The symbol-aware stack hint combines the checker-provided message
with the information about how the symbol was passed to the callee: as
a parameter or a return value.

For malloc, the generated messages look like this :
"Returning from 'foo'; released memory via 1st parameter"
"Returning from 'foo'; allocated memory via 1st parameter"
"Returning from 'foo'; allocated memory returned"
"Returning from 'foo'; reallocation of 1st parameter failed"


(We are yet to handle cases when the symbol is a field in a struct or
an array element.)

llvm-svn: 152962

BugVisitor DiagnosticPieces.

When checkers create a DiagnosticPieceEvent, they can supply an extra
string, which will be concatenated with the call exit message for every
call on the stack between the diagnostic event and the final bug report.
(This is a simple version, which could be/will be further enhanced.)

For example, this is used in Malloc checker to produce the ",
which allocated memory" in the following example:

static char *malloc_wrapper() { // 2. Entered call from 'use'
    return malloc(12);    // 3. Memory is allocated
}

void use() {
    char *v;
    v = malloc_wrapper(); // 1. Calling 'malloc_wrappers'
        // 4. Returning from 'malloc_wrapper', which allocated memory
}                         // 5. Memory is never released; potential
memory leak

llvm-svn: 152837

Essentially, a bug centers around a story for various symbols and regions.  We should only include
the path diagnostic events that relate to those symbols and regions.

The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which
can be modified at BugReport creation or by BugReporterVisitors.

This patch reduces the diagnostics emitted in several of our test cases.  I've vetted these as
having desired behavior.  The only regression is a missing null check diagnostic for the return
value of realloc() in test/Analysis/malloc-plist.c.  This will require some investigation to fix,
and I have added a FIXME to the test case.

llvm-svn: 152361

llvm-svn: 152080

llvm-svn: 152078

calling an ObjC method ending with 'NoCopy'.

llvm-svn: 152037

attributes, introduced in r151188.

+ the test to catch it.

Thanks to Ahmed Charles for pointing this out.

llvm-svn: 151840

funopen, setvbuf.

Teach the checker and the engine about these APIs to resolve malloc
false positives. As I am adding more of these APIs, it is clear that all
this should be factored out into a separate callback (for example,
region escapes). Malloc, KeyChainAPI and RetainRelease checkers could
all use it.

llvm-svn: 151737

When allocated buffer is passed to CF/NS..NoCopy functions, the
ownership is transfered unless the deallocator argument is set to
'kCFAllocatorNull'.

llvm-svn: 151608

closest function context. 

This prevents us from uniqueing all leaks from the same allocation
helper. radar://10932226

llvm-svn: 151592

Assume none of the ObjC messages defined in system headers free memory,
except for the ones containing 'freeWhenDone' selector. Currently, just
assume that the region escapes to the messages with 'freeWhenDone'
(ideally, we want to treat it as 'free()').

For now, always assume that regions escape when passed to C++ methods.

llvm-svn: 151410

When we find two leak reports with the same allocation site, report only
one of them.

Provide a helper method to BugReporter to facilitate this.

llvm-svn: 151287

Make this call an exception in ExprEngine::invalidateArguments:
'int pthread_setspecific(ptheread_key k, const void *)' stores
a value into thread local storage. The value can later be retrieved
with 'void *ptheread_getspecific(pthread_key)'. So even thought the
parameter is 'const void *', the region escapes through the
call.

(Here we just blacklist the call in the ExprEngine's default
logic. Another option would be to add a checker which evaluates
the call and triggers the call to invalidate regions.)

Teach the Malloc Checker, which treats all system calls as safe about
the API.

llvm-svn: 151220

 - We should not evaluate strdup in the Malloc Checker, it's the job of
CString checker, so just update the RefState to reflect allocated
memory.

- Refactor to reduce LOC: remove some wrapper auxiliary functions, make
all functions return the state and add the transition in one place
(instead of in each auxiliary function).

llvm-svn: 151188

llvm-svn: 151124

, when we return a symbol reachable to the malloced one via pointer
arithmetic.

llvm-svn: 151121

tests.

llvm-svn: 150993

it aware of CString APIs that return the input parameter.

Malloc Checker needs to know how the 'strcpy' function is
evaluated. Introduce the dependency on CStringChecker for that.
CStringChecker knows all about these APIs.

Addresses radar://10864450

llvm-svn: 150846

 - Rename the category "Logic Error" -> "Memory Error".
 - Shorten all the messages.

llvm-svn: 150733

of failing realloc. + Minor cleanups.

llvm-svn: 150732

We are not properly handling the memory regions that escape into struct
fields, which led to a bunch of false positives. Be conservative here
and give up when a pointer escapes into a struct.

llvm-svn: 150658

llvm-svn: 150556

the passed in pointer on failure.

llvm-svn: 150533

hardening.

llvm-svn: 150532

(In response of Ted's review of r150112.)

This moves the logic which checked if a symbol escapes through a
parameter to invalidateRegionCallback (instead of post CallExpr visit.)

To accommodate the change, added a CallOrObjCMessage parameter to
checkRegionChanges callback.

llvm-svn: 150513

in realloc map. 

If there is no dependency, the reallocated ptr will get garbage
collected before we know that realloc failed, which would lead us to
missing a memory leak warning.

Also added new test cases, which we can handle now.
Plus minor cleanups.

llvm-svn: 150446

case when size is 0.

llvm-svn: 150412

1) Support the case when realloc fails to reduce False Positives. (We
essentially need to restore the state of the pointer being reallocated.)

2) Realloc behaves differently under special conditions (from pointer is
null, size is 0). When detecting these cases, we should consider
under-constrained states (size might or might not be 0). The
old version handled this in a very hacky way. The code did not
differentiate between definite and possible (no consideration for
under-constrained states). Further, after processing each special case,
the realloc processing function did not return but chained to the next
special case processing. So you could end up in an execution in which
you first see the states in which size is 0 and realloc ~ free(),
followed by the states corresponding to size is not 0 followed by the
evaluation of the regular realloc behavior.

llvm-svn: 150402

a pointer cannot escape through calls to system functions. Also, stop
after reporting the first use-after-free.

llvm-svn: 150315

memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)

llvm-svn: 150313

Resolves a common false positive, where we were reporting a leak inside
asserts

llvm-svn: 150312

We use the same logic here as the RetainRelease checker.

llvm-svn: 150311

(use of return instead of continue), wording.

llvm-svn: 150215

llvm-svn: 150172

llvm-svn: 150158

Very simple so far - we just highlight every allocation and release
site.

llvm-svn: 150156

llvm-svn: 150155

which allows values to escape through unknown calls.

Assumes all calls but the malloc family are unknown.

Also, catch a use-after-free when a pointer is passed to a
function after a call to free (previously, you had to explicitly
dereference the pointer value).

llvm-svn: 150112

optimistic.

TODO: actually implement the pessimistic version of the checker. Ex: it
needs to assume that any function that takes a pointer might free it.

The optimistic version relies on annotations to tell us which functions
can free the pointer.

llvm-svn: 150111

post visit of CallExpr.

In general, we should avoid using evalCall as it leads to interference
with other checkers.

llvm-svn: 150086