[analyzer] Overhaul how the static analyzer expects CFGs by forcing CFGs to be linearized only when used by the static analyzer.  This required a rewrite of LiveVariables, and exposed a ton of subtle bugs.

The motivation of this large change is to drastically simplify the logic in ExprEngine going forward.

Some fallout is that the output of some BugReporterVisitors is not as accurate as before; those will
need to be fixed over time.  There is also some possible performance regression as RemoveDeadBindings
will be called frequently; this can also be improved over time.

llvm-svn: 136419

[analyzer] fix bug in malloc checker where the tracked symbol would not properly be removed from the state.

llvm-svn: 136418

[analyzer] Add StoreManager::includedInBindings() to to query whether a region is used in any bindings.

llvm-svn: 136416

llvm-svn: 136415

llvm-svn: 136414

llvm-svn: 136413

the proper expression.

llvm-svn: 136412

SourceManager and FullSourceLoc.

llvm-svn: 135969

SourceManager and FullSourceLoc.

llvm-svn: 135965

llvm-svn: 135962

FullSourceLoc::getInstantiationLoc to ...::getExpansionLoc. This is part
of the API and documentation update from 'instantiation' as the term for
macros to 'expansion'.

llvm-svn: 135914

them into the clang namespace.

llvm-svn: 135852

methods, including indirectly overridden methods like those
declared in protocols and categories.  There are mismatches
that we would like to diagnose but aren't yet, but this   
is fine for now.

I looked at approaches that avoided doing this lookup 
unless we needed it, but the infer-related-result-type
checks were doing it anyway, so I left it with the same
fast-path check for no previous declartions of that 
selector.

llvm-svn: 135743

llvm-svn: 135667

llvm-svn: 135666

llvm-svn: 135518

pthread and XNU locks. Patch by Rui Paulo!

llvm-svn: 135515

[analyzer] Place checking for Core Foundation "Create" rule into a proper API.  No functionality change.

llvm-svn: 135349

Add tests for CFRefReport's path notes, and fix a few typos and non-standard terminology ('+0 retain counts') caught by the tests.

llvm-svn: 135310

llvm-svn: 135294

Clean up UnixAPIChecker, including switching its array of BugTypes to llvm::OwningPtr<BugType> vars (the new convention). No functionality change.

llvm-svn: 135255

Clean up MacOSXAPIChecker, including switching its array of BugTypes to a single llvm::OwningPtr<BugType> (the new convention). No functionality change.

llvm-svn: 135250

to represent a fully-substituted non-type template parameter.
This should improve source fidelity, as well as being generically
useful for diagnostics and such.

llvm-svn: 135243

where we have an immediate need of a retained value.

As an exception, don't do this when the call is made as the immediate
operand of a __bridge retain.  This is more in the way of a workaround
than an actual guarantee, so it's acceptable to be brittle here.

rdar://problem/9504800

llvm-svn: 134605

obey the objc_method_family attribute when provided. Fixes
<rdar://problem/9726279>.

llvm-svn: 134493

Fixes rdar://9714064

llvm-svn: 134292

[analyzer] Use UnknownVal when default-initializing arrays whose element types we don't model, to distinguish them from uninitialized arrays (PR10163).

llvm-svn: 133937

MaterializeTemporaryExpr captures a reference binding to a temporary
value, making explicit that the temporary value (a prvalue) needs to
be materialized into memory so that its address can be used. The
intended AST invariant here is that a reference will always bind to a
glvalue, and MaterializeTemporaryExpr will be used to convert prvalues
into glvalues for that binding to happen. For example, given

  const int& r = 1.0;

The initializer of "r" will be a MaterializeTemporaryExpr whose
subexpression is an implicit conversion from the double literal "1.0"
to an integer value. 

IR generation benefits most from this new node, since it was
previously guessing (badly) when to materialize temporaries for the
purposes of reference binding. There are likely more refactoring and
cleanups we could perform there, but the introduction of
MaterializeTemporaryExpr fixes PR9565, a case where IR generation
would effectively bind a const reference directly to a bitfield in a
struct. Addresses <rdar://problem/9552231>.

llvm-svn: 133521

llvm-svn: 133472

llvm-svn: 133410

[analyzer] Re-enable checking for strncpy, along with a new validation of the size argument. strncat is not yet up-to-date, but I'm leaving it enabled for now (there shouldn't be any false positives, at least...)

llvm-svn: 133408

[analyzer] Eliminate "byte string function" from CStringChecker's diagnostics, and make it easier to provide custom messages for overflow checking, in preparation for re-enabling strncpy checking.

llvm-svn: 133406

llvm-svn: 133246

[analyzer] Clean up modeling of strcmp, including cases where a string literal has an embedded null character, and where both arguments are the same buffer. Also use nested ifs rather than early returns; in this case early returns will lose any assumptions we've made earlier in the function.

llvm-svn: 133154

I will not commit without building first.
I will not commit without building first.
I will not commit without building first...

llvm-svn: 133150

[analyzer] Cleanup: mainly 80-char violations and preferring SValBuilder::getComparisonType() to just referencing IntTy.

llvm-svn: 133149

Language-design credit goes to a lot of people, but I particularly want
to single out Blaine Garst and Patrick Beard for their contributions.

Compiler implementation credit goes to Argyrios, Doug, Fariborz, and myself,
in no particular order.

llvm-svn: 133103

- (bounded copies) Be more conservative about how much is being copied.
- (str(n)cat) If we can't compute the exact final length of an append operation, we can still lower-bound it.
- (stpcpy) Fix the conjured return value at the end to actually be returned.

This requires these supporting changes:
- C string metadata symbols are still live even when buried in a SymExpr.
- "Hypothetical" C string lengths, to represent a value that /will/ be passed to setCStringLength() if all goes well. (The idea is to allow for temporary constrainable symbols that may end up becoming permanent.)
- The 'checkAdditionOverflow' helper makes sure that the two strings being appended in a strcat don't overflow size_t. This should never *actually* happen; the real effect is to keep the final string length from "wrapping around" in the constraint manager.

This doesn't actually test the "bounded" operations (strncpy and strncat) because they can leave strings unterminated. Next on the list!

llvm-svn: 133046

[analyzer] If a C string length is UnknownVal, clear any existing length binding. No tests yet because the only thing that sets string length is strcpy(), and that needs some work anyway.

llvm-svn: 133044

[analyzer] When performing a binary operation on symbolic operands, we convert the symbol values to a common type. But in a relational operation, the result is an 'int' or 'bool', which may not be the appropriate type to convert the operands to. In these cases, use the left-hand operand's type as the conversion type.

There's no associated test for this because fully-constrained symbolic values are evaluated ahead of time in normal expressions. This can only come up in checker-constructed expressions (like the ones in an upcoming patch to CStringChecker).

llvm-svn: 133041