[analyzer] Refactoring: Move checkers into lib/GR/Checkers and their own library, libclangGRCheckers

llvm-svn: 122422

llvm-svn: 122421

llvm-svn: 122420

llvm-svn: 122271

llvm-svn: 122270

implicit lvalue-to-rvalue casts that John McCall
recently introduced.  This causes a whole bunch
of logic in the analyzer for handling lvalues
to vanish.  It does, however, raise a few issues
in the analyzer w.r.t to modeling various constructs
(e.g., field accesses to compound literals).

The .c/.m analysis test cases that fail are
due to a missing lvalue-to-rvalue cast that
will get introduced into the AST.  The .cpp
failures were more than I could investigate in
one go, and the patch was already getting huge.
I have XFAILED some of these tests, and they
should obviously be further investigated.

Some highlights of this patch include:

- CFG no longer requires an lvalue bit for
  CFGElements
- StackFrameContext doesn't need an 'asLValue'
  flag
- The "VisitLValue" path from GRExprEngine has
  been eliminated.

Besides the test case failures (XFAILed), there
are surely other bugs that are fallout from
this change.

llvm-svn: 121960

not actually frequently used, because ImpCastExprToType only creates a node
if the types differ.  So explicitly create an ICE in the lvalue-to-rvalue
conversion code in DefaultFunctionArrayLvalueConversion() as well as several
other new places, and consistently deal with the consequences throughout the
compiler.

In addition, introduce a new cast kind for loading an ObjCProperty l-value,
and make sure we emit those nodes whenever an ObjCProperty l-value appears
that's not on the LHS of an assignment operator.

This breaks a couple of rewriter tests, which I've x-failed until future
development occurs on the rewriter.

Ted Kremenek kindly contributed the analyzer workarounds in this patch.

llvm-svn: 120890

to 'assumeXXX'.

llvm-svn: 120614

Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses.

llvm-svn: 117334

Polish diagnostics for null dereferences via ObjC ivar accesses.  Finishes up <rdar://problem/6352035>.

llvm-svn: 113612

llvm-svn: 99731

a null dereference results from a field access.

llvm-svn: 99236

llvm-svn: 94608

llvm-svn: 94428

(1) libAnalysis is a generic analysis library that can be used by
    Sema.  It defines the CFG, basic dataflow analysis primitives, and
    inexpensive flow-sensitive analyses (e.g. LiveVariables).

(2) libChecker contains the guts of the static analyzer, incuding the
    path-sensitive analysis engine and domain-specific checks.

Now any clients that want to use the frontend to build their own tools
don't need to link in the entire static analyzer.

This change exposes various obvious cleanups that can be made to the
layout of files and headers in libChecker.  More changes pending.  :)

This change also exposed a layering violation between AnalysisContext
and MemRegion.  BlockInvocationContext shouldn't explicitly know about
BlockDataRegions.  For now I've removed the BlockDataRegion* from
BlockInvocationContext (removing context-sensitivity; although this
wasn't used yet).  We need to have a better way to extend
BlockInvocationContext (and any LocationContext) to add
context-sensitivty.

llvm-svn: 94406

llvm-svn: 90028

Enhance null dereference diagnostics by indicating what variable (if any) was dereferenced.  Addresses <rdar://problem/7039161>.

llvm-svn: 89726

along the way.  Important changes:

1) To generate a sink node, use GenerateSink(); GenerateNode() is for
generating regular transitions.  This makes the API clearer and also
allows us to use the 'bool' option to GenerateNode() for a different
purpose.

2) GenerateNode() now automatically adds the generated node to the
destination ExplodedNodeSet (autotransition) unless the client
specifies otherwise with a bool flag.  Several checkers did not call
'addTransition()' after calling 'GenerateNode()', causing the
simulation path to be prematurely culled when a non-fail stop bug was
encountered.

3) Add variants of GenerateNode()/GenerateSink() that take neither a
Stmt* or a GRState*; most callers of GenerateNode() just pass in the
same Stmt* as provided when the CheckerContext object is created; we
can just use that the majority of the time.  This cleanup also allows
us to potentially coelesce the APIs for evaluating branches and
end-of-paths (which currently directly use builders).

4) addTransition() no longer needs to be called except for a few
cases.  We now have a variant of addTransition() that takes a
GRState*; this allows one to propagate the updated state without
caring about generating a new node explicitly.  This nicely cleaned up
a bunch of cases that called autoTransition() with a bunch of
conditional logic surround the call (that common logic has now been
swallowed up by addTransition() itself).

llvm-svn: 89707

Restructure DereferenceChecker slightly to handle caching out when we would report a null dereference more than once.

llvm-svn: 89526

- Eliminates many calls to std::string.c_str()
- Fixes an invalid read in ReturnStackAddressChecker due to an unsafe call to
  StringRef.data() which doesn't guarantee null-termination.

llvm-svn: 88779

the old builder API.  This percolated a bunch of changes up to the
Checker class (where CheckLocation has been renamed VisitLocation) and
GRExprEngine.  ProgramPoint now has the notion of a "LocationCheck"
point (with PreLoad and PreStore respectively), and a bunch of the old
ProgramPoints that are no longer used have been removed.

llvm-svn: 86798

Minor cleanup: use BuiltinBug (which will soon be renamed) for DeferenceChecker and friends so that they always report the same bug type.

llvm-svn: 86208

Merge NullDerefChecker.[h,cpp] and UndefDerefChecker.[h,cpp].  They are essentially two parts of the same check.

llvm-svn: 85911

llvm-svn: 85642

llvm-svn: 85596

Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file.

llvm-svn: 85595