llvm-svn: 57891

Further improve path-sensitivity with divide-by-zero checking by assuming that a denominator cannot be zero even when the result of an '/' or '%' expression is unknown.

llvm-svn: 57855

Used conjured symbols to recover path-sensitivity when the result of a compound assignment is UnknownVal().

llvm-svn: 57851

llvm-svn: 57777

Generalize VisitLValue: not only can CallExprs and ObjCMessageExprs return aggregate temporaries, so can many other expressions.

llvm-svn: 57761

Function calls and ObjC message expressions can be used in a lvalue context if they return a structure.  E.g  foo().x == 1.  We don't really support, however, such temporaries yet in the environment or the store.

llvm-svn: 57760

retain/release checker: Check if a tracked value escapes if we also try binding it to the store and the store doesn't support that binding (i.e., it cannot track it).  This has the nice feature that the checker will automatically get more powerful if we use a more powerful store model.

llvm-svn: 57755

Use "VisitLValue" when processing the base for "x.f" field accesses, and "Visit" when processing the base for "x->f" field accesses.

llvm-svn: 57754

Hack: have BasicStore::getLValueElement return the "Base" lvalue.  This restores null dereference checking with array accesses.

BasicStore::RemoveDeadBindings: handle regions besides VarRegions (we now have FieldRegions).

llvm-svn: 57741

When conjuring symbols to recover path-sensitivity, don't conjure symbols that represent an entire struct.  We need to implement struct temporaries as an actual "region", and then bind symbols to the FieldRegion of those temporaries.

llvm-svn: 57739

Enhance "Assumption" logic in BasicConstraintManager when reasoning about regions and symbolic regions.  When assuming whether or not a location is non-null, walk up the region hierarchy until we hit a symbolic region (and test it for null).  This may not be the end all solution, as the notion of what a "symbolic region" is really belongs in the specific subclass of StoreManager.

llvm-svn: 57730

llvm-svn: 57724

Fixed an elusive caching bug in ExplodedGraph construction when a PostStmtKind was used instead of a PostStoreKind.

llvm-svn: 57719

- Added new region "SymbolicRegion", which maps symbol values to the region domain.
- Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion)
- Added some utility methods to GRState for fetch svals from the store.
- Fixed regression in CheckNSError (we weren't getting the value bound to the parameter)

llvm-svn: 57717

"Implement" GRExprEngine::VisitLValue for ObjCPropertyRefExpr.  This is only a bandid; we need to properly handle properties by using locv/nonloc objects and specially handling property assignments in the transfer function for BinaryOperator.

llvm-svn: 57693

RVal => SVal
LVal => Loc
NonLVal => NonLoc
lval => loc
nonlval => nonloc

llvm-svn: 57671

llvm-svn: 57666

type T.

llvm-svn: 57665

struct s {};
void f() {
  int a[10];
  int (*p)[10];
  p = &a;
  (*p)[3] =1;

  struct s d;
  struct s *q;
  q = &d;
}

We return the corresponding MemRegionVal for them.

llvm-svn: 57664

llvm-svn: 57659

Remove GRExprEngine::getLVal and RValues::MakeVal.
Enhance StoreManager "GetLValue" methods to dispatch for specific kinds of lvalue queries, as opposed to interogating the expression tree (GRExprEngine already does this).

Added FIXMEs.  In particular, we no longer "assume" that a base pointer in a field/array access is null (this logic was removed).  Perhaps we should do this when fetching the lvalue for fields and array elements?

llvm-svn: 57657

llvm-svn: 57654

new VisitLValue method is added to replace the old VisitLVal. The semantics
model becomes more explicit to separate rvalue evaluation from lvalue
evaluation.  

llvm-svn: 57627

Enhance dead store checker to not flag preincrements to dead variables where the preincrement is a subexpression, e.g. foo(++x);  This can cause false negatives, but will remove a whole class of false positives.

llvm-svn: 57554

llvm-svn: 57317

This is the first step to implement a field-sensitive store model. Other things are simplified: no heap shape assumption, no parameter alias assumption, etc.

llvm-svn: 57285

llvm-svn: 57240

llvm-svn: 57225

Don't use DeclStmt::getDecl(); this will eventually disappear.  Just fetch the first decl using the DeclStmt::decl_iterator.

llvm-svn: 57194

Use DeclStmt::decl_iterator instead of using Decl::getDecl().  Soon DeclStmts will wrap group of Decls.
Added FIXME.

llvm-svn: 57189

llvm-svn: 57146

llvm-svn: 57107

This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes.

This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h.  This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses.  This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on.  

The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls.  In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal.  Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables.

There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized.

The memory region abstraction also allows type-information to literally be affixed to a memory region.  This will allow the some now redundant logic to be removed from the retain/release checker.

llvm-svn: 57042

Expand checking to include functions, not just methods.

llvm-svn: 56938

llvm-svn: 56912

Use this updated interface when invalidating arguments passed by reference; the type of symbol is of the object passed by reference, not the reference itself.

llvm-svn: 56894

llvm-svn: 56832

from the subexpression type to the expression type.

llvm-svn: 56831

llvm-svn: 56755

llvm-svn: 56735