- Apr 12, 2011
-
-
Ted Kremenek authored
ArrayBoundCheckerV2: don't arbitrarily warn about indexing before the 0-index of a symbolic region. In many cases that isn't really the base offset. llvm-svn: 129366
-
Lenny Maiorani authored
This patch adds modeling of strcmp() to the CString checker. Validates inputs are not NULL and are real C strings, then does the comparison and binds the proper return value. Unit tests included. llvm-svn: 129364
-
Ted Kremenek authored
llvm-svn: 129349
-
Ted Kremenek authored
Fix bug in SimpleSValBuilder where '--' pointer arithmetic was treated like '++' pointer arithmetic. llvm-svn: 129348
-
Ted Kremenek authored
llvm-svn: 129333
-
John McCall authored
for __unknown_anytype resolution to destructively modify the AST. So that's what it does now, which significantly simplifies some of the implementation. Normal member calls work pretty cleanly now, and I added support for propagating unknown-ness through &. llvm-svn: 129331
-
Ted Kremenek authored
llvm-svn: 129308
-
- Apr 11, 2011
-
-
John McCall authored
llvm-svn: 129269
-
Anders Carlsson authored
llvm-svn: 129265
-
- Apr 10, 2011
-
-
Anders Carlsson authored
represents a dynamic cast where we know that the result is always null. For example: struct A { virtual ~A(); }; struct B final : A { }; struct C { }; bool f(B* b) { return dynamic_cast<C*>(b); } llvm-svn: 129256
-
- Apr 09, 2011
-
-
Lenny Maiorani authored
Validates inputs are not NULL, checks for overlapping strings, concatenates the strings checking for buffer overflow, sets the length of the destination string to the sum of the s1 length and the s2 length, binds the return value to the s1 value. llvm-svn: 129215
-
Ted Kremenek authored
Start overhauling static analyzer support for C++ constructors. The inlining support isn't complete, and needs to be reworked to model CallEnter/CallExit (just like all other calls). For now, treat constructors mostly like other function calls, making the analysis of C++ code just a little more useful. llvm-svn: 129166
-
- Apr 07, 2011
-
-
John McCall authored
The idea is that you can create a VarDecl with an unknown type, or a FunctionDecl with an unknown return type, and it will still be valid to access that object as long as you explicitly cast it at every use. I'm still going back and forth about how I want to test this effectively, but I wanted to go ahead and provide a skeletal implementation for the LLDB folks' benefit and because it also improves some diagnostic goodness for placeholder expressions. llvm-svn: 129065
-
- Apr 06, 2011
-
-
John McCall authored
be sure to consume the argument index that actually had the attribute rather than always the first. rdar://problem/9234108 llvm-svn: 128998
-
- Apr 05, 2011
-
-
Lenny Maiorani authored
Add security syntax checker for strcat() which causes the Static Analyzer to generate a warning any time the strcat() function is used with a note suggesting to use a function which provides bounded buffers. CWE-119. Also, brings the security syntax checker more in line with coding standards. llvm-svn: 128916
-
Ted Kremenek authored
Fix PR 9626 (duplicated self-init warnings under -Wuninitialized) with numerous CFG and UninitializedValues analysis changes:
1) Change the CFG to include the DeclStmt for conditional variables, instead of using the condition itself as a faux DeclStmt.
2) Update ExprEngine (the static analyzer) to understand (1), so not to regress.
3) Update UninitializedValues.cpp to initialize all tracked variables to Uninitialized at the start of the function/method.
4) Only use the SelfReferenceChecker (SemaDecl.cpp) on global variables, leaving the dataflow analysis to handle other cases.
The combination of (1) and (3) allows the dataflow-based -Wuninitialized to find self-init problems when the initializer contained control-flow. llvm-svn: 128858
-
- Apr 03, 2011
-
-
Lenny Maiorani authored
Refactoring the security checker a little bit so that each CallExpr check doesn't get called for each CallExpr. Instead it does a switch and only runs the check for the proper identifier. Slight speed improvement (probably significant on very large ASTs), and should make it easier and more clear to add more checks for other CallExpr's later. llvm-svn: 128785
-
Ted Kremenek authored
static analyzer: Add a new ProgramPoint PostCondition to represent the post position of a branch condition, and a new generateNode method to BranchNodeBuilder using PostCondition ProgramPoint. This method generates a new ExplodedNode but not a new block edge. Patch by Lei Zhang! llvm-svn: 128784
-
Ted Kremenek authored
Fix RegionStore bug when doing a field load whose parent is also a field assigned a LazyCompoundValue. Fixes <rdar://problem/9163742> and PR 9522. llvm-svn: 128783
-
- Apr 02, 2011
-
-
Zhongxing Xu authored
llvm-svn: 128762
-
Ted Kremenek authored
Teach IdempotentOperationsChecker about paths aborted because ExprEngine didn't know how to handle a specific Expr type. llvm-svn: 128761
-
Ted Kremenek authored
static analyzer: Rename 'BlocksAborted' to 'BlocksExhausted' to reflect that a given CFGBlock was analyzed too many times. llvm-svn: 128760
-
- Apr 01, 2011
-
-
Lenny Maiorani authored
Add security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers. llvm-svn: 128679
-
- Mar 31, 2011
-
-
Lenny Maiorani authored
Models mempcpy() so that if length is NULL the destination pointer is returned. Otherwise, the source and destination are confirmed not to be NULL and not overlapping. Finally the copy is validated to not cause a buffer overrun and the return value is bound to the address of the byte after the last byte copied. llvm-svn: 128677
-
Lenny Maiorani authored
llvm-svn: 128670
-
Ted Kremenek authored
Static analyzer: fix bug in handling of dynamic_cast<>. The sink node wouldn't always be the final node, thus causing the state to continue propagating. Instead, recover some path-sensitivity by conjuring a symbol. llvm-svn: 128612
-
Ted Kremenek authored
Teach static analyzer about the basics of handling new[]. We still don't simulate constructors, but at least the analyzer doesn't think the return value is uninitialized. llvm-svn: 128611
-
- Mar 30, 2011
-
-
Ted Kremenek authored
from how we process ordinary function calls, had a tremendous amount of redundancy, and relied strictly on inlining behavior (which was incomplete) to provide semantics instead of falling back to the conservative analysis we use for C functions. This is a significant step into making C++ analyzer support more useful. llvm-svn: 128557
-
Argyrios Kyrtzidis authored
llvm-svn: 128512
-
Argyrios Kyrtzidis authored
[analyzer] For -analyzer-checker-help show all the info about groups, packages, and which packages/checkers are hidden. llvm-svn: 128511
-
- Mar 29, 2011
-
-
Argyrios Kyrtzidis authored
llvm-svn: 128475
-
- Mar 26, 2011
-
-
Anders Carlsson authored
llvm-svn: 128340
-
Ted Kremenek authored
llvm-svn: 128310
-
- Mar 24, 2011
-
-
Ted Kremenek authored
llvm-svn: 128187
-
- Mar 19, 2011
-
-
Ted Kremenek authored
This rename serves two purposes:
- It reflects the actual functionality of this analysis.
- We will have more than one reachability analysis.
llvm-svn: 127930
-
- Mar 17, 2011
-
-
Ted Kremenek authored
llvm-svn: 127798
-
Ted Kremenek authored
Teach VariadicMethodTypeChecker that CF references are valid arguments to variadic Objective-C methods. llvm-svn: 127797
-
Ted Kremenek authored
Tweak RegionStore's handling of lazy compound values to use the 'Default' versus 'Direct' binding key, thus allowing specific elements of an array/struct to be overwritten without invalidating the entire binding. Fixes PR 9455. llvm-svn: 127796
-
- Mar 16, 2011
-
-
Ted Kremenek authored
VariadicMethodTypeChecker: don't warn for null pointer constants passed to variadic Objective-C methods. llvm-svn: 127719
-
- Mar 15, 2011
-
-
Ted Kremenek authored
llvm-svn: 127687
-