1 //==-- RetainCountChecker.cpp - Checks for leaks and other issues -*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines the methods for RetainCountChecker, which implements 11 // a reference count checker for Core Foundation and Cocoa on (Mac OS X). 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "AllocationDiagnostics.h" 17 #include "SelectorExtras.h" 18 #include "clang/AST/Attr.h" 19 #include "clang/AST/DeclCXX.h" 20 #include "clang/AST/DeclObjC.h" 21 #include "clang/AST/ParentMap.h" 22 #include "clang/Analysis/DomainSpecific/CocoaConventions.h" 23 #include "clang/Basic/LangOptions.h" 24 #include "clang/Basic/SourceManager.h" 25 #include "clang/StaticAnalyzer/Checkers/ObjCRetainCount.h" 26 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 27 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 28 #include "clang/StaticAnalyzer/Core/Checker.h" 29 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 30 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 31 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 32 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 33 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 34 #include "llvm/ADT/DenseMap.h" 35 #include "llvm/ADT/FoldingSet.h" 36 #include "llvm/ADT/ImmutableList.h" 37 #include "llvm/ADT/ImmutableMap.h" 38 #include "llvm/ADT/STLExtras.h" 39 #include "llvm/ADT/SmallString.h" 40 #include "llvm/ADT/StringExtras.h" 41 #include <cstdarg> 42 43 using namespace clang; 44 using namespace ento; 45 using namespace objc_retain; 46 using llvm::StrInStrNoCase; 47 48 //===----------------------------------------------------------------------===// 49 // Adapters for FoldingSet. 50 //===----------------------------------------------------------------------===// 51 52 namespace llvm { 53 template <> struct FoldingSetTrait<ArgEffect> { 54 static inline void Profile(const ArgEffect X, FoldingSetNodeID &ID) { 55 ID.AddInteger((unsigned) X); 56 } 57 }; 58 template <> struct FoldingSetTrait<RetEffect> { 59 static inline void Profile(const RetEffect &X, FoldingSetNodeID &ID) { 60 ID.AddInteger((unsigned) X.getKind()); 61 ID.AddInteger((unsigned) X.getObjKind()); 62 } 63 }; 64 } // end llvm namespace 65 66 //===----------------------------------------------------------------------===// 67 // Reference-counting logic (typestate + counts). 68 //===----------------------------------------------------------------------===// 69 70 /// ArgEffects summarizes the effects of a function/method call on all of 71 /// its arguments. 72 typedef llvm::ImmutableMap<unsigned,ArgEffect> ArgEffects; 73 74 namespace { 75 class RefVal { 76 public: 77 enum Kind { 78 Owned = 0, // Owning reference. 79 NotOwned, // Reference is not owned by still valid (not freed). 80 Released, // Object has been released. 81 ReturnedOwned, // Returned object passes ownership to caller. 82 ReturnedNotOwned, // Return object does not pass ownership to caller. 83 ERROR_START, 84 ErrorDeallocNotOwned, // -dealloc called on non-owned object. 85 ErrorDeallocGC, // Calling -dealloc with GC enabled. 86 ErrorUseAfterRelease, // Object used after released. 87 ErrorReleaseNotOwned, // Release of an object that was not owned. 88 ERROR_LEAK_START, 89 ErrorLeak, // A memory leak due to excessive reference counts. 90 ErrorLeakReturned, // A memory leak due to the returning method not having 91 // the correct naming conventions. 92 ErrorGCLeakReturned, 93 ErrorOverAutorelease, 94 ErrorReturnedNotOwned 95 }; 96 97 /// Tracks how an object referenced by an ivar has been used. 98 /// 99 /// This accounts for us not knowing if an arbitrary ivar is supposed to be 100 /// stored at +0 or +1. 101 enum class IvarAccessHistory { 102 None, 103 AccessedDirectly, 104 ReleasedAfterDirectAccess 105 }; 106 107 private: 108 /// The number of outstanding retains. 109 unsigned Cnt; 110 /// The number of outstanding autoreleases. 111 unsigned ACnt; 112 /// The (static) type of the object at the time we started tracking it. 113 QualType T; 114 115 /// The current state of the object. 116 /// 117 /// See the RefVal::Kind enum for possible values. 118 unsigned RawKind : 5; 119 120 /// The kind of object being tracked (CF or ObjC), if known. 121 /// 122 /// See the RetEffect::ObjKind enum for possible values. 123 unsigned RawObjectKind : 2; 124 125 /// True if the current state and/or retain count may turn out to not be the 126 /// best possible approximation of the reference counting state. 127 /// 128 /// If true, the checker may decide to throw away ("override") this state 129 /// in favor of something else when it sees the object being used in new ways. 130 /// 131 /// This setting should not be propagated to state derived from this state. 132 /// Once we start deriving new states, it would be inconsistent to override 133 /// them. 134 unsigned RawIvarAccessHistory : 2; 135 136 RefVal(Kind k, RetEffect::ObjKind o, unsigned cnt, unsigned acnt, QualType t, 137 IvarAccessHistory IvarAccess) 138 : Cnt(cnt), ACnt(acnt), T(t), RawKind(static_cast<unsigned>(k)), 139 RawObjectKind(static_cast<unsigned>(o)), 140 RawIvarAccessHistory(static_cast<unsigned>(IvarAccess)) { 141 assert(getKind() == k && "not enough bits for the kind"); 142 assert(getObjKind() == o && "not enough bits for the object kind"); 143 assert(getIvarAccessHistory() == IvarAccess && "not enough bits"); 144 } 145 146 public: 147 Kind getKind() const { return static_cast<Kind>(RawKind); } 148 149 RetEffect::ObjKind getObjKind() const { 150 return static_cast<RetEffect::ObjKind>(RawObjectKind); 151 } 152 153 unsigned getCount() const { return Cnt; } 154 unsigned getAutoreleaseCount() const { return ACnt; } 155 unsigned getCombinedCounts() const { return Cnt + ACnt; } 156 void clearCounts() { 157 Cnt = 0; 158 ACnt = 0; 159 } 160 void setCount(unsigned i) { 161 Cnt = i; 162 } 163 void setAutoreleaseCount(unsigned i) { 164 ACnt = i; 165 } 166 167 QualType getType() const { return T; } 168 169 /// Returns what the analyzer knows about direct accesses to a particular 170 /// instance variable. 171 /// 172 /// If the object with this refcount wasn't originally from an Objective-C 173 /// ivar region, this should always return IvarAccessHistory::None. 174 IvarAccessHistory getIvarAccessHistory() const { 175 return static_cast<IvarAccessHistory>(RawIvarAccessHistory); 176 } 177 178 bool isOwned() const { 179 return getKind() == Owned; 180 } 181 182 bool isNotOwned() const { 183 return getKind() == NotOwned; 184 } 185 186 bool isReturnedOwned() const { 187 return getKind() == ReturnedOwned; 188 } 189 190 bool isReturnedNotOwned() const { 191 return getKind() == ReturnedNotOwned; 192 } 193 194 /// Create a state for an object whose lifetime is the responsibility of the 195 /// current function, at least partially. 196 /// 197 /// Most commonly, this is an owned object with a retain count of +1. 198 static RefVal makeOwned(RetEffect::ObjKind o, QualType t, 199 unsigned Count = 1) { 200 return RefVal(Owned, o, Count, 0, t, IvarAccessHistory::None); 201 } 202 203 /// Create a state for an object whose lifetime is not the responsibility of 204 /// the current function. 205 /// 206 /// Most commonly, this is an unowned object with a retain count of +0. 207 static RefVal makeNotOwned(RetEffect::ObjKind o, QualType t, 208 unsigned Count = 0) { 209 return RefVal(NotOwned, o, Count, 0, t, IvarAccessHistory::None); 210 } 211 212 RefVal operator-(size_t i) const { 213 return RefVal(getKind(), getObjKind(), getCount() - i, 214 getAutoreleaseCount(), getType(), getIvarAccessHistory()); 215 } 216 217 RefVal operator+(size_t i) const { 218 return RefVal(getKind(), getObjKind(), getCount() + i, 219 getAutoreleaseCount(), getType(), getIvarAccessHistory()); 220 } 221 222 RefVal operator^(Kind k) const { 223 return RefVal(k, getObjKind(), getCount(), getAutoreleaseCount(), 224 getType(), getIvarAccessHistory()); 225 } 226 227 RefVal autorelease() const { 228 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount()+1, 229 getType(), getIvarAccessHistory()); 230 } 231 232 RefVal withIvarAccess() const { 233 assert(getIvarAccessHistory() == IvarAccessHistory::None); 234 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(), 235 getType(), IvarAccessHistory::AccessedDirectly); 236 } 237 RefVal releaseViaIvar() const { 238 assert(getIvarAccessHistory() == IvarAccessHistory::AccessedDirectly); 239 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(), 240 getType(), IvarAccessHistory::ReleasedAfterDirectAccess); 241 } 242 243 // Comparison, profiling, and pretty-printing. 244 245 bool hasSameState(const RefVal &X) const { 246 return getKind() == X.getKind() && Cnt == X.Cnt && ACnt == X.ACnt && 247 getIvarAccessHistory() == X.getIvarAccessHistory(); 248 } 249 250 bool operator==(const RefVal& X) const { 251 return T == X.T && hasSameState(X) && getObjKind() == X.getObjKind(); 252 } 253 254 void Profile(llvm::FoldingSetNodeID& ID) const { 255 ID.Add(T); 256 ID.AddInteger(RawKind); 257 ID.AddInteger(Cnt); 258 ID.AddInteger(ACnt); 259 ID.AddInteger(RawObjectKind); 260 ID.AddInteger(RawIvarAccessHistory); 261 } 262 263 void print(raw_ostream &Out) const; 264 }; 265 266 void RefVal::print(raw_ostream &Out) const { 267 if (!T.isNull()) 268 Out << "Tracked " << T.getAsString() << '/'; 269 270 switch (getKind()) { 271 default: llvm_unreachable("Invalid RefVal kind"); 272 case Owned: { 273 Out << "Owned"; 274 unsigned cnt = getCount(); 275 if (cnt) Out << " (+ " << cnt << ")"; 276 break; 277 } 278 279 case NotOwned: { 280 Out << "NotOwned"; 281 unsigned cnt = getCount(); 282 if (cnt) Out << " (+ " << cnt << ")"; 283 break; 284 } 285 286 case ReturnedOwned: { 287 Out << "ReturnedOwned"; 288 unsigned cnt = getCount(); 289 if (cnt) Out << " (+ " << cnt << ")"; 290 break; 291 } 292 293 case ReturnedNotOwned: { 294 Out << "ReturnedNotOwned"; 295 unsigned cnt = getCount(); 296 if (cnt) Out << " (+ " << cnt << ")"; 297 break; 298 } 299 300 case Released: 301 Out << "Released"; 302 break; 303 304 case ErrorDeallocGC: 305 Out << "-dealloc (GC)"; 306 break; 307 308 case ErrorDeallocNotOwned: 309 Out << "-dealloc (not-owned)"; 310 break; 311 312 case ErrorLeak: 313 Out << "Leaked"; 314 break; 315 316 case ErrorLeakReturned: 317 Out << "Leaked (Bad naming)"; 318 break; 319 320 case ErrorGCLeakReturned: 321 Out << "Leaked (GC-ed at return)"; 322 break; 323 324 case ErrorUseAfterRelease: 325 Out << "Use-After-Release [ERROR]"; 326 break; 327 328 case ErrorReleaseNotOwned: 329 Out << "Release of Not-Owned [ERROR]"; 330 break; 331 332 case RefVal::ErrorOverAutorelease: 333 Out << "Over-autoreleased"; 334 break; 335 336 case RefVal::ErrorReturnedNotOwned: 337 Out << "Non-owned object returned instead of owned"; 338 break; 339 } 340 341 switch (getIvarAccessHistory()) { 342 case IvarAccessHistory::None: 343 break; 344 case IvarAccessHistory::AccessedDirectly: 345 Out << " [direct ivar access]"; 346 break; 347 case IvarAccessHistory::ReleasedAfterDirectAccess: 348 Out << " [released after direct ivar access]"; 349 } 350 351 if (ACnt) { 352 Out << " [autorelease -" << ACnt << ']'; 353 } 354 } 355 } //end anonymous namespace 356 357 //===----------------------------------------------------------------------===// 358 // RefBindings - State used to track object reference counts. 359 //===----------------------------------------------------------------------===// 360 361 REGISTER_MAP_WITH_PROGRAMSTATE(RefBindings, SymbolRef, RefVal) 362 363 static inline const RefVal *getRefBinding(ProgramStateRef State, 364 SymbolRef Sym) { 365 return State->get<RefBindings>(Sym); 366 } 367 368 static inline ProgramStateRef setRefBinding(ProgramStateRef State, 369 SymbolRef Sym, RefVal Val) { 370 return State->set<RefBindings>(Sym, Val); 371 } 372 373 static ProgramStateRef removeRefBinding(ProgramStateRef State, SymbolRef Sym) { 374 return State->remove<RefBindings>(Sym); 375 } 376 377 //===----------------------------------------------------------------------===// 378 // Function/Method behavior summaries. 379 //===----------------------------------------------------------------------===// 380 381 namespace { 382 class RetainSummary { 383 /// Args - a map of (index, ArgEffect) pairs, where index 384 /// specifies the argument (starting from 0). This can be sparsely 385 /// populated; arguments with no entry in Args use 'DefaultArgEffect'. 386 ArgEffects Args; 387 388 /// DefaultArgEffect - The default ArgEffect to apply to arguments that 389 /// do not have an entry in Args. 390 ArgEffect DefaultArgEffect; 391 392 /// Receiver - If this summary applies to an Objective-C message expression, 393 /// this is the effect applied to the state of the receiver. 394 ArgEffect Receiver; 395 396 /// Ret - The effect on the return value. Used to indicate if the 397 /// function/method call returns a new tracked symbol. 398 RetEffect Ret; 399 400 public: 401 RetainSummary(ArgEffects A, RetEffect R, ArgEffect defaultEff, 402 ArgEffect ReceiverEff) 403 : Args(A), DefaultArgEffect(defaultEff), Receiver(ReceiverEff), Ret(R) {} 404 405 /// getArg - Return the argument effect on the argument specified by 406 /// idx (starting from 0). 407 ArgEffect getArg(unsigned idx) const { 408 if (const ArgEffect *AE = Args.lookup(idx)) 409 return *AE; 410 411 return DefaultArgEffect; 412 } 413 414 void addArg(ArgEffects::Factory &af, unsigned idx, ArgEffect e) { 415 Args = af.add(Args, idx, e); 416 } 417 418 /// setDefaultArgEffect - Set the default argument effect. 419 void setDefaultArgEffect(ArgEffect E) { 420 DefaultArgEffect = E; 421 } 422 423 /// getRetEffect - Returns the effect on the return value of the call. 424 RetEffect getRetEffect() const { return Ret; } 425 426 /// setRetEffect - Set the effect of the return value of the call. 427 void setRetEffect(RetEffect E) { Ret = E; } 428 429 430 /// Sets the effect on the receiver of the message. 431 void setReceiverEffect(ArgEffect e) { Receiver = e; } 432 433 /// getReceiverEffect - Returns the effect on the receiver of the call. 434 /// This is only meaningful if the summary applies to an ObjCMessageExpr*. 435 ArgEffect getReceiverEffect() const { return Receiver; } 436 437 /// Test if two retain summaries are identical. Note that merely equivalent 438 /// summaries are not necessarily identical (for example, if an explicit 439 /// argument effect matches the default effect). 440 bool operator==(const RetainSummary &Other) const { 441 return Args == Other.Args && DefaultArgEffect == Other.DefaultArgEffect && 442 Receiver == Other.Receiver && Ret == Other.Ret; 443 } 444 445 /// Profile this summary for inclusion in a FoldingSet. 446 void Profile(llvm::FoldingSetNodeID& ID) const { 447 ID.Add(Args); 448 ID.Add(DefaultArgEffect); 449 ID.Add(Receiver); 450 ID.Add(Ret); 451 } 452 453 /// A retain summary is simple if it has no ArgEffects other than the default. 454 bool isSimple() const { 455 return Args.isEmpty(); 456 } 457 458 private: 459 ArgEffects getArgEffects() const { return Args; } 460 ArgEffect getDefaultArgEffect() const { return DefaultArgEffect; } 461 462 friend class RetainSummaryManager; 463 }; 464 } // end anonymous namespace 465 466 //===----------------------------------------------------------------------===// 467 // Data structures for constructing summaries. 468 //===----------------------------------------------------------------------===// 469 470 namespace { 471 class ObjCSummaryKey { 472 IdentifierInfo* II; 473 Selector S; 474 public: 475 ObjCSummaryKey(IdentifierInfo* ii, Selector s) 476 : II(ii), S(s) {} 477 478 ObjCSummaryKey(const ObjCInterfaceDecl *d, Selector s) 479 : II(d ? d->getIdentifier() : nullptr), S(s) {} 480 481 ObjCSummaryKey(Selector s) 482 : II(nullptr), S(s) {} 483 484 IdentifierInfo *getIdentifier() const { return II; } 485 Selector getSelector() const { return S; } 486 }; 487 } 488 489 namespace llvm { 490 template <> struct DenseMapInfo<ObjCSummaryKey> { 491 static inline ObjCSummaryKey getEmptyKey() { 492 return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getEmptyKey(), 493 DenseMapInfo<Selector>::getEmptyKey()); 494 } 495 496 static inline ObjCSummaryKey getTombstoneKey() { 497 return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getTombstoneKey(), 498 DenseMapInfo<Selector>::getTombstoneKey()); 499 } 500 501 static unsigned getHashValue(const ObjCSummaryKey &V) { 502 typedef std::pair<IdentifierInfo*, Selector> PairTy; 503 return DenseMapInfo<PairTy>::getHashValue(PairTy(V.getIdentifier(), 504 V.getSelector())); 505 } 506 507 static bool isEqual(const ObjCSummaryKey& LHS, const ObjCSummaryKey& RHS) { 508 return LHS.getIdentifier() == RHS.getIdentifier() && 509 LHS.getSelector() == RHS.getSelector(); 510 } 511 512 }; 513 } // end llvm namespace 514 515 namespace { 516 class ObjCSummaryCache { 517 typedef llvm::DenseMap<ObjCSummaryKey, const RetainSummary *> MapTy; 518 MapTy M; 519 public: 520 ObjCSummaryCache() {} 521 522 const RetainSummary * find(const ObjCInterfaceDecl *D, Selector S) { 523 // Do a lookup with the (D,S) pair. If we find a match return 524 // the iterator. 525 ObjCSummaryKey K(D, S); 526 MapTy::iterator I = M.find(K); 527 528 if (I != M.end()) 529 return I->second; 530 if (!D) 531 return nullptr; 532 533 // Walk the super chain. If we find a hit with a parent, we'll end 534 // up returning that summary. We actually allow that key (null,S), as 535 // we cache summaries for the null ObjCInterfaceDecl* to allow us to 536 // generate initial summaries without having to worry about NSObject 537 // being declared. 538 // FIXME: We may change this at some point. 539 for (ObjCInterfaceDecl *C=D->getSuperClass() ;; C=C->getSuperClass()) { 540 if ((I = M.find(ObjCSummaryKey(C, S))) != M.end()) 541 break; 542 543 if (!C) 544 return nullptr; 545 } 546 547 // Cache the summary with original key to make the next lookup faster 548 // and return the iterator. 549 const RetainSummary *Summ = I->second; 550 M[K] = Summ; 551 return Summ; 552 } 553 554 const RetainSummary *find(IdentifierInfo* II, Selector S) { 555 // FIXME: Class method lookup. Right now we dont' have a good way 556 // of going between IdentifierInfo* and the class hierarchy. 557 MapTy::iterator I = M.find(ObjCSummaryKey(II, S)); 558 559 if (I == M.end()) 560 I = M.find(ObjCSummaryKey(S)); 561 562 return I == M.end() ? nullptr : I->second; 563 } 564 565 const RetainSummary *& operator[](ObjCSummaryKey K) { 566 return M[K]; 567 } 568 569 const RetainSummary *& operator[](Selector S) { 570 return M[ ObjCSummaryKey(S) ]; 571 } 572 }; 573 } // end anonymous namespace 574 575 //===----------------------------------------------------------------------===// 576 // Data structures for managing collections of summaries. 577 //===----------------------------------------------------------------------===// 578 579 namespace { 580 class RetainSummaryManager { 581 582 //==-----------------------------------------------------------------==// 583 // Typedefs. 584 //==-----------------------------------------------------------------==// 585 586 typedef llvm::DenseMap<const FunctionDecl*, const RetainSummary *> 587 FuncSummariesTy; 588 589 typedef ObjCSummaryCache ObjCMethodSummariesTy; 590 591 typedef llvm::FoldingSetNodeWrapper<RetainSummary> CachedSummaryNode; 592 593 //==-----------------------------------------------------------------==// 594 // Data. 595 //==-----------------------------------------------------------------==// 596 597 /// Ctx - The ASTContext object for the analyzed ASTs. 598 ASTContext &Ctx; 599 600 /// GCEnabled - Records whether or not the analyzed code runs in GC mode. 601 const bool GCEnabled; 602 603 /// Records whether or not the analyzed code runs in ARC mode. 604 const bool ARCEnabled; 605 606 /// FuncSummaries - A map from FunctionDecls to summaries. 607 FuncSummariesTy FuncSummaries; 608 609 /// ObjCClassMethodSummaries - A map from selectors (for instance methods) 610 /// to summaries. 611 ObjCMethodSummariesTy ObjCClassMethodSummaries; 612 613 /// ObjCMethodSummaries - A map from selectors to summaries. 614 ObjCMethodSummariesTy ObjCMethodSummaries; 615 616 /// BPAlloc - A BumpPtrAllocator used for allocating summaries, ArgEffects, 617 /// and all other data used by the checker. 618 llvm::BumpPtrAllocator BPAlloc; 619 620 /// AF - A factory for ArgEffects objects. 621 ArgEffects::Factory AF; 622 623 /// ScratchArgs - A holding buffer for construct ArgEffects. 624 ArgEffects ScratchArgs; 625 626 /// ObjCAllocRetE - Default return effect for methods returning Objective-C 627 /// objects. 628 RetEffect ObjCAllocRetE; 629 630 /// ObjCInitRetE - Default return effect for init methods returning 631 /// Objective-C objects. 632 RetEffect ObjCInitRetE; 633 634 /// SimpleSummaries - Used for uniquing summaries that don't have special 635 /// effects. 636 llvm::FoldingSet<CachedSummaryNode> SimpleSummaries; 637 638 //==-----------------------------------------------------------------==// 639 // Methods. 640 //==-----------------------------------------------------------------==// 641 642 /// getArgEffects - Returns a persistent ArgEffects object based on the 643 /// data in ScratchArgs. 644 ArgEffects getArgEffects(); 645 646 enum UnaryFuncKind { cfretain, cfrelease, cfautorelease, cfmakecollectable }; 647 648 const RetainSummary *getUnarySummary(const FunctionType* FT, 649 UnaryFuncKind func); 650 651 const RetainSummary *getCFSummaryCreateRule(const FunctionDecl *FD); 652 const RetainSummary *getCFSummaryGetRule(const FunctionDecl *FD); 653 const RetainSummary *getCFCreateGetRuleSummary(const FunctionDecl *FD); 654 655 const RetainSummary *getPersistentSummary(const RetainSummary &OldSumm); 656 657 const RetainSummary *getPersistentSummary(RetEffect RetEff, 658 ArgEffect ReceiverEff = DoNothing, 659 ArgEffect DefaultEff = MayEscape) { 660 RetainSummary Summ(getArgEffects(), RetEff, DefaultEff, ReceiverEff); 661 return getPersistentSummary(Summ); 662 } 663 664 const RetainSummary *getDoNothingSummary() { 665 return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 666 } 667 668 const RetainSummary *getDefaultSummary() { 669 return getPersistentSummary(RetEffect::MakeNoRet(), 670 DoNothing, MayEscape); 671 } 672 673 const RetainSummary *getPersistentStopSummary() { 674 return getPersistentSummary(RetEffect::MakeNoRet(), 675 StopTracking, StopTracking); 676 } 677 678 void InitializeClassMethodSummaries(); 679 void InitializeMethodSummaries(); 680 private: 681 void addNSObjectClsMethSummary(Selector S, const RetainSummary *Summ) { 682 ObjCClassMethodSummaries[S] = Summ; 683 } 684 685 void addNSObjectMethSummary(Selector S, const RetainSummary *Summ) { 686 ObjCMethodSummaries[S] = Summ; 687 } 688 689 void addClassMethSummary(const char* Cls, const char* name, 690 const RetainSummary *Summ, bool isNullary = true) { 691 IdentifierInfo* ClsII = &Ctx.Idents.get(Cls); 692 Selector S = isNullary ? GetNullarySelector(name, Ctx) 693 : GetUnarySelector(name, Ctx); 694 ObjCClassMethodSummaries[ObjCSummaryKey(ClsII, S)] = Summ; 695 } 696 697 void addInstMethSummary(const char* Cls, const char* nullaryName, 698 const RetainSummary *Summ) { 699 IdentifierInfo* ClsII = &Ctx.Idents.get(Cls); 700 Selector S = GetNullarySelector(nullaryName, Ctx); 701 ObjCMethodSummaries[ObjCSummaryKey(ClsII, S)] = Summ; 702 } 703 704 void addMethodSummary(IdentifierInfo *ClsII, ObjCMethodSummariesTy &Summaries, 705 const RetainSummary *Summ, va_list argp) { 706 Selector S = getKeywordSelector(Ctx, argp); 707 Summaries[ObjCSummaryKey(ClsII, S)] = Summ; 708 } 709 710 void addInstMethSummary(const char* Cls, const RetainSummary * Summ, ...) { 711 va_list argp; 712 va_start(argp, Summ); 713 addMethodSummary(&Ctx.Idents.get(Cls), ObjCMethodSummaries, Summ, argp); 714 va_end(argp); 715 } 716 717 void addClsMethSummary(const char* Cls, const RetainSummary * Summ, ...) { 718 va_list argp; 719 va_start(argp, Summ); 720 addMethodSummary(&Ctx.Idents.get(Cls),ObjCClassMethodSummaries, Summ, argp); 721 va_end(argp); 722 } 723 724 void addClsMethSummary(IdentifierInfo *II, const RetainSummary * Summ, ...) { 725 va_list argp; 726 va_start(argp, Summ); 727 addMethodSummary(II, ObjCClassMethodSummaries, Summ, argp); 728 va_end(argp); 729 } 730 731 public: 732 733 RetainSummaryManager(ASTContext &ctx, bool gcenabled, bool usesARC) 734 : Ctx(ctx), 735 GCEnabled(gcenabled), 736 ARCEnabled(usesARC), 737 AF(BPAlloc), ScratchArgs(AF.getEmptyMap()), 738 ObjCAllocRetE(gcenabled 739 ? RetEffect::MakeGCNotOwned() 740 : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC) 741 : RetEffect::MakeOwned(RetEffect::ObjC, true))), 742 ObjCInitRetE(gcenabled 743 ? RetEffect::MakeGCNotOwned() 744 : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC) 745 : RetEffect::MakeOwnedWhenTrackedReceiver())) { 746 InitializeClassMethodSummaries(); 747 InitializeMethodSummaries(); 748 } 749 750 const RetainSummary *getSummary(const CallEvent &Call, 751 ProgramStateRef State = nullptr); 752 753 const RetainSummary *getFunctionSummary(const FunctionDecl *FD); 754 755 const RetainSummary *getMethodSummary(Selector S, const ObjCInterfaceDecl *ID, 756 const ObjCMethodDecl *MD, 757 QualType RetTy, 758 ObjCMethodSummariesTy &CachedSummaries); 759 760 const RetainSummary *getInstanceMethodSummary(const ObjCMethodCall &M, 761 ProgramStateRef State); 762 763 const RetainSummary *getClassMethodSummary(const ObjCMethodCall &M) { 764 assert(!M.isInstanceMessage()); 765 const ObjCInterfaceDecl *Class = M.getReceiverInterface(); 766 767 return getMethodSummary(M.getSelector(), Class, M.getDecl(), 768 M.getResultType(), ObjCClassMethodSummaries); 769 } 770 771 /// getMethodSummary - This version of getMethodSummary is used to query 772 /// the summary for the current method being analyzed. 773 const RetainSummary *getMethodSummary(const ObjCMethodDecl *MD) { 774 const ObjCInterfaceDecl *ID = MD->getClassInterface(); 775 Selector S = MD->getSelector(); 776 QualType ResultTy = MD->getReturnType(); 777 778 ObjCMethodSummariesTy *CachedSummaries; 779 if (MD->isInstanceMethod()) 780 CachedSummaries = &ObjCMethodSummaries; 781 else 782 CachedSummaries = &ObjCClassMethodSummaries; 783 784 return getMethodSummary(S, ID, MD, ResultTy, *CachedSummaries); 785 } 786 787 const RetainSummary *getStandardMethodSummary(const ObjCMethodDecl *MD, 788 Selector S, QualType RetTy); 789 790 /// Determine if there is a special return effect for this function or method. 791 Optional<RetEffect> getRetEffectFromAnnotations(QualType RetTy, 792 const Decl *D); 793 794 void updateSummaryFromAnnotations(const RetainSummary *&Summ, 795 const ObjCMethodDecl *MD); 796 797 void updateSummaryFromAnnotations(const RetainSummary *&Summ, 798 const FunctionDecl *FD); 799 800 void updateSummaryForCall(const RetainSummary *&Summ, 801 const CallEvent &Call); 802 803 bool isGCEnabled() const { return GCEnabled; } 804 805 bool isARCEnabled() const { return ARCEnabled; } 806 807 bool isARCorGCEnabled() const { return GCEnabled || ARCEnabled; } 808 809 RetEffect getObjAllocRetEffect() const { return ObjCAllocRetE; } 810 811 friend class RetainSummaryTemplate; 812 }; 813 814 // Used to avoid allocating long-term (BPAlloc'd) memory for default retain 815 // summaries. If a function or method looks like it has a default summary, but 816 // it has annotations, the annotations are added to the stack-based template 817 // and then copied into managed memory. 818 class RetainSummaryTemplate { 819 RetainSummaryManager &Manager; 820 const RetainSummary *&RealSummary; 821 RetainSummary ScratchSummary; 822 bool Accessed; 823 public: 824 RetainSummaryTemplate(const RetainSummary *&real, RetainSummaryManager &mgr) 825 : Manager(mgr), RealSummary(real), ScratchSummary(*real), Accessed(false) {} 826 827 ~RetainSummaryTemplate() { 828 if (Accessed) 829 RealSummary = Manager.getPersistentSummary(ScratchSummary); 830 } 831 832 RetainSummary &operator*() { 833 Accessed = true; 834 return ScratchSummary; 835 } 836 837 RetainSummary *operator->() { 838 Accessed = true; 839 return &ScratchSummary; 840 } 841 }; 842 843 } // end anonymous namespace 844 845 //===----------------------------------------------------------------------===// 846 // Implementation of checker data structures. 847 //===----------------------------------------------------------------------===// 848 849 ArgEffects RetainSummaryManager::getArgEffects() { 850 ArgEffects AE = ScratchArgs; 851 ScratchArgs = AF.getEmptyMap(); 852 return AE; 853 } 854 855 const RetainSummary * 856 RetainSummaryManager::getPersistentSummary(const RetainSummary &OldSumm) { 857 // Unique "simple" summaries -- those without ArgEffects. 858 if (OldSumm.isSimple()) { 859 llvm::FoldingSetNodeID ID; 860 OldSumm.Profile(ID); 861 862 void *Pos; 863 CachedSummaryNode *N = SimpleSummaries.FindNodeOrInsertPos(ID, Pos); 864 865 if (!N) { 866 N = (CachedSummaryNode *) BPAlloc.Allocate<CachedSummaryNode>(); 867 new (N) CachedSummaryNode(OldSumm); 868 SimpleSummaries.InsertNode(N, Pos); 869 } 870 871 return &N->getValue(); 872 } 873 874 RetainSummary *Summ = (RetainSummary *) BPAlloc.Allocate<RetainSummary>(); 875 new (Summ) RetainSummary(OldSumm); 876 return Summ; 877 } 878 879 //===----------------------------------------------------------------------===// 880 // Summary creation for functions (largely uses of Core Foundation). 881 //===----------------------------------------------------------------------===// 882 883 static bool isRetain(const FunctionDecl *FD, StringRef FName) { 884 return FName.endswith("Retain"); 885 } 886 887 static bool isRelease(const FunctionDecl *FD, StringRef FName) { 888 return FName.endswith("Release"); 889 } 890 891 static bool isAutorelease(const FunctionDecl *FD, StringRef FName) { 892 return FName.endswith("Autorelease"); 893 } 894 895 static bool isMakeCollectable(const FunctionDecl *FD, StringRef FName) { 896 // FIXME: Remove FunctionDecl parameter. 897 // FIXME: Is it really okay if MakeCollectable isn't a suffix? 898 return FName.find("MakeCollectable") != StringRef::npos; 899 } 900 901 static ArgEffect getStopTrackingHardEquivalent(ArgEffect E) { 902 switch (E) { 903 case DoNothing: 904 case Autorelease: 905 case DecRefBridgedTransferred: 906 case IncRef: 907 case IncRefMsg: 908 case MakeCollectable: 909 case MayEscape: 910 case StopTracking: 911 case StopTrackingHard: 912 return StopTrackingHard; 913 case DecRef: 914 case DecRefAndStopTrackingHard: 915 return DecRefAndStopTrackingHard; 916 case DecRefMsg: 917 case DecRefMsgAndStopTrackingHard: 918 return DecRefMsgAndStopTrackingHard; 919 case Dealloc: 920 return Dealloc; 921 } 922 923 llvm_unreachable("Unknown ArgEffect kind"); 924 } 925 926 void RetainSummaryManager::updateSummaryForCall(const RetainSummary *&S, 927 const CallEvent &Call) { 928 if (Call.hasNonZeroCallbackArg()) { 929 ArgEffect RecEffect = 930 getStopTrackingHardEquivalent(S->getReceiverEffect()); 931 ArgEffect DefEffect = 932 getStopTrackingHardEquivalent(S->getDefaultArgEffect()); 933 934 ArgEffects CustomArgEffects = S->getArgEffects(); 935 for (ArgEffects::iterator I = CustomArgEffects.begin(), 936 E = CustomArgEffects.end(); 937 I != E; ++I) { 938 ArgEffect Translated = getStopTrackingHardEquivalent(I->second); 939 if (Translated != DefEffect) 940 ScratchArgs = AF.add(ScratchArgs, I->first, Translated); 941 } 942 943 RetEffect RE = RetEffect::MakeNoRetHard(); 944 945 // Special cases where the callback argument CANNOT free the return value. 946 // This can generally only happen if we know that the callback will only be 947 // called when the return value is already being deallocated. 948 if (const SimpleFunctionCall *FC = dyn_cast<SimpleFunctionCall>(&Call)) { 949 if (IdentifierInfo *Name = FC->getDecl()->getIdentifier()) { 950 // When the CGBitmapContext is deallocated, the callback here will free 951 // the associated data buffer. 952 if (Name->isStr("CGBitmapContextCreateWithData")) 953 RE = S->getRetEffect(); 954 } 955 } 956 957 S = getPersistentSummary(RE, RecEffect, DefEffect); 958 } 959 960 // Special case '[super init];' and '[self init];' 961 // 962 // Even though calling '[super init]' without assigning the result to self 963 // and checking if the parent returns 'nil' is a bad pattern, it is common. 964 // Additionally, our Self Init checker already warns about it. To avoid 965 // overwhelming the user with messages from both checkers, we model the case 966 // of '[super init]' in cases when it is not consumed by another expression 967 // as if the call preserves the value of 'self'; essentially, assuming it can 968 // never fail and return 'nil'. 969 // Note, we don't want to just stop tracking the value since we want the 970 // RetainCount checker to report leaks and use-after-free if SelfInit checker 971 // is turned off. 972 if (const ObjCMethodCall *MC = dyn_cast<ObjCMethodCall>(&Call)) { 973 if (MC->getMethodFamily() == OMF_init && MC->isReceiverSelfOrSuper()) { 974 975 // Check if the message is not consumed, we know it will not be used in 976 // an assignment, ex: "self = [super init]". 977 const Expr *ME = MC->getOriginExpr(); 978 const LocationContext *LCtx = MC->getLocationContext(); 979 ParentMap &PM = LCtx->getAnalysisDeclContext()->getParentMap(); 980 if (!PM.isConsumedExpr(ME)) { 981 RetainSummaryTemplate ModifiableSummaryTemplate(S, *this); 982 ModifiableSummaryTemplate->setReceiverEffect(DoNothing); 983 ModifiableSummaryTemplate->setRetEffect(RetEffect::MakeNoRet()); 984 } 985 } 986 987 } 988 } 989 990 const RetainSummary * 991 RetainSummaryManager::getSummary(const CallEvent &Call, 992 ProgramStateRef State) { 993 const RetainSummary *Summ; 994 switch (Call.getKind()) { 995 case CE_Function: 996 Summ = getFunctionSummary(cast<SimpleFunctionCall>(Call).getDecl()); 997 break; 998 case CE_CXXMember: 999 case CE_CXXMemberOperator: 1000 case CE_Block: 1001 case CE_CXXConstructor: 1002 case CE_CXXDestructor: 1003 case CE_CXXAllocator: 1004 // FIXME: These calls are currently unsupported. 1005 return getPersistentStopSummary(); 1006 case CE_ObjCMessage: { 1007 const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call); 1008 if (Msg.isInstanceMessage()) 1009 Summ = getInstanceMethodSummary(Msg, State); 1010 else 1011 Summ = getClassMethodSummary(Msg); 1012 break; 1013 } 1014 } 1015 1016 updateSummaryForCall(Summ, Call); 1017 1018 assert(Summ && "Unknown call type?"); 1019 return Summ; 1020 } 1021 1022 const RetainSummary * 1023 RetainSummaryManager::getFunctionSummary(const FunctionDecl *FD) { 1024 // If we don't know what function we're calling, use our default summary. 1025 if (!FD) 1026 return getDefaultSummary(); 1027 1028 // Look up a summary in our cache of FunctionDecls -> Summaries. 1029 FuncSummariesTy::iterator I = FuncSummaries.find(FD); 1030 if (I != FuncSummaries.end()) 1031 return I->second; 1032 1033 // No summary? Generate one. 1034 const RetainSummary *S = nullptr; 1035 bool AllowAnnotations = true; 1036 1037 do { 1038 // We generate "stop" summaries for implicitly defined functions. 1039 if (FD->isImplicit()) { 1040 S = getPersistentStopSummary(); 1041 break; 1042 } 1043 1044 // [PR 3337] Use 'getAs<FunctionType>' to strip away any typedefs on the 1045 // function's type. 1046 const FunctionType* FT = FD->getType()->getAs<FunctionType>(); 1047 const IdentifierInfo *II = FD->getIdentifier(); 1048 if (!II) 1049 break; 1050 1051 StringRef FName = II->getName(); 1052 1053 // Strip away preceding '_'. Doing this here will effect all the checks 1054 // down below. 1055 FName = FName.substr(FName.find_first_not_of('_')); 1056 1057 // Inspect the result type. 1058 QualType RetTy = FT->getReturnType(); 1059 1060 // FIXME: This should all be refactored into a chain of "summary lookup" 1061 // filters. 1062 assert(ScratchArgs.isEmpty()); 1063 1064 if (FName == "pthread_create" || FName == "pthread_setspecific") { 1065 // Part of: <rdar://problem/7299394> and <rdar://problem/11282706>. 1066 // This will be addressed better with IPA. 1067 S = getPersistentStopSummary(); 1068 } else if (FName == "NSMakeCollectable") { 1069 // Handle: id NSMakeCollectable(CFTypeRef) 1070 S = (RetTy->isObjCIdType()) 1071 ? getUnarySummary(FT, cfmakecollectable) 1072 : getPersistentStopSummary(); 1073 // The headers on OS X 10.8 use cf_consumed/ns_returns_retained, 1074 // but we can fully model NSMakeCollectable ourselves. 1075 AllowAnnotations = false; 1076 } else if (FName == "CFPlugInInstanceCreate") { 1077 S = getPersistentSummary(RetEffect::MakeNoRet()); 1078 } else if (FName == "IOBSDNameMatching" || 1079 FName == "IOServiceMatching" || 1080 FName == "IOServiceNameMatching" || 1081 FName == "IORegistryEntrySearchCFProperty" || 1082 FName == "IORegistryEntryIDMatching" || 1083 FName == "IOOpenFirmwarePathMatching") { 1084 // Part of <rdar://problem/6961230>. (IOKit) 1085 // This should be addressed using a API table. 1086 S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true), 1087 DoNothing, DoNothing); 1088 } else if (FName == "IOServiceGetMatchingService" || 1089 FName == "IOServiceGetMatchingServices") { 1090 // FIXES: <rdar://problem/6326900> 1091 // This should be addressed using a API table. This strcmp is also 1092 // a little gross, but there is no need to super optimize here. 1093 ScratchArgs = AF.add(ScratchArgs, 1, DecRef); 1094 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1095 } else if (FName == "IOServiceAddNotification" || 1096 FName == "IOServiceAddMatchingNotification") { 1097 // Part of <rdar://problem/6961230>. (IOKit) 1098 // This should be addressed using a API table. 1099 ScratchArgs = AF.add(ScratchArgs, 2, DecRef); 1100 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1101 } else if (FName == "CVPixelBufferCreateWithBytes") { 1102 // FIXES: <rdar://problem/7283567> 1103 // Eventually this can be improved by recognizing that the pixel 1104 // buffer passed to CVPixelBufferCreateWithBytes is released via 1105 // a callback and doing full IPA to make sure this is done correctly. 1106 // FIXME: This function has an out parameter that returns an 1107 // allocated object. 1108 ScratchArgs = AF.add(ScratchArgs, 7, StopTracking); 1109 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1110 } else if (FName == "CGBitmapContextCreateWithData") { 1111 // FIXES: <rdar://problem/7358899> 1112 // Eventually this can be improved by recognizing that 'releaseInfo' 1113 // passed to CGBitmapContextCreateWithData is released via 1114 // a callback and doing full IPA to make sure this is done correctly. 1115 ScratchArgs = AF.add(ScratchArgs, 8, StopTracking); 1116 S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true), 1117 DoNothing, DoNothing); 1118 } else if (FName == "CVPixelBufferCreateWithPlanarBytes") { 1119 // FIXES: <rdar://problem/7283567> 1120 // Eventually this can be improved by recognizing that the pixel 1121 // buffer passed to CVPixelBufferCreateWithPlanarBytes is released 1122 // via a callback and doing full IPA to make sure this is done 1123 // correctly. 1124 ScratchArgs = AF.add(ScratchArgs, 12, StopTracking); 1125 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1126 } else if (FName == "dispatch_set_context" || 1127 FName == "xpc_connection_set_context") { 1128 // <rdar://problem/11059275> - The analyzer currently doesn't have 1129 // a good way to reason about the finalizer function for libdispatch. 1130 // If we pass a context object that is memory managed, stop tracking it. 1131 // <rdar://problem/13783514> - Same problem, but for XPC. 1132 // FIXME: this hack should possibly go away once we can handle 1133 // libdispatch and XPC finalizers. 1134 ScratchArgs = AF.add(ScratchArgs, 1, StopTracking); 1135 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1136 } else if (FName.startswith("NSLog")) { 1137 S = getDoNothingSummary(); 1138 } else if (FName.startswith("NS") && 1139 (FName.find("Insert") != StringRef::npos)) { 1140 // Whitelist NSXXInsertXX, for example NSMapInsertIfAbsent, since they can 1141 // be deallocated by NSMapRemove. (radar://11152419) 1142 ScratchArgs = AF.add(ScratchArgs, 1, StopTracking); 1143 ScratchArgs = AF.add(ScratchArgs, 2, StopTracking); 1144 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1145 } 1146 1147 // Did we get a summary? 1148 if (S) 1149 break; 1150 1151 if (RetTy->isPointerType()) { 1152 // For CoreFoundation ('CF') types. 1153 if (cocoa::isRefType(RetTy, "CF", FName)) { 1154 if (isRetain(FD, FName)) { 1155 S = getUnarySummary(FT, cfretain); 1156 } else if (isAutorelease(FD, FName)) { 1157 S = getUnarySummary(FT, cfautorelease); 1158 // The headers use cf_consumed, but we can fully model CFAutorelease 1159 // ourselves. 1160 AllowAnnotations = false; 1161 } else if (isMakeCollectable(FD, FName)) { 1162 S = getUnarySummary(FT, cfmakecollectable); 1163 AllowAnnotations = false; 1164 } else { 1165 S = getCFCreateGetRuleSummary(FD); 1166 } 1167 1168 break; 1169 } 1170 1171 // For CoreGraphics ('CG') types. 1172 if (cocoa::isRefType(RetTy, "CG", FName)) { 1173 if (isRetain(FD, FName)) 1174 S = getUnarySummary(FT, cfretain); 1175 else 1176 S = getCFCreateGetRuleSummary(FD); 1177 1178 break; 1179 } 1180 1181 // For the Disk Arbitration API (DiskArbitration/DADisk.h) 1182 if (cocoa::isRefType(RetTy, "DADisk") || 1183 cocoa::isRefType(RetTy, "DADissenter") || 1184 cocoa::isRefType(RetTy, "DASessionRef")) { 1185 S = getCFCreateGetRuleSummary(FD); 1186 break; 1187 } 1188 1189 if (FD->hasAttr<CFAuditedTransferAttr>()) { 1190 S = getCFCreateGetRuleSummary(FD); 1191 break; 1192 } 1193 1194 break; 1195 } 1196 1197 // Check for release functions, the only kind of functions that we care 1198 // about that don't return a pointer type. 1199 if (FName[0] == 'C' && (FName[1] == 'F' || FName[1] == 'G')) { 1200 // Test for 'CGCF'. 1201 FName = FName.substr(FName.startswith("CGCF") ? 4 : 2); 1202 1203 if (isRelease(FD, FName)) 1204 S = getUnarySummary(FT, cfrelease); 1205 else { 1206 assert (ScratchArgs.isEmpty()); 1207 // Remaining CoreFoundation and CoreGraphics functions. 1208 // We use to assume that they all strictly followed the ownership idiom 1209 // and that ownership cannot be transferred. While this is technically 1210 // correct, many methods allow a tracked object to escape. For example: 1211 // 1212 // CFMutableDictionaryRef x = CFDictionaryCreateMutable(...); 1213 // CFDictionaryAddValue(y, key, x); 1214 // CFRelease(x); 1215 // ... it is okay to use 'x' since 'y' has a reference to it 1216 // 1217 // We handle this and similar cases with the follow heuristic. If the 1218 // function name contains "InsertValue", "SetValue", "AddValue", 1219 // "AppendValue", or "SetAttribute", then we assume that arguments may 1220 // "escape." This means that something else holds on to the object, 1221 // allowing it be used even after its local retain count drops to 0. 1222 ArgEffect E = (StrInStrNoCase(FName, "InsertValue") != StringRef::npos|| 1223 StrInStrNoCase(FName, "AddValue") != StringRef::npos || 1224 StrInStrNoCase(FName, "SetValue") != StringRef::npos || 1225 StrInStrNoCase(FName, "AppendValue") != StringRef::npos|| 1226 StrInStrNoCase(FName, "SetAttribute") != StringRef::npos) 1227 ? MayEscape : DoNothing; 1228 1229 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, E); 1230 } 1231 } 1232 } 1233 while (0); 1234 1235 // If we got all the way here without any luck, use a default summary. 1236 if (!S) 1237 S = getDefaultSummary(); 1238 1239 // Annotations override defaults. 1240 if (AllowAnnotations) 1241 updateSummaryFromAnnotations(S, FD); 1242 1243 FuncSummaries[FD] = S; 1244 return S; 1245 } 1246 1247 const RetainSummary * 1248 RetainSummaryManager::getCFCreateGetRuleSummary(const FunctionDecl *FD) { 1249 if (coreFoundation::followsCreateRule(FD)) 1250 return getCFSummaryCreateRule(FD); 1251 1252 return getCFSummaryGetRule(FD); 1253 } 1254 1255 const RetainSummary * 1256 RetainSummaryManager::getUnarySummary(const FunctionType* FT, 1257 UnaryFuncKind func) { 1258 1259 // Sanity check that this is *really* a unary function. This can 1260 // happen if people do weird things. 1261 const FunctionProtoType* FTP = dyn_cast<FunctionProtoType>(FT); 1262 if (!FTP || FTP->getNumParams() != 1) 1263 return getPersistentStopSummary(); 1264 1265 assert (ScratchArgs.isEmpty()); 1266 1267 ArgEffect Effect; 1268 switch (func) { 1269 case cfretain: Effect = IncRef; break; 1270 case cfrelease: Effect = DecRef; break; 1271 case cfautorelease: Effect = Autorelease; break; 1272 case cfmakecollectable: Effect = MakeCollectable; break; 1273 } 1274 1275 ScratchArgs = AF.add(ScratchArgs, 0, Effect); 1276 return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1277 } 1278 1279 const RetainSummary * 1280 RetainSummaryManager::getCFSummaryCreateRule(const FunctionDecl *FD) { 1281 assert (ScratchArgs.isEmpty()); 1282 1283 return getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true)); 1284 } 1285 1286 const RetainSummary * 1287 RetainSummaryManager::getCFSummaryGetRule(const FunctionDecl *FD) { 1288 assert (ScratchArgs.isEmpty()); 1289 return getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::CF), 1290 DoNothing, DoNothing); 1291 } 1292 1293 //===----------------------------------------------------------------------===// 1294 // Summary creation for Selectors. 1295 //===----------------------------------------------------------------------===// 1296 1297 Optional<RetEffect> 1298 RetainSummaryManager::getRetEffectFromAnnotations(QualType RetTy, 1299 const Decl *D) { 1300 if (cocoa::isCocoaObjectRef(RetTy)) { 1301 if (D->hasAttr<NSReturnsRetainedAttr>()) 1302 return ObjCAllocRetE; 1303 1304 if (D->hasAttr<NSReturnsNotRetainedAttr>() || 1305 D->hasAttr<NSReturnsAutoreleasedAttr>()) 1306 return RetEffect::MakeNotOwned(RetEffect::ObjC); 1307 1308 } else if (!RetTy->isPointerType()) { 1309 return None; 1310 } 1311 1312 if (D->hasAttr<CFReturnsRetainedAttr>()) 1313 return RetEffect::MakeOwned(RetEffect::CF, true); 1314 1315 if (D->hasAttr<CFReturnsNotRetainedAttr>()) 1316 return RetEffect::MakeNotOwned(RetEffect::CF); 1317 1318 return None; 1319 } 1320 1321 void 1322 RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ, 1323 const FunctionDecl *FD) { 1324 if (!FD) 1325 return; 1326 1327 assert(Summ && "Must have a summary to add annotations to."); 1328 RetainSummaryTemplate Template(Summ, *this); 1329 1330 // Effects on the parameters. 1331 unsigned parm_idx = 0; 1332 for (FunctionDecl::param_const_iterator pi = FD->param_begin(), 1333 pe = FD->param_end(); pi != pe; ++pi, ++parm_idx) { 1334 const ParmVarDecl *pd = *pi; 1335 if (pd->hasAttr<NSConsumedAttr>()) 1336 Template->addArg(AF, parm_idx, DecRefMsg); 1337 else if (pd->hasAttr<CFConsumedAttr>()) 1338 Template->addArg(AF, parm_idx, DecRef); 1339 } 1340 1341 QualType RetTy = FD->getReturnType(); 1342 if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, FD)) 1343 Template->setRetEffect(*RetE); 1344 } 1345 1346 void 1347 RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ, 1348 const ObjCMethodDecl *MD) { 1349 if (!MD) 1350 return; 1351 1352 assert(Summ && "Must have a valid summary to add annotations to"); 1353 RetainSummaryTemplate Template(Summ, *this); 1354 1355 // Effects on the receiver. 1356 if (MD->hasAttr<NSConsumesSelfAttr>()) 1357 Template->setReceiverEffect(DecRefMsg); 1358 1359 // Effects on the parameters. 1360 unsigned parm_idx = 0; 1361 for (ObjCMethodDecl::param_const_iterator 1362 pi=MD->param_begin(), pe=MD->param_end(); 1363 pi != pe; ++pi, ++parm_idx) { 1364 const ParmVarDecl *pd = *pi; 1365 if (pd->hasAttr<NSConsumedAttr>()) 1366 Template->addArg(AF, parm_idx, DecRefMsg); 1367 else if (pd->hasAttr<CFConsumedAttr>()) { 1368 Template->addArg(AF, parm_idx, DecRef); 1369 } 1370 } 1371 1372 QualType RetTy = MD->getReturnType(); 1373 if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, MD)) 1374 Template->setRetEffect(*RetE); 1375 } 1376 1377 const RetainSummary * 1378 RetainSummaryManager::getStandardMethodSummary(const ObjCMethodDecl *MD, 1379 Selector S, QualType RetTy) { 1380 // Any special effects? 1381 ArgEffect ReceiverEff = DoNothing; 1382 RetEffect ResultEff = RetEffect::MakeNoRet(); 1383 1384 // Check the method family, and apply any default annotations. 1385 switch (MD ? MD->getMethodFamily() : S.getMethodFamily()) { 1386 case OMF_None: 1387 case OMF_initialize: 1388 case OMF_performSelector: 1389 // Assume all Objective-C methods follow Cocoa Memory Management rules. 1390 // FIXME: Does the non-threaded performSelector family really belong here? 1391 // The selector could be, say, @selector(copy). 1392 if (cocoa::isCocoaObjectRef(RetTy)) 1393 ResultEff = RetEffect::MakeNotOwned(RetEffect::ObjC); 1394 else if (coreFoundation::isCFObjectRef(RetTy)) { 1395 // ObjCMethodDecl currently doesn't consider CF objects as valid return 1396 // values for alloc, new, copy, or mutableCopy, so we have to 1397 // double-check with the selector. This is ugly, but there aren't that 1398 // many Objective-C methods that return CF objects, right? 1399 if (MD) { 1400 switch (S.getMethodFamily()) { 1401 case OMF_alloc: 1402 case OMF_new: 1403 case OMF_copy: 1404 case OMF_mutableCopy: 1405 ResultEff = RetEffect::MakeOwned(RetEffect::CF, true); 1406 break; 1407 default: 1408 ResultEff = RetEffect::MakeNotOwned(RetEffect::CF); 1409 break; 1410 } 1411 } else { 1412 ResultEff = RetEffect::MakeNotOwned(RetEffect::CF); 1413 } 1414 } 1415 break; 1416 case OMF_init: 1417 ResultEff = ObjCInitRetE; 1418 ReceiverEff = DecRefMsg; 1419 break; 1420 case OMF_alloc: 1421 case OMF_new: 1422 case OMF_copy: 1423 case OMF_mutableCopy: 1424 if (cocoa::isCocoaObjectRef(RetTy)) 1425 ResultEff = ObjCAllocRetE; 1426 else if (coreFoundation::isCFObjectRef(RetTy)) 1427 ResultEff = RetEffect::MakeOwned(RetEffect::CF, true); 1428 break; 1429 case OMF_autorelease: 1430 ReceiverEff = Autorelease; 1431 break; 1432 case OMF_retain: 1433 ReceiverEff = IncRefMsg; 1434 break; 1435 case OMF_release: 1436 ReceiverEff = DecRefMsg; 1437 break; 1438 case OMF_dealloc: 1439 ReceiverEff = Dealloc; 1440 break; 1441 case OMF_self: 1442 // -self is handled specially by the ExprEngine to propagate the receiver. 1443 break; 1444 case OMF_retainCount: 1445 case OMF_finalize: 1446 // These methods don't return objects. 1447 break; 1448 } 1449 1450 // If one of the arguments in the selector has the keyword 'delegate' we 1451 // should stop tracking the reference count for the receiver. This is 1452 // because the reference count is quite possibly handled by a delegate 1453 // method. 1454 if (S.isKeywordSelector()) { 1455 for (unsigned i = 0, e = S.getNumArgs(); i != e; ++i) { 1456 StringRef Slot = S.getNameForSlot(i); 1457 if (Slot.substr(Slot.size() - 8).equals_lower("delegate")) { 1458 if (ResultEff == ObjCInitRetE) 1459 ResultEff = RetEffect::MakeNoRetHard(); 1460 else 1461 ReceiverEff = StopTrackingHard; 1462 } 1463 } 1464 } 1465 1466 if (ScratchArgs.isEmpty() && ReceiverEff == DoNothing && 1467 ResultEff.getKind() == RetEffect::NoRet) 1468 return getDefaultSummary(); 1469 1470 return getPersistentSummary(ResultEff, ReceiverEff, MayEscape); 1471 } 1472 1473 const RetainSummary * 1474 RetainSummaryManager::getInstanceMethodSummary(const ObjCMethodCall &Msg, 1475 ProgramStateRef State) { 1476 const ObjCInterfaceDecl *ReceiverClass = nullptr; 1477 1478 // We do better tracking of the type of the object than the core ExprEngine. 1479 // See if we have its type in our private state. 1480 // FIXME: Eventually replace the use of state->get<RefBindings> with 1481 // a generic API for reasoning about the Objective-C types of symbolic 1482 // objects. 1483 SVal ReceiverV = Msg.getReceiverSVal(); 1484 if (SymbolRef Sym = ReceiverV.getAsLocSymbol()) 1485 if (const RefVal *T = getRefBinding(State, Sym)) 1486 if (const ObjCObjectPointerType *PT = 1487 T->getType()->getAs<ObjCObjectPointerType>()) 1488 ReceiverClass = PT->getInterfaceDecl(); 1489 1490 // If we don't know what kind of object this is, fall back to its static type. 1491 if (!ReceiverClass) 1492 ReceiverClass = Msg.getReceiverInterface(); 1493 1494 // FIXME: The receiver could be a reference to a class, meaning that 1495 // we should use the class method. 1496 // id x = [NSObject class]; 1497 // [x performSelector:... withObject:... afterDelay:...]; 1498 Selector S = Msg.getSelector(); 1499 const ObjCMethodDecl *Method = Msg.getDecl(); 1500 if (!Method && ReceiverClass) 1501 Method = ReceiverClass->getInstanceMethod(S); 1502 1503 return getMethodSummary(S, ReceiverClass, Method, Msg.getResultType(), 1504 ObjCMethodSummaries); 1505 } 1506 1507 const RetainSummary * 1508 RetainSummaryManager::getMethodSummary(Selector S, const ObjCInterfaceDecl *ID, 1509 const ObjCMethodDecl *MD, QualType RetTy, 1510 ObjCMethodSummariesTy &CachedSummaries) { 1511 1512 // Look up a summary in our summary cache. 1513 const RetainSummary *Summ = CachedSummaries.find(ID, S); 1514 1515 if (!Summ) { 1516 Summ = getStandardMethodSummary(MD, S, RetTy); 1517 1518 // Annotations override defaults. 1519 updateSummaryFromAnnotations(Summ, MD); 1520 1521 // Memoize the summary. 1522 CachedSummaries[ObjCSummaryKey(ID, S)] = Summ; 1523 } 1524 1525 return Summ; 1526 } 1527 1528 void RetainSummaryManager::InitializeClassMethodSummaries() { 1529 assert(ScratchArgs.isEmpty()); 1530 // Create the [NSAssertionHandler currentHander] summary. 1531 addClassMethSummary("NSAssertionHandler", "currentHandler", 1532 getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::ObjC))); 1533 1534 // Create the [NSAutoreleasePool addObject:] summary. 1535 ScratchArgs = AF.add(ScratchArgs, 0, Autorelease); 1536 addClassMethSummary("NSAutoreleasePool", "addObject", 1537 getPersistentSummary(RetEffect::MakeNoRet(), 1538 DoNothing, Autorelease)); 1539 } 1540 1541 void RetainSummaryManager::InitializeMethodSummaries() { 1542 1543 assert (ScratchArgs.isEmpty()); 1544 1545 // Create the "init" selector. It just acts as a pass-through for the 1546 // receiver. 1547 const RetainSummary *InitSumm = getPersistentSummary(ObjCInitRetE, DecRefMsg); 1548 addNSObjectMethSummary(GetNullarySelector("init", Ctx), InitSumm); 1549 1550 // awakeAfterUsingCoder: behaves basically like an 'init' method. It 1551 // claims the receiver and returns a retained object. 1552 addNSObjectMethSummary(GetUnarySelector("awakeAfterUsingCoder", Ctx), 1553 InitSumm); 1554 1555 // The next methods are allocators. 1556 const RetainSummary *AllocSumm = getPersistentSummary(ObjCAllocRetE); 1557 const RetainSummary *CFAllocSumm = 1558 getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true)); 1559 1560 // Create the "retain" selector. 1561 RetEffect NoRet = RetEffect::MakeNoRet(); 1562 const RetainSummary *Summ = getPersistentSummary(NoRet, IncRefMsg); 1563 addNSObjectMethSummary(GetNullarySelector("retain", Ctx), Summ); 1564 1565 // Create the "release" selector. 1566 Summ = getPersistentSummary(NoRet, DecRefMsg); 1567 addNSObjectMethSummary(GetNullarySelector("release", Ctx), Summ); 1568 1569 // Create the -dealloc summary. 1570 Summ = getPersistentSummary(NoRet, Dealloc); 1571 addNSObjectMethSummary(GetNullarySelector("dealloc", Ctx), Summ); 1572 1573 // Create the "autorelease" selector. 1574 Summ = getPersistentSummary(NoRet, Autorelease); 1575 addNSObjectMethSummary(GetNullarySelector("autorelease", Ctx), Summ); 1576 1577 // For NSWindow, allocated objects are (initially) self-owned. 1578 // FIXME: For now we opt for false negatives with NSWindow, as these objects 1579 // self-own themselves. However, they only do this once they are displayed. 1580 // Thus, we need to track an NSWindow's display status. 1581 // This is tracked in <rdar://problem/6062711>. 1582 // See also http://llvm.org/bugs/show_bug.cgi?id=3714. 1583 const RetainSummary *NoTrackYet = getPersistentSummary(RetEffect::MakeNoRet(), 1584 StopTracking, 1585 StopTracking); 1586 1587 addClassMethSummary("NSWindow", "alloc", NoTrackYet); 1588 1589 // For NSPanel (which subclasses NSWindow), allocated objects are not 1590 // self-owned. 1591 // FIXME: For now we don't track NSPanels. object for the same reason 1592 // as for NSWindow objects. 1593 addClassMethSummary("NSPanel", "alloc", NoTrackYet); 1594 1595 // For NSNull, objects returned by +null are singletons that ignore 1596 // retain/release semantics. Just don't track them. 1597 // <rdar://problem/12858915> 1598 addClassMethSummary("NSNull", "null", NoTrackYet); 1599 1600 // Don't track allocated autorelease pools, as it is okay to prematurely 1601 // exit a method. 1602 addClassMethSummary("NSAutoreleasePool", "alloc", NoTrackYet); 1603 addClassMethSummary("NSAutoreleasePool", "allocWithZone", NoTrackYet, false); 1604 addClassMethSummary("NSAutoreleasePool", "new", NoTrackYet); 1605 1606 // Create summaries QCRenderer/QCView -createSnapShotImageOfType: 1607 addInstMethSummary("QCRenderer", AllocSumm, 1608 "createSnapshotImageOfType", nullptr); 1609 addInstMethSummary("QCView", AllocSumm, 1610 "createSnapshotImageOfType", nullptr); 1611 1612 // Create summaries for CIContext, 'createCGImage' and 1613 // 'createCGLayerWithSize'. These objects are CF objects, and are not 1614 // automatically garbage collected. 1615 addInstMethSummary("CIContext", CFAllocSumm, 1616 "createCGImage", "fromRect", nullptr); 1617 addInstMethSummary("CIContext", CFAllocSumm, "createCGImage", "fromRect", 1618 "format", "colorSpace", nullptr); 1619 addInstMethSummary("CIContext", CFAllocSumm, "createCGLayerWithSize", "info", 1620 nullptr); 1621 } 1622 1623 //===----------------------------------------------------------------------===// 1624 // Error reporting. 1625 //===----------------------------------------------------------------------===// 1626 namespace { 1627 typedef llvm::DenseMap<const ExplodedNode *, const RetainSummary *> 1628 SummaryLogTy; 1629 1630 //===-------------===// 1631 // Bug Descriptions. // 1632 //===-------------===// 1633 1634 class CFRefBug : public BugType { 1635 protected: 1636 CFRefBug(const CheckerBase *checker, StringRef name) 1637 : BugType(checker, name, categories::MemoryCoreFoundationObjectiveC) {} 1638 1639 public: 1640 1641 // FIXME: Eventually remove. 1642 virtual const char *getDescription() const = 0; 1643 1644 virtual bool isLeak() const { return false; } 1645 }; 1646 1647 class UseAfterRelease : public CFRefBug { 1648 public: 1649 UseAfterRelease(const CheckerBase *checker) 1650 : CFRefBug(checker, "Use-after-release") {} 1651 1652 const char *getDescription() const override { 1653 return "Reference-counted object is used after it is released"; 1654 } 1655 }; 1656 1657 class BadRelease : public CFRefBug { 1658 public: 1659 BadRelease(const CheckerBase *checker) : CFRefBug(checker, "Bad release") {} 1660 1661 const char *getDescription() const override { 1662 return "Incorrect decrement of the reference count of an object that is " 1663 "not owned at this point by the caller"; 1664 } 1665 }; 1666 1667 class DeallocGC : public CFRefBug { 1668 public: 1669 DeallocGC(const CheckerBase *checker) 1670 : CFRefBug(checker, "-dealloc called while using garbage collection") {} 1671 1672 const char *getDescription() const override { 1673 return "-dealloc called while using garbage collection"; 1674 } 1675 }; 1676 1677 class DeallocNotOwned : public CFRefBug { 1678 public: 1679 DeallocNotOwned(const CheckerBase *checker) 1680 : CFRefBug(checker, "-dealloc sent to non-exclusively owned object") {} 1681 1682 const char *getDescription() const override { 1683 return "-dealloc sent to object that may be referenced elsewhere"; 1684 } 1685 }; 1686 1687 class OverAutorelease : public CFRefBug { 1688 public: 1689 OverAutorelease(const CheckerBase *checker) 1690 : CFRefBug(checker, "Object autoreleased too many times") {} 1691 1692 const char *getDescription() const override { 1693 return "Object autoreleased too many times"; 1694 } 1695 }; 1696 1697 class ReturnedNotOwnedForOwned : public CFRefBug { 1698 public: 1699 ReturnedNotOwnedForOwned(const CheckerBase *checker) 1700 : CFRefBug(checker, "Method should return an owned object") {} 1701 1702 const char *getDescription() const override { 1703 return "Object with a +0 retain count returned to caller where a +1 " 1704 "(owning) retain count is expected"; 1705 } 1706 }; 1707 1708 class Leak : public CFRefBug { 1709 public: 1710 Leak(const CheckerBase *checker, StringRef name) : CFRefBug(checker, name) { 1711 // Leaks should not be reported if they are post-dominated by a sink. 1712 setSuppressOnSink(true); 1713 } 1714 1715 const char *getDescription() const override { return ""; } 1716 1717 bool isLeak() const override { return true; } 1718 }; 1719 1720 //===---------===// 1721 // Bug Reports. // 1722 //===---------===// 1723 1724 class CFRefReportVisitor : public BugReporterVisitorImpl<CFRefReportVisitor> { 1725 protected: 1726 SymbolRef Sym; 1727 const SummaryLogTy &SummaryLog; 1728 bool GCEnabled; 1729 1730 public: 1731 CFRefReportVisitor(SymbolRef sym, bool gcEnabled, const SummaryLogTy &log) 1732 : Sym(sym), SummaryLog(log), GCEnabled(gcEnabled) {} 1733 1734 void Profile(llvm::FoldingSetNodeID &ID) const override { 1735 static int x = 0; 1736 ID.AddPointer(&x); 1737 ID.AddPointer(Sym); 1738 } 1739 1740 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 1741 const ExplodedNode *PrevN, 1742 BugReporterContext &BRC, 1743 BugReport &BR) override; 1744 1745 std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC, 1746 const ExplodedNode *N, 1747 BugReport &BR) override; 1748 }; 1749 1750 class CFRefLeakReportVisitor : public CFRefReportVisitor { 1751 public: 1752 CFRefLeakReportVisitor(SymbolRef sym, bool GCEnabled, 1753 const SummaryLogTy &log) 1754 : CFRefReportVisitor(sym, GCEnabled, log) {} 1755 1756 std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC, 1757 const ExplodedNode *N, 1758 BugReport &BR) override; 1759 1760 std::unique_ptr<BugReporterVisitor> clone() const override { 1761 // The curiously-recurring template pattern only works for one level of 1762 // subclassing. Rather than make a new template base for 1763 // CFRefReportVisitor, we simply override clone() to do the right thing. 1764 // This could be trouble someday if BugReporterVisitorImpl is ever 1765 // used for something else besides a convenient implementation of clone(). 1766 return llvm::make_unique<CFRefLeakReportVisitor>(*this); 1767 } 1768 }; 1769 1770 class CFRefReport : public BugReport { 1771 void addGCModeDescription(const LangOptions &LOpts, bool GCEnabled); 1772 1773 public: 1774 CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1775 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1776 bool registerVisitor = true) 1777 : BugReport(D, D.getDescription(), n) { 1778 if (registerVisitor) 1779 addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log)); 1780 addGCModeDescription(LOpts, GCEnabled); 1781 } 1782 1783 CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1784 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1785 StringRef endText) 1786 : BugReport(D, D.getDescription(), endText, n) { 1787 addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log)); 1788 addGCModeDescription(LOpts, GCEnabled); 1789 } 1790 1791 llvm::iterator_range<ranges_iterator> getRanges() override { 1792 const CFRefBug& BugTy = static_cast<CFRefBug&>(getBugType()); 1793 if (!BugTy.isLeak()) 1794 return BugReport::getRanges(); 1795 return llvm::make_range(ranges_iterator(), ranges_iterator()); 1796 } 1797 }; 1798 1799 class CFRefLeakReport : public CFRefReport { 1800 const MemRegion* AllocBinding; 1801 public: 1802 CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1803 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1804 CheckerContext &Ctx, 1805 bool IncludeAllocationLine); 1806 1807 PathDiagnosticLocation getLocation(const SourceManager &SM) const override { 1808 assert(Location.isValid()); 1809 return Location; 1810 } 1811 }; 1812 } // end anonymous namespace 1813 1814 void CFRefReport::addGCModeDescription(const LangOptions &LOpts, 1815 bool GCEnabled) { 1816 const char *GCModeDescription = nullptr; 1817 1818 switch (LOpts.getGC()) { 1819 case LangOptions::GCOnly: 1820 assert(GCEnabled); 1821 GCModeDescription = "Code is compiled to only use garbage collection"; 1822 break; 1823 1824 case LangOptions::NonGC: 1825 assert(!GCEnabled); 1826 GCModeDescription = "Code is compiled to use reference counts"; 1827 break; 1828 1829 case LangOptions::HybridGC: 1830 if (GCEnabled) { 1831 GCModeDescription = "Code is compiled to use either garbage collection " 1832 "(GC) or reference counts (non-GC). The bug occurs " 1833 "with GC enabled"; 1834 break; 1835 } else { 1836 GCModeDescription = "Code is compiled to use either garbage collection " 1837 "(GC) or reference counts (non-GC). The bug occurs " 1838 "in non-GC mode"; 1839 break; 1840 } 1841 } 1842 1843 assert(GCModeDescription && "invalid/unknown GC mode"); 1844 addExtraText(GCModeDescription); 1845 } 1846 1847 static bool isNumericLiteralExpression(const Expr *E) { 1848 // FIXME: This set of cases was copied from SemaExprObjC. 1849 return isa<IntegerLiteral>(E) || 1850 isa<CharacterLiteral>(E) || 1851 isa<FloatingLiteral>(E) || 1852 isa<ObjCBoolLiteralExpr>(E) || 1853 isa<CXXBoolLiteralExpr>(E); 1854 } 1855 1856 /// Returns true if this stack frame is for an Objective-C method that is a 1857 /// property getter or setter whose body has been synthesized by the analyzer. 1858 static bool isSynthesizedAccessor(const StackFrameContext *SFC) { 1859 auto Method = dyn_cast_or_null<ObjCMethodDecl>(SFC->getDecl()); 1860 if (!Method || !Method->isPropertyAccessor()) 1861 return false; 1862 1863 return SFC->getAnalysisDeclContext()->isBodyAutosynthesized(); 1864 } 1865 1866 PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N, 1867 const ExplodedNode *PrevN, 1868 BugReporterContext &BRC, 1869 BugReport &BR) { 1870 // FIXME: We will eventually need to handle non-statement-based events 1871 // (__attribute__((cleanup))). 1872 if (!N->getLocation().getAs<StmtPoint>()) 1873 return nullptr; 1874 1875 // Check if the type state has changed. 1876 ProgramStateRef PrevSt = PrevN->getState(); 1877 ProgramStateRef CurrSt = N->getState(); 1878 const LocationContext *LCtx = N->getLocationContext(); 1879 1880 const RefVal* CurrT = getRefBinding(CurrSt, Sym); 1881 if (!CurrT) return nullptr; 1882 1883 const RefVal &CurrV = *CurrT; 1884 const RefVal *PrevT = getRefBinding(PrevSt, Sym); 1885 1886 // Create a string buffer to constain all the useful things we want 1887 // to tell the user. 1888 std::string sbuf; 1889 llvm::raw_string_ostream os(sbuf); 1890 1891 // This is the allocation site since the previous node had no bindings 1892 // for this symbol. 1893 if (!PrevT) { 1894 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 1895 1896 if (isa<ObjCIvarRefExpr>(S) && 1897 isSynthesizedAccessor(LCtx->getCurrentStackFrame())) { 1898 S = LCtx->getCurrentStackFrame()->getCallSite(); 1899 } 1900 1901 if (isa<ObjCArrayLiteral>(S)) { 1902 os << "NSArray literal is an object with a +0 retain count"; 1903 } 1904 else if (isa<ObjCDictionaryLiteral>(S)) { 1905 os << "NSDictionary literal is an object with a +0 retain count"; 1906 } 1907 else if (const ObjCBoxedExpr *BL = dyn_cast<ObjCBoxedExpr>(S)) { 1908 if (isNumericLiteralExpression(BL->getSubExpr())) 1909 os << "NSNumber literal is an object with a +0 retain count"; 1910 else { 1911 const ObjCInterfaceDecl *BoxClass = nullptr; 1912 if (const ObjCMethodDecl *Method = BL->getBoxingMethod()) 1913 BoxClass = Method->getClassInterface(); 1914 1915 // We should always be able to find the boxing class interface, 1916 // but consider this future-proofing. 1917 if (BoxClass) 1918 os << *BoxClass << " b"; 1919 else 1920 os << "B"; 1921 1922 os << "oxed expression produces an object with a +0 retain count"; 1923 } 1924 } 1925 else if (isa<ObjCIvarRefExpr>(S)) { 1926 os << "Object loaded from instance variable"; 1927 } 1928 else { 1929 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1930 // Get the name of the callee (if it is available). 1931 SVal X = CurrSt->getSValAsScalarOrLoc(CE->getCallee(), LCtx); 1932 if (const FunctionDecl *FD = X.getAsFunctionDecl()) 1933 os << "Call to function '" << *FD << '\''; 1934 else 1935 os << "function call"; 1936 } 1937 else { 1938 assert(isa<ObjCMessageExpr>(S)); 1939 CallEventManager &Mgr = CurrSt->getStateManager().getCallEventManager(); 1940 CallEventRef<ObjCMethodCall> Call 1941 = Mgr.getObjCMethodCall(cast<ObjCMessageExpr>(S), CurrSt, LCtx); 1942 1943 switch (Call->getMessageKind()) { 1944 case OCM_Message: 1945 os << "Method"; 1946 break; 1947 case OCM_PropertyAccess: 1948 os << "Property"; 1949 break; 1950 case OCM_Subscript: 1951 os << "Subscript"; 1952 break; 1953 } 1954 } 1955 1956 if (CurrV.getObjKind() == RetEffect::CF) { 1957 os << " returns a Core Foundation object with a "; 1958 } 1959 else { 1960 assert (CurrV.getObjKind() == RetEffect::ObjC); 1961 os << " returns an Objective-C object with a "; 1962 } 1963 1964 if (CurrV.isOwned()) { 1965 os << "+1 retain count"; 1966 1967 if (GCEnabled) { 1968 assert(CurrV.getObjKind() == RetEffect::CF); 1969 os << ". " 1970 "Core Foundation objects are not automatically garbage collected."; 1971 } 1972 } 1973 else { 1974 assert (CurrV.isNotOwned()); 1975 os << "+0 retain count"; 1976 } 1977 } 1978 1979 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 1980 N->getLocationContext()); 1981 return new PathDiagnosticEventPiece(Pos, os.str()); 1982 } 1983 1984 // Gather up the effects that were performed on the object at this 1985 // program point 1986 SmallVector<ArgEffect, 2> AEffects; 1987 1988 const ExplodedNode *OrigNode = BRC.getNodeResolver().getOriginalNode(N); 1989 if (const RetainSummary *Summ = SummaryLog.lookup(OrigNode)) { 1990 // We only have summaries attached to nodes after evaluating CallExpr and 1991 // ObjCMessageExprs. 1992 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 1993 1994 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1995 // Iterate through the parameter expressions and see if the symbol 1996 // was ever passed as an argument. 1997 unsigned i = 0; 1998 1999 for (CallExpr::const_arg_iterator AI=CE->arg_begin(), AE=CE->arg_end(); 2000 AI!=AE; ++AI, ++i) { 2001 2002 // Retrieve the value of the argument. Is it the symbol 2003 // we are interested in? 2004 if (CurrSt->getSValAsScalarOrLoc(*AI, LCtx).getAsLocSymbol() != Sym) 2005 continue; 2006 2007 // We have an argument. Get the effect! 2008 AEffects.push_back(Summ->getArg(i)); 2009 } 2010 } 2011 else if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S)) { 2012 if (const Expr *receiver = ME->getInstanceReceiver()) 2013 if (CurrSt->getSValAsScalarOrLoc(receiver, LCtx) 2014 .getAsLocSymbol() == Sym) { 2015 // The symbol we are tracking is the receiver. 2016 AEffects.push_back(Summ->getReceiverEffect()); 2017 } 2018 } 2019 } 2020 2021 do { 2022 // Get the previous type state. 2023 RefVal PrevV = *PrevT; 2024 2025 // Specially handle -dealloc. 2026 if (!GCEnabled && std::find(AEffects.begin(), AEffects.end(), Dealloc) != 2027 AEffects.end()) { 2028 // Determine if the object's reference count was pushed to zero. 2029 assert(!PrevV.hasSameState(CurrV) && "The state should have changed."); 2030 // We may not have transitioned to 'release' if we hit an error. 2031 // This case is handled elsewhere. 2032 if (CurrV.getKind() == RefVal::Released) { 2033 assert(CurrV.getCombinedCounts() == 0); 2034 os << "Object released by directly sending the '-dealloc' message"; 2035 break; 2036 } 2037 } 2038 2039 // Specially handle CFMakeCollectable and friends. 2040 if (std::find(AEffects.begin(), AEffects.end(), MakeCollectable) != 2041 AEffects.end()) { 2042 // Get the name of the function. 2043 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 2044 SVal X = 2045 CurrSt->getSValAsScalarOrLoc(cast<CallExpr>(S)->getCallee(), LCtx); 2046 const FunctionDecl *FD = X.getAsFunctionDecl(); 2047 2048 if (GCEnabled) { 2049 // Determine if the object's reference count was pushed to zero. 2050 assert(!PrevV.hasSameState(CurrV) && "The state should have changed."); 2051 2052 os << "In GC mode a call to '" << *FD 2053 << "' decrements an object's retain count and registers the " 2054 "object with the garbage collector. "; 2055 2056 if (CurrV.getKind() == RefVal::Released) { 2057 assert(CurrV.getCount() == 0); 2058 os << "Since it now has a 0 retain count the object can be " 2059 "automatically collected by the garbage collector."; 2060 } 2061 else 2062 os << "An object must have a 0 retain count to be garbage collected. " 2063 "After this call its retain count is +" << CurrV.getCount() 2064 << '.'; 2065 } 2066 else 2067 os << "When GC is not enabled a call to '" << *FD 2068 << "' has no effect on its argument."; 2069 2070 // Nothing more to say. 2071 break; 2072 } 2073 2074 // Determine if the typestate has changed. 2075 if (!PrevV.hasSameState(CurrV)) 2076 switch (CurrV.getKind()) { 2077 case RefVal::Owned: 2078 case RefVal::NotOwned: 2079 if (PrevV.getCount() == CurrV.getCount()) { 2080 // Did an autorelease message get sent? 2081 if (PrevV.getAutoreleaseCount() == CurrV.getAutoreleaseCount()) 2082 return nullptr; 2083 2084 assert(PrevV.getAutoreleaseCount() < CurrV.getAutoreleaseCount()); 2085 os << "Object autoreleased"; 2086 break; 2087 } 2088 2089 if (PrevV.getCount() > CurrV.getCount()) 2090 os << "Reference count decremented."; 2091 else 2092 os << "Reference count incremented."; 2093 2094 if (unsigned Count = CurrV.getCount()) 2095 os << " The object now has a +" << Count << " retain count."; 2096 2097 if (PrevV.getKind() == RefVal::Released) { 2098 assert(GCEnabled && CurrV.getCount() > 0); 2099 os << " The object is not eligible for garbage collection until " 2100 "the retain count reaches 0 again."; 2101 } 2102 2103 break; 2104 2105 case RefVal::Released: 2106 if (CurrV.getIvarAccessHistory() == 2107 RefVal::IvarAccessHistory::ReleasedAfterDirectAccess && 2108 CurrV.getIvarAccessHistory() != PrevV.getIvarAccessHistory()) { 2109 os << "Strong instance variable relinquished. "; 2110 } 2111 os << "Object released."; 2112 break; 2113 2114 case RefVal::ReturnedOwned: 2115 // Autoreleases can be applied after marking a node ReturnedOwned. 2116 if (CurrV.getAutoreleaseCount()) 2117 return nullptr; 2118 2119 os << "Object returned to caller as an owning reference (single " 2120 "retain count transferred to caller)"; 2121 break; 2122 2123 case RefVal::ReturnedNotOwned: 2124 os << "Object returned to caller with a +0 retain count"; 2125 break; 2126 2127 default: 2128 return nullptr; 2129 } 2130 2131 // Emit any remaining diagnostics for the argument effects (if any). 2132 for (SmallVectorImpl<ArgEffect>::iterator I=AEffects.begin(), 2133 E=AEffects.end(); I != E; ++I) { 2134 2135 // A bunch of things have alternate behavior under GC. 2136 if (GCEnabled) 2137 switch (*I) { 2138 default: break; 2139 case Autorelease: 2140 os << "In GC mode an 'autorelease' has no effect."; 2141 continue; 2142 case IncRefMsg: 2143 os << "In GC mode the 'retain' message has no effect."; 2144 continue; 2145 case DecRefMsg: 2146 os << "In GC mode the 'release' message has no effect."; 2147 continue; 2148 } 2149 } 2150 } while (0); 2151 2152 if (os.str().empty()) 2153 return nullptr; // We have nothing to say! 2154 2155 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 2156 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2157 N->getLocationContext()); 2158 PathDiagnosticPiece *P = new PathDiagnosticEventPiece(Pos, os.str()); 2159 2160 // Add the range by scanning the children of the statement for any bindings 2161 // to Sym. 2162 for (Stmt::const_child_iterator I = S->child_begin(), E = S->child_end(); 2163 I!=E; ++I) 2164 if (const Expr *Exp = dyn_cast_or_null<Expr>(*I)) 2165 if (CurrSt->getSValAsScalarOrLoc(Exp, LCtx).getAsLocSymbol() == Sym) { 2166 P->addRange(Exp->getSourceRange()); 2167 break; 2168 } 2169 2170 return P; 2171 } 2172 2173 // Find the first node in the current function context that referred to the 2174 // tracked symbol and the memory location that value was stored to. Note, the 2175 // value is only reported if the allocation occurred in the same function as 2176 // the leak. The function can also return a location context, which should be 2177 // treated as interesting. 2178 struct AllocationInfo { 2179 const ExplodedNode* N; 2180 const MemRegion *R; 2181 const LocationContext *InterestingMethodContext; 2182 AllocationInfo(const ExplodedNode *InN, 2183 const MemRegion *InR, 2184 const LocationContext *InInterestingMethodContext) : 2185 N(InN), R(InR), InterestingMethodContext(InInterestingMethodContext) {} 2186 }; 2187 2188 static AllocationInfo 2189 GetAllocationSite(ProgramStateManager& StateMgr, const ExplodedNode *N, 2190 SymbolRef Sym) { 2191 const ExplodedNode *AllocationNode = N; 2192 const ExplodedNode *AllocationNodeInCurrentOrParentContext = N; 2193 const MemRegion *FirstBinding = nullptr; 2194 const LocationContext *LeakContext = N->getLocationContext(); 2195 2196 // The location context of the init method called on the leaked object, if 2197 // available. 2198 const LocationContext *InitMethodContext = nullptr; 2199 2200 while (N) { 2201 ProgramStateRef St = N->getState(); 2202 const LocationContext *NContext = N->getLocationContext(); 2203 2204 if (!getRefBinding(St, Sym)) 2205 break; 2206 2207 StoreManager::FindUniqueBinding FB(Sym); 2208 StateMgr.iterBindings(St, FB); 2209 2210 if (FB) { 2211 const MemRegion *R = FB.getRegion(); 2212 const VarRegion *VR = R->getBaseRegion()->getAs<VarRegion>(); 2213 // Do not show local variables belonging to a function other than 2214 // where the error is reported. 2215 if (!VR || VR->getStackFrame() == LeakContext->getCurrentStackFrame()) 2216 FirstBinding = R; 2217 } 2218 2219 // AllocationNode is the last node in which the symbol was tracked. 2220 AllocationNode = N; 2221 2222 // AllocationNodeInCurrentContext, is the last node in the current or 2223 // parent context in which the symbol was tracked. 2224 // 2225 // Note that the allocation site might be in the parent conext. For example, 2226 // the case where an allocation happens in a block that captures a reference 2227 // to it and that reference is overwritten/dropped by another call to 2228 // the block. 2229 if (NContext == LeakContext || NContext->isParentOf(LeakContext)) 2230 AllocationNodeInCurrentOrParentContext = N; 2231 2232 // Find the last init that was called on the given symbol and store the 2233 // init method's location context. 2234 if (!InitMethodContext) 2235 if (Optional<CallEnter> CEP = N->getLocation().getAs<CallEnter>()) { 2236 const Stmt *CE = CEP->getCallExpr(); 2237 if (const ObjCMessageExpr *ME = dyn_cast_or_null<ObjCMessageExpr>(CE)) { 2238 const Stmt *RecExpr = ME->getInstanceReceiver(); 2239 if (RecExpr) { 2240 SVal RecV = St->getSVal(RecExpr, NContext); 2241 if (ME->getMethodFamily() == OMF_init && RecV.getAsSymbol() == Sym) 2242 InitMethodContext = CEP->getCalleeContext(); 2243 } 2244 } 2245 } 2246 2247 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2248 } 2249 2250 // If we are reporting a leak of the object that was allocated with alloc, 2251 // mark its init method as interesting. 2252 const LocationContext *InterestingMethodContext = nullptr; 2253 if (InitMethodContext) { 2254 const ProgramPoint AllocPP = AllocationNode->getLocation(); 2255 if (Optional<StmtPoint> SP = AllocPP.getAs<StmtPoint>()) 2256 if (const ObjCMessageExpr *ME = SP->getStmtAs<ObjCMessageExpr>()) 2257 if (ME->getMethodFamily() == OMF_alloc) 2258 InterestingMethodContext = InitMethodContext; 2259 } 2260 2261 // If allocation happened in a function different from the leak node context, 2262 // do not report the binding. 2263 assert(N && "Could not find allocation node"); 2264 if (N->getLocationContext() != LeakContext) { 2265 FirstBinding = nullptr; 2266 } 2267 2268 return AllocationInfo(AllocationNodeInCurrentOrParentContext, 2269 FirstBinding, 2270 InterestingMethodContext); 2271 } 2272 2273 std::unique_ptr<PathDiagnosticPiece> 2274 CFRefReportVisitor::getEndPath(BugReporterContext &BRC, 2275 const ExplodedNode *EndN, BugReport &BR) { 2276 BR.markInteresting(Sym); 2277 return BugReporterVisitor::getDefaultEndPath(BRC, EndN, BR); 2278 } 2279 2280 std::unique_ptr<PathDiagnosticPiece> 2281 CFRefLeakReportVisitor::getEndPath(BugReporterContext &BRC, 2282 const ExplodedNode *EndN, BugReport &BR) { 2283 2284 // Tell the BugReporterContext to report cases when the tracked symbol is 2285 // assigned to different variables, etc. 2286 BR.markInteresting(Sym); 2287 2288 // We are reporting a leak. Walk up the graph to get to the first node where 2289 // the symbol appeared, and also get the first VarDecl that tracked object 2290 // is stored to. 2291 AllocationInfo AllocI = 2292 GetAllocationSite(BRC.getStateManager(), EndN, Sym); 2293 2294 const MemRegion* FirstBinding = AllocI.R; 2295 BR.markInteresting(AllocI.InterestingMethodContext); 2296 2297 SourceManager& SM = BRC.getSourceManager(); 2298 2299 // Compute an actual location for the leak. Sometimes a leak doesn't 2300 // occur at an actual statement (e.g., transition between blocks; end 2301 // of function) so we need to walk the graph and compute a real location. 2302 const ExplodedNode *LeakN = EndN; 2303 PathDiagnosticLocation L = PathDiagnosticLocation::createEndOfPath(LeakN, SM); 2304 2305 std::string sbuf; 2306 llvm::raw_string_ostream os(sbuf); 2307 2308 os << "Object leaked: "; 2309 2310 if (FirstBinding) { 2311 os << "object allocated and stored into '" 2312 << FirstBinding->getString() << '\''; 2313 } 2314 else 2315 os << "allocated object"; 2316 2317 // Get the retain count. 2318 const RefVal* RV = getRefBinding(EndN->getState(), Sym); 2319 assert(RV); 2320 2321 if (RV->getKind() == RefVal::ErrorLeakReturned) { 2322 // FIXME: Per comments in rdar://6320065, "create" only applies to CF 2323 // objects. Only "copy", "alloc", "retain" and "new" transfer ownership 2324 // to the caller for NS objects. 2325 const Decl *D = &EndN->getCodeDecl(); 2326 2327 os << (isa<ObjCMethodDecl>(D) ? " is returned from a method " 2328 : " is returned from a function "); 2329 2330 if (D->hasAttr<CFReturnsNotRetainedAttr>()) 2331 os << "that is annotated as CF_RETURNS_NOT_RETAINED"; 2332 else if (D->hasAttr<NSReturnsNotRetainedAttr>()) 2333 os << "that is annotated as NS_RETURNS_NOT_RETAINED"; 2334 else { 2335 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) { 2336 os << "whose name ('" << MD->getSelector().getAsString() 2337 << "') does not start with 'copy', 'mutableCopy', 'alloc' or 'new'." 2338 " This violates the naming convention rules" 2339 " given in the Memory Management Guide for Cocoa"; 2340 } 2341 else { 2342 const FunctionDecl *FD = cast<FunctionDecl>(D); 2343 os << "whose name ('" << *FD 2344 << "') does not contain 'Copy' or 'Create'. This violates the naming" 2345 " convention rules given in the Memory Management Guide for Core" 2346 " Foundation"; 2347 } 2348 } 2349 } 2350 else if (RV->getKind() == RefVal::ErrorGCLeakReturned) { 2351 const ObjCMethodDecl &MD = cast<ObjCMethodDecl>(EndN->getCodeDecl()); 2352 os << " and returned from method '" << MD.getSelector().getAsString() 2353 << "' is potentially leaked when using garbage collection. Callers " 2354 "of this method do not expect a returned object with a +1 retain " 2355 "count since they expect the object to be managed by the garbage " 2356 "collector"; 2357 } 2358 else 2359 os << " is not referenced later in this execution path and has a retain " 2360 "count of +" << RV->getCount(); 2361 2362 return llvm::make_unique<PathDiagnosticEventPiece>(L, os.str()); 2363 } 2364 2365 CFRefLeakReport::CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts, 2366 bool GCEnabled, const SummaryLogTy &Log, 2367 ExplodedNode *n, SymbolRef sym, 2368 CheckerContext &Ctx, 2369 bool IncludeAllocationLine) 2370 : CFRefReport(D, LOpts, GCEnabled, Log, n, sym, false) { 2371 2372 // Most bug reports are cached at the location where they occurred. 2373 // With leaks, we want to unique them by the location where they were 2374 // allocated, and only report a single path. To do this, we need to find 2375 // the allocation site of a piece of tracked memory, which we do via a 2376 // call to GetAllocationSite. This will walk the ExplodedGraph backwards. 2377 // Note that this is *not* the trimmed graph; we are guaranteed, however, 2378 // that all ancestor nodes that represent the allocation site have the 2379 // same SourceLocation. 2380 const ExplodedNode *AllocNode = nullptr; 2381 2382 const SourceManager& SMgr = Ctx.getSourceManager(); 2383 2384 AllocationInfo AllocI = 2385 GetAllocationSite(Ctx.getStateManager(), getErrorNode(), sym); 2386 2387 AllocNode = AllocI.N; 2388 AllocBinding = AllocI.R; 2389 markInteresting(AllocI.InterestingMethodContext); 2390 2391 // Get the SourceLocation for the allocation site. 2392 // FIXME: This will crash the analyzer if an allocation comes from an 2393 // implicit call (ex: a destructor call). 2394 // (Currently there are no such allocations in Cocoa, though.) 2395 const Stmt *AllocStmt = 0; 2396 ProgramPoint P = AllocNode->getLocation(); 2397 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 2398 AllocStmt = Exit->getCalleeContext()->getCallSite(); 2399 else 2400 AllocStmt = P.castAs<PostStmt>().getStmt(); 2401 assert(AllocStmt && "Cannot find allocation statement"); 2402 2403 PathDiagnosticLocation AllocLocation = 2404 PathDiagnosticLocation::createBegin(AllocStmt, SMgr, 2405 AllocNode->getLocationContext()); 2406 Location = AllocLocation; 2407 2408 // Set uniqieing info, which will be used for unique the bug reports. The 2409 // leaks should be uniqued on the allocation site. 2410 UniqueingLocation = AllocLocation; 2411 UniqueingDecl = AllocNode->getLocationContext()->getDecl(); 2412 2413 // Fill in the description of the bug. 2414 Description.clear(); 2415 llvm::raw_string_ostream os(Description); 2416 os << "Potential leak "; 2417 if (GCEnabled) 2418 os << "(when using garbage collection) "; 2419 os << "of an object"; 2420 2421 if (AllocBinding) { 2422 os << " stored into '" << AllocBinding->getString() << '\''; 2423 if (IncludeAllocationLine) { 2424 FullSourceLoc SL(AllocStmt->getLocStart(), Ctx.getSourceManager()); 2425 os << " (allocated on line " << SL.getSpellingLineNumber() << ")"; 2426 } 2427 } 2428 2429 addVisitor(llvm::make_unique<CFRefLeakReportVisitor>(sym, GCEnabled, Log)); 2430 } 2431 2432 //===----------------------------------------------------------------------===// 2433 // Main checker logic. 2434 //===----------------------------------------------------------------------===// 2435 2436 namespace { 2437 class RetainCountChecker 2438 : public Checker< check::Bind, 2439 check::DeadSymbols, 2440 check::EndAnalysis, 2441 check::EndFunction, 2442 check::PostStmt<BlockExpr>, 2443 check::PostStmt<CastExpr>, 2444 check::PostStmt<ObjCArrayLiteral>, 2445 check::PostStmt<ObjCDictionaryLiteral>, 2446 check::PostStmt<ObjCBoxedExpr>, 2447 check::PostStmt<ObjCIvarRefExpr>, 2448 check::PostCall, 2449 check::PreStmt<ReturnStmt>, 2450 check::RegionChanges, 2451 eval::Assume, 2452 eval::Call > { 2453 mutable std::unique_ptr<CFRefBug> useAfterRelease, releaseNotOwned; 2454 mutable std::unique_ptr<CFRefBug> deallocGC, deallocNotOwned; 2455 mutable std::unique_ptr<CFRefBug> overAutorelease, returnNotOwnedForOwned; 2456 mutable std::unique_ptr<CFRefBug> leakWithinFunction, leakAtReturn; 2457 mutable std::unique_ptr<CFRefBug> leakWithinFunctionGC, leakAtReturnGC; 2458 2459 typedef llvm::DenseMap<SymbolRef, const CheckerProgramPointTag *> SymbolTagMap; 2460 2461 // This map is only used to ensure proper deletion of any allocated tags. 2462 mutable SymbolTagMap DeadSymbolTags; 2463 2464 mutable std::unique_ptr<RetainSummaryManager> Summaries; 2465 mutable std::unique_ptr<RetainSummaryManager> SummariesGC; 2466 mutable SummaryLogTy SummaryLog; 2467 mutable bool ShouldResetSummaryLog; 2468 2469 /// Optional setting to indicate if leak reports should include 2470 /// the allocation line. 2471 mutable bool IncludeAllocationLine; 2472 2473 public: 2474 RetainCountChecker(AnalyzerOptions &AO) 2475 : ShouldResetSummaryLog(false), 2476 IncludeAllocationLine(shouldIncludeAllocationSiteInLeakDiagnostics(AO)) {} 2477 2478 ~RetainCountChecker() override { DeleteContainerSeconds(DeadSymbolTags); } 2479 2480 void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR, 2481 ExprEngine &Eng) const { 2482 // FIXME: This is a hack to make sure the summary log gets cleared between 2483 // analyses of different code bodies. 2484 // 2485 // Why is this necessary? Because a checker's lifetime is tied to a 2486 // translation unit, but an ExplodedGraph's lifetime is just a code body. 2487 // Once in a blue moon, a new ExplodedNode will have the same address as an 2488 // old one with an associated summary, and the bug report visitor gets very 2489 // confused. (To make things worse, the summary lifetime is currently also 2490 // tied to a code body, so we get a crash instead of incorrect results.) 2491 // 2492 // Why is this a bad solution? Because if the lifetime of the ExplodedGraph 2493 // changes, things will start going wrong again. Really the lifetime of this 2494 // log needs to be tied to either the specific nodes in it or the entire 2495 // ExplodedGraph, not to a specific part of the code being analyzed. 2496 // 2497 // (Also, having stateful local data means that the same checker can't be 2498 // used from multiple threads, but a lot of checkers have incorrect 2499 // assumptions about that anyway. So that wasn't a priority at the time of 2500 // this fix.) 2501 // 2502 // This happens at the end of analysis, but bug reports are emitted /after/ 2503 // this point. So we can't just clear the summary log now. Instead, we mark 2504 // that the next time we access the summary log, it should be cleared. 2505 2506 // If we never reset the summary log during /this/ code body analysis, 2507 // there were no new summaries. There might still have been summaries from 2508 // the /last/ analysis, so clear them out to make sure the bug report 2509 // visitors don't get confused. 2510 if (ShouldResetSummaryLog) 2511 SummaryLog.clear(); 2512 2513 ShouldResetSummaryLog = !SummaryLog.empty(); 2514 } 2515 2516 CFRefBug *getLeakWithinFunctionBug(const LangOptions &LOpts, 2517 bool GCEnabled) const { 2518 if (GCEnabled) { 2519 if (!leakWithinFunctionGC) 2520 leakWithinFunctionGC.reset(new Leak(this, "Leak of object when using " 2521 "garbage collection")); 2522 return leakWithinFunctionGC.get(); 2523 } else { 2524 if (!leakWithinFunction) { 2525 if (LOpts.getGC() == LangOptions::HybridGC) { 2526 leakWithinFunction.reset(new Leak(this, 2527 "Leak of object when not using " 2528 "garbage collection (GC) in " 2529 "dual GC/non-GC code")); 2530 } else { 2531 leakWithinFunction.reset(new Leak(this, "Leak")); 2532 } 2533 } 2534 return leakWithinFunction.get(); 2535 } 2536 } 2537 2538 CFRefBug *getLeakAtReturnBug(const LangOptions &LOpts, bool GCEnabled) const { 2539 if (GCEnabled) { 2540 if (!leakAtReturnGC) 2541 leakAtReturnGC.reset(new Leak(this, 2542 "Leak of returned object when using " 2543 "garbage collection")); 2544 return leakAtReturnGC.get(); 2545 } else { 2546 if (!leakAtReturn) { 2547 if (LOpts.getGC() == LangOptions::HybridGC) { 2548 leakAtReturn.reset(new Leak(this, 2549 "Leak of returned object when not using " 2550 "garbage collection (GC) in dual " 2551 "GC/non-GC code")); 2552 } else { 2553 leakAtReturn.reset(new Leak(this, "Leak of returned object")); 2554 } 2555 } 2556 return leakAtReturn.get(); 2557 } 2558 } 2559 2560 RetainSummaryManager &getSummaryManager(ASTContext &Ctx, 2561 bool GCEnabled) const { 2562 // FIXME: We don't support ARC being turned on and off during one analysis. 2563 // (nor, for that matter, do we support changing ASTContexts) 2564 bool ARCEnabled = (bool)Ctx.getLangOpts().ObjCAutoRefCount; 2565 if (GCEnabled) { 2566 if (!SummariesGC) 2567 SummariesGC.reset(new RetainSummaryManager(Ctx, true, ARCEnabled)); 2568 else 2569 assert(SummariesGC->isARCEnabled() == ARCEnabled); 2570 return *SummariesGC; 2571 } else { 2572 if (!Summaries) 2573 Summaries.reset(new RetainSummaryManager(Ctx, false, ARCEnabled)); 2574 else 2575 assert(Summaries->isARCEnabled() == ARCEnabled); 2576 return *Summaries; 2577 } 2578 } 2579 2580 RetainSummaryManager &getSummaryManager(CheckerContext &C) const { 2581 return getSummaryManager(C.getASTContext(), C.isObjCGCEnabled()); 2582 } 2583 2584 void printState(raw_ostream &Out, ProgramStateRef State, 2585 const char *NL, const char *Sep) const override; 2586 2587 void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const; 2588 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 2589 void checkPostStmt(const CastExpr *CE, CheckerContext &C) const; 2590 2591 void checkPostStmt(const ObjCArrayLiteral *AL, CheckerContext &C) const; 2592 void checkPostStmt(const ObjCDictionaryLiteral *DL, CheckerContext &C) const; 2593 void checkPostStmt(const ObjCBoxedExpr *BE, CheckerContext &C) const; 2594 2595 void checkPostStmt(const ObjCIvarRefExpr *IRE, CheckerContext &C) const; 2596 2597 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 2598 2599 void checkSummary(const RetainSummary &Summ, const CallEvent &Call, 2600 CheckerContext &C) const; 2601 2602 void processSummaryOfInlined(const RetainSummary &Summ, 2603 const CallEvent &Call, 2604 CheckerContext &C) const; 2605 2606 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 2607 2608 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 2609 bool Assumption) const; 2610 2611 ProgramStateRef 2612 checkRegionChanges(ProgramStateRef state, 2613 const InvalidatedSymbols *invalidated, 2614 ArrayRef<const MemRegion *> ExplicitRegions, 2615 ArrayRef<const MemRegion *> Regions, 2616 const CallEvent *Call) const; 2617 2618 bool wantsRegionChangeUpdate(ProgramStateRef state) const { 2619 return true; 2620 } 2621 2622 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 2623 void checkReturnWithRetEffect(const ReturnStmt *S, CheckerContext &C, 2624 ExplodedNode *Pred, RetEffect RE, RefVal X, 2625 SymbolRef Sym, ProgramStateRef state) const; 2626 2627 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 2628 void checkEndFunction(CheckerContext &C) const; 2629 2630 ProgramStateRef updateSymbol(ProgramStateRef state, SymbolRef sym, 2631 RefVal V, ArgEffect E, RefVal::Kind &hasErr, 2632 CheckerContext &C) const; 2633 2634 void processNonLeakError(ProgramStateRef St, SourceRange ErrorRange, 2635 RefVal::Kind ErrorKind, SymbolRef Sym, 2636 CheckerContext &C) const; 2637 2638 void processObjCLiterals(CheckerContext &C, const Expr *Ex) const; 2639 2640 const ProgramPointTag *getDeadSymbolTag(SymbolRef sym) const; 2641 2642 ProgramStateRef handleSymbolDeath(ProgramStateRef state, 2643 SymbolRef sid, RefVal V, 2644 SmallVectorImpl<SymbolRef> &Leaked) const; 2645 2646 ProgramStateRef 2647 handleAutoreleaseCounts(ProgramStateRef state, ExplodedNode *Pred, 2648 const ProgramPointTag *Tag, CheckerContext &Ctx, 2649 SymbolRef Sym, RefVal V) const; 2650 2651 ExplodedNode *processLeaks(ProgramStateRef state, 2652 SmallVectorImpl<SymbolRef> &Leaked, 2653 CheckerContext &Ctx, 2654 ExplodedNode *Pred = nullptr) const; 2655 }; 2656 } // end anonymous namespace 2657 2658 namespace { 2659 class StopTrackingCallback : public SymbolVisitor { 2660 ProgramStateRef state; 2661 public: 2662 StopTrackingCallback(ProgramStateRef st) : state(st) {} 2663 ProgramStateRef getState() const { return state; } 2664 2665 bool VisitSymbol(SymbolRef sym) override { 2666 state = state->remove<RefBindings>(sym); 2667 return true; 2668 } 2669 }; 2670 } // end anonymous namespace 2671 2672 //===----------------------------------------------------------------------===// 2673 // Handle statements that may have an effect on refcounts. 2674 //===----------------------------------------------------------------------===// 2675 2676 void RetainCountChecker::checkPostStmt(const BlockExpr *BE, 2677 CheckerContext &C) const { 2678 2679 // Scan the BlockDecRefExprs for any object the retain count checker 2680 // may be tracking. 2681 if (!BE->getBlockDecl()->hasCaptures()) 2682 return; 2683 2684 ProgramStateRef state = C.getState(); 2685 const BlockDataRegion *R = 2686 cast<BlockDataRegion>(state->getSVal(BE, 2687 C.getLocationContext()).getAsRegion()); 2688 2689 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2690 E = R->referenced_vars_end(); 2691 2692 if (I == E) 2693 return; 2694 2695 // FIXME: For now we invalidate the tracking of all symbols passed to blocks 2696 // via captured variables, even though captured variables result in a copy 2697 // and in implicit increment/decrement of a retain count. 2698 SmallVector<const MemRegion*, 10> Regions; 2699 const LocationContext *LC = C.getLocationContext(); 2700 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2701 2702 for ( ; I != E; ++I) { 2703 const VarRegion *VR = I.getCapturedRegion(); 2704 if (VR->getSuperRegion() == R) { 2705 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2706 } 2707 Regions.push_back(VR); 2708 } 2709 2710 state = 2711 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2712 Regions.data() + Regions.size()).getState(); 2713 C.addTransition(state); 2714 } 2715 2716 void RetainCountChecker::checkPostStmt(const CastExpr *CE, 2717 CheckerContext &C) const { 2718 const ObjCBridgedCastExpr *BE = dyn_cast<ObjCBridgedCastExpr>(CE); 2719 if (!BE) 2720 return; 2721 2722 ArgEffect AE = IncRef; 2723 2724 switch (BE->getBridgeKind()) { 2725 case clang::OBC_Bridge: 2726 // Do nothing. 2727 return; 2728 case clang::OBC_BridgeRetained: 2729 AE = IncRef; 2730 break; 2731 case clang::OBC_BridgeTransfer: 2732 AE = DecRefBridgedTransferred; 2733 break; 2734 } 2735 2736 ProgramStateRef state = C.getState(); 2737 SymbolRef Sym = state->getSVal(CE, C.getLocationContext()).getAsLocSymbol(); 2738 if (!Sym) 2739 return; 2740 const RefVal* T = getRefBinding(state, Sym); 2741 if (!T) 2742 return; 2743 2744 RefVal::Kind hasErr = (RefVal::Kind) 0; 2745 state = updateSymbol(state, Sym, *T, AE, hasErr, C); 2746 2747 if (hasErr) { 2748 // FIXME: If we get an error during a bridge cast, should we report it? 2749 // Should we assert that there is no error? 2750 return; 2751 } 2752 2753 C.addTransition(state); 2754 } 2755 2756 void RetainCountChecker::processObjCLiterals(CheckerContext &C, 2757 const Expr *Ex) const { 2758 ProgramStateRef state = C.getState(); 2759 const ExplodedNode *pred = C.getPredecessor(); 2760 for (Stmt::const_child_iterator it = Ex->child_begin(), et = Ex->child_end() ; 2761 it != et ; ++it) { 2762 const Stmt *child = *it; 2763 SVal V = state->getSVal(child, pred->getLocationContext()); 2764 if (SymbolRef sym = V.getAsSymbol()) 2765 if (const RefVal* T = getRefBinding(state, sym)) { 2766 RefVal::Kind hasErr = (RefVal::Kind) 0; 2767 state = updateSymbol(state, sym, *T, MayEscape, hasErr, C); 2768 if (hasErr) { 2769 processNonLeakError(state, child->getSourceRange(), hasErr, sym, C); 2770 return; 2771 } 2772 } 2773 } 2774 2775 // Return the object as autoreleased. 2776 // RetEffect RE = RetEffect::MakeNotOwned(RetEffect::ObjC); 2777 if (SymbolRef sym = 2778 state->getSVal(Ex, pred->getLocationContext()).getAsSymbol()) { 2779 QualType ResultTy = Ex->getType(); 2780 state = setRefBinding(state, sym, 2781 RefVal::makeNotOwned(RetEffect::ObjC, ResultTy)); 2782 } 2783 2784 C.addTransition(state); 2785 } 2786 2787 void RetainCountChecker::checkPostStmt(const ObjCArrayLiteral *AL, 2788 CheckerContext &C) const { 2789 // Apply the 'MayEscape' to all values. 2790 processObjCLiterals(C, AL); 2791 } 2792 2793 void RetainCountChecker::checkPostStmt(const ObjCDictionaryLiteral *DL, 2794 CheckerContext &C) const { 2795 // Apply the 'MayEscape' to all keys and values. 2796 processObjCLiterals(C, DL); 2797 } 2798 2799 void RetainCountChecker::checkPostStmt(const ObjCBoxedExpr *Ex, 2800 CheckerContext &C) const { 2801 const ExplodedNode *Pred = C.getPredecessor(); 2802 const LocationContext *LCtx = Pred->getLocationContext(); 2803 ProgramStateRef State = Pred->getState(); 2804 2805 if (SymbolRef Sym = State->getSVal(Ex, LCtx).getAsSymbol()) { 2806 QualType ResultTy = Ex->getType(); 2807 State = setRefBinding(State, Sym, 2808 RefVal::makeNotOwned(RetEffect::ObjC, ResultTy)); 2809 } 2810 2811 C.addTransition(State); 2812 } 2813 2814 static bool wasLoadedFromIvar(SymbolRef Sym) { 2815 if (auto DerivedVal = dyn_cast<SymbolDerived>(Sym)) 2816 return isa<ObjCIvarRegion>(DerivedVal->getRegion()); 2817 if (auto RegionVal = dyn_cast<SymbolRegionValue>(Sym)) 2818 return isa<ObjCIvarRegion>(RegionVal->getRegion()); 2819 return false; 2820 } 2821 2822 void RetainCountChecker::checkPostStmt(const ObjCIvarRefExpr *IRE, 2823 CheckerContext &C) const { 2824 Optional<Loc> IVarLoc = C.getSVal(IRE).getAs<Loc>(); 2825 if (!IVarLoc) 2826 return; 2827 2828 ProgramStateRef State = C.getState(); 2829 SymbolRef Sym = State->getSVal(*IVarLoc).getAsSymbol(); 2830 if (!Sym || !wasLoadedFromIvar(Sym)) 2831 return; 2832 2833 // Accessing an ivar directly is unusual. If we've done that, be more 2834 // forgiving about what the surrounding code is allowed to do. 2835 2836 QualType Ty = Sym->getType(); 2837 RetEffect::ObjKind Kind; 2838 if (Ty->isObjCRetainableType()) 2839 Kind = RetEffect::ObjC; 2840 else if (coreFoundation::isCFObjectRef(Ty)) 2841 Kind = RetEffect::CF; 2842 else 2843 return; 2844 2845 // If the value is already known to be nil, don't bother tracking it. 2846 ConstraintManager &CMgr = State->getConstraintManager(); 2847 if (CMgr.isNull(State, Sym).isConstrainedTrue()) 2848 return; 2849 2850 if (const RefVal *RV = getRefBinding(State, Sym)) { 2851 // If we've seen this symbol before, or we're only seeing it now because 2852 // of something the analyzer has synthesized, don't do anything. 2853 if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None || 2854 isSynthesizedAccessor(C.getStackFrame())) { 2855 return; 2856 } 2857 2858 // Note that this value has been loaded from an ivar. 2859 C.addTransition(setRefBinding(State, Sym, RV->withIvarAccess())); 2860 return; 2861 } 2862 2863 RefVal PlusZero = RefVal::makeNotOwned(Kind, Ty); 2864 2865 // In a synthesized accessor, the effective retain count is +0. 2866 if (isSynthesizedAccessor(C.getStackFrame())) { 2867 C.addTransition(setRefBinding(State, Sym, PlusZero)); 2868 return; 2869 } 2870 2871 State = setRefBinding(State, Sym, PlusZero.withIvarAccess()); 2872 C.addTransition(State); 2873 } 2874 2875 void RetainCountChecker::checkPostCall(const CallEvent &Call, 2876 CheckerContext &C) const { 2877 RetainSummaryManager &Summaries = getSummaryManager(C); 2878 const RetainSummary *Summ = Summaries.getSummary(Call, C.getState()); 2879 2880 if (C.wasInlined) { 2881 processSummaryOfInlined(*Summ, Call, C); 2882 return; 2883 } 2884 checkSummary(*Summ, Call, C); 2885 } 2886 2887 /// GetReturnType - Used to get the return type of a message expression or 2888 /// function call with the intention of affixing that type to a tracked symbol. 2889 /// While the return type can be queried directly from RetEx, when 2890 /// invoking class methods we augment to the return type to be that of 2891 /// a pointer to the class (as opposed it just being id). 2892 // FIXME: We may be able to do this with related result types instead. 2893 // This function is probably overestimating. 2894 static QualType GetReturnType(const Expr *RetE, ASTContext &Ctx) { 2895 QualType RetTy = RetE->getType(); 2896 // If RetE is not a message expression just return its type. 2897 // If RetE is a message expression, return its types if it is something 2898 /// more specific than id. 2899 if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(RetE)) 2900 if (const ObjCObjectPointerType *PT = RetTy->getAs<ObjCObjectPointerType>()) 2901 if (PT->isObjCQualifiedIdType() || PT->isObjCIdType() || 2902 PT->isObjCClassType()) { 2903 // At this point we know the return type of the message expression is 2904 // id, id<...>, or Class. If we have an ObjCInterfaceDecl, we know this 2905 // is a call to a class method whose type we can resolve. In such 2906 // cases, promote the return type to XXX* (where XXX is the class). 2907 const ObjCInterfaceDecl *D = ME->getReceiverInterface(); 2908 return !D ? RetTy : 2909 Ctx.getObjCObjectPointerType(Ctx.getObjCInterfaceType(D)); 2910 } 2911 2912 return RetTy; 2913 } 2914 2915 // We don't always get the exact modeling of the function with regards to the 2916 // retain count checker even when the function is inlined. For example, we need 2917 // to stop tracking the symbols which were marked with StopTrackingHard. 2918 void RetainCountChecker::processSummaryOfInlined(const RetainSummary &Summ, 2919 const CallEvent &CallOrMsg, 2920 CheckerContext &C) const { 2921 ProgramStateRef state = C.getState(); 2922 2923 // Evaluate the effect of the arguments. 2924 for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) { 2925 if (Summ.getArg(idx) == StopTrackingHard) { 2926 SVal V = CallOrMsg.getArgSVal(idx); 2927 if (SymbolRef Sym = V.getAsLocSymbol()) { 2928 state = removeRefBinding(state, Sym); 2929 } 2930 } 2931 } 2932 2933 // Evaluate the effect on the message receiver. 2934 const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg); 2935 if (MsgInvocation) { 2936 if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) { 2937 if (Summ.getReceiverEffect() == StopTrackingHard) { 2938 state = removeRefBinding(state, Sym); 2939 } 2940 } 2941 } 2942 2943 // Consult the summary for the return value. 2944 RetEffect RE = Summ.getRetEffect(); 2945 if (RE.getKind() == RetEffect::NoRetHard) { 2946 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 2947 if (Sym) 2948 state = removeRefBinding(state, Sym); 2949 } 2950 2951 C.addTransition(state); 2952 } 2953 2954 void RetainCountChecker::checkSummary(const RetainSummary &Summ, 2955 const CallEvent &CallOrMsg, 2956 CheckerContext &C) const { 2957 ProgramStateRef state = C.getState(); 2958 2959 // Evaluate the effect of the arguments. 2960 RefVal::Kind hasErr = (RefVal::Kind) 0; 2961 SourceRange ErrorRange; 2962 SymbolRef ErrorSym = nullptr; 2963 2964 for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) { 2965 SVal V = CallOrMsg.getArgSVal(idx); 2966 2967 if (SymbolRef Sym = V.getAsLocSymbol()) { 2968 if (const RefVal *T = getRefBinding(state, Sym)) { 2969 state = updateSymbol(state, Sym, *T, Summ.getArg(idx), hasErr, C); 2970 if (hasErr) { 2971 ErrorRange = CallOrMsg.getArgSourceRange(idx); 2972 ErrorSym = Sym; 2973 break; 2974 } 2975 } 2976 } 2977 } 2978 2979 // Evaluate the effect on the message receiver. 2980 bool ReceiverIsTracked = false; 2981 if (!hasErr) { 2982 const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg); 2983 if (MsgInvocation) { 2984 if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) { 2985 if (const RefVal *T = getRefBinding(state, Sym)) { 2986 ReceiverIsTracked = true; 2987 state = updateSymbol(state, Sym, *T, Summ.getReceiverEffect(), 2988 hasErr, C); 2989 if (hasErr) { 2990 ErrorRange = MsgInvocation->getOriginExpr()->getReceiverRange(); 2991 ErrorSym = Sym; 2992 } 2993 } 2994 } 2995 } 2996 } 2997 2998 // Process any errors. 2999 if (hasErr) { 3000 processNonLeakError(state, ErrorRange, hasErr, ErrorSym, C); 3001 return; 3002 } 3003 3004 // Consult the summary for the return value. 3005 RetEffect RE = Summ.getRetEffect(); 3006 3007 if (RE.getKind() == RetEffect::OwnedWhenTrackedReceiver) { 3008 if (ReceiverIsTracked) 3009 RE = getSummaryManager(C).getObjAllocRetEffect(); 3010 else 3011 RE = RetEffect::MakeNoRet(); 3012 } 3013 3014 switch (RE.getKind()) { 3015 default: 3016 llvm_unreachable("Unhandled RetEffect."); 3017 3018 case RetEffect::NoRet: 3019 case RetEffect::NoRetHard: 3020 // No work necessary. 3021 break; 3022 3023 case RetEffect::OwnedAllocatedSymbol: 3024 case RetEffect::OwnedSymbol: { 3025 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 3026 if (!Sym) 3027 break; 3028 3029 // Use the result type from the CallEvent as it automatically adjusts 3030 // for methods/functions that return references. 3031 QualType ResultTy = CallOrMsg.getResultType(); 3032 state = setRefBinding(state, Sym, RefVal::makeOwned(RE.getObjKind(), 3033 ResultTy)); 3034 3035 // FIXME: Add a flag to the checker where allocations are assumed to 3036 // *not* fail. 3037 break; 3038 } 3039 3040 case RetEffect::GCNotOwnedSymbol: 3041 case RetEffect::NotOwnedSymbol: { 3042 const Expr *Ex = CallOrMsg.getOriginExpr(); 3043 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 3044 if (!Sym) 3045 break; 3046 assert(Ex); 3047 // Use GetReturnType in order to give [NSFoo alloc] the type NSFoo *. 3048 QualType ResultTy = GetReturnType(Ex, C.getASTContext()); 3049 state = setRefBinding(state, Sym, RefVal::makeNotOwned(RE.getObjKind(), 3050 ResultTy)); 3051 break; 3052 } 3053 } 3054 3055 // This check is actually necessary; otherwise the statement builder thinks 3056 // we've hit a previously-found path. 3057 // Normally addTransition takes care of this, but we want the node pointer. 3058 ExplodedNode *NewNode; 3059 if (state == C.getState()) { 3060 NewNode = C.getPredecessor(); 3061 } else { 3062 NewNode = C.addTransition(state); 3063 } 3064 3065 // Annotate the node with summary we used. 3066 if (NewNode) { 3067 // FIXME: This is ugly. See checkEndAnalysis for why it's necessary. 3068 if (ShouldResetSummaryLog) { 3069 SummaryLog.clear(); 3070 ShouldResetSummaryLog = false; 3071 } 3072 SummaryLog[NewNode] = &Summ; 3073 } 3074 } 3075 3076 3077 ProgramStateRef 3078 RetainCountChecker::updateSymbol(ProgramStateRef state, SymbolRef sym, 3079 RefVal V, ArgEffect E, RefVal::Kind &hasErr, 3080 CheckerContext &C) const { 3081 // In GC mode [... release] and [... retain] do nothing. 3082 // In ARC mode they shouldn't exist at all, but we just ignore them. 3083 bool IgnoreRetainMsg = C.isObjCGCEnabled(); 3084 if (!IgnoreRetainMsg) 3085 IgnoreRetainMsg = (bool)C.getASTContext().getLangOpts().ObjCAutoRefCount; 3086 3087 switch (E) { 3088 default: 3089 break; 3090 case IncRefMsg: 3091 E = IgnoreRetainMsg ? DoNothing : IncRef; 3092 break; 3093 case DecRefMsg: 3094 E = IgnoreRetainMsg ? DoNothing : DecRef; 3095 break; 3096 case DecRefMsgAndStopTrackingHard: 3097 E = IgnoreRetainMsg ? StopTracking : DecRefAndStopTrackingHard; 3098 break; 3099 case MakeCollectable: 3100 E = C.isObjCGCEnabled() ? DecRef : DoNothing; 3101 break; 3102 } 3103 3104 // Handle all use-after-releases. 3105 if (!C.isObjCGCEnabled() && V.getKind() == RefVal::Released) { 3106 V = V ^ RefVal::ErrorUseAfterRelease; 3107 hasErr = V.getKind(); 3108 return setRefBinding(state, sym, V); 3109 } 3110 3111 switch (E) { 3112 case DecRefMsg: 3113 case IncRefMsg: 3114 case MakeCollectable: 3115 case DecRefMsgAndStopTrackingHard: 3116 llvm_unreachable("DecRefMsg/IncRefMsg/MakeCollectable already converted"); 3117 3118 case Dealloc: 3119 // Any use of -dealloc in GC is *bad*. 3120 if (C.isObjCGCEnabled()) { 3121 V = V ^ RefVal::ErrorDeallocGC; 3122 hasErr = V.getKind(); 3123 break; 3124 } 3125 3126 switch (V.getKind()) { 3127 default: 3128 llvm_unreachable("Invalid RefVal state for an explicit dealloc."); 3129 case RefVal::Owned: 3130 // The object immediately transitions to the released state. 3131 V = V ^ RefVal::Released; 3132 V.clearCounts(); 3133 return setRefBinding(state, sym, V); 3134 case RefVal::NotOwned: 3135 V = V ^ RefVal::ErrorDeallocNotOwned; 3136 hasErr = V.getKind(); 3137 break; 3138 } 3139 break; 3140 3141 case MayEscape: 3142 if (V.getKind() == RefVal::Owned) { 3143 V = V ^ RefVal::NotOwned; 3144 break; 3145 } 3146 3147 // Fall-through. 3148 3149 case DoNothing: 3150 return state; 3151 3152 case Autorelease: 3153 if (C.isObjCGCEnabled()) 3154 return state; 3155 // Update the autorelease counts. 3156 V = V.autorelease(); 3157 break; 3158 3159 case StopTracking: 3160 case StopTrackingHard: 3161 return removeRefBinding(state, sym); 3162 3163 case IncRef: 3164 switch (V.getKind()) { 3165 default: 3166 llvm_unreachable("Invalid RefVal state for a retain."); 3167 case RefVal::Owned: 3168 case RefVal::NotOwned: 3169 V = V + 1; 3170 break; 3171 case RefVal::Released: 3172 // Non-GC cases are handled above. 3173 assert(C.isObjCGCEnabled()); 3174 V = (V ^ RefVal::Owned) + 1; 3175 break; 3176 } 3177 break; 3178 3179 case DecRef: 3180 case DecRefBridgedTransferred: 3181 case DecRefAndStopTrackingHard: 3182 switch (V.getKind()) { 3183 default: 3184 // case 'RefVal::Released' handled above. 3185 llvm_unreachable("Invalid RefVal state for a release."); 3186 3187 case RefVal::Owned: 3188 assert(V.getCount() > 0); 3189 if (V.getCount() == 1) { 3190 if (E == DecRefBridgedTransferred || 3191 V.getIvarAccessHistory() == 3192 RefVal::IvarAccessHistory::AccessedDirectly) 3193 V = V ^ RefVal::NotOwned; 3194 else 3195 V = V ^ RefVal::Released; 3196 } else if (E == DecRefAndStopTrackingHard) { 3197 return removeRefBinding(state, sym); 3198 } 3199 3200 V = V - 1; 3201 break; 3202 3203 case RefVal::NotOwned: 3204 if (V.getCount() > 0) { 3205 if (E == DecRefAndStopTrackingHard) 3206 return removeRefBinding(state, sym); 3207 V = V - 1; 3208 } else if (V.getIvarAccessHistory() == 3209 RefVal::IvarAccessHistory::AccessedDirectly) { 3210 // Assume that the instance variable was holding on the object at 3211 // +1, and we just didn't know. 3212 if (E == DecRefAndStopTrackingHard) 3213 return removeRefBinding(state, sym); 3214 V = V.releaseViaIvar() ^ RefVal::Released; 3215 } else { 3216 V = V ^ RefVal::ErrorReleaseNotOwned; 3217 hasErr = V.getKind(); 3218 } 3219 break; 3220 3221 case RefVal::Released: 3222 // Non-GC cases are handled above. 3223 assert(C.isObjCGCEnabled()); 3224 V = V ^ RefVal::ErrorUseAfterRelease; 3225 hasErr = V.getKind(); 3226 break; 3227 } 3228 break; 3229 } 3230 return setRefBinding(state, sym, V); 3231 } 3232 3233 void RetainCountChecker::processNonLeakError(ProgramStateRef St, 3234 SourceRange ErrorRange, 3235 RefVal::Kind ErrorKind, 3236 SymbolRef Sym, 3237 CheckerContext &C) const { 3238 // HACK: Ignore retain-count issues on values accessed through ivars, 3239 // because of cases like this: 3240 // [_contentView retain]; 3241 // [_contentView removeFromSuperview]; 3242 // [self addSubview:_contentView]; // invalidates 'self' 3243 // [_contentView release]; 3244 if (const RefVal *RV = getRefBinding(St, Sym)) 3245 if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3246 return; 3247 3248 ExplodedNode *N = C.generateSink(St); 3249 if (!N) 3250 return; 3251 3252 CFRefBug *BT; 3253 switch (ErrorKind) { 3254 default: 3255 llvm_unreachable("Unhandled error."); 3256 case RefVal::ErrorUseAfterRelease: 3257 if (!useAfterRelease) 3258 useAfterRelease.reset(new UseAfterRelease(this)); 3259 BT = &*useAfterRelease; 3260 break; 3261 case RefVal::ErrorReleaseNotOwned: 3262 if (!releaseNotOwned) 3263 releaseNotOwned.reset(new BadRelease(this)); 3264 BT = &*releaseNotOwned; 3265 break; 3266 case RefVal::ErrorDeallocGC: 3267 if (!deallocGC) 3268 deallocGC.reset(new DeallocGC(this)); 3269 BT = &*deallocGC; 3270 break; 3271 case RefVal::ErrorDeallocNotOwned: 3272 if (!deallocNotOwned) 3273 deallocNotOwned.reset(new DeallocNotOwned(this)); 3274 BT = &*deallocNotOwned; 3275 break; 3276 } 3277 3278 assert(BT); 3279 CFRefReport *report = new CFRefReport(*BT, C.getASTContext().getLangOpts(), 3280 C.isObjCGCEnabled(), SummaryLog, 3281 N, Sym); 3282 report->addRange(ErrorRange); 3283 C.emitReport(report); 3284 } 3285 3286 //===----------------------------------------------------------------------===// 3287 // Handle the return values of retain-count-related functions. 3288 //===----------------------------------------------------------------------===// 3289 3290 bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 3291 // Get the callee. We're only interested in simple C functions. 3292 ProgramStateRef state = C.getState(); 3293 const FunctionDecl *FD = C.getCalleeDecl(CE); 3294 if (!FD) 3295 return false; 3296 3297 IdentifierInfo *II = FD->getIdentifier(); 3298 if (!II) 3299 return false; 3300 3301 // For now, we're only handling the functions that return aliases of their 3302 // arguments: CFRetain and CFMakeCollectable (and their families). 3303 // Eventually we should add other functions we can model entirely, 3304 // such as CFRelease, which don't invalidate their arguments or globals. 3305 if (CE->getNumArgs() != 1) 3306 return false; 3307 3308 // Get the name of the function. 3309 StringRef FName = II->getName(); 3310 FName = FName.substr(FName.find_first_not_of('_')); 3311 3312 // See if it's one of the specific functions we know how to eval. 3313 bool canEval = false; 3314 3315 QualType ResultTy = CE->getCallReturnType(C.getASTContext()); 3316 if (ResultTy->isObjCIdType()) { 3317 // Handle: id NSMakeCollectable(CFTypeRef) 3318 canEval = II->isStr("NSMakeCollectable"); 3319 } else if (ResultTy->isPointerType()) { 3320 // Handle: (CF|CG)Retain 3321 // CFAutorelease 3322 // CFMakeCollectable 3323 // It's okay to be a little sloppy here (CGMakeCollectable doesn't exist). 3324 if (cocoa::isRefType(ResultTy, "CF", FName) || 3325 cocoa::isRefType(ResultTy, "CG", FName)) { 3326 canEval = isRetain(FD, FName) || isAutorelease(FD, FName) || 3327 isMakeCollectable(FD, FName); 3328 } 3329 } 3330 3331 if (!canEval) 3332 return false; 3333 3334 // Bind the return value. 3335 const LocationContext *LCtx = C.getLocationContext(); 3336 SVal RetVal = state->getSVal(CE->getArg(0), LCtx); 3337 if (RetVal.isUnknown()) { 3338 // If the receiver is unknown, conjure a return value. 3339 SValBuilder &SVB = C.getSValBuilder(); 3340 RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount()); 3341 } 3342 state = state->BindExpr(CE, LCtx, RetVal, false); 3343 3344 // FIXME: This should not be necessary, but otherwise the argument seems to be 3345 // considered alive during the next statement. 3346 if (const MemRegion *ArgRegion = RetVal.getAsRegion()) { 3347 // Save the refcount status of the argument. 3348 SymbolRef Sym = RetVal.getAsLocSymbol(); 3349 const RefVal *Binding = nullptr; 3350 if (Sym) 3351 Binding = getRefBinding(state, Sym); 3352 3353 // Invalidate the argument region. 3354 state = state->invalidateRegions(ArgRegion, CE, C.blockCount(), LCtx, 3355 /*CausesPointerEscape*/ false); 3356 3357 // Restore the refcount status of the argument. 3358 if (Binding) 3359 state = setRefBinding(state, Sym, *Binding); 3360 } 3361 3362 C.addTransition(state); 3363 return true; 3364 } 3365 3366 //===----------------------------------------------------------------------===// 3367 // Handle return statements. 3368 //===----------------------------------------------------------------------===// 3369 3370 void RetainCountChecker::checkPreStmt(const ReturnStmt *S, 3371 CheckerContext &C) const { 3372 3373 // Only adjust the reference count if this is the top-level call frame, 3374 // and not the result of inlining. In the future, we should do 3375 // better checking even for inlined calls, and see if they match 3376 // with their expected semantics (e.g., the method should return a retained 3377 // object, etc.). 3378 if (!C.inTopFrame()) 3379 return; 3380 3381 const Expr *RetE = S->getRetValue(); 3382 if (!RetE) 3383 return; 3384 3385 ProgramStateRef state = C.getState(); 3386 SymbolRef Sym = 3387 state->getSValAsScalarOrLoc(RetE, C.getLocationContext()).getAsLocSymbol(); 3388 if (!Sym) 3389 return; 3390 3391 // Get the reference count binding (if any). 3392 const RefVal *T = getRefBinding(state, Sym); 3393 if (!T) 3394 return; 3395 3396 // Change the reference count. 3397 RefVal X = *T; 3398 3399 switch (X.getKind()) { 3400 case RefVal::Owned: { 3401 unsigned cnt = X.getCount(); 3402 assert(cnt > 0); 3403 X.setCount(cnt - 1); 3404 X = X ^ RefVal::ReturnedOwned; 3405 break; 3406 } 3407 3408 case RefVal::NotOwned: { 3409 unsigned cnt = X.getCount(); 3410 if (cnt) { 3411 X.setCount(cnt - 1); 3412 X = X ^ RefVal::ReturnedOwned; 3413 } 3414 else { 3415 X = X ^ RefVal::ReturnedNotOwned; 3416 } 3417 break; 3418 } 3419 3420 default: 3421 return; 3422 } 3423 3424 // Update the binding. 3425 state = setRefBinding(state, Sym, X); 3426 ExplodedNode *Pred = C.addTransition(state); 3427 3428 // At this point we have updated the state properly. 3429 // Everything after this is merely checking to see if the return value has 3430 // been over- or under-retained. 3431 3432 // Did we cache out? 3433 if (!Pred) 3434 return; 3435 3436 // Update the autorelease counts. 3437 static CheckerProgramPointTag AutoreleaseTag(this, "Autorelease"); 3438 state = handleAutoreleaseCounts(state, Pred, &AutoreleaseTag, C, Sym, X); 3439 3440 // Did we cache out? 3441 if (!state) 3442 return; 3443 3444 // Get the updated binding. 3445 T = getRefBinding(state, Sym); 3446 assert(T); 3447 X = *T; 3448 3449 // Consult the summary of the enclosing method. 3450 RetainSummaryManager &Summaries = getSummaryManager(C); 3451 const Decl *CD = &Pred->getCodeDecl(); 3452 RetEffect RE = RetEffect::MakeNoRet(); 3453 3454 // FIXME: What is the convention for blocks? Is there one? 3455 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(CD)) { 3456 const RetainSummary *Summ = Summaries.getMethodSummary(MD); 3457 RE = Summ->getRetEffect(); 3458 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CD)) { 3459 if (!isa<CXXMethodDecl>(FD)) { 3460 const RetainSummary *Summ = Summaries.getFunctionSummary(FD); 3461 RE = Summ->getRetEffect(); 3462 } 3463 } 3464 3465 checkReturnWithRetEffect(S, C, Pred, RE, X, Sym, state); 3466 } 3467 3468 void RetainCountChecker::checkReturnWithRetEffect(const ReturnStmt *S, 3469 CheckerContext &C, 3470 ExplodedNode *Pred, 3471 RetEffect RE, RefVal X, 3472 SymbolRef Sym, 3473 ProgramStateRef state) const { 3474 // HACK: Ignore retain-count issues on values accessed through ivars, 3475 // because of cases like this: 3476 // [_contentView retain]; 3477 // [_contentView removeFromSuperview]; 3478 // [self addSubview:_contentView]; // invalidates 'self' 3479 // [_contentView release]; 3480 if (X.getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3481 return; 3482 3483 // Any leaks or other errors? 3484 if (X.isReturnedOwned() && X.getCount() == 0) { 3485 if (RE.getKind() != RetEffect::NoRet) { 3486 bool hasError = false; 3487 if (C.isObjCGCEnabled() && RE.getObjKind() == RetEffect::ObjC) { 3488 // Things are more complicated with garbage collection. If the 3489 // returned object is suppose to be an Objective-C object, we have 3490 // a leak (as the caller expects a GC'ed object) because no 3491 // method should return ownership unless it returns a CF object. 3492 hasError = true; 3493 X = X ^ RefVal::ErrorGCLeakReturned; 3494 } 3495 else if (!RE.isOwned()) { 3496 // Either we are using GC and the returned object is a CF type 3497 // or we aren't using GC. In either case, we expect that the 3498 // enclosing method is expected to return ownership. 3499 hasError = true; 3500 X = X ^ RefVal::ErrorLeakReturned; 3501 } 3502 3503 if (hasError) { 3504 // Generate an error node. 3505 state = setRefBinding(state, Sym, X); 3506 3507 static CheckerProgramPointTag ReturnOwnLeakTag(this, "ReturnsOwnLeak"); 3508 ExplodedNode *N = C.addTransition(state, Pred, &ReturnOwnLeakTag); 3509 if (N) { 3510 const LangOptions &LOpts = C.getASTContext().getLangOpts(); 3511 bool GCEnabled = C.isObjCGCEnabled(); 3512 CFRefReport *report = 3513 new CFRefLeakReport(*getLeakAtReturnBug(LOpts, GCEnabled), 3514 LOpts, GCEnabled, SummaryLog, 3515 N, Sym, C, IncludeAllocationLine); 3516 3517 C.emitReport(report); 3518 } 3519 } 3520 } 3521 } else if (X.isReturnedNotOwned()) { 3522 if (RE.isOwned()) { 3523 if (X.getIvarAccessHistory() == 3524 RefVal::IvarAccessHistory::AccessedDirectly) { 3525 // Assume the method was trying to transfer a +1 reference from a 3526 // strong ivar to the caller. 3527 state = setRefBinding(state, Sym, 3528 X.releaseViaIvar() ^ RefVal::ReturnedOwned); 3529 } else { 3530 // Trying to return a not owned object to a caller expecting an 3531 // owned object. 3532 state = setRefBinding(state, Sym, X ^ RefVal::ErrorReturnedNotOwned); 3533 3534 static CheckerProgramPointTag 3535 ReturnNotOwnedTag(this, "ReturnNotOwnedForOwned"); 3536 3537 ExplodedNode *N = C.addTransition(state, Pred, &ReturnNotOwnedTag); 3538 if (N) { 3539 if (!returnNotOwnedForOwned) 3540 returnNotOwnedForOwned.reset(new ReturnedNotOwnedForOwned(this)); 3541 3542 CFRefReport *report = 3543 new CFRefReport(*returnNotOwnedForOwned, 3544 C.getASTContext().getLangOpts(), 3545 C.isObjCGCEnabled(), SummaryLog, N, Sym); 3546 C.emitReport(report); 3547 } 3548 } 3549 } 3550 } 3551 } 3552 3553 //===----------------------------------------------------------------------===// 3554 // Check various ways a symbol can be invalidated. 3555 //===----------------------------------------------------------------------===// 3556 3557 void RetainCountChecker::checkBind(SVal loc, SVal val, const Stmt *S, 3558 CheckerContext &C) const { 3559 // Are we storing to something that causes the value to "escape"? 3560 bool escapes = true; 3561 3562 // A value escapes in three possible cases (this may change): 3563 // 3564 // (1) we are binding to something that is not a memory region. 3565 // (2) we are binding to a memregion that does not have stack storage 3566 // (3) we are binding to a memregion with stack storage that the store 3567 // does not understand. 3568 ProgramStateRef state = C.getState(); 3569 3570 if (Optional<loc::MemRegionVal> regionLoc = loc.getAs<loc::MemRegionVal>()) { 3571 escapes = !regionLoc->getRegion()->hasStackStorage(); 3572 3573 if (!escapes) { 3574 // To test (3), generate a new state with the binding added. If it is 3575 // the same state, then it escapes (since the store cannot represent 3576 // the binding). 3577 // Do this only if we know that the store is not supposed to generate the 3578 // same state. 3579 SVal StoredVal = state->getSVal(regionLoc->getRegion()); 3580 if (StoredVal != val) 3581 escapes = (state == (state->bindLoc(*regionLoc, val))); 3582 } 3583 if (!escapes) { 3584 // Case 4: We do not currently model what happens when a symbol is 3585 // assigned to a struct field, so be conservative here and let the symbol 3586 // go. TODO: This could definitely be improved upon. 3587 escapes = !isa<VarRegion>(regionLoc->getRegion()); 3588 } 3589 } 3590 3591 // If we are storing the value into an auto function scope variable annotated 3592 // with (__attribute__((cleanup))), stop tracking the value to avoid leak 3593 // false positives. 3594 if (const VarRegion *LVR = dyn_cast_or_null<VarRegion>(loc.getAsRegion())) { 3595 const VarDecl *VD = LVR->getDecl(); 3596 if (VD->hasAttr<CleanupAttr>()) { 3597 escapes = true; 3598 } 3599 } 3600 3601 // If our store can represent the binding and we aren't storing to something 3602 // that doesn't have local storage then just return and have the simulation 3603 // state continue as is. 3604 if (!escapes) 3605 return; 3606 3607 // Otherwise, find all symbols referenced by 'val' that we are tracking 3608 // and stop tracking them. 3609 state = state->scanReachableSymbols<StopTrackingCallback>(val).getState(); 3610 C.addTransition(state); 3611 } 3612 3613 ProgramStateRef RetainCountChecker::evalAssume(ProgramStateRef state, 3614 SVal Cond, 3615 bool Assumption) const { 3616 3617 // FIXME: We may add to the interface of evalAssume the list of symbols 3618 // whose assumptions have changed. For now we just iterate through the 3619 // bindings and check if any of the tracked symbols are NULL. This isn't 3620 // too bad since the number of symbols we will track in practice are 3621 // probably small and evalAssume is only called at branches and a few 3622 // other places. 3623 RefBindingsTy B = state->get<RefBindings>(); 3624 3625 if (B.isEmpty()) 3626 return state; 3627 3628 bool changed = false; 3629 RefBindingsTy::Factory &RefBFactory = state->get_context<RefBindings>(); 3630 3631 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3632 // Check if the symbol is null stop tracking the symbol. 3633 ConstraintManager &CMgr = state->getConstraintManager(); 3634 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 3635 if (AllocFailed.isConstrainedTrue()) { 3636 changed = true; 3637 B = RefBFactory.remove(B, I.getKey()); 3638 } 3639 } 3640 3641 if (changed) 3642 state = state->set<RefBindings>(B); 3643 3644 return state; 3645 } 3646 3647 ProgramStateRef 3648 RetainCountChecker::checkRegionChanges(ProgramStateRef state, 3649 const InvalidatedSymbols *invalidated, 3650 ArrayRef<const MemRegion *> ExplicitRegions, 3651 ArrayRef<const MemRegion *> Regions, 3652 const CallEvent *Call) const { 3653 if (!invalidated) 3654 return state; 3655 3656 llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; 3657 for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), 3658 E = ExplicitRegions.end(); I != E; ++I) { 3659 if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>()) 3660 WhitelistedSymbols.insert(SR->getSymbol()); 3661 } 3662 3663 for (InvalidatedSymbols::const_iterator I=invalidated->begin(), 3664 E = invalidated->end(); I!=E; ++I) { 3665 SymbolRef sym = *I; 3666 if (WhitelistedSymbols.count(sym)) 3667 continue; 3668 // Remove any existing reference-count binding. 3669 state = removeRefBinding(state, sym); 3670 } 3671 return state; 3672 } 3673 3674 //===----------------------------------------------------------------------===// 3675 // Handle dead symbols and end-of-path. 3676 //===----------------------------------------------------------------------===// 3677 3678 ProgramStateRef 3679 RetainCountChecker::handleAutoreleaseCounts(ProgramStateRef state, 3680 ExplodedNode *Pred, 3681 const ProgramPointTag *Tag, 3682 CheckerContext &Ctx, 3683 SymbolRef Sym, RefVal V) const { 3684 unsigned ACnt = V.getAutoreleaseCount(); 3685 3686 // No autorelease counts? Nothing to be done. 3687 if (!ACnt) 3688 return state; 3689 3690 assert(!Ctx.isObjCGCEnabled() && "Autorelease counts in GC mode?"); 3691 unsigned Cnt = V.getCount(); 3692 3693 // FIXME: Handle sending 'autorelease' to already released object. 3694 3695 if (V.getKind() == RefVal::ReturnedOwned) 3696 ++Cnt; 3697 3698 // If we would over-release here, but we know the value came from an ivar, 3699 // assume it was a strong ivar that's just been relinquished. 3700 if (ACnt > Cnt && 3701 V.getIvarAccessHistory() == RefVal::IvarAccessHistory::AccessedDirectly) { 3702 V = V.releaseViaIvar(); 3703 --ACnt; 3704 } 3705 3706 if (ACnt <= Cnt) { 3707 if (ACnt == Cnt) { 3708 V.clearCounts(); 3709 if (V.getKind() == RefVal::ReturnedOwned) 3710 V = V ^ RefVal::ReturnedNotOwned; 3711 else 3712 V = V ^ RefVal::NotOwned; 3713 } else { 3714 V.setCount(V.getCount() - ACnt); 3715 V.setAutoreleaseCount(0); 3716 } 3717 return setRefBinding(state, Sym, V); 3718 } 3719 3720 // HACK: Ignore retain-count issues on values accessed through ivars, 3721 // because of cases like this: 3722 // [_contentView retain]; 3723 // [_contentView removeFromSuperview]; 3724 // [self addSubview:_contentView]; // invalidates 'self' 3725 // [_contentView release]; 3726 if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3727 return state; 3728 3729 // Woah! More autorelease counts then retain counts left. 3730 // Emit hard error. 3731 V = V ^ RefVal::ErrorOverAutorelease; 3732 state = setRefBinding(state, Sym, V); 3733 3734 ExplodedNode *N = Ctx.generateSink(state, Pred, Tag); 3735 if (N) { 3736 SmallString<128> sbuf; 3737 llvm::raw_svector_ostream os(sbuf); 3738 os << "Object was autoreleased "; 3739 if (V.getAutoreleaseCount() > 1) 3740 os << V.getAutoreleaseCount() << " times but the object "; 3741 else 3742 os << "but "; 3743 os << "has a +" << V.getCount() << " retain count"; 3744 3745 if (!overAutorelease) 3746 overAutorelease.reset(new OverAutorelease(this)); 3747 3748 const LangOptions &LOpts = Ctx.getASTContext().getLangOpts(); 3749 CFRefReport *report = 3750 new CFRefReport(*overAutorelease, LOpts, /* GCEnabled = */ false, 3751 SummaryLog, N, Sym, os.str()); 3752 Ctx.emitReport(report); 3753 } 3754 3755 return nullptr; 3756 } 3757 3758 ProgramStateRef 3759 RetainCountChecker::handleSymbolDeath(ProgramStateRef state, 3760 SymbolRef sid, RefVal V, 3761 SmallVectorImpl<SymbolRef> &Leaked) const { 3762 bool hasLeak; 3763 3764 // HACK: Ignore retain-count issues on values accessed through ivars, 3765 // because of cases like this: 3766 // [_contentView retain]; 3767 // [_contentView removeFromSuperview]; 3768 // [self addSubview:_contentView]; // invalidates 'self' 3769 // [_contentView release]; 3770 if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3771 hasLeak = false; 3772 else if (V.isOwned()) 3773 hasLeak = true; 3774 else if (V.isNotOwned() || V.isReturnedOwned()) 3775 hasLeak = (V.getCount() > 0); 3776 else 3777 hasLeak = false; 3778 3779 if (!hasLeak) 3780 return removeRefBinding(state, sid); 3781 3782 Leaked.push_back(sid); 3783 return setRefBinding(state, sid, V ^ RefVal::ErrorLeak); 3784 } 3785 3786 ExplodedNode * 3787 RetainCountChecker::processLeaks(ProgramStateRef state, 3788 SmallVectorImpl<SymbolRef> &Leaked, 3789 CheckerContext &Ctx, 3790 ExplodedNode *Pred) const { 3791 // Generate an intermediate node representing the leak point. 3792 ExplodedNode *N = Ctx.addTransition(state, Pred); 3793 3794 if (N) { 3795 for (SmallVectorImpl<SymbolRef>::iterator 3796 I = Leaked.begin(), E = Leaked.end(); I != E; ++I) { 3797 3798 const LangOptions &LOpts = Ctx.getASTContext().getLangOpts(); 3799 bool GCEnabled = Ctx.isObjCGCEnabled(); 3800 CFRefBug *BT = Pred ? getLeakWithinFunctionBug(LOpts, GCEnabled) 3801 : getLeakAtReturnBug(LOpts, GCEnabled); 3802 assert(BT && "BugType not initialized."); 3803 3804 CFRefLeakReport *report = new CFRefLeakReport(*BT, LOpts, GCEnabled, 3805 SummaryLog, N, *I, Ctx, 3806 IncludeAllocationLine); 3807 Ctx.emitReport(report); 3808 } 3809 } 3810 3811 return N; 3812 } 3813 3814 void RetainCountChecker::checkEndFunction(CheckerContext &Ctx) const { 3815 ProgramStateRef state = Ctx.getState(); 3816 RefBindingsTy B = state->get<RefBindings>(); 3817 ExplodedNode *Pred = Ctx.getPredecessor(); 3818 3819 // Don't process anything within synthesized bodies. 3820 const LocationContext *LCtx = Pred->getLocationContext(); 3821 if (LCtx->getAnalysisDeclContext()->isBodyAutosynthesized()) { 3822 assert(LCtx->getParent()); 3823 return; 3824 } 3825 3826 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3827 state = handleAutoreleaseCounts(state, Pred, /*Tag=*/nullptr, Ctx, 3828 I->first, I->second); 3829 if (!state) 3830 return; 3831 } 3832 3833 // If the current LocationContext has a parent, don't check for leaks. 3834 // We will do that later. 3835 // FIXME: we should instead check for imbalances of the retain/releases, 3836 // and suggest annotations. 3837 if (LCtx->getParent()) 3838 return; 3839 3840 B = state->get<RefBindings>(); 3841 SmallVector<SymbolRef, 10> Leaked; 3842 3843 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) 3844 state = handleSymbolDeath(state, I->first, I->second, Leaked); 3845 3846 processLeaks(state, Leaked, Ctx, Pred); 3847 } 3848 3849 const ProgramPointTag * 3850 RetainCountChecker::getDeadSymbolTag(SymbolRef sym) const { 3851 const CheckerProgramPointTag *&tag = DeadSymbolTags[sym]; 3852 if (!tag) { 3853 SmallString<64> buf; 3854 llvm::raw_svector_ostream out(buf); 3855 out << "Dead Symbol : "; 3856 sym->dumpToStream(out); 3857 tag = new CheckerProgramPointTag(this, out.str()); 3858 } 3859 return tag; 3860 } 3861 3862 void RetainCountChecker::checkDeadSymbols(SymbolReaper &SymReaper, 3863 CheckerContext &C) const { 3864 ExplodedNode *Pred = C.getPredecessor(); 3865 3866 ProgramStateRef state = C.getState(); 3867 RefBindingsTy B = state->get<RefBindings>(); 3868 SmallVector<SymbolRef, 10> Leaked; 3869 3870 // Update counts from autorelease pools 3871 for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(), 3872 E = SymReaper.dead_end(); I != E; ++I) { 3873 SymbolRef Sym = *I; 3874 if (const RefVal *T = B.lookup(Sym)){ 3875 // Use the symbol as the tag. 3876 // FIXME: This might not be as unique as we would like. 3877 const ProgramPointTag *Tag = getDeadSymbolTag(Sym); 3878 state = handleAutoreleaseCounts(state, Pred, Tag, C, Sym, *T); 3879 if (!state) 3880 return; 3881 3882 // Fetch the new reference count from the state, and use it to handle 3883 // this symbol. 3884 state = handleSymbolDeath(state, *I, *getRefBinding(state, Sym), Leaked); 3885 } 3886 } 3887 3888 if (Leaked.empty()) { 3889 C.addTransition(state); 3890 return; 3891 } 3892 3893 Pred = processLeaks(state, Leaked, C, Pred); 3894 3895 // Did we cache out? 3896 if (!Pred) 3897 return; 3898 3899 // Now generate a new node that nukes the old bindings. 3900 // The only bindings left at this point are the leaked symbols. 3901 RefBindingsTy::Factory &F = state->get_context<RefBindings>(); 3902 B = state->get<RefBindings>(); 3903 3904 for (SmallVectorImpl<SymbolRef>::iterator I = Leaked.begin(), 3905 E = Leaked.end(); 3906 I != E; ++I) 3907 B = F.remove(B, *I); 3908 3909 state = state->set<RefBindings>(B); 3910 C.addTransition(state, Pred); 3911 } 3912 3913 void RetainCountChecker::printState(raw_ostream &Out, ProgramStateRef State, 3914 const char *NL, const char *Sep) const { 3915 3916 RefBindingsTy B = State->get<RefBindings>(); 3917 3918 if (B.isEmpty()) 3919 return; 3920 3921 Out << Sep << NL; 3922 3923 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3924 Out << I->first << " : "; 3925 I->second.print(Out); 3926 Out << NL; 3927 } 3928 } 3929 3930 //===----------------------------------------------------------------------===// 3931 // Checker registration. 3932 //===----------------------------------------------------------------------===// 3933 3934 void ento::registerRetainCountChecker(CheckerManager &Mgr) { 3935 Mgr.registerChecker<RetainCountChecker>(Mgr.getAnalyzerOptions()); 3936 } 3937 3938 //===----------------------------------------------------------------------===// 3939 // Implementation of the CallEffects API. 3940 //===----------------------------------------------------------------------===// 3941 3942 namespace clang { namespace ento { namespace objc_retain { 3943 3944 // This is a bit gross, but it allows us to populate CallEffects without 3945 // creating a bunch of accessors. This kind is very localized, so the 3946 // damage of this macro is limited. 3947 #define createCallEffect(D, KIND)\ 3948 ASTContext &Ctx = D->getASTContext();\ 3949 LangOptions L = Ctx.getLangOpts();\ 3950 RetainSummaryManager M(Ctx, L.GCOnly, L.ObjCAutoRefCount);\ 3951 const RetainSummary *S = M.get ## KIND ## Summary(D);\ 3952 CallEffects CE(S->getRetEffect());\ 3953 CE.Receiver = S->getReceiverEffect();\ 3954 unsigned N = D->param_size();\ 3955 for (unsigned i = 0; i < N; ++i) {\ 3956 CE.Args.push_back(S->getArg(i));\ 3957 } 3958 3959 CallEffects CallEffects::getEffect(const ObjCMethodDecl *MD) { 3960 createCallEffect(MD, Method); 3961 return CE; 3962 } 3963 3964 CallEffects CallEffects::getEffect(const FunctionDecl *FD) { 3965 createCallEffect(FD, Function); 3966 return CE; 3967 } 3968 3969 #undef createCallEffect 3970 3971 }}} 3972
