Enhance null dereference diagnostics by indicating what variable (if any) was dereferenced.  Addresses <rdar://problem/7039161>.

llvm-svn: 89726

After performing a bounds check in ArrayBoundChecker, record the fact that a bounds check succeeded by transitioning the ExplodedGraph.

llvm-svn: 89712

along the way.  Important changes:

1) To generate a sink node, use GenerateSink(); GenerateNode() is for
generating regular transitions.  This makes the API clearer and also
allows us to use the 'bool' option to GenerateNode() for a different
purpose.

2) GenerateNode() now automatically adds the generated node to the
destination ExplodedNodeSet (autotransition) unless the client
specifies otherwise with a bool flag.  Several checkers did not call
'addTransition()' after calling 'GenerateNode()', causing the
simulation path to be prematurely culled when a non-fail stop bug was
encountered.

3) Add variants of GenerateNode()/GenerateSink() that take neither a
Stmt* or a GRState*; most callers of GenerateNode() just pass in the
same Stmt* as provided when the CheckerContext object is created; we
can just use that the majority of the time.  This cleanup also allows
us to potentially coelesce the APIs for evaluating branches and
end-of-paths (which currently directly use builders).

4) addTransition() no longer needs to be called except for a few
cases.  We now have a variant of addTransition() that takes a
GRState*; this allows one to propagate the updated state without
caring about generating a new node explicitly.  This nicely cleaned up
a bunch of cases that called autoTransition() with a bunch of
conditional logic surround the call (that common logic has now been
swallowed up by addTransition() itself).

llvm-svn: 89707

llvm-svn: 89688

Tweak UndefBranchChecker to register the most nested "undefined" expression with bugreporter::registerTrackNullOrUndefValue instead of the condition itself.

llvm-svn: 89682

llvm-svn: 89679

llvm-svn: 89650

llvm-svn: 89643

in the checker directly. But I don't have a better approach for now.

llvm-svn: 89640

Change CheckDeadStores to use Expr::isNullPointerConstant, which will correctly determine whether an expression is a null pointer constant.

Patch by Kovarththanan Rajaratnam!

llvm-svn: 89621

Undefined compound assignment result is checked in UndefinedAssignmentChecker. So this check is redundant.

llvm-svn: 89592

llvm-svn: 89591

llvm-svn: 89590

llvm-svn: 89587

llvm-svn: 89585

Make FixedAddressChecker and experimental check; it currently produces a ton of false positives when analyzing some projects (e.g., Wine).

llvm-svn: 89560

Restructure DereferenceChecker slightly to handle caching out when we would report a null dereference more than once.

llvm-svn: 89526

Pull BadCallChecker int UndefinedArgChecker, and have UndefinedArgChecker also handled undefined receivers in message expressions.

llvm-svn: 89524

More checker refactoring.  Passing undefined values in a message expression is now handled by UndefinedArgChecker.

llvm-svn: 89519

llvm-svn: 89453

Add simple static analyzer checker to check for sending 'release', 'retain', etc. directly to a class.  Fixes <rdar://problem/7252064>.

llvm-svn: 89449

Unused ivar checker: ivars referenced by lexically nested functions should not be flagged as unused.  Fixes <rdar://problem/7254495>.

llvm-svn: 89448

llvm-svn: 89446

llvm-svn: 89437

llvm-svn: 89413

Fix crash when using --analyzer-store=region when handling initializers with nested arrays/structs whose values are not explicitly specified.  Fixes <rdar://problem/7403269>.

llvm-svn: 89384

llvm-svn: 89383

llvm-svn: 89375

llvm-svn: 89373

block.

llvm-svn: 89071

end of the path. Need to unify interfaces.

llvm-svn: 89063

llvm-svn: 89060

sugared types. The basic problem is that our qualifier accessors
(getQualifiers, getCVRQualifiers, isConstQualified, etc.) only look at
the current QualType and not at any qualifiers that come from sugared
types, meaning that we won't see these qualifiers through, e.g.,
typedefs:

  typedef const int CInt;
  typedef CInt Self;

Self.isConstQualified() currently returns false!

Various bugs (e.g., PR5383) have cropped up all over the front end due
to such problems. I'm addressing this problem by splitting each
qualifier accessor into two versions: 

  - the "local" version only returns qualifiers on this particular
    QualType instance
  - the "normal" version that will eventually combine qualifiers from this
    QualType instance with the qualifiers on the canonical type to
    produce the full set of qualifiers.

This commit adds the local versions and switches a few callers from
the "normal" version (e.g., isConstQualified) over to the "local"
version (e.g., isLocalConstQualified) when that is the right thing to
do, e.g., because we're printing or serializing the qualifiers. Also,
switch a bunch of
  
  Context.getCanonicalType(T1).getUnqualifiedType() == Context.getCanonicalType(T2).getQualifiedType()

expressions over to 

  Context.hasSameUnqualifiedType(T1, T2)

llvm-svn: 88969

* Add a load type to GRExprEngine::EvalLoad().
* When retrieve from 'theValue' of OSAtomic funcitions, use the type of the 
  region instead of the argument expression as the load type.
* Then we can convert CastRetrievedSVal to a pure assertion. In the future
  we can let all Retrieve() methods simply return SVal.

llvm-svn: 88888

llvm-svn: 88882

- Eliminates many calls to std::string.c_str()
- Fixes an invalid read in ReturnStackAddressChecker due to an unsafe call to
  StringRef.data() which doesn't guarantee null-termination.

llvm-svn: 88779

llvm-svn: 88729

option enables new "internal" checks that will eventually be turned on
by default but still require broader testing.

llvm-svn: 88671

llvm-svn: 87094

llvm-svn: 87093