- Feb 23, 2012
Anna Zaks authored
(Very similar to the previous change in malloc.) llvm-svn: 151297
-
Anna Zaks authored
When we find two leak reports with the same allocation site, report only one of them. Provide a helper method to BugReporter to facilitate this. llvm-svn: 151287
-
Anna Zaks authored
Make this call an exception in ExprEngine::invalidateArguments: 'int pthread_setspecific(pthread_key k, const void *)' stores a value into thread local storage. The value can later be retrieved with 'void *pthread_getspecific(pthread_key)'. So even though the parameter is 'const void *', the region escapes through the call. (Here we just blacklist the call in the ExprEngine's default logic. Another option would be to add a checker which evaluates the call and triggers the call to invalidate regions.) Teach the Malloc Checker, which treats all system calls as safe, about the API. llvm-svn: 151220
-
- Feb 22, 2012
Anna Zaks authored
- We should not evaluate strdup in the Malloc Checker, it's the job of CString checker, so just update the RefState to reflect allocated memory. - Refactor to reduce LOC: remove some wrapper auxiliary functions, make all functions return the state and add the transition in one place (instead of in each auxiliary function). llvm-svn: 151188
-
Douglas Gregor authored
block pointer that returns a block literal which captures (by copy) the lambda closure itself. Some aspects of the block literal are left unspecified, namely the capture variable (which doesn't actually exist) and the body (which will be filled in by IRgen because it can't be written as an AST). Because we're switching to this model, this patch also eliminates tracking the copy-initialization expression for the block capture of the conversion function, since that information is now embedded in the synthesized block literal. -1 side tables FTW. llvm-svn: 151131
-
Anna Zaks authored
llvm-svn: 151124
-
Anna Zaks authored
, when we return a symbol reachable to the malloced one via pointer arithmetic. llvm-svn: 151121
-
Anna Zaks authored
llvm-svn: 151120
-
- Feb 21, 2012
Ted Kremenek authored
Have ScanReachableSymbols report reachable regions. Fixes a false positive with nested array literals. <rdar://problem/10686586> llvm-svn: 151012
-
Anna Zaks authored
llvm-svn: 151007
-
- Feb 20, 2012
Anna Zaks authored
tests. llvm-svn: 150993
-
Anna Zaks authored
checks: - unix.Malloc - Checks for memory leaks, double free, use-after-free. - unix.cstring.NullArg - Checks for null pointers passed as arguments to CString functions + evaluates CString functions. - unix.cstring.BadSizeArg - Checks for common anti-patterns in strncat size argument. llvm-svn: 150988
-
Dylan Noblesmith authored
The class name is long enough without the llvm:: added. Also bring in RefCountedBase and RefCountedBaseVPTR. llvm-svn: 150958
-
- Feb 18, 2012
Ted Kremenek authored
Adapt ExprEngine and checkers to ObjC property refactoring. Everything was working, but now diagnostics are aware of message expressions implied by uses of properties. Fixes <rdar://problem/9241180>. llvm-svn: 150888
-
Ted Kremenek authored
Have conjured symbols depend on LocationContext, to add context sensitivity for functions called more than once. llvm-svn: 150849
-
- Feb 17, 2012
Anna Zaks authored
it aware of CString APIs that return the input parameter. Malloc Checker needs to know how the 'strcpy' function is evaluated. Introduce the dependency on CStringChecker for that. CStringChecker knows all about these APIs. Addresses radar://10864450 llvm-svn: 150846
-
Anna Zaks authored
(Ex: It was not treating __inline_strcpy as strcpy. Will add tests that rely on this later on.) llvm-svn: 150845
-
- Feb 16, 2012
Anna Zaks authored
- Rename the category "Logic Error" -> "Memory Error". - Shorten all the messages. llvm-svn: 150733
-
Anna Zaks authored
of failing realloc. + Minor cleanups. llvm-svn: 150732
-
Ted Kremenek authored
Add checker visitation hooks in ExprEngine::Visit() for common no-op expressions. To be used later. llvm-svn: 150723
-
Ted Kremenek authored
Revert "Move ExplodedNode reclamation out of ExprEngine and into CoreEngine. Also have it based on adding predecessors/successors, not node allocation. No measurable performance change." llvm-svn: 150722
-
Ted Kremenek authored
Move ExplodedNode reclamation out of ExprEngine and into CoreEngine. Also have it based on adding predecessors/successors, not node allocation. No measurable performance change. llvm-svn: 150720
-
Ted Kremenek authored
llvm-svn: 150719
-
Sebastian Redl authored
Revert "Revert "Make CXXNewExpr contain only a single initializer, and not hold the used constructor itself."" This reintroduces commit r150682 with a fix for the Bullet benchmark crash. llvm-svn: 150685
-
Sebastian Redl authored
Revert "Make CXXNewExpr contain only a single initializer, and not hold the used constructor itself." It leads to a compiler crash in the Bullet benchmark. This reverts commit r12014. llvm-svn: 150684
-
Sebastian Redl authored
Holding the constructor directly makes no sense when list-initialized arrays come into play. The constructor is now held in a CXXConstructExpr, if construction is what is done. The new design can also distinguish properly between list-initialization and direct-initialization, as well as implicit default-initialization constructors and explicit value-initialization constructors. Finally, doing it this way removes redundance from the AST because CXXNewExpr doesn't try to handle both the allocation and the initialization responsibilities. This breaks the static analysis of new expressions. I've filed PR12014 to track this. llvm-svn: 150682
-
Anna Zaks authored
piece can always be generated. The default end of diagnostic path piece was failing to generate on a BlockEdge that was outgoing from a basic block without a terminator, resulting in a very simple diagnostic being rendered (ex: no path highlighting or custom visitors). Reuse another function, which is essentially doing the same thing and correct it not to fail when a block has no terminator. llvm-svn: 150659
-
Anna Zaks authored
We are not properly handling the memory regions that escape into struct fields, which led to a bunch of false positives. Be conservative here and give up when a pointer escapes into a struct. llvm-svn: 150658
-
- Feb 15, 2012
Anna Zaks authored
llvm-svn: 150556
-
John McCall authored
is general goodness because representations of member pointers are not always equivalent across member pointer types on all ABIs (even though this isn't really standard-endorsed). Take advantage of the new information to teach IR-generation how to do these reinterprets in constant initializers. Make sure this works when intermingled with hierarchy conversions (although this is not part of our motivating use case). Doing this in the constant-evaluator would probably have been better, but that would require a *lot* of extra structure in the representation of constant member pointers: you'd really have to track an arbitrary chain of hierarchy conversions and reinterpretations in order to get this right. Ultimately, this seems less complex. I also wasn't quite sure how to extend the constant evaluator to handle foldings that we don't actually want to treat as extended constant expressions. llvm-svn: 150551
-
Anna Zaks authored
the passed in pointer on failure. llvm-svn: 150533
-
Anna Zaks authored
hardening. llvm-svn: 150532
-
- Feb 14, 2012
Anna Zaks authored
(In response to Ted's review of r150112.) This moves the logic which checked if a symbol escapes through a parameter to invalidateRegionCallback (instead of post CallExpr visit.) To accommodate the change, added a CallOrObjCMessage parameter to checkRegionChanges callback. llvm-svn: 150513
-
Ted Kremenek authored
llvm-svn: 150511
-
Ted Kremenek authored
llvm-svn: 150509
-
Ted Kremenek authored
llvm-svn: 150506
-
Ted Kremenek authored
llvm-svn: 150505
-
Ted Kremenek authored
Further remove some recursive visitation in ExprEngine that is no longer needed because the CFG is fully linearized. llvm-svn: 150504
-