[analyzer] Don't claim an object was returned with +1 retain count before counting autoreleases. Fixes PR10376.

(Also, 80-column violations.)

llvm-svn: 152976

Do not display the standard "Returning from 'foo'", when a stack hint is
available.

llvm-svn: 152964

The symbol-aware stack hint combines the checker-provided message
with the information about how the symbol was passed to the callee: as
a parameter or a return value.

For malloc, the generated messages look like this :
"Returning from 'foo'; released memory via 1st parameter"
"Returning from 'foo'; allocated memory via 1st parameter"
"Returning from 'foo'; allocated memory returned"
"Returning from 'foo'; reallocation of 1st parameter failed"


(We are yet to handle cases when the symbol is a field in a struct or
an array element.)

llvm-svn: 152962

llvm-svn: 152961

number of steps in the work list.

llvm-svn: 152960

llvm-svn: 152900

llvm-svn: 152868

[analyzer] Remove AggExprVisitor, a dead class that assisted in visiting C++ expressions with a "base object", because the CFG is now linearized.

The only use of AggExprVisitor was in #if 0 code (the analyzer's incomplete C++ support), so there is no actual behavioral change anyway.

llvm-svn: 152856

BugVisitor DiagnosticPieces.

When checkers create a DiagnosticPieceEvent, they can supply an extra
string, which will be concatenated with the call exit message for every
call on the stack between the diagnostic event and the final bug report.
(This is a simple version, which could be/will be further enhanced.)

For example, this is used in Malloc checker to produce the ",
which allocated memory" in the following example:

static char *malloc_wrapper() { // 2. Entered call from 'use'
    return malloc(12);    // 3. Memory is allocated
}

void use() {
    char *v;
    v = malloc_wrapper(); // 1. Calling 'malloc_wrappers'
        // 4. Returning from 'malloc_wrapper', which allocated memory
}                         // 5. Memory is never released; potential
memory leak

llvm-svn: 152837

(Why are we keeping all of this code around anyway? Say the word and I'll
start swinging the delete hammer.)

llvm-svn: 152749

in the callee.

llvm-svn: 152734

MaterializeTemporaryExpr.

llvm-svn: 152730

longer needed as the CFG is fully linearized.

llvm-svn: 152720

llvm-svn: 152677

respectively.

llvm-svn: 152676

inlining to be the reverse of their declaration.

This optimizes running time under inlining up to 20% since we do not
re-analyze the utility functions which are usually defined first in the
translation unit if they have already been analyzed while inlined into
the root functions.

llvm-svn: 152653

BFS should give slightly better performance. Ex: Suppose, we have two
roots R1 and R2. A callee function C is reachable through both. However,
C is not inlined when analyzing R1 due to inline stack depth limit. With
DFS, C will be analyzed as top level even though it would be analyzed as
inlined through R2. On the other hand, BFS could avoid analyzing C as
top level.

llvm-svn: 152652

collecting function Decls.

llvm-svn: 152651

AnalysisConsumer.

As a result:
 - We now analyze the C++ methods which are defined within the
class body. These were completely skipped before.

- Ensure that AST checkers are called on functions in the
order they are defined in the Translation unit.

llvm-svn: 152650

function.

llvm-svn: 152649

llvm-svn: 152648

llvm-svn: 152586

llvm-svn: 152584

The member variable is always "LangOpts" and the member function is always "getLangOpts".

Reviewed by Chris Lattner

llvm-svn: 152536

llvm-svn: 152521

track whether the referenced declaration comes from an enclosing
local context.  I'm amenable to suggestions about the exact meaning
of this bit.

llvm-svn: 152491

[analyzer] fix regression in analyzer of NOT actually aborting on Stmts it doesn't understand.  We registered
as aborted, but didn't treat such cases as sinks in the ExplodedGraph.

Along the way, add basic support for CXXCatchStmt, expanding the set of code we actually analyze (hopefully correctly).

Fixes: <rdar://problem/10892489>
llvm-svn: 152468

Teach RetainCountChecker about mixing method families with explicit annotations.  Fixes <rdar://problem/10824732>.

llvm-svn: 152448

We do not reanalyze a function, which has already been analyzed as an
inlined callee. As per PRELIMINARY testing, this gives over
50% run time reduction on some benchmarks without decreasing of the
number of bugs found.

Turning the mode on by default.

llvm-svn: 152440

Essentially, a bug centers around a story for various symbols and regions.  We should only include
the path diagnostic events that relate to those symbols and regions.

The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which
can be modified at BugReport creation or by BugReporterVisitors.

This patch reduces the diagnostics emitted in several of our test cases.  I've vetted these as
having desired behavior.  The only regression is a missing null check diagnostic for the return
value of realloc() in test/Analysis/malloc-plist.c.  This will require some investigation to fix,
and I have added a FIXME to the test case.

llvm-svn: 152361

analyzed.

The CallGraph is used when inlining is on, which is the current default.

This alone does not bring any performance improvement. It's a
stepping stone for the upcoming optimization in which we do not
re-analyze a function that has already been analyzed while inlined in
other functions. Using the call graph makes it easier to play with
the order of functions to minimize redundant analyzes.

llvm-svn: 152352

 - Remove -analyzer-inline-call.
 - Add -analyzer-ipa=[none|inlining]
 - Add -analyzer-inlining-mode to allow experimentation for
different performance tuning methods.

llvm-svn: 152351

The final graph contains a single root node, which is a parent of all externally available functions(and 'main'). As well as a list of Parentless/Unreachable functions, which are either truly unreachable or are unreachable due to our analyses imprecision.

The analyzer checkers debug.DumpCallGraph or debug.ViewGraph can be used to look at the produced graph.

Currently, the graph is not very precise, for example, it entirely skips edges resulted from ObjC method calls.

llvm-svn: 152272

analysis to make the AST representation testable. They are represented by a
new UserDefinedLiteral AST node, which is a sugared CallExpr. All semantic
properties, including full CodeGen support, are achieved for free by this
representation.

UserDefinedLiterals can never be dependent, so no custom instantiation
behavior is required. They are mangled as if they were direct calls to the
underlying literal operator. This matches g++'s apparent behavior (but not its
actual mangling, which is broken for literal-operator-ids).

User-defined *string* literals are now fully-operational, but the semantic
analysis is quite hacky and needs more work. No other forms of user-defined
literal are created yet, but the AST support for them is present.

This patch committed after midnight because we had already hit the quota for
new kinds of literal yesterday.

llvm-svn: 152211

llvm-svn: 152139

[analyzer] add a diagnostic event when entering a call via inlining, within the callee, and add an edge.

llvm-svn: 152086

llvm-svn: 152083

llvm-svn: 152080

llvm-svn: 152078

when the called function is never inlined.

Fixes <rdar://problem/10977037>.

llvm-svn: 152073