412
-
Anna Zaks authored
1) Support the case when realloc fails to reduce False Positives. (We essentially need to restore the state of the pointer being reallocated.)
2) Realloc behaves differently under special conditions (from pointer is null, size is 0). When detecting these cases, we should consider under-constrained states (size might or might not be 0).
The old version handled this in a very hacky way. The code did not differentiate between definite and possible (no consideration for under-constrained states). Further, after processing each special case, the realloc processing function did not return but chained to the next special case processing. So you could end up in an execution in which you first see the states in which size is 0 and realloc ~ free(), followed by the states corresponding to size is not 0 followed by the evaluation of the regular realloc behavior.
llvm-svn: 150402
-
- Feb 12, 2012
-
-
Anna Zaks authored
a pointer cannot escape through calls to system functions. Also, stop after reporting the first use-after-free. llvm-svn: 150315
-
- Feb 11, 2012
-
-
Anna Zaks authored
memory. (As per one test case, the existing checker thought that this could cause a lot of false positives - not sure if that's valid, to be verified.) llvm-svn: 150313
-
Anna Zaks authored
Resolves a common false positive, where we were reporting a leak inside asserts llvm-svn: 150312
-
Anna Zaks authored
We use the same logic here as the RetainRelease checker. llvm-svn: 150311
-
Ryan Govostes authored
llvm-svn: 150306
-
- Feb 10, 2012
-
-
Anna Zaks authored
(use of return instead of continue), wording. llvm-svn: 150215
-
- Feb 09, 2012
-
-
Benjamin Kramer authored
llvm-svn: 150172
-
Anna Zaks authored
llvm-svn: 150158
-
Anna Zaks authored
Very simple so far - we just highlight every allocation and release site. llvm-svn: 150156
-
Anna Zaks authored
llvm-svn: 150155
-
Anna Zaks authored
which allows values to escape through unknown calls. Assumes all calls but the malloc family are unknown. Also, catch a use-after-free when a pointer is passed to a function after a call to free (previously, you had to explicitly dereference the pointer value). llvm-svn: 150112
-
Anna Zaks authored
optimistic. TODO: actually implement the pessimistic version of the checker. Ex: it needs to assume that any function that takes a pointer might free it. The optimistic version relies on annotations to tell us which functions can free the pointer. llvm-svn: 150111
-
- Feb 08, 2012
-
-
Anna Zaks authored
post visit of CallExpr. In general, we should avoid using evalCall as it leads to interference with other checkers. llvm-svn: 150086
-
- Feb 07, 2012
-
-
Benjamin Kramer authored
Revert my patches which removed Diagnostic.h includes by moving some operator overloads out of line. This seems to negatively affect compile time on some ObjC tests (which use a lot of partial diagnostics I assume). I have to come up with a way to keep them inline without including Diagnostic.h everywhere. Now adding a new diagnostic requires a full rebuild of e.g. the static analyzer which doesn't even use those diagnostics. This reverts commit 6496bd10dc3a6d5e3266348f08b6e35f8184bc99. This reverts commit 7af19b817ba964ac560b50c1ed6183235f699789. This reverts commit fdd15602a42bbe26185978ef1e17019f6d969aa7. This reverts commit 00bd44d5677783527d7517c1ffe45e4d75a0f56f. This reverts commit ef9b60ffed980864a8db26ad30344be429e58ff5. llvm-svn: 150006
-
Benjamin Kramer authored
llvm-svn: 149982
-
Benjamin Kramer authored
llvm-svn: 149981
-
Anna Zaks authored
separately. llvm-svn: 149947
-
Ted Kremenek authored
llvm-svn: 149939
-