path: root/test/Analysis
Commit message | Author | Age | Files | Lines
* [analyzer] Taint: add system and popen as undesirable sinks for taint data.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148176 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2012-01-14 | Files: 1 | Lines: -0/+8
* [analyzer] Unwrap the pointers when ignoring the const cast.
  radar://10686991
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148081 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2012-01-13 | Files: 1 | Lines: -0/+3
* [analyzer] RegionStoreManager::getBinding() should not crash when looking up value at a CodeTextRegion even when the type is not provided.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148079 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2012-01-13 | Files: 1 | Lines: -0/+4
* Adjust set of default checkers.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148055 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-12 | Files: 1 | Lines: -1/+0
* [analyzer] fix inlining's handling of mapping actual to formal arguments and limit the call stack depth. The analyzer can now accurately simulate factorial for limited depths.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148036 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-12 | Files: 1 | Lines: -0/+30
* [analyzer] Add taint transfer by strcpy & others (part 1).
  To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit.
  Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148010 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2012-01-12 | Files: 1 | Lines: -7/+34
* "This change adds alloca/valloc checks to UnixAPIChecker. It includes a small refactoring for the common *alloc functions as well as a few tiny wibbles (adds a note to CWE/CERT advisory numbers in the bug output, and fixes a couple 80-column-wide violations.)"
  Patch by Austin Seipp!
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147931 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-11 | Files: 1 | Lines: -0/+38
* Add elidable CXXConstructExpr as block-level expr. It converts an lvalue to a rvalue, which is a useful step during AST evaluation.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147918 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Zhongxing Xu | Age: 2012-01-11 | Files: 1 | Lines: -641/+657
* Remove '#if 0' from ExprEngine::InlineCall(), and start fresh by wiring up inlining for straight C calls. My hope is to reimplement this from first principles based on the simplifications of removing unneeded node builders and re-evaluating how C++ calls are handled in the CFG. The hope is to turn inlining "on-by-default" as soon as possible with a core set of things working well, and then expand over time.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147904 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-11 | Files: 1 | Lines: -1/+0
* [analyzer] Add basic format string vulnerability checking.
  We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147714 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2012-01-07 | Files: 1 | Lines: -1/+15
* [analyzer] Add another tests to taint tester.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147570 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2012-01-04 | Files: 1 | Lines: -0/+9
* [analyzer] Be less pessimistic about invalidation of global variables as a result of a call.
  Problem: Global variables, which come in from system libraries should not be invalidated by all calls. Also, non-system globals should not be invalidated by system calls.
  Solution: The following solution to invalidation of globals seems flexible enough for taint (does not invalidate stdin) and should not lead to too many false positives. We split globals into 3 classes:
    * immutable - values are preserved by calls (unless the specific global is passed in as a parameter):
        A: Most system globals and const scalars
    * invalidated by functions defined in system headers:
        B: errno
    * invalidated by all other functions (note, these functions may in turn contain system calls):
        B: errno
        C: all other globals (which are not in A nor B)
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147569 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2012-01-04 | Files: 3 | Lines: -18/+85
* Extend ConditionBRVisitor to handle condition variable assignments.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147526 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-04 | Files: 1 | Lines: -0/+214
* Teach the static analyzer to not treat XPC types as CF types.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147506 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-04 | Files: 1 | Lines: -0/+16
* Enhance UnixAPIChecker to also warn about zero-sized allocations to calloc() and realloc(). Patch by Cyril Roelandt!
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147500 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-03 | Files: 1 | Lines: -0/+32
* Add initial version of checker to check if virtual member functions are called transitively from C++ constructors or destructors. Checker by Lei Zhang with a few tweaks by Ted Kremenek.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147494 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2012-01-03 | Files: 1 | Lines: -0/+53
* Colorize and condense CFG pretty-printing.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147203 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-12-22 | Files: 4 | Lines: -1468/+1398
* Fix typos in analyzer diagnostics pointed out by Matt Beaumont-Gay and Robert Purves.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147139 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-12-22 | Files: 1 | Lines: -1/+1
* Fix regression in LiveVariables when reasoning about variables captured by blocks.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147116 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-12-22 | Files: 1 | Lines: -1/+13
* [analyzer] Do not invalidate arguments when the parameter's type is a pointer to const. (radar://10595327)
  The regions corresponding to the pointer and reference arguments to a function get invalidated by the calls since a function call can possibly modify the pointed to data. With this change, we are not going to invalidate the data if the argument is a pointer to const. This change makes the analyzer more optimistic in reporting errors. (Support for C, C++ and Obj C)
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147002 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-20 | Files: 5 | Lines: -8/+79
* Fix inversion of static analyzer path diagnostics for path conditions.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146993 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-12-20 | Files: 1 | Lines: -181/+309
* test/Analysis: fix error message
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146848 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Dylan Noblesmith | Age: 2011-12-18 | Files: 1 | Lines: -1/+1
* [analyzer] Fixup for r146793. Add tests for atol and atoll.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146794 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-17 | Files: 1 | Lines: -1/+12
* [analyzer] Add support for taint flowing through a function (atoi).
  Check if the input parameters are tainted (or point to tainted data) on a checkPreStmt<CallExpr>. If the output should be tainted, record it in the state. On post visit (checkPostStmt<CallExpr>), use the state to make decisions (in addition to the existing logic). Use this logic for atoi and fscanf.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146793 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-17 | Files: 1 | Lines: -0/+16
* [analyzer] Better stdin support.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146748 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-16 | Files: 1 | Lines: -4/+32
* Add support for matching one or more (aka regex +) diagnostic messages with -verify.
  Ex: // expected-warning + {{tainted}
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146633 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-15 | Files: 1 | Lines: -33/+33
* [analyzer] Ensure that the order in which checker callbacks are called is deterministic.
  Non-determinism was the reason for the test which caused the earlier buildbot failures, so re-enable the test.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146628 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-15 | Files: 1 | Lines: -1/+1
* Modify how the -verify flag works. Currently, the verification string and diagnostic message are compared. If either is a substring of the other, then no error is given. This gives rise to an unexpected case:
    // expect-error{{candidate function has different number of parameters}}
  will match the following error messages from Clang:
    candidate function has different number of parameters (expected 1 but has 2)
    candidate function has different number of parameters
  It will also match these other error messages:
    candidate function
    function has different number of parameters
    number of parameters
  This patch will change so that the verification string must be a substring of the diagnostic message before accepting. Also, all the failing tests from this change have been corrected. Some stats from this cleanup:
    87 - removed extra spaces around verification strings
    70 - wording updates to diagnostics
    40 - extra leading or trailing characters (typos, unmatched parens or quotes)
    35 - diagnostic level was included (error:, warning:, or note:)
    18 - flag name put in the warning (-Wprotocol)
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146619 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Richard Trieu | Age: 2011-12-15 | Files: 6 | Lines: -17/+17
* [analyzer] Disable verification step on the failing test.
  I need to keep the test itself in the repository since it's the only way I can currently reproduce the issue.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146582 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-14 | Files: 1 | Lines: -1/+1
* [analyzer] Re-enable the test which was failing on one of the bots.
  I cannot reproduce the failures neither on my machine nor on the same buildbot machine (with the clang binary built on it). Let's see if it fails again..
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146574 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-14 | Files: 1 | Lines: -0/+46
* [analyzer] Revert the taint test, which is failing on one of the bots for time being.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146541 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-14 | Files: 1 | Lines: -46/+0
* [analyzer] Treat stdin as a source of taint.
  Some of the test cases do not currently work because the analyzer core does not seem to call checkers for pre/post DeclRefExpr visits. (Opened radar://10573500. To be fixed later on.)
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146536 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-14 | Files: 1 | Lines: -11/+18
* [analyzer] Mark output of fscanf and fopen as tainted.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146533 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-14 | Files: 1 | Lines: -0/+35
* [analyzer] Mark getenv output as tainted.
  Also, allow adding taint to a region (not only a symbolic value).
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146532 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-14 | Files: 1 | Lines: -0/+10
* [analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.
  We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about.
  In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expression evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently protected.)
  This patch also contains 2 small bug fixes:
    - swap the order of operators inside SValBuilder::makeGenericVal.
    - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146343 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-11 | Files: 2 | Lines: -3/+10
* Check that arguments to a scanf call match the format specifier, and offer fixits when there is a mismatch.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146326 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Hans Wennborg | Age: 2011-12-10 | Files: 2 | Lines: -3/+4
* [analyzer] Fix inconsistency on when SValBuilder assumes that 2 types are equivalent.
  + A taint test which tests bitwise operations and which was triggering an assertion due to presence of the integer to integer cast.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146240 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-09 | Files: 1 | Lines: -0/+15
* [analyzer] If memory region is tainted mark data as tainted.
  + random comments
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146199 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-08 | Files: 1 | Lines: -1/+24
* Add an experimental MallocSizeofChecker, which reports inconsistencies between the casted type of the return value of a malloc/calloc/realloc call and the operand of any sizeof expressions contained within its argument(s).
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146144 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Peter Collingbourne | Age: 2011-12-08 | Files: 1 | Lines: -0/+27
* [analyzer] Propagate taint through MemRegions.
  SVal can be not only a symbol, but a MemRegion. Add support for such cases.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146006 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-07 | Files: 1 | Lines: -4/+15
* [analyzer] Propagate taint through NonLoc to NonLoc casts.
    - Created a new SymExpr type - SymbolCast.
    - SymbolCast is created when we don't know how to simplify a NonLoc to NonLoc casts.
    - A bit of code refactoring: introduced dispatchCast to have better code reuse, remove a goto.
    - Updated the test case to showcase the new taint flow.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145985 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-06 | Files: 1 | Lines: -0/+8
* [analyzer] Simplify the expected-warning statement.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145855 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-05 | Files: 1 | Lines: -1/+1
* [analyzer] Add a missing taint tester warning.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145834 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-05 | Files: 1 | Lines: -1/+1
* [analyzer] Remove all uses of ConstraintManager::canReasonAbout() from ExprEngine.
  Teach SimpleConstraintManager::assumeSymRel() to propagate constraints to symbolic expressions.
  + One extra warning (real bug) is now generated due to enhanced assumeSymRel().
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145832 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-05 | Files: 1 | Lines: -4/+2
* [analyzer] Add a debug checker to test for tainted data.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145827 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-05 | Files: 1 | Lines: -0/+15
* [analyzer] Make KeychainAPI checker less aggressive. radar://10508828
  We trigger an error if free is called after a possibly failed allocation. Do not trigger the error if we know that the buffer is not null.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145584 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Anna Zaks | Age: 2011-12-01 | Files: 1 | Lines: -1/+17
* Fix typo.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145577 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-12-01 | Files: 1 | Lines: -1/+1
* When analyzing a C++ method (without a specific caller), assume 'this' is non-null. Fixes <rdar://problem/10508787>.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145575 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-12-01 | Files: 1 | Lines: -0/+14
* Per an offline conversation with John McCall, have StmtPrinter actually print out the source expression for OpaqueValueExpr.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145524 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-11-30 | Files: 1 | Lines: -6/+7
* Relax RegionStore to allow loads from CodeTextRegions. Apparently you can actually write code that does this. This seems worthy of a checker, but the StoreManager should handle the memory abstraction without crashing. Fixes PR 11450.
  git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@145424 91177308-0d34-0410-b5e6-96231b3b80d8
  Author: Ted Kremenek | Age: 2011-11-29 | Files: 1 | Lines: -0/+8