llvm-svn: 149009

using CFArrayCreate & family.

Specifically, CFArrayCreate's input should be:
'A C array of the pointer-sized values to be in the new array.'

(radar://10717339)

llvm-svn: 149008

llvm-svn: 148844

[analyzer] It's possible to have a non PointerType expression evaluate to a Loc value. When this happens, use the default type.

llvm-svn: 148631

Also, slightly modify the diagnostic message in ArrayBound and DivZero (still use 'taint', which might not mean much to the user, but plan on changing it later).

llvm-svn: 148626

llvm-svn: 148577

llvm-svn: 148566

Reenable DeadStoresChecker under --analyze, and move the IdempotentOperationsChecker to the 'experimental' category.  Fixes <rdar://problem/10146347>.

llvm-svn: 148533

Implement checker that looks for calls to mktemps and friends that have fewer than 6 Xs.  Implements <rdar://problem/6336672>.

llvm-svn: 148531

multiple checks are exposed as separate checkers, but CheckerManager only creates
one Checker object.

llvm-svn: 148525

llvm-svn: 148518

TaintPropagationRule::process().

Also remove the "should be a pointer argument" warning - should be
handled elsewhere.

llvm-svn: 148372

size (Ex: in malloc, memcpy, strncpy..)

(Maybe some of this could migrate to the CString checker. One issue
with that is that we might want to separate security issues from
regular API misuse.)

llvm-svn: 148371

functions.

llvm-svn: 148370

Remove unreachable code in Clang. (replace with llvm_unreachable where appropriate or when GCC requires it)

llvm-svn: 148292

This allows -Wswitch-enum to find switches that need updating when these enums are modified.

llvm-svn: 148281

taint propagation functions.

llvm-svn: 148266

data.

llvm-svn: 148176

llvm-svn: 148080

+ all the other Retrieve..() methods + a comment for ElementRegion.

llvm-svn: 148011

To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.

Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.

llvm-svn: 148010

the common *alloc functions as well as a few tiny wibbles (adds a note
to CWE/CERT advisory numbers in the bug output, and fixes a couple
80-column-wide violations.)"

Patch by Austin Seipp!

llvm-svn: 147931

llvm-svn: 147744

We already have a more conservative check in the compiler (if the
format string is not a literal, we warn). Still adding it here for
completeness and since this check is stronger - only triggered if the
format string is tainted.

llvm-svn: 147714

(Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals.

This is needed to support basic IPA via inlining.  Without this, we cannot tell
if a Stmt* binding is part of the current analysis scope (StackFrameContext) or
part of a parent context.

This change introduces an uglification of the use of getSVal(), and thus takes
two steps forward and one step back.  There are also potential performance implications
of enlarging the Environment.  Both can be addressed going forward by refactoring the
APIs and optimizing the internal representation of Environment.  This patch
mainly introduces the functionality upon when we want to build upon (and clean up).

llvm-svn: 147688

as a result of a call.

Problem:
Global variables, which come in from system libraries should not be
invalidated by all calls. Also, non-system globals should not be
invalidated by system calls.

Solution:
The following solution to invalidation of globals seems flexible enough
for taint (does not invalidate stdin) and should not lead to too
many false positives. We split globals into 3 classes:

* immutable - values are preserved by calls (unless the specific
global is passed in as a parameter):
     A :  Most system globals and const scalars

* invalidated by functions defined in system headers:
     B: errno

* invalidated by all other functions (note, these functions may in
turn contain system calls):
     B: errno
     C: all other globals (which are not in A nor B)

llvm-svn: 147569

llvm-svn: 147566

llvm-svn: 147505

Enhance UnixAPIChecker to also warn about zero-sized allocations to calloc() and realloc().  Patch by Cyril Roelandt!

llvm-svn: 147500

from C++ constructors or destructors.  Checker by Lei Zhang with a few tweaks by Ted Kremenek.

llvm-svn: 147494

llvm-svn: 147338

llvm-svn: 147203

llvm-svn: 147139

Check if the input parameters are tainted (or point to tainted data) on
a checkPreStmt<CallExpr>. If the output should be tainted, record it in
the state. On post visit (checkPostStmt<CallExpr>), use the state to
make decisions (in addition to the existing logic). Use this logic for
atoi and fscanf.

llvm-svn: 146793

llvm-svn: 146748

Some of the test cases do not currently work because the analyzer core
does not seem to call checkers for pre/post DeclRefExpr visits.
(Opened radar://10573500. To be fixed later on.)

llvm-svn: 146536

llvm-svn: 146533

Also, allow adding taint to a region (not only a symbolic value).

llvm-svn: 146532

[analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.

We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. 

In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.)

This patch also contains 2 small bug fixes:
 - swap the order of operators inside SValBuilder::makeGenericVal.
 - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.

llvm-svn: 146343

llvm-svn: 146146