Index: cfe/trunk/www/analyzer/alpha_checks.html
===================================================================
--- cfe/trunk/www/analyzer/alpha_checks.html
+++ cfe/trunk/www/analyzer/alpha_checks.html
@@ -107,6 +107,7 @@
 }
 </pre></div></div></td></tr>
 
+
 <tr><td><div class="namedescr expandable"><span class="name">
 alpha.core.CastSize</span><span class="lang">
 (C)</span><div class="descr">
@@ -276,6 +277,33 @@
 
 
 <tr><td><div class="namedescr expandable"><span class="name">
+alpha.core.StackAddressAsyncEscape</span><span class="lang">
+(C)</span><div class="descr">
+Check that addresses to stack memory do not escape the function that involves
+<code>dispatch_after</code> or <code>dispatch_async</code>. This checker is
+a part of core.StackAddressEscape, but is
+<a href=https://reviews.llvm.org/D41042>temporarily disabled</a> until some
+false positives are fixed.</div></div></td>
+<td><div class="exampleContainer expandable">
+<div class="example"><pre>
+dispatch_block_t test_block_inside_block_async_leak() {
+  int x = 123;
+  void (^inner)(void) = ^void(void) {
+    int y = x;
+    ++y; 
+  };
+  void (^outer)(void) = ^void(void) {
+    int z = x;
+    ++z;
+    inner(); 
+  }; 
+  return outer; // warn: address of stack-allocated block is captured by a
+                //       returned block
+}
+</pre></div></div></td></tr>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
 alpha.core.TestAfterDivZero</span><span class="lang">
 (C, C++, ObjC)</span><div class="descr">
 Check for division by variable that is later compared against 0. 
@@ -289,6 +317,7 @@
 }
 </pre></div></div></td></tr>
 
+
 </tbody></table>
 
 <!-- =========================== cplusplus alpha =========================== -->
@@ -296,72 +325,142 @@
 <table class="checkers">
 <colgroup><col class="namedescr"><col class="example"></colgroup>
 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
-
 <tbody>
+
+
 <tr><td><div class="namedescr expandable"><span class="name">
-alpha.cplusplus.VirtualCall</span><span class="lang">
+alpha.cplusplus.DeleteWithNonVirtualDtor</span><span class="lang">
 (C++)</span><div class="descr">
-Check virtual member function calls during construction or 
-destruction.</div></div></td>
+Reports destructions of polymorphic objects with a non-virtual destructor in
+their base class
+</div></div></td>
 <td><div class="exampleContainer expandable">
 <div class="example"><pre>
-class A {
-public:
-  A() { 
-    f(); // warn
-  }
-  virtual void f();
-};
-</pre></div><div class="separator"></div>
+NonVirtual *create() {
+  NonVirtual *x = new NVDerived(); // note: conversion from derived to base
+                                   //       happened here
+  return x;
+}
+
+void sink(NonVirtual *x) {
+  delete x; // warn: destruction of a polymorphic object with no virtual
+            //       destructor
+}
+</pre></div></div></td></tr>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
+alpha.cplusplus.InvalidatedIterator</span><span class="lang">
+(C++)</span><div class="descr">
+Check for use of invalidated iterators.
+</div></div></td>
+<td><div class="exampleContainer expandable">
 <div class="example"><pre>
-class A {
-public:
-  ~A() {
-    this-&gt;f(); // warn
-  }
-  virtual void f();
+void bad_copy_assign_operator_list1(std::list<int> &L1,
+                                    const std::list<int> &L2) {
+  auto i0 = L1.cbegin();
+  L1 = L2;
+  *i0; // warn: invalidated iterator accessed
+}
+</pre></div></div></td></tr>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
+alpha.cplusplus.IteratorRange</span><span class="lang">
+(C++)</span><div class="descr">
+Check for iterators used outside their valid ranges.
+</div></div></td>
+<td><div class="exampleContainer expandable">
+<div class="example"><pre>
+void simple_bad_end(const std::vector<int> &v) {
+  auto i = v.end();
+  *i; // warn: iterator accessed outside of its range
+}
+</pre></div></div></td></tr>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
+alpha.cplusplus.MismatchedIterator</span><span class="lang">
+(C++)</span><div class="descr">
+Check for use of iterators of different containers where iterators of the same
+container are expected.
+</div></div></td>
+<td><div class="exampleContainer expandable">
+<div class="example"><pre>
+void bad_insert3(std::vector<int> &v1, std::vector<int> &v2) {
+  v2.insert(v1.cbegin(), v2.cbegin(), v2.cend()); // warn: container accessed
+                                                  //       using foreign
+                                                  //       iterator argument
+  v1.insert(v1.cbegin(), v1.cbegin(), v2.cend()); // warn: iterators of
+                                                  //       different containers
+                                                  //       used where the same
+                                                  //       container is
+                                                  //       expected
+  v1.insert(v1.cbegin(), v2.cbegin(), v1.cend()); // warn: iterators of
+                                                  //       different containers
+                                                  //       used where the same
+                                                  //       container is
+                                                  //       expected
+}
+</pre></div></div></td></tr>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
+alpha.cplusplus.MisusedMovedObject</span><span class="lang">
+(C++)</span><div class="descr">
+Method calls on a moved-from object and copying a moved-from object will be
+reported.
+</div></div></td>
+<td><div class="exampleContainer expandable">
+<div class="example"><pre>
+struct A {
+  void foo() {}
 };
+
+void f() {
+  A a;
+  A b = std::move(a); // note: 'a' became 'moved-from' here
+  a.foo();            // warn: method call on a 'moved-from' object 'a'
+}
 </pre></div></div></td></tr>
 
-<tbody>
+
 <tr><td><div class="namedescr expandable"><span class="name">
 alpha.cplusplus.UninitializedObject</span><span class="lang">
 (C++)</span><div class="descr">
-This checker reports uninitialized fields in objects created
-after a constructor call. It doesn't only find direct uninitialized
-fields, but rather makes a deep inspection of the object,
-analyzing all of it's fields subfields. <br>
-The checker regards inherited fields as direct fields, so one
-will recieve warnings for uninitialized inherited data members
-as well. <br>
+This checker reports uninitialized fields in objects created after a constructor
+call. It doesn't only find direct uninitialized fields, but rather makes a deep
+inspection of the object, analyzing all of it's fields subfields. <br>
+The checker regards inherited fields as direct fields, so one will recieve
+warnings for uninitialized inherited data members as well. <br>
 <br>
 It has several options:
 <ul>
   <li>
-    "<code>Pedantic</code>" (boolean). If its not set or is set to false, the checker
-    won't emit warnings for objects that don't have at least one initialized
-    field. This may be set with <br>
+    "<code>Pedantic</code>" (boolean). If its not set or is set to false, the
+    checker won't emit warnings for objects that don't have at least one
+    initialized field. This may be set with <br>
     <code>-analyzer-config alpha.cplusplus.UninitializedObject:Pedantic=true</code>.
   </li>
   <li>
-    "<code>NotesAsWarnings</code>" (boolean). If set to true, the checker will emit a
-    warning for each uninitalized field, as opposed to emitting one warning
-    per constructor call, and listing the uninitialized fields that belongs
-    to it in notes. Defaults to false. <br>
+    "<code>NotesAsWarnings</code>" (boolean). If set to true, the checker will
+    emit a warning for each uninitalized field, as opposed to emitting one
+    warning per constructor call, and listing the uninitialized fields that
+    belongs to it in notes. Defaults to false. <br>
     <code>-analyzer-config alpha.cplusplus.UninitializedObject:NotesAsWarnings=true</code>.
   </li>
   <li>
-    "<code>CheckPointeeInitialization</code>" (boolean). If set to false, the checker will
-    not analyze the pointee of pointer/reference fields, and will only check
-    whether the object itself is initialized. Defaults to false. <br>
+    "<code>CheckPointeeInitialization</code>" (boolean). If set to false, the
+    checker will not analyze the pointee of pointer/reference fields, and will
+    only check whether the object itself is initialized. Defaults to false. <br>
     <code>-analyzer-config alpha.cplusplus.UninitializedObject:CheckPointeeInitialization=true</code>.
   </li>
   <li>
-    "<code>IgnoreRecordsWithField</code>" (string). If supplied, the checker will not
-     analyze structures that have a field with a name or type name that
-     matches the given pattern. Defaults to <code>""</code>.
+    "<code>IgnoreRecordsWithField</code>" (string). If supplied, the checker
+    will not analyze structures that have a field with a name or type name that
+    matches the given pattern. Defaults to <code>""</code>.
 
-     <code>-analyzer-config alpha.cplusplus.UninitializedObject:IgnoreRecordsWithField="[Tt]ag|[Kk]ind"</code>.
+    <code>-analyzer-config alpha.cplusplus.UninitializedObject:IgnoreRecordsWithField="[Tt]ag|[Kk]ind"</code>.
   </li>
 </ul></div></div></td>
 <td><div class="exampleContainer expandable">
@@ -437,82 +536,12 @@
   A a(&b, &c); // warning: 3 uninitialized fields
                //          after the constructor call
 }
-<div class="example"><pre>
-
-
-</pre></div></div></td></tr>
-
-</tbody></table>
-
-
-
-<!-- =============================== va_list =============================== -->
-<h3 id="valist_alpha_checkers">Variable Argument Alpha Checkers</h3>
-<table class="checkers">
-<colgroup><col class="namedescr"><col class="example"></colgroup>
-<thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
-
-<tbody>
-<tr><td><div class="namedescr expandable"><span class="name">
-alpha.valist.CopyToSelf</span><span class="lang">
-(C)</span><div class="descr">
-Calls to the <code>va_copy</code> macro should not copy onto itself.</div></div></td>
-<td><div class="exampleContainer expandable">
-<div class="example"><pre>
-#include &lt;stdarg.h&gt;
-
-void test(int x, ...) {
-  va_list args;
-  va_start(args, x);
-  va_copy(args, args); // warn
-  va_end(args);
-}
 </pre></div></div></td></tr>
 
-<tr><td><div class="namedescr expandable"><span class="name">
-alpha.valist.Uninitialized</span><span class="lang">
-(C)</span><div class="descr">
-Calls to the <code>va_arg</code>, <code>va_copy</code>, or
-<code>va_end</code> macro must happen after calling <code>va_start</code> and
-before calling <code>va_end</code>.</div></div></td>
-<td><div class="exampleContainer expandable">
-<div class="example"><pre>
-#include &lt;stdarg.h&gt;
-
-void test(int x, ...) {
-  va_list args;
-  int y = va_arg(args, int); // warn
-}
-</pre></div>
-<div class="example"><pre>
-#include &lt;stdarg.h&gt;
-
-void test(int x, ...) {
-  va_list args;
-  va_start(args, x);
-  va_end(args);
-  int z = va_arg(args, int); // warn
-}
-</pre></div></div></td></tr>
-
-<tr><td><div class="namedescr expandable"><span class="name">
-alpha.valist.Unterminated</span><span class="lang">
-(C)</span><div class="descr">
-Every <code>va_start</code> must be matched by a <code>va_end</code>. A va_list
-can only be ended once.</div></div></td>
-<td><div class="exampleContainer expandable">
-<div class="example"><pre>
-#include &lt;stdarg.h&gt;
-
-void test(int x, ...) {
-  va_list args;
-  va_start(args, x);
-  int y = x + va_arg(args, int);
-} // warn: missing va_end
-</pre></div></div></td></tr>
 
 </tbody></table>
 
+
 <!-- =========================== dead code alpha =========================== -->
 <h3 id="deadcode_alpha_checkers">Dead Code Alpha Checkers</h3>
 <table class="checkers">
@@ -784,6 +813,23 @@
 
 
 <tr><td><div class="namedescr expandable"><span class="name">
+alpha.security.MmapWriteExec</span><span class="lang">
+(C)</span><div class="descr">
+Warn on <code>mmap()<code> calls that are both writable and executable.
+</div></div></td>
+<td><div class="exampleContainer expandable">
+<div class="example"><pre>
+void test(int n) {
+  void *c = mmap(NULL, 32, PROT_READ | PROT_WRITE | PROT_EXEC,
+                 MAP_PRIVATE | MAP_ANON, -1, 0);
+  // warn: Both PROT_WRITE and PROT_EXEC flags are set. This can lead to
+  //       exploitable memory regions, which could be overwritten with malicious
+  //       code
+}
+</pre></div></div></td></tr>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
 alpha.security.ReturnPtrRange</span><span class="lang">
 (C)</span><div class="descr">
 Check for an out-of-bound pointer being returned to callers.</div></div></td>
@@ -842,8 +888,42 @@
 <table class="checkers">
 <colgroup><col class="namedescr"><col class="example"></colgroup>
 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
-
 <tbody>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
+alpha.unix.BlockInCriticalSection</span><span class="lang">
+(C)</span><div class="descr">
+Check for calls to blocking functions inside a critical section. Applies to:
+<div class=functions>
+lock<br>
+unlock<br>
+sleep<br>
+getc<br>
+fgets<br>
+read<br>
+revc<br>
+pthread_mutex_lock<br>
+pthread_mutex_unlock<br>
+mtx_lock<br>
+mtx_timedlock<br>
+mtx_trylock<br>
+mtx_unlock<br>
+lock_guard<br>
+unique_lock</div>
+</div></div></td>
+<td><div class="exampleContainer expandable">
+<div class="example"><pre>
+void test() {
+  std::mutex m;
+  m.lock();
+  sleep(3); // warn: a blocking function sleep is called inside a critical
+            //       section
+  m.unlock();
+}
+</pre></div></div></td></tr>
+
+
 <tr><td><div class="namedescr expandable"><span class="name">
 alpha.unix.Chroot</span><span class="lang">
 (C)</span><div class="descr">
@@ -858,6 +938,7 @@
 }
 </pre></div></div></td></tr>
 
+
 <tr><td><div class="namedescr expandable"><span class="name">
 alpha.unix.PthreadLock</span><span class="lang">
 (C)</span><div class="descr">
Index: cfe/trunk/www/analyzer/available_checks.html
===================================================================
--- cfe/trunk/www/analyzer/available_checks.html
+++ cfe/trunk/www/analyzer/available_checks.html
@@ -543,8 +543,35 @@
 <colgroup><col class="namedescr"><col class="example"></colgroup>
 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
 
+
 <tbody>
 <tr><td><div class="namedescr expandable"><span class="name">
+optin.cplusplus.VirtualCall</span><span class="lang">
+(C++)</span><div class="descr">
+Check virtual member function calls during construction or 
+destruction.</div></div></td>
+<td><div class="exampleContainer expandable">
+<div class="example"><pre>
+class A {
+public:
+  A() { 
+    f(); // warn
+  }
+  virtual void f();
+};
+</pre></div><div class="separator"></div>
+<div class="example"><pre>
+class A {
+public:
+  ~A() {
+    this-&gt;f(); // warn
+  }
+  virtual void f();
+};
+</pre></div></div></td></tr>
+
+
+<tr><td><div class="namedescr expandable"><span class="name">
 optin.mpi.MPI-Checker</span><span class="lang">
 (C)</span><div class="descr">
 Checks MPI code</div></div></td>

Name, Description	Example
-alpha.cplusplus.VirtualCall +alpha.cplusplus.DeleteWithNonVirtualDtor (C++) -Check virtual member function calls during construction or -destruction.	-class A { -public: - A() { - f(); // warn - } - virtual void f(); -}; - +NonVirtual create() { + NonVirtual x = new NVDerived(); // note: conversion from derived to base + // happened here + return x; +} + +void sink(NonVirtual *x) { + delete x; // warn: destruction of a polymorphic object with no virtual + // destructor +} +
+alpha.cplusplus.InvalidatedIterator +(C++) +Check for use of invalidated iterators. +	-class A { -public: - ~A() { - this->f(); // warn - } - virtual void f(); +void bad_copy_assign_operator_list1(std::list &L1, + const std::list &L2) { + auto i0 = L1.cbegin(); + L1 = L2; + *i0; // warn: invalidated iterator accessed +} +
+alpha.cplusplus.IteratorRange +(C++) +Check for iterators used outside their valid ranges. +	+ +void simple_bad_end(const std::vector &v) { + auto i = v.end(); + *i; // warn: iterator accessed outside of its range +} +
+alpha.cplusplus.MismatchedIterator +(C++) +Check for use of iterators of different containers where iterators of the same +container are expected. +	+ +void bad_insert3(std::vector &v1, std::vector &v2) { + v2.insert(v1.cbegin(), v2.cbegin(), v2.cend()); // warn: container accessed + // using foreign + // iterator argument + v1.insert(v1.cbegin(), v1.cbegin(), v2.cend()); // warn: iterators of + // different containers + // used where the same + // container is + // expected + v1.insert(v1.cbegin(), v2.cbegin(), v1.cend()); // warn: iterators of + // different containers + // used where the same + // container is + // expected +} +
+alpha.cplusplus.MisusedMovedObject +(C++) +Method calls on a moved-from object and copying a moved-from object will be +reported. +	+ +struct A { + void foo() {} }; + +void f() { + A a; + A b = std::move(a); // note: 'a' became 'moved-from' here + a.foo(); // warn: method call on a 'moved-from' object 'a' +}
alpha.cplusplus.UninitializedObject (C++) -This checker reports uninitialized fields in objects created -after a constructor call. It doesn't only find direct uninitialized -fields, but rather makes a deep inspection of the object, -analyzing all of it's fields subfields. -The checker regards inherited fields as direct fields, so one -will recieve warnings for uninitialized inherited data members -as well. +This checker reports uninitialized fields in objects created after a constructor +call. It doesn't only find direct uninitialized fields, but rather makes a deep +inspection of the object, analyzing all of it's fields subfields. +The checker regards inherited fields as direct fields, so one will recieve +warnings for uninitialized inherited data members as well. It has several options: - "`Pedantic`" (boolean). If its not set or is set to false, the checker - won't emit warnings for objects that don't have at least one initialized - field. This may be set with + "`Pedantic`" (boolean). If its not set or is set to false, the + checker won't emit warnings for objects that don't have at least one + initialized field. This may be set with `-analyzer-config alpha.cplusplus.UninitializedObject:Pedantic=true`. - "`NotesAsWarnings`" (boolean). If set to true, the checker will emit a - warning for each uninitalized field, as opposed to emitting one warning - per constructor call, and listing the uninitialized fields that belongs - to it in notes. Defaults to false. + "`NotesAsWarnings`" (boolean). If set to true, the checker will + emit a warning for each uninitalized field, as opposed to emitting one + warning per constructor call, and listing the uninitialized fields that + belongs to it in notes. Defaults to false. `-analyzer-config alpha.cplusplus.UninitializedObject:NotesAsWarnings=true`. - "`CheckPointeeInitialization`" (boolean). If set to false, the checker will - not analyze the pointee of pointer/reference fields, and will only check - whether the object itself is initialized. Defaults to false. + "`CheckPointeeInitialization`" (boolean). If set to false, the + checker will not analyze the pointee of pointer/reference fields, and will + only check whether the object itself is initialized. Defaults to false. `-analyzer-config alpha.cplusplus.UninitializedObject:CheckPointeeInitialization=true`. - "`IgnoreRecordsWithField`" (string). If supplied, the checker will not - analyze structures that have a field with a name or type name that - matches the given pattern. Defaults to `""`. + "`IgnoreRecordsWithField`" (string). If supplied, the checker + will not analyze structures that have a field with a name or type name that + matches the given pattern. Defaults to `""`. - `-analyzer-config alpha.cplusplus.UninitializedObject:IgnoreRecordsWithField="[Tt]ag\|[Kk]ind"`. + `-analyzer-config alpha.cplusplus.UninitializedObject:IgnoreRecordsWithField="[Tt]ag\|[Kk]ind"`.	@@ -437,82 +536,12 @@ A a(&b, &c); // warning: 3 uninitialized fields // after the constructor call } - - - -
Name, Description	Example
-alpha.valist.CopyToSelf -(C) -Calls to the `va_copy` macro should not copy onto itself.	- -#include <stdarg.h> - -void test(int x, ...) { - va_list args; - va_start(args, x); - va_copy(args, args); // warn - va_end(args); -}
-alpha.valist.Uninitialized -(C) -Calls to the `va_arg`, `va_copy`, or -`va_end` macro must happen after calling `va_start` and -before calling `va_end`.	- -#include <stdarg.h> - -void test(int x, ...) { - va_list args; - int y = va_arg(args, int); // warn -} - - -#include <stdarg.h> - -void test(int x, ...) { - va_list args; - va_start(args, x); - va_end(args); - int z = va_arg(args, int); // warn -} -
-alpha.valist.Unterminated -(C) -Every `va_start` must be matched by a `va_end`. A va_list -can only be ended once.	- -#include <stdarg.h> - -void test(int x, ...) { - va_list args; - va_start(args, x); - int y = x + va_arg(args, int); -} // warn: missing va_end -
Name, Description	Example
+alpha.unix.BlockInCriticalSection +(C) +Check for calls to blocking functions inside a critical section. Applies to: + +lock +unlock +sleep +getc +fgets +read +revc +pthread_mutex_lock +pthread_mutex_unlock +mtx_lock +mtx_timedlock +mtx_trylock +mtx_unlock +lock_guard +unique_lock +	+ +void test() { + std::mutex m; + m.lock(); + sleep(3); // warn: a blocking function sleep is called inside a critical + // section + m.unlock(); +} +
alpha.unix.Chroot (C) @@ -858,6 +938,7 @@ }
alpha.unix.PthreadLock (C) Index: cfe/trunk/www/analyzer/available_checks.html =================================================================== --- cfe/trunk/www/analyzer/available_checks.html +++ cfe/trunk/www/analyzer/available_checks.html @@ -543,8 +543,35 @@
Name, Description	Example
+optin.cplusplus.VirtualCall +(C++) +Check virtual member function calls during construction or +destruction.	+ +class A { +public: + A() { + f(); // warn + } + virtual void f(); +}; + + +class A { +public: + ~A() { + this->f(); // warn + } + virtual void f(); +}; +
optin.mpi.MPI-Checker (C) Checks MPI code