================ @@ -1074,33 +1074,75 @@ latest release, please see the [Clang Web Site](https://clang.llvm.org) or the ### Static Analyzer -- The `-analyzer-constraints` option `z3` was renamed to `unsupported-z3` - because the Z3-based (constraint) solver was known for crashing for years now. - Didn't receive support, so it was marked unsupported. +% comment: +% This is for the Static Analyzer. +% Subsections (using `####`), in this order, only when they have content: +% - New checkers and features +% - Crash and bug fixes +% - Improvements +% - Moved checkers +% - Removed checkers +% - Diagnostic changes + +#### New checkers and features + +- Introduced the experimental `alpha.cplusplus.UseAfterLifetimeEnd` checker to detect dangling pointers and references bound to local variables that go out of scope, using the `[[clang::lifetimebound]]` annotation. (#GH205521) +- Introduced the `optin.core.UnconditionalVAArg` checker to report variadic functions that unconditionally use `va_arg()`, which is undefined behavior when the function is called without any variadic arguments (SEI-CERT EXP47-C). (#GH175602) +- The `unix.DynamicMemoryModeling` modeling gained a new option to create branches where a memory allocation fails and returns a null pointer. It is disabled by default. (#GH205371) +- The `security.insecureAPI.DeprecatedOrUnsafeBufferHandling` checker gained a new `ReportInC99AndEarlier` option. When enabled, deprecated buffer-handling functions (`memcpy`, `memset`, `memmove`, etc.) are also reported when not compiling for C11 or later. It is disabled by default. (#GH168704, #GH177379) +- The `optin.taint.TaintPropagation` checker gained a new `EnableDefaultConfig` option, which makes it possible to disable the built-in taint configuration and use a fully custom configuration instead. (#GH176185) #### Crash and bug fixes -- Fixed `security.VAList` checker producing false positives when analyzing - C23 code where `va_start` expands to `__builtin_c23_va_start`. -- Fixed a compiler crash when combining `_Atomic` and `__auto_type` - in C, for example `_Atomic __auto_type x = expr`. (#GH118058) +- Fixed the `security.VAList` checker producing false positives when analyzing C23 code where `va_start` expands to `__builtin_c23_va_start`. (#GH192024) +- Fixed a crash when copying uninitialized data in a function named `swap`. (#GH178797) +- Fixed a compiler crash when combining `_Atomic` and `__auto_type` in C, for example `_Atomic __auto_type x = expr`. (#GH118058) +- Fixed a crash in the `unix.Malloc` checker when a function is annotated with both `ownership_returns` and `ownership_takes` (or `ownership_holds`). (#GH183344) +- Fixed a crash in the `alpha.unix.cstring` checkers on zero-size element types (for example an empty struct in C). (#GH190457) +- Fixed a use-after-free in `CheckerContext::getMacroNameOrSpelling`. (#GH194174) +- Fixed a false positive in the `alpha.unix.cstring` checkers when the buffer argument points into the middle of an array, such as `memcpy(dst, &arr[i], size)`. (#GH198346) +- Fixed the default binding of union aggregates being overwritten when initializing array elements with union members. (#GH178694) +- The analyzer no longer rules out the equality of a pointer to the stack and a symbolic pointer in unknown space, because a function may return a pointer to some other stack frame (for example one received as an argument). (#GH187080) +- Fixed bad logic in `VisitArrayInitLoopExpr` that used the wrong parent node when binding the expression value. (#GH196974) ---------------- Xazax-hun wrote:
I wonder if some of these could be rephrased in terms of the user impact. Like could it result in false positives? Or missed coverage? https://github.com/llvm/llvm-project/pull/207433 _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
