, when we return a symbol reachable to the malloced one via pointer
arithmetic.

llvm-svn: 151121

checks:

- unix.Malloc - Checks for memory leaks, double free, use-after-free.
- unix.cstring.NullArg - Checks for null pointers passed as arguments to
CString functions + evaluates CString functions.
- unix.cstring.BadSizeArg - Checks for common anti-patterns in
strncat size argument.

llvm-svn: 150988

llvm-svn: 150847

it aware of CString APIs that return the input parameter.

Malloc Checker needs to know how the 'strcpy' function is
evaluated. Introduce the dependency on CStringChecker for that.
CStringChecker knows all about these APIs.

Addresses radar://10864450

llvm-svn: 150846

llvm-svn: 150734

 - Rename the category "Logic Error" -> "Memory Error".
 - Shorten all the messages.

llvm-svn: 150733

We are not properly handling the memory regions that escape into struct
fields, which led to a bunch of false positives. Be conservative here
and give up when a pointer escapes into a struct.

llvm-svn: 150658

llvm-svn: 150534

the passed in pointer on failure.

llvm-svn: 150533

hardening.

llvm-svn: 150532

in realloc map. 

If there is no dependency, the reallocated ptr will get garbage
collected before we know that realloc failed, which would lead us to
missing a memory leak warning.

Also added new test cases, which we can handle now.
Plus minor cleanups.

llvm-svn: 150446

case when size is 0.

llvm-svn: 150412

1) Support the case when realloc fails to reduce False Positives. (We
essentially need to restore the state of the pointer being reallocated.)

2) Realloc behaves differently under special conditions (from pointer is
null, size is 0). When detecting these cases, we should consider
under-constrained states (size might or might not be 0). The
old version handled this in a very hacky way. The code did not
differentiate between definite and possible (no consideration for
under-constrained states). Further, after processing each special case,
the realloc processing function did not return but chained to the next
special case processing. So you could end up in an execution in which
you first see the states in which size is 0 and realloc ~ free(),
followed by the states corresponding to size is not 0 followed by the
evaluation of the regular realloc behavior.

llvm-svn: 150402

a pointer cannot escape through calls to system functions. Also, stop
after reporting the first use-after-free.

llvm-svn: 150315

memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)

llvm-svn: 150313

Resolves a common false positive, where we were reporting a leak inside
asserts

llvm-svn: 150312

We use the same logic here as the RetainRelease checker.

llvm-svn: 150311

the checker over postgres and sqlite.

llvm-svn: 150216

(use of return instead of continue), wording.

llvm-svn: 150215

Very simple so far - we just highlight every allocation and release
site.

llvm-svn: 150156

llvm-svn: 150155

which allows values to escape through unknown calls.

Assumes all calls but the malloc family are unknown.

Also, catch a use-after-free when a pointer is passed to a
function after a call to free (previously, you had to explicitly
dereference the pointer value).

llvm-svn: 150112

free() is returned by realloc(). Most code expect NULL.

And we only need to transfer one final ProgramState.

llvm-svn: 138937

[analyzer] rename all experimental checker packages to have 'experimental' be the common root package.

llvm-svn: 136835

More accurately model realloc() when the size argument is 0. realloc() with a size of 0 is equivalent to free(). The memory region should be marked as free and not used again.

Unit tests f2_realloc_0(), f6_realloc(), and f7_realloc() contributed by Marshall Clow <mclow.lists@gmail.com>. Thanks! 

llvm-svn: 130303

llvm-svn: 128187

llvm-svn: 126676

llvm-svn: 126617

llvm-svn: 126607

llvm-svn: 126606

[analyzer] Remove '-analyzer-experimental-internal-checks' flag, it doesn't have any checkers associated with it anymore.

llvm-svn: 126440

llvm-svn: 126438

   CStringChecker
   ChrootChecker
   MallocChecker
   PthreadLockChecker
   StreamChecker
   UnreachableCodeChecker

MallocChecker creates implicit dependencies between checkers and needs to be handled differently.

llvm-svn: 125598

After a lengthy design discussion, add support for "ownership attributes" for malloc/free checking.  Patch by Andrew McGregor!

llvm-svn: 109939

- Created a new class to do post-analysis
- Updated several test cases with unreachable code to expect a warning
- Added some general tests

llvm-svn: 109286

Casting to void* or any other pointer-to-sizeless type (e.g. function pointers) causes a divide-by-zero error. Simple fix: check if the pointee type size is 0 and bail out early if it is.

llvm-svn: 106401

modification.

llvm-svn: 105264

whether the size of the symbolic region is a multiple of the size of T.
Fixes PR6123 and PR7217.

llvm-svn: 104584

llvm-svn: 98136

llvm-svn: 96154