Previously, -Wtautological-overlap-compare did not warn on cases where the
boolean expression was in an assignment or return statement. This patch
should cause all boolean statements to be passed to the tautological compare
checks in the CFG analysis.
This is one of the issues from PR13101
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@290920 91177308-0d34-0410-b5e6-96231b3b80d8
mirror the description in the standard. Per DR1295, this means that binding a
const / rvalue reference to a bit-field no longer "binds directly", and per
P0135R1, this means that we materialize a temporary in reference binding
after adjusting cv-qualifiers and before performing a derived-to-base cast.
In C++11 onwards, this should have fixed the last case where we would
materialize a temporary of the wrong type (with a subobject adjustment inside
the MaterializeTemporaryExpr instead of outside), but we still have to deal
with that possibility in C++98, unless we want to start using xvalues to
represent materialized temporaries there too.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@289250 91177308-0d34-0410-b5e6-96231b3b80d8
Summary:
CXXDeleteExpr::getDestroyedType() can return a null QualType if the destroyed
type is a dependent type. This patch protects against this.
Reviewers: klimek
Subscribers: cfe-commits
Differential Revision: https://reviews.llvm.org/D27350
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@288665 91177308-0d34-0410-b5e6-96231b3b80d8
if (stmt; condition) { ... }
Patch by Anton Bikineev! Some minor formatting and comment tweets by me.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@275350 91177308-0d34-0410-b5e6-96231b3b80d8
Summary:
CFG generation is expected to fail in this case, but it should not crash.
Also added a test that reproduces the crash.
Reviewers: klimek
Subscribers: cfe-commits
Patch by Martin Boehme!
Differential Revision: http://reviews.llvm.org/D21895
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@274834 91177308-0d34-0410-b5e6-96231b3b80d8
This prevents spurious dead store warnings when a C++ lambda is casted to a block.
I've also added several tests documenting our still-incomplete support for lambda-to-block
casts.
rdar://problem/22236293
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@254107 91177308-0d34-0410-b5e6-96231b3b80d8
Summary:
VisitReturnStmt would create a new block with including Dtors, so the Dtors created
in VisitCompoundStmts would be in an unreachable block.
Example:
struct S {
~S();
};
void f()
{
S s;
return;
}
void g()
{
S s;
}
Before this patch, f has one additional unreachable block containing just the
destructor of S. With this patch, both f and g have the same blocks.
Reviewers: krememek
Subscribers: cfe-commits
Differential Revision: http://reviews.llvm.org/D13973
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@253107 91177308-0d34-0410-b5e6-96231b3b80d8
Prior to this patch, -Wtautological-overlap-compare would only warn us
if there was a sketchy logical comparison between variables and
IntegerLiterals. This patch makes -Wtautological-overlap-compare aware
of EnumConstantDecls, so it can apply the same logic to them.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@249053 91177308-0d34-0410-b5e6-96231b3b80d8
This fixes PR16833, in which the analyzer was using large amounts of memory
for switch statements with large case ranges.
rdar://problem/14685772
A patch by Aleksei Sidorin!
Differential Revision: http://reviews.llvm.org/D5102
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@248318 91177308-0d34-0410-b5e6-96231b3b80d8
Turns out the one place that relied on the implicit copy ctor was safe
because it created an object in a state where the dtor was a no-op, but
that's more luck that good management.
Sure up the API by defining move construction and using it, which
implicitly disallows the unreliable copy operations.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@244968 91177308-0d34-0410-b5e6-96231b3b80d8
In llvm commit r243581, a reverse range adapter was added which allows
us to change code such as
for (auto I = Fields.rbegin(), E = Fields.rend(); I != E; ++I) {
in to
for (const FieldDecl *I : llvm::reverse(Fields))
This commit changes a few of the places in clang which are eligible to use
this new adapter.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@243663 91177308-0d34-0410-b5e6-96231b3b80d8
StmtRange was just a convenient wrapper for two StmtIterators before
we had real range support. This removes some of the implicit conversions
StmtRange had leading to slightly more verbose code but also should make
more obvious what's going on. No functional change intended.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@242615 91177308-0d34-0410-b5e6-96231b3b80d8
The pattern was born out of the lack of range-based for loops in C++98
and is somewhat obscure. No functionality change intended.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@241300 91177308-0d34-0410-b5e6-96231b3b80d8
When checking if a function is noreturn, consider a codepath to be noreturn if
the path destroys a class and the class destructor, base class destructors, or
member field destructors are marked noreturn.
Differential Revision: http://reviews.llvm.org/D9454
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@238382 91177308-0d34-0410-b5e6-96231b3b80d8
As we only create temp dtor decision branches when a temp dtor needs to
be run (as opposed to for each logical branch in the original
expression), we must include the information about all previous logical
branches when we annotate the temp dtor decision branch.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@215188 91177308-0d34-0410-b5e6-96231b3b80d8
Use the parent context when visiting temporaries when we do not insert a
temporary dtor decision branch.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@215120 91177308-0d34-0410-b5e6-96231b3b80d8
If the truth value of a LHS is known, we can build the knowledge whether
a temporary destructor is executed or not into the CFG. This is needed
by the return type analysis.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@215118 91177308-0d34-0410-b5e6-96231b3b80d8
The return type analysis requires that the CFG is simplified when the
truth values of branches are statically known at analysis time.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@215114 91177308-0d34-0410-b5e6-96231b3b80d8
Changes to the original patch:
- model the CFG for temporary destructors in conditional operators so that
the destructors of the true and false branch are always exclusive. This
is necessary because we must not have impossible paths for the path
based analysis to work.
- add multiple regression tests with ternary operators
Original description:
Fix modelling of non-lifetime-extended temporary destructors in the
analyzer.
Changes to the CFG:
When creating the CFG for temporary destructors, we create a structure
that mirrors the branch structure of the conditionally executed
temporary constructors in a full expression.
The branches we create use a CXXBindTemporaryExpr as terminator which
corresponds to the temporary constructor which must have been executed
to enter the destruction branch.
2. Changes to the Analyzer:
When we visit a CXXBindTemporaryExpr we mark the CXXBindTemporaryExpr as
executed in the state; when we reach a branch that contains the
corresponding CXXBindTemporaryExpr as terminator, we branch out
depending on whether the corresponding CXXBindTemporaryExpr was marked
as executed.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@215096 91177308-0d34-0410-b5e6-96231b3b80d8
This reverts commit r214962 because after the change the
following code doesn't compile with -Wreturn-type -Werror.
#include <cstdlib>
class NoReturn {
public:
~NoReturn() __attribute__((noreturn)) { exit(1); }
};
int check() {
true ? NoReturn() : NoReturn();
}
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@214998 91177308-0d34-0410-b5e6-96231b3b80d8
1. Changes to the CFG:
When creating the CFG for temporary destructors, we create a structure
that mirrors the branch structure of the conditionally executed
temporary constructors in a full expression.
The branches we create use a CXXBindTemporaryExpr as terminator which
corresponds to the temporary constructor which must have been executed
to enter the destruction branch.
2. Changes to the Analyzer:
When we visit a CXXBindTemporaryExpr we mark the CXXBindTemporaryExpr as
executed in the state; when we reach a branch that contains the
corresponding CXXBindTemporaryExpr as terminator, we branch out
depending on whether the corresponding CXXBindTemporaryExpr was marked
as executed.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@214962 91177308-0d34-0410-b5e6-96231b3b80d8
MaterializeTemporaryExpr already contains information about the lifetime
of the temporary; if the lifetime is not the full statement, we do not
want to emit a destructor at the end of the full statement for it.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@214292 91177308-0d34-0410-b5e6-96231b3b80d8
lambda expressions (other than their capture initializers) nor blocks. Do walk
into default argument expressions and default initializer expressions.
These bugs were causing us to produce broken CFGs whenever a lambda expression
was used to initialize a libstdc++ std::function object!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@214050 91177308-0d34-0410-b5e6-96231b3b80d8
Fixes a crash in Retain Count checker error reporting logic by handing
the allocation statement retrieval from a BlockEdge program point.
Also added a simple CFG dump routine for debugging.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@210960 91177308-0d34-0410-b5e6-96231b3b80d8
will never be true in a well-defined context. The checking for null pointers
has been moved into the caller logic so it does not rely on undefined behavior.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@210498 91177308-0d34-0410-b5e6-96231b3b80d8
The assignment needs to be before the destruction of the temporary.
This patch calls out to addStmt, which invokes VisitDeclStmt, which has
all the correct logic for handling temporaries.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@207985 91177308-0d34-0410-b5e6-96231b3b80d8
which warns on compound conditionals that always evaluate to the same value.
For instance, (x > 5 && x < 3) will always be false since no value for x can
satisfy both conditions.
This patch also changes the CFG to use these tautological values for better
branch analysis. The test for -Wunreachable-code shows how this change catches
additional dead code.
Patch by Anders Rönnholm.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@205665 91177308-0d34-0410-b5e6-96231b3b80d8
Also, add several destructor-related tests. Most of them don't work yet, but it's
good to have them recorded.
Patch by Alex McCarthy!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@205326 91177308-0d34-0410-b5e6-96231b3b80d8
Taking a hint from -Wparentheses, use an extra '()' as a sigil that
a dead condition is intentionally dead. For example:
if ((0)) { dead }
When this sigil is found, do not emit a dead code warning. When the
analysis sees:
if (0)
it suggests inserting '()' as a Fix-It.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@205069 91177308-0d34-0410-b5e6-96231b3b80d8
This is to support some analyses, like -Wunreachable-code, that
will need to recover the original unprunned CFG edges in order
to suppress issues that aren't really bugs in practice.
There are two important changes here:
- AdjacentBlock replaces CFGBlock* for CFG successors/predecessors.
This has the size of 2 pointers, instead of 1. This is unlikely
to have a significant memory impact on Sema since a single
CFG usually exists at one time, but could impact the memory
usage of the static analyzer. This could possibly be optimized
down to a single pointer with some cleverness.
- Predecessors can now contain null predecessors, which means
some analyses doing a reverse traversal will need to take into
account. This already exists for successors, which contain
successor slots for specific branch kinds (e.g., 'if') that
expect a fixed number of successors, even if a branch is
not reachable.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@202325 91177308-0d34-0410-b5e6-96231b3b80d8
In an expression like "new (a, b) Foo(x, y)", two things happen:
- Memory is allocated by calling a function named 'operator new'.
- The memory is initialized using the constructor for 'Foo'.
Currently the analyzer only models the second event, though it has special
cases for both the default and placement forms of operator new. This patch
is the first step towards properly modeling both events: it changes the CFG
so that the above expression now generates the following elements.
1. a
2. b
3. (CFGNewAllocator)
4. x
5. y
6. Foo::Foo
The analyzer currently ignores the CFGNewAllocator element, but the next
step is to treat that as a call like any other.
The CFGNewAllocator element is not added to the CFG for analysis-based
warnings, since none of them take advantage of it yet.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@199123 91177308-0d34-0410-b5e6-96231b3b80d8
The predicates in CXXRecordDecl which test various properties of special
members can't be called on incomplete decls.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190353 91177308-0d34-0410-b5e6-96231b3b80d8
Summary:
If a noreturn destructor is executed while returning a value from a function,
the resulting CFG has had two edges to the exit block. This crashed the analyzer,
because it expects that blocks with no terminators have only one outgoing edge.
I added code to avoid creating the second edge in this case.
PS: The crashes did not manifest themselves always, as usually the
NoReturnFunctionChecker would stop program evaluation before the analyzer hit
the assertion, but in the case of lifetime extended temporaries, the checker
failed to do that (which is a separate bug in itself).
Reviewers: jordan_rose
CC: cfe-commits
Differential Revision: http://llvm-reviews.chandlerc.com/D1513
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@190125 91177308-0d34-0410-b5e6-96231b3b80d8
This paves the way for adding support for modeling the destructor of a
region before it is deleted. The statement "delete <expr>" now generates
this series of CFG elements:
1. <expr>
2. [B1.1]->~Foo() (Implicit destructor)
3. delete [B1.1]
Patch by Karthik Bhat!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189828 91177308-0d34-0410-b5e6-96231b3b80d8
This is an improved version of r186498. It enables ExprEngine to reason about
temporary object destructors. However, these destructor calls are never
inlined, since this feature is still broken. Still, this is sufficient to
properly handle noreturn temporary destructors.
Now, the analyzer correctly handles expressions like "a || A()", and executes the
destructor of "A" only on the paths where "a" evaluted to false.
Temporary destructor processing is still off by default and one has to
explicitly request it by setting cfg-temporary-dtors=true.
Reviewers: jordan_rose
CC: cfe-commits
Differential Revision: http://llvm-reviews.chandlerc.com/D1259
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189746 91177308-0d34-0410-b5e6-96231b3b80d8
This builtin does not actually evaluate its arguments for side effects,
so we shouldn't include them in the CFG. In the analyzer, rely on the
constant expression evaluator to get the proper semantics, at least for
now. (In the future, we could get ambitious and try to provide path-
sensitive size values.)
In theory, this does pose a problem for liveness analysis: a variable can
be used within the __builtin_object_size argument expression but not show
up as live. However, it is very unlikely that such a value would be used
to compute the object size and not used to access the object in some way.
<rdar://problem/14760817>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188679 91177308-0d34-0410-b5e6-96231b3b80d8
Add the back edge info by creating a basic block, marked as loop target. This is
consistent with how other loops are processed, but was omitted from
VisitObjCForCollectionStmt.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@184617 91177308-0d34-0410-b5e6-96231b3b80d8
Previously our edges were completely broken here; now, the final result
is a very simple set of edges in most cases: one up to the "for" keyword
for context, and one into the body of the loop. This matches the behavior
for ObjC for-in loops.
In the AST, however, CXXForRangeStmts are handled very differently from
ObjCForCollectionStmts. Since they are specified in terms of equivalent
statements in the C++ standard, we actually have implicit AST nodes for
all of the semantic statements. This makes evaluation very easy, but
diagnostic locations a bit trickier. Fortunately, the problem can be
generally defined away by marking all of the implicit statements as
part of the top-level for-range statement.
One of the implicit statements in a for-range statement is the declaration
of implicit iterators __begin and __end. The CFG synthesizes two
separate DeclStmts to match each of these decls, but until now these
synthetic DeclStmts weren't in the function's ParentMap. Now, the CFG
keeps track of its synthetic statements, and the AnalysisDeclContext will
make sure to add them to the ParentMap.
<rdar://problem/14038483>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183449 91177308-0d34-0410-b5e6-96231b3b80d8
Consider the case where a SwitchStmt satisfied isAllEnumCasesCovered()
as well as having no cases at all (i.e. the enum it covers has no
enumerators).
In this case, we should add a successor to repair the CFG.
This fixes PR16212.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183237 91177308-0d34-0410-b5e6-96231b3b80d8
Neither the compiler nor the analyzer are doing anything with non-VarDecl
decls in the CFG, and having them there creates extra nodes in the
analyzer's path diagnostics. Simplify the CFG (and the path edges) by
simply leaving them out. We can always add interesting decls back in when
they become relevant.
Note that this only affects decls declared in a DeclStmt, and then only
those that appear within a function body.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@183157 91177308-0d34-0410-b5e6-96231b3b80d8
This class is a StmtVisitor that distinguishes between block-level and
non-block-level statements in a CFG. However, it does so using a hard-coded
idea of which statements might be block-level, which probably isn't accurate
anymore. The only implementer of the CFGStmtVisitor hierarchy was the
analyzer's DeadStoresChecker, and the analyzer creates a linearized CFG
anyway (every non-trivial statement is a block-level statement).
This also allows us to remove the block-expr map ("BlkExprMap"), which
mapped statements to positions in the CFG. Apart from having a helper type
that really should have just been Optional<unsigned>, it was only being
used to ask /if/ a particular expression was block-level, for traversal
purposes in CFGStmtVisitor.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181945 91177308-0d34-0410-b5e6-96231b3b80d8
The most common (non-buggy) case are where such objects are used as
return expressions in bool-returning functions or as boolean function
arguments. In those cases I've used (& added if necessary) a named
function to provide the equivalent (or sometimes negative, depending on
convenient wording) test.
DiagnosticBuilder kept its implicit conversion operator owing to the
prevalent use of it in return statements.
One bug was found in ExprConstant.cpp involving a comparison of two
PointerUnions (PointerUnion did not previously have an operator==, so
instead both operands were converted to bool & then compared). A test
is included in test/SemaCXX/constant-expression-cxx1y.cpp for the fix
(adding operator== to PointerUnion in LLVM).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@181869 91177308-0d34-0410-b5e6-96231b3b80d8
Add a CXXDefaultInitExpr, analogous to CXXDefaultArgExpr, and use it both in
CXXCtorInitializers and in InitListExprs to represent a default initializer.
There's an additional complication here: because the default initializer can
refer to the initialized object via its 'this' pointer, we need to make sure
that 'this' points to the right thing within the evaluation.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@179958 91177308-0d34-0410-b5e6-96231b3b80d8
This is an optional variant of the CFG. This allows analyses to model whether
or not a static initializer has run, e.g.:
static Foo x = bar();
For basic dataflow analysis in Sema we will just assume that the initializer
always runs. For the static analyzer we can use this branch to accurately
track whether or not initializers are on.
This patch just adds the (opt-in) functionality to the CFG. The
static analyzer still needs to be modified to adopt this feature.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178263 91177308-0d34-0410-b5e6-96231b3b80d8
Use Optional<CFG*> where invalid states were needed previously. In the one case
where that's not possible (beginAutomaticObjDtorsInsert) just use a dummy
CFGAutomaticObjDtor.
Thanks for the help from Jordan Rose & discussion/feedback from Ted Kremenek
and Doug Gregor.
Post commit code review feedback on r175796 by Ted Kremenek.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@175938 91177308-0d34-0410-b5e6-96231b3b80d8
This is a more natural order of evaluation, and it is very important
for visualization in the static analyzer. Within Xcode, the arrows
will not jump from right to left, which looks very visually jarring.
It also provides a more natural location for dataflow-based diagnostics.
Along the way, we found a case in the analyzer diagnostics where we
needed to indicate that a variable was "captured" by a block.
-fsyntax-only timings on sqlite3.c show no visible performance change,
although this is just one test case.
Fixes <rdar://problem/13016513>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@174447 91177308-0d34-0410-b5e6-96231b3b80d8
it apart from [[gnu::noreturn]] / __attribute__((noreturn)), since their
semantics are not equivalent (for instance, we treat [[gnu::noreturn]] as
affecting the function type, whereas [[noreturn]] does not).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@172691 91177308-0d34-0410-b5e6-96231b3b80d8
First check only wrapped with i==8, second wrapped at i==2,8,18,28,...
This fix restores the intended behavior: i==8,18,28,...
Found with -fsanitize=integer.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171718 91177308-0d34-0410-b5e6-96231b3b80d8
Required to pull some functions out of line, but this shouldn't have a perf impact.
No functionality change.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@169092 91177308-0d34-0410-b5e6-96231b3b80d8
This code assigned the last created CFGBlock* to the variable 'Block',
which is a scratch variable which is null'ed out after a block is
completed. By assigning the last created block to 'Block', we start
editing a completed block, inserting CFGStmts that should be in
another block. This was the case with 'try'. The test case that
showed this had a while loop inside a 'try', and the logic before
the while loop was being included as part of the "condition block"
for the loop. This showed up as a bogus dead store, but could
have lots of implications.
Turns out this bug was replicated a few times within CFG.cpp, so
I went and fixed up those as well.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@167788 91177308-0d34-0410-b5e6-96231b3b80d8
Richard Trieu