+ all the other Retrieve..() methods + a comment for ElementRegion.

llvm-svn: 148011

To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.

Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.

llvm-svn: 148010

the common *alloc functions as well as a few tiny wibbles (adds a note
to CWE/CERT advisory numbers in the bug output, and fixes a couple
80-column-wide violations.)"

Patch by Austin Seipp!

llvm-svn: 147931

Remove '#if 0' from ExprEngine::InlineCall(), and start fresh by wiring up inlining for straight C calls.
My hope is to reimplement this from first principles based on the simplifications of removing unneeded node builders
and re-evaluating how C++ calls are handled in the CFG.  The hope is to turn inlining "on-by-default" as soon as possible
with a core set of things working well, and then expand over time.

llvm-svn: 147904

llvm-svn: 147854

llvm-svn: 147744

A patch by Dmitri Gribenko!

The attached patch fixes a use-after-free in AnalysisConsumer::HandleTranslationUnit.  The problem is that
BugReporter's destructor runs after AnalysisManager has been already
deleted.  The fix introduces a scope to force correct destruction
order.

A crash happens only when reports have been added in AnalysisConsumer::HandleTranslationUnit's BugReporter. We don't have such checkers in clang so no test.

llvm-svn: 147732

We already have a more conservative check in the compiler (if the
format string is not a literal, we warn). Still adding it here for
completeness and since this check is stronger - only triggered if the
format string is tainted.

llvm-svn: 147714

This removes analysis of other translation units, but that was an experimental feature anyway that we will revisit later.

llvm-svn: 147705

llvm-svn: 147698

[analyzer] Remove CallExitNodeBuilder, and have ExprEngine::processCallExit() do the work manually.  This is a nice simplification.

Along the way, fix Exprengine::processCallExit() to also perform the postStmt callback for checkers for CallExprs.

llvm-svn: 147697

(Stmt*,LocationContext*) pairs to SVals instead of Stmt* to SVals.

This is needed to support basic IPA via inlining.  Without this, we cannot tell
if a Stmt* binding is part of the current analysis scope (StackFrameContext) or
part of a parent context.

This change introduces an uglification of the use of getSVal(), and thus takes
two steps forward and one step back.  There are also potential performance implications
of enlarging the Environment.  Both can be addressed going forward by refactoring the
APIs and optimizing the internal representation of Environment.  This patch
mainly introduces the functionality upon when we want to build upon (and clean up).

llvm-svn: 147688

as a result of a call.

Problem:
Global variables, which come in from system libraries should not be
invalidated by all calls. Also, non-system globals should not be
invalidated by system calls.

Solution:
The following solution to invalidation of globals seems flexible enough
for taint (does not invalidate stdin) and should not lead to too
many false positives. We split globals into 3 classes:

* immutable - values are preserved by calls (unless the specific
global is passed in as a parameter):
     A :  Most system globals and const scalars

* invalidated by functions defined in system headers:
     B: errno

* invalidated by all other functions (note, these functions may in
turn contain system calls):
     B: errno
     C: all other globals (which are not in A nor B)

llvm-svn: 147569

llvm-svn: 147566

llvm-svn: 147526

llvm-svn: 147505

Enhance UnixAPIChecker to also warn about zero-sized allocations to calloc() and realloc().  Patch by Cyril Roelandt!

llvm-svn: 147500

from C++ constructors or destructors.  Checker by Lei Zhang with a few tweaks by Ted Kremenek.

llvm-svn: 147494

llvm-svn: 147338

clients. No functionality change.

llvm-svn: 147318

llvm-svn: 147203

llvm-svn: 147139

type is a pointer to const. (radar://10595327)

The regions corresponding to the pointer and reference arguments to
a function get invalidated by the calls since a function call can
possibly modify the pointed to data. With this change, we are not going
to invalidate the data if the argument is a pointer to const. This
change makes the analyzer more optimistic in reporting errors.
(Support for C, C++ and Obj C)

llvm-svn: 147002

llvm-svn: 146993

llvm-svn: 146967

llvm-svn: 146959

Check if the input parameters are tainted (or point to tainted data) on
a checkPreStmt<CallExpr>. If the output should be tainted, record it in
the state. On post visit (checkPostStmt<CallExpr>), use the state to
make decisions (in addition to the existing logic). Use this logic for
atoi and fscanf.

llvm-svn: 146793

llvm-svn: 146792

llvm-svn: 146748

llvm-svn: 146683

is deterministic.

Non-determinism was the reason for the test which caused the earlier
buildbot failures, so re-enable the test.

llvm-svn: 146628

Some of the test cases do not currently work because the analyzer core
does not seem to call checkers for pre/post DeclRefExpr visits.
(Opened radar://10573500. To be fixed later on.)

llvm-svn: 146536

llvm-svn: 146535

llvm-svn: 146533

Also, allow adding taint to a region (not only a symbolic value).

llvm-svn: 146532

[analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.

We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. 

In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.)

This patch also contains 2 small bug fixes:
 - swap the order of operators inside SValBuilder::makeGenericVal.
 - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.

llvm-svn: 146343

Forgot to commit the Header files. 
Rename generateUnknownVal -> makeGenericVal.

llvm-svn: 146337

Fix a bug in SimpleSValBuilder, where we should swap lhs and rhs when calling generateUnknownVal(), - the function which creates symbolic expressions when data is tainted. The issue is not visible when we only create the expressions for taint since all expressions are commutative from taint perspective.

Refactor SymExpr::symbol_iterator::expand() to use a switch instead of a chain of ifs.

llvm-svn: 146336

types are equivalent.

+ A taint test which tests bitwise operations and which was
triggering an assertion due to presence of the integer to integer cast.

llvm-svn: 146240

+ random comments

llvm-svn: 146199