Add a new symbol type, SymbolExtent, to represent the extents of memory regions that may not be known at compile-time (such as those created by malloc). This replaces the old setExtent/getExtent API on Store, which used the GRState's GDM to store SVals.

Also adds a getKnownValue() method to SValuator, which gets the integer value of an SVal if it is known to only have one possible value. There are more places in the code that could be using this, but in general we want to be dealing entirely in SVals, so its usefulness is limited.

The only visible functionality change is that extents are now honored for any DeclRegion, such as fields and Objective-C ivars, rather than just variables. This shows up in bounds-checking and cast-size-checking.

llvm-svn: 107577

Fix PR 7475 by enhancing the static analyzer to also invalidate bindings for non-static global variables
when calling a function/method whose impact on global variables we cannot accurately estimate.
This change introduces two new MemSpaceRegions that divide up the memory space of globals, and causes
RegionStore and BasicStore to consult a binding to the NonStaticGlobalsMemSpaceRegion when lazily
determining the value of a global.

llvm-svn: 107423

Add an ivar to SymbolReaper for the current statement, and then stop passing the current statement around everywhere. Preparation for symbolic extents.

llvm-svn: 107422

llvm-svn: 107388

Correctly implement the CheckerVisit optimization introduced in r106884, but this time actually used the cached checker list when calling back to Checker visit methods.  This reduces the analysis time for sqlite3.c by 8%.

llvm-svn: 107259

Pointers casted as integers still count as locations to SimpleSValuator, so don't crash if we do a funny thing like ((int)ptr)&1. Fixes PR7527.

llvm-svn: 107236

be true if some paths were aborted because they exceeded
the maximum loop unrolling count.

llvm-svn: 107209

llvm-svn: 107012

Pointer comparisons (and pointer-pointer subtraction). Basically filling in SimpleSValuator::EvalBinOpLL().

llvm-svn: 106992

Implicitly compare symbolic expressions to zero when they're being used as constraints. Part of PR7491.

llvm-svn: 106972

llvm-svn: 106964

llvm-svn: 106919

llvm-svn: 106911

a winowed list of checkers that actually do something for a given StmtClass.
As the number of checkers grows, this may potentially significantly reduce
the number of checkers called at any one time.  My own measurements show that
for the ~20 registered Checker objects, only ~5 of them respond at any one time
to a give statement.  While this isn't a net performance win right now (there
is a minor slowdown on sqlite.3) this improvement does greatly improve debugging
when stepping through the checkers used to evaluate a given statement.

llvm-svn: 106884

llvm-svn: 106883

Change RegionStoreManager::Retrieve to infer the type of a symbolic region from the context when it is not already available.

llvm-svn: 106868

llvm-svn: 106755

llvm-svn: 106742

llvm-svn: 106741

llvm-svn: 106738

when the worklist algorithm has terminated.  This allows some checkers to do a post-analysis
phase after all paths have been analyzed.

llvm-svn: 106689

llvm-svn: 106617

llvm-svn: 106616

crash reported in PR 7450.

llvm-svn: 106609

types, updating callers of both isFloatingType() and
isRealFloatingType() accordingly. Caught at least one issue where we
allowed one to declare a vector of vectors (!), along with cleaning up
the standard-conversion logic for C++.

llvm-svn: 106595

Instead, halt the analysis of the current path, which is what we do in GRExprEngine::ProcessStmt
for all other C++ constructs not currently handled by the analyzer.

llvm-svn: 106561

llvm-svn: 106530

When folding additive operations, convert the values to the same type. When assuming relationships, convert the integers to the same type as the symbol, at least for now.

llvm-svn: 106458

llvm-svn: 106456

llvm-svn: 106403

Adds analyzer support for idempotent and tautological binary operations such as "a*0" and "a+0". This is not very powerful, but does make the analyzer look a little smarter than it actually is.

llvm-svn: 106402

Casting to void* or any other pointer-to-sizeless type (e.g. function pointers) causes a divide-by-zero error. Simple fix: check if the pointee type size is 0 and bail out early if it is.

llvm-svn: 106401

llvm-svn: 106339

to use them instead of SourceRange.  CharSourceRange is just a SourceRange
plus a bool that indicates whether the range has the end character resolved
or whether the end location is the start of the end token.  While most of
the compiler wants to think of ranges that have ends that are the start of
the end token, the printf diagnostic stuff wants to highlight ranges within
tokens.

This is transparent to the diagnostic stuff.  To start taking advantage of
the new capabilities, you can do something like this:
  Diag(..) << CharSourceRange::getCharRange(Begin,End)

llvm-svn: 106338

llvm-svn: 106274

Also refactor the diagnostics so that we print out the kind of stack memory returned.

llvm-svn: 106210

llvm-svn: 106188

by inspecting the Store bindings instead of iterating over all the global variables
in a translation unit.  By looking at the store directly, we avoid cases where we cannot
directly load from the global variable, such as an array (which can result in an assertion failure)
and it also catches cases where we store stack addresses to non-scalar globals.
Also, but not iterating over all the globals in the translation unit, we maintain cache
locality, and the complexity of the checker becomes restricted to the complexity of the
analyzed function, and doesn't scale with the size of the translation unit.

This fixes PR 7383.

llvm-svn: 106184

the binding key instead of the region + offset.  It isn't clear if this is the best semantics, but most
clients will likely only care about simple bindings, or bindings to a particular variable.  We can
refine later if necessary.

llvm-svn: 106183

Correctly return early from BasicStoreManager::iterBindings() when the BindingsHandler returns false.

llvm-svn: 106182