1 //==-- RetainCountChecker.cpp - Checks for leaks and other issues -*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines the methods for RetainCountChecker, which implements 11 // a reference count checker for Core Foundation and Cocoa on (Mac OS X). 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "AllocationDiagnostics.h" 17 #include "SelectorExtras.h" 18 #include "clang/AST/Attr.h" 19 #include "clang/AST/DeclCXX.h" 20 #include "clang/AST/DeclObjC.h" 21 #include "clang/AST/ParentMap.h" 22 #include "clang/Analysis/DomainSpecific/CocoaConventions.h" 23 #include "clang/Basic/LangOptions.h" 24 #include "clang/Basic/SourceManager.h" 25 #include "clang/StaticAnalyzer/Checkers/ObjCRetainCount.h" 26 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 27 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 28 #include "clang/StaticAnalyzer/Core/Checker.h" 29 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 30 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 31 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 32 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 33 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 34 #include "llvm/ADT/DenseMap.h" 35 #include "llvm/ADT/FoldingSet.h" 36 #include "llvm/ADT/ImmutableList.h" 37 #include "llvm/ADT/ImmutableMap.h" 38 #include "llvm/ADT/STLExtras.h" 39 #include "llvm/ADT/SmallString.h" 40 #include "llvm/ADT/StringExtras.h" 41 #include <cstdarg> 42 43 using namespace clang; 44 using namespace ento; 45 using namespace objc_retain; 46 using llvm::StrInStrNoCase; 47 48 //===----------------------------------------------------------------------===// 49 // Adapters for FoldingSet. 50 //===----------------------------------------------------------------------===// 51 52 namespace llvm { 53 template <> struct FoldingSetTrait<ArgEffect> { 54 static inline void Profile(const ArgEffect X, FoldingSetNodeID &ID) { 55 ID.AddInteger((unsigned) X); 56 } 57 }; 58 template <> struct FoldingSetTrait<RetEffect> { 59 static inline void Profile(const RetEffect &X, FoldingSetNodeID &ID) { 60 ID.AddInteger((unsigned) X.getKind()); 61 ID.AddInteger((unsigned) X.getObjKind()); 62 } 63 }; 64 } // end llvm namespace 65 66 //===----------------------------------------------------------------------===// 67 // Reference-counting logic (typestate + counts). 68 //===----------------------------------------------------------------------===// 69 70 /// ArgEffects summarizes the effects of a function/method call on all of 71 /// its arguments. 72 typedef llvm::ImmutableMap<unsigned,ArgEffect> ArgEffects; 73 74 namespace { 75 class RefVal { 76 public: 77 enum Kind { 78 Owned = 0, // Owning reference. 79 NotOwned, // Reference is not owned by still valid (not freed). 80 Released, // Object has been released. 81 ReturnedOwned, // Returned object passes ownership to caller. 82 ReturnedNotOwned, // Return object does not pass ownership to caller. 83 ERROR_START, 84 ErrorDeallocNotOwned, // -dealloc called on non-owned object. 85 ErrorDeallocGC, // Calling -dealloc with GC enabled. 86 ErrorUseAfterRelease, // Object used after released. 87 ErrorReleaseNotOwned, // Release of an object that was not owned. 88 ERROR_LEAK_START, 89 ErrorLeak, // A memory leak due to excessive reference counts. 90 ErrorLeakReturned, // A memory leak due to the returning method not having 91 // the correct naming conventions. 92 ErrorGCLeakReturned, 93 ErrorOverAutorelease, 94 ErrorReturnedNotOwned 95 }; 96 97 /// Tracks how an object referenced by an ivar has been used. 98 /// 99 /// This accounts for us not knowing if an arbitrary ivar is supposed to be 100 /// stored at +0 or +1. 101 enum class IvarAccessHistory { 102 None, 103 AccessedDirectly, 104 ReleasedAfterDirectAccess 105 }; 106 107 private: 108 /// The number of outstanding retains. 109 unsigned Cnt; 110 /// The number of outstanding autoreleases. 111 unsigned ACnt; 112 /// The (static) type of the object at the time we started tracking it. 113 QualType T; 114 115 /// The current state of the object. 116 /// 117 /// See the RefVal::Kind enum for possible values. 118 unsigned RawKind : 5; 119 120 /// The kind of object being tracked (CF or ObjC), if known. 121 /// 122 /// See the RetEffect::ObjKind enum for possible values. 123 unsigned RawObjectKind : 2; 124 125 /// True if the current state and/or retain count may turn out to not be the 126 /// best possible approximation of the reference counting state. 127 /// 128 /// If true, the checker may decide to throw away ("override") this state 129 /// in favor of something else when it sees the object being used in new ways. 130 /// 131 /// This setting should not be propagated to state derived from this state. 132 /// Once we start deriving new states, it would be inconsistent to override 133 /// them. 134 unsigned RawIvarAccessHistory : 2; 135 136 RefVal(Kind k, RetEffect::ObjKind o, unsigned cnt, unsigned acnt, QualType t, 137 IvarAccessHistory IvarAccess) 138 : Cnt(cnt), ACnt(acnt), T(t), RawKind(static_cast<unsigned>(k)), 139 RawObjectKind(static_cast<unsigned>(o)), 140 RawIvarAccessHistory(static_cast<unsigned>(IvarAccess)) { 141 assert(getKind() == k && "not enough bits for the kind"); 142 assert(getObjKind() == o && "not enough bits for the object kind"); 143 assert(getIvarAccessHistory() == IvarAccess && "not enough bits"); 144 } 145 146 public: 147 Kind getKind() const { return static_cast<Kind>(RawKind); } 148 149 RetEffect::ObjKind getObjKind() const { 150 return static_cast<RetEffect::ObjKind>(RawObjectKind); 151 } 152 153 unsigned getCount() const { return Cnt; } 154 unsigned getAutoreleaseCount() const { return ACnt; } 155 unsigned getCombinedCounts() const { return Cnt + ACnt; } 156 void clearCounts() { 157 Cnt = 0; 158 ACnt = 0; 159 } 160 void setCount(unsigned i) { 161 Cnt = i; 162 } 163 void setAutoreleaseCount(unsigned i) { 164 ACnt = i; 165 } 166 167 QualType getType() const { return T; } 168 169 /// Returns what the analyzer knows about direct accesses to a particular 170 /// instance variable. 171 /// 172 /// If the object with this refcount wasn't originally from an Objective-C 173 /// ivar region, this should always return IvarAccessHistory::None. 174 IvarAccessHistory getIvarAccessHistory() const { 175 return static_cast<IvarAccessHistory>(RawIvarAccessHistory); 176 } 177 178 bool isOwned() const { 179 return getKind() == Owned; 180 } 181 182 bool isNotOwned() const { 183 return getKind() == NotOwned; 184 } 185 186 bool isReturnedOwned() const { 187 return getKind() == ReturnedOwned; 188 } 189 190 bool isReturnedNotOwned() const { 191 return getKind() == ReturnedNotOwned; 192 } 193 194 /// Create a state for an object whose lifetime is the responsibility of the 195 /// current function, at least partially. 196 /// 197 /// Most commonly, this is an owned object with a retain count of +1. 198 static RefVal makeOwned(RetEffect::ObjKind o, QualType t, 199 unsigned Count = 1) { 200 return RefVal(Owned, o, Count, 0, t, IvarAccessHistory::None); 201 } 202 203 /// Create a state for an object whose lifetime is not the responsibility of 204 /// the current function. 205 /// 206 /// Most commonly, this is an unowned object with a retain count of +0. 207 static RefVal makeNotOwned(RetEffect::ObjKind o, QualType t, 208 unsigned Count = 0) { 209 return RefVal(NotOwned, o, Count, 0, t, IvarAccessHistory::None); 210 } 211 212 RefVal operator-(size_t i) const { 213 return RefVal(getKind(), getObjKind(), getCount() - i, 214 getAutoreleaseCount(), getType(), getIvarAccessHistory()); 215 } 216 217 RefVal operator+(size_t i) const { 218 return RefVal(getKind(), getObjKind(), getCount() + i, 219 getAutoreleaseCount(), getType(), getIvarAccessHistory()); 220 } 221 222 RefVal operator^(Kind k) const { 223 return RefVal(k, getObjKind(), getCount(), getAutoreleaseCount(), 224 getType(), getIvarAccessHistory()); 225 } 226 227 RefVal autorelease() const { 228 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount()+1, 229 getType(), getIvarAccessHistory()); 230 } 231 232 RefVal withIvarAccess() const { 233 assert(getIvarAccessHistory() == IvarAccessHistory::None); 234 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(), 235 getType(), IvarAccessHistory::AccessedDirectly); 236 } 237 238 RefVal releaseViaIvar() const { 239 assert(getIvarAccessHistory() == IvarAccessHistory::AccessedDirectly); 240 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(), 241 getType(), IvarAccessHistory::ReleasedAfterDirectAccess); 242 } 243 244 // Comparison, profiling, and pretty-printing. 245 246 bool hasSameState(const RefVal &X) const { 247 return getKind() == X.getKind() && Cnt == X.Cnt && ACnt == X.ACnt && 248 getIvarAccessHistory() == X.getIvarAccessHistory(); 249 } 250 251 bool operator==(const RefVal& X) const { 252 return T == X.T && hasSameState(X) && getObjKind() == X.getObjKind(); 253 } 254 255 void Profile(llvm::FoldingSetNodeID& ID) const { 256 ID.Add(T); 257 ID.AddInteger(RawKind); 258 ID.AddInteger(Cnt); 259 ID.AddInteger(ACnt); 260 ID.AddInteger(RawObjectKind); 261 ID.AddInteger(RawIvarAccessHistory); 262 } 263 264 void print(raw_ostream &Out) const; 265 }; 266 267 void RefVal::print(raw_ostream &Out) const { 268 if (!T.isNull()) 269 Out << "Tracked " << T.getAsString() << '/'; 270 271 switch (getKind()) { 272 default: llvm_unreachable("Invalid RefVal kind"); 273 case Owned: { 274 Out << "Owned"; 275 unsigned cnt = getCount(); 276 if (cnt) Out << " (+ " << cnt << ")"; 277 break; 278 } 279 280 case NotOwned: { 281 Out << "NotOwned"; 282 unsigned cnt = getCount(); 283 if (cnt) Out << " (+ " << cnt << ")"; 284 break; 285 } 286 287 case ReturnedOwned: { 288 Out << "ReturnedOwned"; 289 unsigned cnt = getCount(); 290 if (cnt) Out << " (+ " << cnt << ")"; 291 break; 292 } 293 294 case ReturnedNotOwned: { 295 Out << "ReturnedNotOwned"; 296 unsigned cnt = getCount(); 297 if (cnt) Out << " (+ " << cnt << ")"; 298 break; 299 } 300 301 case Released: 302 Out << "Released"; 303 break; 304 305 case ErrorDeallocGC: 306 Out << "-dealloc (GC)"; 307 break; 308 309 case ErrorDeallocNotOwned: 310 Out << "-dealloc (not-owned)"; 311 break; 312 313 case ErrorLeak: 314 Out << "Leaked"; 315 break; 316 317 case ErrorLeakReturned: 318 Out << "Leaked (Bad naming)"; 319 break; 320 321 case ErrorGCLeakReturned: 322 Out << "Leaked (GC-ed at return)"; 323 break; 324 325 case ErrorUseAfterRelease: 326 Out << "Use-After-Release [ERROR]"; 327 break; 328 329 case ErrorReleaseNotOwned: 330 Out << "Release of Not-Owned [ERROR]"; 331 break; 332 333 case RefVal::ErrorOverAutorelease: 334 Out << "Over-autoreleased"; 335 break; 336 337 case RefVal::ErrorReturnedNotOwned: 338 Out << "Non-owned object returned instead of owned"; 339 break; 340 } 341 342 switch (getIvarAccessHistory()) { 343 case IvarAccessHistory::None: 344 break; 345 case IvarAccessHistory::AccessedDirectly: 346 Out << " [direct ivar access]"; 347 break; 348 case IvarAccessHistory::ReleasedAfterDirectAccess: 349 Out << " [released after direct ivar access]"; 350 } 351 352 if (ACnt) { 353 Out << " [autorelease -" << ACnt << ']'; 354 } 355 } 356 } //end anonymous namespace 357 358 //===----------------------------------------------------------------------===// 359 // RefBindings - State used to track object reference counts. 360 //===----------------------------------------------------------------------===// 361 362 REGISTER_MAP_WITH_PROGRAMSTATE(RefBindings, SymbolRef, RefVal) 363 364 static inline const RefVal *getRefBinding(ProgramStateRef State, 365 SymbolRef Sym) { 366 return State->get<RefBindings>(Sym); 367 } 368 369 static inline ProgramStateRef setRefBinding(ProgramStateRef State, 370 SymbolRef Sym, RefVal Val) { 371 return State->set<RefBindings>(Sym, Val); 372 } 373 374 static ProgramStateRef removeRefBinding(ProgramStateRef State, SymbolRef Sym) { 375 return State->remove<RefBindings>(Sym); 376 } 377 378 //===----------------------------------------------------------------------===// 379 // Function/Method behavior summaries. 380 //===----------------------------------------------------------------------===// 381 382 namespace { 383 class RetainSummary { 384 /// Args - a map of (index, ArgEffect) pairs, where index 385 /// specifies the argument (starting from 0). This can be sparsely 386 /// populated; arguments with no entry in Args use 'DefaultArgEffect'. 387 ArgEffects Args; 388 389 /// DefaultArgEffect - The default ArgEffect to apply to arguments that 390 /// do not have an entry in Args. 391 ArgEffect DefaultArgEffect; 392 393 /// Receiver - If this summary applies to an Objective-C message expression, 394 /// this is the effect applied to the state of the receiver. 395 ArgEffect Receiver; 396 397 /// Ret - The effect on the return value. Used to indicate if the 398 /// function/method call returns a new tracked symbol. 399 RetEffect Ret; 400 401 public: 402 RetainSummary(ArgEffects A, RetEffect R, ArgEffect defaultEff, 403 ArgEffect ReceiverEff) 404 : Args(A), DefaultArgEffect(defaultEff), Receiver(ReceiverEff), Ret(R) {} 405 406 /// getArg - Return the argument effect on the argument specified by 407 /// idx (starting from 0). 408 ArgEffect getArg(unsigned idx) const { 409 if (const ArgEffect *AE = Args.lookup(idx)) 410 return *AE; 411 412 return DefaultArgEffect; 413 } 414 415 void addArg(ArgEffects::Factory &af, unsigned idx, ArgEffect e) { 416 Args = af.add(Args, idx, e); 417 } 418 419 /// setDefaultArgEffect - Set the default argument effect. 420 void setDefaultArgEffect(ArgEffect E) { 421 DefaultArgEffect = E; 422 } 423 424 /// getRetEffect - Returns the effect on the return value of the call. 425 RetEffect getRetEffect() const { return Ret; } 426 427 /// setRetEffect - Set the effect of the return value of the call. 428 void setRetEffect(RetEffect E) { Ret = E; } 429 430 431 /// Sets the effect on the receiver of the message. 432 void setReceiverEffect(ArgEffect e) { Receiver = e; } 433 434 /// getReceiverEffect - Returns the effect on the receiver of the call. 435 /// This is only meaningful if the summary applies to an ObjCMessageExpr*. 436 ArgEffect getReceiverEffect() const { return Receiver; } 437 438 /// Test if two retain summaries are identical. Note that merely equivalent 439 /// summaries are not necessarily identical (for example, if an explicit 440 /// argument effect matches the default effect). 441 bool operator==(const RetainSummary &Other) const { 442 return Args == Other.Args && DefaultArgEffect == Other.DefaultArgEffect && 443 Receiver == Other.Receiver && Ret == Other.Ret; 444 } 445 446 /// Profile this summary for inclusion in a FoldingSet. 447 void Profile(llvm::FoldingSetNodeID& ID) const { 448 ID.Add(Args); 449 ID.Add(DefaultArgEffect); 450 ID.Add(Receiver); 451 ID.Add(Ret); 452 } 453 454 /// A retain summary is simple if it has no ArgEffects other than the default. 455 bool isSimple() const { 456 return Args.isEmpty(); 457 } 458 459 private: 460 ArgEffects getArgEffects() const { return Args; } 461 ArgEffect getDefaultArgEffect() const { return DefaultArgEffect; } 462 463 friend class RetainSummaryManager; 464 }; 465 } // end anonymous namespace 466 467 //===----------------------------------------------------------------------===// 468 // Data structures for constructing summaries. 469 //===----------------------------------------------------------------------===// 470 471 namespace { 472 class ObjCSummaryKey { 473 IdentifierInfo* II; 474 Selector S; 475 public: 476 ObjCSummaryKey(IdentifierInfo* ii, Selector s) 477 : II(ii), S(s) {} 478 479 ObjCSummaryKey(const ObjCInterfaceDecl *d, Selector s) 480 : II(d ? d->getIdentifier() : nullptr), S(s) {} 481 482 ObjCSummaryKey(Selector s) 483 : II(nullptr), S(s) {} 484 485 IdentifierInfo *getIdentifier() const { return II; } 486 Selector getSelector() const { return S; } 487 }; 488 } // end anonymous namespace 489 490 namespace llvm { 491 template <> struct DenseMapInfo<ObjCSummaryKey> { 492 static inline ObjCSummaryKey getEmptyKey() { 493 return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getEmptyKey(), 494 DenseMapInfo<Selector>::getEmptyKey()); 495 } 496 497 static inline ObjCSummaryKey getTombstoneKey() { 498 return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getTombstoneKey(), 499 DenseMapInfo<Selector>::getTombstoneKey()); 500 } 501 502 static unsigned getHashValue(const ObjCSummaryKey &V) { 503 typedef std::pair<IdentifierInfo*, Selector> PairTy; 504 return DenseMapInfo<PairTy>::getHashValue(PairTy(V.getIdentifier(), 505 V.getSelector())); 506 } 507 508 static bool isEqual(const ObjCSummaryKey& LHS, const ObjCSummaryKey& RHS) { 509 return LHS.getIdentifier() == RHS.getIdentifier() && 510 LHS.getSelector() == RHS.getSelector(); 511 } 512 513 }; 514 } // end llvm namespace 515 516 namespace { 517 class ObjCSummaryCache { 518 typedef llvm::DenseMap<ObjCSummaryKey, const RetainSummary *> MapTy; 519 MapTy M; 520 public: 521 ObjCSummaryCache() {} 522 523 const RetainSummary * find(const ObjCInterfaceDecl *D, Selector S) { 524 // Do a lookup with the (D,S) pair. If we find a match return 525 // the iterator. 526 ObjCSummaryKey K(D, S); 527 MapTy::iterator I = M.find(K); 528 529 if (I != M.end()) 530 return I->second; 531 if (!D) 532 return nullptr; 533 534 // Walk the super chain. If we find a hit with a parent, we'll end 535 // up returning that summary. We actually allow that key (null,S), as 536 // we cache summaries for the null ObjCInterfaceDecl* to allow us to 537 // generate initial summaries without having to worry about NSObject 538 // being declared. 539 // FIXME: We may change this at some point. 540 for (ObjCInterfaceDecl *C=D->getSuperClass() ;; C=C->getSuperClass()) { 541 if ((I = M.find(ObjCSummaryKey(C, S))) != M.end()) 542 break; 543 544 if (!C) 545 return nullptr; 546 } 547 548 // Cache the summary with original key to make the next lookup faster 549 // and return the iterator. 550 const RetainSummary *Summ = I->second; 551 M[K] = Summ; 552 return Summ; 553 } 554 555 const RetainSummary *find(IdentifierInfo* II, Selector S) { 556 // FIXME: Class method lookup. Right now we dont' have a good way 557 // of going between IdentifierInfo* and the class hierarchy. 558 MapTy::iterator I = M.find(ObjCSummaryKey(II, S)); 559 560 if (I == M.end()) 561 I = M.find(ObjCSummaryKey(S)); 562 563 return I == M.end() ? nullptr : I->second; 564 } 565 566 const RetainSummary *& operator[](ObjCSummaryKey K) { 567 return M[K]; 568 } 569 570 const RetainSummary *& operator[](Selector S) { 571 return M[ ObjCSummaryKey(S) ]; 572 } 573 }; 574 } // end anonymous namespace 575 576 //===----------------------------------------------------------------------===// 577 // Data structures for managing collections of summaries. 578 //===----------------------------------------------------------------------===// 579 580 namespace { 581 class RetainSummaryManager { 582 583 //==-----------------------------------------------------------------==// 584 // Typedefs. 585 //==-----------------------------------------------------------------==// 586 587 typedef llvm::DenseMap<const FunctionDecl*, const RetainSummary *> 588 FuncSummariesTy; 589 590 typedef ObjCSummaryCache ObjCMethodSummariesTy; 591 592 typedef llvm::FoldingSetNodeWrapper<RetainSummary> CachedSummaryNode; 593 594 //==-----------------------------------------------------------------==// 595 // Data. 596 //==-----------------------------------------------------------------==// 597 598 /// Ctx - The ASTContext object for the analyzed ASTs. 599 ASTContext &Ctx; 600 601 /// GCEnabled - Records whether or not the analyzed code runs in GC mode. 602 const bool GCEnabled; 603 604 /// Records whether or not the analyzed code runs in ARC mode. 605 const bool ARCEnabled; 606 607 /// FuncSummaries - A map from FunctionDecls to summaries. 608 FuncSummariesTy FuncSummaries; 609 610 /// ObjCClassMethodSummaries - A map from selectors (for instance methods) 611 /// to summaries. 612 ObjCMethodSummariesTy ObjCClassMethodSummaries; 613 614 /// ObjCMethodSummaries - A map from selectors to summaries. 615 ObjCMethodSummariesTy ObjCMethodSummaries; 616 617 /// BPAlloc - A BumpPtrAllocator used for allocating summaries, ArgEffects, 618 /// and all other data used by the checker. 619 llvm::BumpPtrAllocator BPAlloc; 620 621 /// AF - A factory for ArgEffects objects. 622 ArgEffects::Factory AF; 623 624 /// ScratchArgs - A holding buffer for construct ArgEffects. 625 ArgEffects ScratchArgs; 626 627 /// ObjCAllocRetE - Default return effect for methods returning Objective-C 628 /// objects. 629 RetEffect ObjCAllocRetE; 630 631 /// ObjCInitRetE - Default return effect for init methods returning 632 /// Objective-C objects. 633 RetEffect ObjCInitRetE; 634 635 /// SimpleSummaries - Used for uniquing summaries that don't have special 636 /// effects. 637 llvm::FoldingSet<CachedSummaryNode> SimpleSummaries; 638 639 //==-----------------------------------------------------------------==// 640 // Methods. 641 //==-----------------------------------------------------------------==// 642 643 /// getArgEffects - Returns a persistent ArgEffects object based on the 644 /// data in ScratchArgs. 645 ArgEffects getArgEffects(); 646 647 enum UnaryFuncKind { cfretain, cfrelease, cfautorelease, cfmakecollectable }; 648 649 const RetainSummary *getUnarySummary(const FunctionType* FT, 650 UnaryFuncKind func); 651 652 const RetainSummary *getCFSummaryCreateRule(const FunctionDecl *FD); 653 const RetainSummary *getCFSummaryGetRule(const FunctionDecl *FD); 654 const RetainSummary *getCFCreateGetRuleSummary(const FunctionDecl *FD); 655 656 const RetainSummary *getPersistentSummary(const RetainSummary &OldSumm); 657 658 const RetainSummary *getPersistentSummary(RetEffect RetEff, 659 ArgEffect ReceiverEff = DoNothing, 660 ArgEffect DefaultEff = MayEscape) { 661 RetainSummary Summ(getArgEffects(), RetEff, DefaultEff, ReceiverEff); 662 return getPersistentSummary(Summ); 663 } 664 665 const RetainSummary *getDoNothingSummary() { 666 return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 667 } 668 669 const RetainSummary *getDefaultSummary() { 670 return getPersistentSummary(RetEffect::MakeNoRet(), 671 DoNothing, MayEscape); 672 } 673 674 const RetainSummary *getPersistentStopSummary() { 675 return getPersistentSummary(RetEffect::MakeNoRet(), 676 StopTracking, StopTracking); 677 } 678 679 void InitializeClassMethodSummaries(); 680 void InitializeMethodSummaries(); 681 private: 682 void addNSObjectClsMethSummary(Selector S, const RetainSummary *Summ) { 683 ObjCClassMethodSummaries[S] = Summ; 684 } 685 686 void addNSObjectMethSummary(Selector S, const RetainSummary *Summ) { 687 ObjCMethodSummaries[S] = Summ; 688 } 689 690 void addClassMethSummary(const char* Cls, const char* name, 691 const RetainSummary *Summ, bool isNullary = true) { 692 IdentifierInfo* ClsII = &Ctx.Idents.get(Cls); 693 Selector S = isNullary ? GetNullarySelector(name, Ctx) 694 : GetUnarySelector(name, Ctx); 695 ObjCClassMethodSummaries[ObjCSummaryKey(ClsII, S)] = Summ; 696 } 697 698 void addInstMethSummary(const char* Cls, const char* nullaryName, 699 const RetainSummary *Summ) { 700 IdentifierInfo* ClsII = &Ctx.Idents.get(Cls); 701 Selector S = GetNullarySelector(nullaryName, Ctx); 702 ObjCMethodSummaries[ObjCSummaryKey(ClsII, S)] = Summ; 703 } 704 705 void addMethodSummary(IdentifierInfo *ClsII, ObjCMethodSummariesTy &Summaries, 706 const RetainSummary *Summ, va_list argp) { 707 Selector S = getKeywordSelector(Ctx, argp); 708 Summaries[ObjCSummaryKey(ClsII, S)] = Summ; 709 } 710 711 void addInstMethSummary(const char* Cls, const RetainSummary * Summ, ...) { 712 va_list argp; 713 va_start(argp, Summ); 714 addMethodSummary(&Ctx.Idents.get(Cls), ObjCMethodSummaries, Summ, argp); 715 va_end(argp); 716 } 717 718 void addClsMethSummary(const char* Cls, const RetainSummary * Summ, ...) { 719 va_list argp; 720 va_start(argp, Summ); 721 addMethodSummary(&Ctx.Idents.get(Cls),ObjCClassMethodSummaries, Summ, argp); 722 va_end(argp); 723 } 724 725 void addClsMethSummary(IdentifierInfo *II, const RetainSummary * Summ, ...) { 726 va_list argp; 727 va_start(argp, Summ); 728 addMethodSummary(II, ObjCClassMethodSummaries, Summ, argp); 729 va_end(argp); 730 } 731 732 public: 733 734 RetainSummaryManager(ASTContext &ctx, bool gcenabled, bool usesARC) 735 : Ctx(ctx), 736 GCEnabled(gcenabled), 737 ARCEnabled(usesARC), 738 AF(BPAlloc), ScratchArgs(AF.getEmptyMap()), 739 ObjCAllocRetE(gcenabled 740 ? RetEffect::MakeGCNotOwned() 741 : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC) 742 : RetEffect::MakeOwned(RetEffect::ObjC, true))), 743 ObjCInitRetE(gcenabled 744 ? RetEffect::MakeGCNotOwned() 745 : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC) 746 : RetEffect::MakeOwnedWhenTrackedReceiver())) { 747 InitializeClassMethodSummaries(); 748 InitializeMethodSummaries(); 749 } 750 751 const RetainSummary *getSummary(const CallEvent &Call, 752 ProgramStateRef State = nullptr); 753 754 const RetainSummary *getFunctionSummary(const FunctionDecl *FD); 755 756 const RetainSummary *getMethodSummary(Selector S, const ObjCInterfaceDecl *ID, 757 const ObjCMethodDecl *MD, 758 QualType RetTy, 759 ObjCMethodSummariesTy &CachedSummaries); 760 761 const RetainSummary *getInstanceMethodSummary(const ObjCMethodCall &M, 762 ProgramStateRef State); 763 764 const RetainSummary *getClassMethodSummary(const ObjCMethodCall &M) { 765 assert(!M.isInstanceMessage()); 766 const ObjCInterfaceDecl *Class = M.getReceiverInterface(); 767 768 return getMethodSummary(M.getSelector(), Class, M.getDecl(), 769 M.getResultType(), ObjCClassMethodSummaries); 770 } 771 772 /// getMethodSummary - This version of getMethodSummary is used to query 773 /// the summary for the current method being analyzed. 774 const RetainSummary *getMethodSummary(const ObjCMethodDecl *MD) { 775 const ObjCInterfaceDecl *ID = MD->getClassInterface(); 776 Selector S = MD->getSelector(); 777 QualType ResultTy = MD->getReturnType(); 778 779 ObjCMethodSummariesTy *CachedSummaries; 780 if (MD->isInstanceMethod()) 781 CachedSummaries = &ObjCMethodSummaries; 782 else 783 CachedSummaries = &ObjCClassMethodSummaries; 784 785 return getMethodSummary(S, ID, MD, ResultTy, *CachedSummaries); 786 } 787 788 const RetainSummary *getStandardMethodSummary(const ObjCMethodDecl *MD, 789 Selector S, QualType RetTy); 790 791 /// Determine if there is a special return effect for this function or method. 792 Optional<RetEffect> getRetEffectFromAnnotations(QualType RetTy, 793 const Decl *D); 794 795 void updateSummaryFromAnnotations(const RetainSummary *&Summ, 796 const ObjCMethodDecl *MD); 797 798 void updateSummaryFromAnnotations(const RetainSummary *&Summ, 799 const FunctionDecl *FD); 800 801 void updateSummaryForCall(const RetainSummary *&Summ, 802 const CallEvent &Call); 803 804 bool isGCEnabled() const { return GCEnabled; } 805 806 bool isARCEnabled() const { return ARCEnabled; } 807 808 bool isARCorGCEnabled() const { return GCEnabled || ARCEnabled; } 809 810 RetEffect getObjAllocRetEffect() const { return ObjCAllocRetE; } 811 812 friend class RetainSummaryTemplate; 813 }; 814 815 // Used to avoid allocating long-term (BPAlloc'd) memory for default retain 816 // summaries. If a function or method looks like it has a default summary, but 817 // it has annotations, the annotations are added to the stack-based template 818 // and then copied into managed memory. 819 class RetainSummaryTemplate { 820 RetainSummaryManager &Manager; 821 const RetainSummary *&RealSummary; 822 RetainSummary ScratchSummary; 823 bool Accessed; 824 public: 825 RetainSummaryTemplate(const RetainSummary *&real, RetainSummaryManager &mgr) 826 : Manager(mgr), RealSummary(real), ScratchSummary(*real), Accessed(false) {} 827 828 ~RetainSummaryTemplate() { 829 if (Accessed) 830 RealSummary = Manager.getPersistentSummary(ScratchSummary); 831 } 832 833 RetainSummary &operator*() { 834 Accessed = true; 835 return ScratchSummary; 836 } 837 838 RetainSummary *operator->() { 839 Accessed = true; 840 return &ScratchSummary; 841 } 842 }; 843 844 } // end anonymous namespace 845 846 //===----------------------------------------------------------------------===// 847 // Implementation of checker data structures. 848 //===----------------------------------------------------------------------===// 849 850 ArgEffects RetainSummaryManager::getArgEffects() { 851 ArgEffects AE = ScratchArgs; 852 ScratchArgs = AF.getEmptyMap(); 853 return AE; 854 } 855 856 const RetainSummary * 857 RetainSummaryManager::getPersistentSummary(const RetainSummary &OldSumm) { 858 // Unique "simple" summaries -- those without ArgEffects. 859 if (OldSumm.isSimple()) { 860 llvm::FoldingSetNodeID ID; 861 OldSumm.Profile(ID); 862 863 void *Pos; 864 CachedSummaryNode *N = SimpleSummaries.FindNodeOrInsertPos(ID, Pos); 865 866 if (!N) { 867 N = (CachedSummaryNode *) BPAlloc.Allocate<CachedSummaryNode>(); 868 new (N) CachedSummaryNode(OldSumm); 869 SimpleSummaries.InsertNode(N, Pos); 870 } 871 872 return &N->getValue(); 873 } 874 875 RetainSummary *Summ = (RetainSummary *) BPAlloc.Allocate<RetainSummary>(); 876 new (Summ) RetainSummary(OldSumm); 877 return Summ; 878 } 879 880 //===----------------------------------------------------------------------===// 881 // Summary creation for functions (largely uses of Core Foundation). 882 //===----------------------------------------------------------------------===// 883 884 static bool isRetain(const FunctionDecl *FD, StringRef FName) { 885 return FName.endswith("Retain"); 886 } 887 888 static bool isRelease(const FunctionDecl *FD, StringRef FName) { 889 return FName.endswith("Release"); 890 } 891 892 static bool isAutorelease(const FunctionDecl *FD, StringRef FName) { 893 return FName.endswith("Autorelease"); 894 } 895 896 static bool isMakeCollectable(const FunctionDecl *FD, StringRef FName) { 897 // FIXME: Remove FunctionDecl parameter. 898 // FIXME: Is it really okay if MakeCollectable isn't a suffix? 899 return FName.find("MakeCollectable") != StringRef::npos; 900 } 901 902 static ArgEffect getStopTrackingHardEquivalent(ArgEffect E) { 903 switch (E) { 904 case DoNothing: 905 case Autorelease: 906 case DecRefBridgedTransferred: 907 case IncRef: 908 case IncRefMsg: 909 case MakeCollectable: 910 case UnretainedOutParameter: 911 case RetainedOutParameter: 912 case MayEscape: 913 case StopTracking: 914 case StopTrackingHard: 915 return StopTrackingHard; 916 case DecRef: 917 case DecRefAndStopTrackingHard: 918 return DecRefAndStopTrackingHard; 919 case DecRefMsg: 920 case DecRefMsgAndStopTrackingHard: 921 return DecRefMsgAndStopTrackingHard; 922 case Dealloc: 923 return Dealloc; 924 } 925 926 llvm_unreachable("Unknown ArgEffect kind"); 927 } 928 929 void RetainSummaryManager::updateSummaryForCall(const RetainSummary *&S, 930 const CallEvent &Call) { 931 if (Call.hasNonZeroCallbackArg()) { 932 ArgEffect RecEffect = 933 getStopTrackingHardEquivalent(S->getReceiverEffect()); 934 ArgEffect DefEffect = 935 getStopTrackingHardEquivalent(S->getDefaultArgEffect()); 936 937 ArgEffects CustomArgEffects = S->getArgEffects(); 938 for (ArgEffects::iterator I = CustomArgEffects.begin(), 939 E = CustomArgEffects.end(); 940 I != E; ++I) { 941 ArgEffect Translated = getStopTrackingHardEquivalent(I->second); 942 if (Translated != DefEffect) 943 ScratchArgs = AF.add(ScratchArgs, I->first, Translated); 944 } 945 946 RetEffect RE = RetEffect::MakeNoRetHard(); 947 948 // Special cases where the callback argument CANNOT free the return value. 949 // This can generally only happen if we know that the callback will only be 950 // called when the return value is already being deallocated. 951 if (const SimpleFunctionCall *FC = dyn_cast<SimpleFunctionCall>(&Call)) { 952 if (IdentifierInfo *Name = FC->getDecl()->getIdentifier()) { 953 // When the CGBitmapContext is deallocated, the callback here will free 954 // the associated data buffer. 955 if (Name->isStr("CGBitmapContextCreateWithData")) 956 RE = S->getRetEffect(); 957 } 958 } 959 960 S = getPersistentSummary(RE, RecEffect, DefEffect); 961 } 962 963 // Special case '[super init];' and '[self init];' 964 // 965 // Even though calling '[super init]' without assigning the result to self 966 // and checking if the parent returns 'nil' is a bad pattern, it is common. 967 // Additionally, our Self Init checker already warns about it. To avoid 968 // overwhelming the user with messages from both checkers, we model the case 969 // of '[super init]' in cases when it is not consumed by another expression 970 // as if the call preserves the value of 'self'; essentially, assuming it can 971 // never fail and return 'nil'. 972 // Note, we don't want to just stop tracking the value since we want the 973 // RetainCount checker to report leaks and use-after-free if SelfInit checker 974 // is turned off. 975 if (const ObjCMethodCall *MC = dyn_cast<ObjCMethodCall>(&Call)) { 976 if (MC->getMethodFamily() == OMF_init && MC->isReceiverSelfOrSuper()) { 977 978 // Check if the message is not consumed, we know it will not be used in 979 // an assignment, ex: "self = [super init]". 980 const Expr *ME = MC->getOriginExpr(); 981 const LocationContext *LCtx = MC->getLocationContext(); 982 ParentMap &PM = LCtx->getAnalysisDeclContext()->getParentMap(); 983 if (!PM.isConsumedExpr(ME)) { 984 RetainSummaryTemplate ModifiableSummaryTemplate(S, *this); 985 ModifiableSummaryTemplate->setReceiverEffect(DoNothing); 986 ModifiableSummaryTemplate->setRetEffect(RetEffect::MakeNoRet()); 987 } 988 } 989 } 990 } 991 992 const RetainSummary * 993 RetainSummaryManager::getSummary(const CallEvent &Call, 994 ProgramStateRef State) { 995 const RetainSummary *Summ; 996 switch (Call.getKind()) { 997 case CE_Function: 998 Summ = getFunctionSummary(cast<SimpleFunctionCall>(Call).getDecl()); 999 break; 1000 case CE_CXXMember: 1001 case CE_CXXMemberOperator: 1002 case CE_Block: 1003 case CE_CXXConstructor: 1004 case CE_CXXDestructor: 1005 case CE_CXXAllocator: 1006 // FIXME: These calls are currently unsupported. 1007 return getPersistentStopSummary(); 1008 case CE_ObjCMessage: { 1009 const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call); 1010 if (Msg.isInstanceMessage()) 1011 Summ = getInstanceMethodSummary(Msg, State); 1012 else 1013 Summ = getClassMethodSummary(Msg); 1014 break; 1015 } 1016 } 1017 1018 updateSummaryForCall(Summ, Call); 1019 1020 assert(Summ && "Unknown call type?"); 1021 return Summ; 1022 } 1023 1024 const RetainSummary * 1025 RetainSummaryManager::getFunctionSummary(const FunctionDecl *FD) { 1026 // If we don't know what function we're calling, use our default summary. 1027 if (!FD) 1028 return getDefaultSummary(); 1029 1030 // Look up a summary in our cache of FunctionDecls -> Summaries. 1031 FuncSummariesTy::iterator I = FuncSummaries.find(FD); 1032 if (I != FuncSummaries.end()) 1033 return I->second; 1034 1035 // No summary? Generate one. 1036 const RetainSummary *S = nullptr; 1037 bool AllowAnnotations = true; 1038 1039 do { 1040 // We generate "stop" summaries for implicitly defined functions. 1041 if (FD->isImplicit()) { 1042 S = getPersistentStopSummary(); 1043 break; 1044 } 1045 1046 // [PR 3337] Use 'getAs<FunctionType>' to strip away any typedefs on the 1047 // function's type. 1048 const FunctionType* FT = FD->getType()->getAs<FunctionType>(); 1049 const IdentifierInfo *II = FD->getIdentifier(); 1050 if (!II) 1051 break; 1052 1053 StringRef FName = II->getName(); 1054 1055 // Strip away preceding '_'. Doing this here will effect all the checks 1056 // down below. 1057 FName = FName.substr(FName.find_first_not_of('_')); 1058 1059 // Inspect the result type. 1060 QualType RetTy = FT->getReturnType(); 1061 1062 // FIXME: This should all be refactored into a chain of "summary lookup" 1063 // filters. 1064 assert(ScratchArgs.isEmpty()); 1065 1066 if (FName == "pthread_create" || FName == "pthread_setspecific") { 1067 // Part of: <rdar://problem/7299394> and <rdar://problem/11282706>. 1068 // This will be addressed better with IPA. 1069 S = getPersistentStopSummary(); 1070 } else if (FName == "NSMakeCollectable") { 1071 // Handle: id NSMakeCollectable(CFTypeRef) 1072 S = (RetTy->isObjCIdType()) 1073 ? getUnarySummary(FT, cfmakecollectable) 1074 : getPersistentStopSummary(); 1075 // The headers on OS X 10.8 use cf_consumed/ns_returns_retained, 1076 // but we can fully model NSMakeCollectable ourselves. 1077 AllowAnnotations = false; 1078 } else if (FName == "CFPlugInInstanceCreate") { 1079 S = getPersistentSummary(RetEffect::MakeNoRet()); 1080 } else if (FName == "IOBSDNameMatching" || 1081 FName == "IOServiceMatching" || 1082 FName == "IOServiceNameMatching" || 1083 FName == "IORegistryEntrySearchCFProperty" || 1084 FName == "IORegistryEntryIDMatching" || 1085 FName == "IOOpenFirmwarePathMatching") { 1086 // Part of <rdar://problem/6961230>. (IOKit) 1087 // This should be addressed using a API table. 1088 S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true), 1089 DoNothing, DoNothing); 1090 } else if (FName == "IOServiceGetMatchingService" || 1091 FName == "IOServiceGetMatchingServices") { 1092 // FIXES: <rdar://problem/6326900> 1093 // This should be addressed using a API table. This strcmp is also 1094 // a little gross, but there is no need to super optimize here. 1095 ScratchArgs = AF.add(ScratchArgs, 1, DecRef); 1096 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1097 } else if (FName == "IOServiceAddNotification" || 1098 FName == "IOServiceAddMatchingNotification") { 1099 // Part of <rdar://problem/6961230>. (IOKit) 1100 // This should be addressed using a API table. 1101 ScratchArgs = AF.add(ScratchArgs, 2, DecRef); 1102 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1103 } else if (FName == "CVPixelBufferCreateWithBytes") { 1104 // FIXES: <rdar://problem/7283567> 1105 // Eventually this can be improved by recognizing that the pixel 1106 // buffer passed to CVPixelBufferCreateWithBytes is released via 1107 // a callback and doing full IPA to make sure this is done correctly. 1108 // FIXME: This function has an out parameter that returns an 1109 // allocated object. 1110 ScratchArgs = AF.add(ScratchArgs, 7, StopTracking); 1111 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1112 } else if (FName == "CGBitmapContextCreateWithData") { 1113 // FIXES: <rdar://problem/7358899> 1114 // Eventually this can be improved by recognizing that 'releaseInfo' 1115 // passed to CGBitmapContextCreateWithData is released via 1116 // a callback and doing full IPA to make sure this is done correctly. 1117 ScratchArgs = AF.add(ScratchArgs, 8, StopTracking); 1118 S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true), 1119 DoNothing, DoNothing); 1120 } else if (FName == "CVPixelBufferCreateWithPlanarBytes") { 1121 // FIXES: <rdar://problem/7283567> 1122 // Eventually this can be improved by recognizing that the pixel 1123 // buffer passed to CVPixelBufferCreateWithPlanarBytes is released 1124 // via a callback and doing full IPA to make sure this is done 1125 // correctly. 1126 ScratchArgs = AF.add(ScratchArgs, 12, StopTracking); 1127 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1128 } else if (FName == "dispatch_set_context" || 1129 FName == "xpc_connection_set_context") { 1130 // <rdar://problem/11059275> - The analyzer currently doesn't have 1131 // a good way to reason about the finalizer function for libdispatch. 1132 // If we pass a context object that is memory managed, stop tracking it. 1133 // <rdar://problem/13783514> - Same problem, but for XPC. 1134 // FIXME: this hack should possibly go away once we can handle 1135 // libdispatch and XPC finalizers. 1136 ScratchArgs = AF.add(ScratchArgs, 1, StopTracking); 1137 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1138 } else if (FName.startswith("NSLog")) { 1139 S = getDoNothingSummary(); 1140 } else if (FName.startswith("NS") && 1141 (FName.find("Insert") != StringRef::npos)) { 1142 // Whitelist NSXXInsertXX, for example NSMapInsertIfAbsent, since they can 1143 // be deallocated by NSMapRemove. (radar://11152419) 1144 ScratchArgs = AF.add(ScratchArgs, 1, StopTracking); 1145 ScratchArgs = AF.add(ScratchArgs, 2, StopTracking); 1146 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1147 } 1148 1149 // Did we get a summary? 1150 if (S) 1151 break; 1152 1153 if (RetTy->isPointerType()) { 1154 // For CoreFoundation ('CF') types. 1155 if (cocoa::isRefType(RetTy, "CF", FName)) { 1156 if (isRetain(FD, FName)) { 1157 S = getUnarySummary(FT, cfretain); 1158 } else if (isAutorelease(FD, FName)) { 1159 S = getUnarySummary(FT, cfautorelease); 1160 // The headers use cf_consumed, but we can fully model CFAutorelease 1161 // ourselves. 1162 AllowAnnotations = false; 1163 } else if (isMakeCollectable(FD, FName)) { 1164 S = getUnarySummary(FT, cfmakecollectable); 1165 AllowAnnotations = false; 1166 } else { 1167 S = getCFCreateGetRuleSummary(FD); 1168 } 1169 1170 break; 1171 } 1172 1173 // For CoreGraphics ('CG') types. 1174 if (cocoa::isRefType(RetTy, "CG", FName)) { 1175 if (isRetain(FD, FName)) 1176 S = getUnarySummary(FT, cfretain); 1177 else 1178 S = getCFCreateGetRuleSummary(FD); 1179 1180 break; 1181 } 1182 1183 // For the Disk Arbitration API (DiskArbitration/DADisk.h) 1184 if (cocoa::isRefType(RetTy, "DADisk") || 1185 cocoa::isRefType(RetTy, "DADissenter") || 1186 cocoa::isRefType(RetTy, "DASessionRef")) { 1187 S = getCFCreateGetRuleSummary(FD); 1188 break; 1189 } 1190 1191 if (FD->hasAttr<CFAuditedTransferAttr>()) { 1192 S = getCFCreateGetRuleSummary(FD); 1193 break; 1194 } 1195 1196 break; 1197 } 1198 1199 // Check for release functions, the only kind of functions that we care 1200 // about that don't return a pointer type. 1201 if (FName[0] == 'C' && (FName[1] == 'F' || FName[1] == 'G')) { 1202 // Test for 'CGCF'. 1203 FName = FName.substr(FName.startswith("CGCF") ? 4 : 2); 1204 1205 if (isRelease(FD, FName)) 1206 S = getUnarySummary(FT, cfrelease); 1207 else { 1208 assert (ScratchArgs.isEmpty()); 1209 // Remaining CoreFoundation and CoreGraphics functions. 1210 // We use to assume that they all strictly followed the ownership idiom 1211 // and that ownership cannot be transferred. While this is technically 1212 // correct, many methods allow a tracked object to escape. For example: 1213 // 1214 // CFMutableDictionaryRef x = CFDictionaryCreateMutable(...); 1215 // CFDictionaryAddValue(y, key, x); 1216 // CFRelease(x); 1217 // ... it is okay to use 'x' since 'y' has a reference to it 1218 // 1219 // We handle this and similar cases with the follow heuristic. If the 1220 // function name contains "InsertValue", "SetValue", "AddValue", 1221 // "AppendValue", or "SetAttribute", then we assume that arguments may 1222 // "escape." This means that something else holds on to the object, 1223 // allowing it be used even after its local retain count drops to 0. 1224 ArgEffect E = (StrInStrNoCase(FName, "InsertValue") != StringRef::npos|| 1225 StrInStrNoCase(FName, "AddValue") != StringRef::npos || 1226 StrInStrNoCase(FName, "SetValue") != StringRef::npos || 1227 StrInStrNoCase(FName, "AppendValue") != StringRef::npos|| 1228 StrInStrNoCase(FName, "SetAttribute") != StringRef::npos) 1229 ? MayEscape : DoNothing; 1230 1231 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, E); 1232 } 1233 } 1234 } 1235 while (0); 1236 1237 // If we got all the way here without any luck, use a default summary. 1238 if (!S) 1239 S = getDefaultSummary(); 1240 1241 // Annotations override defaults. 1242 if (AllowAnnotations) 1243 updateSummaryFromAnnotations(S, FD); 1244 1245 FuncSummaries[FD] = S; 1246 return S; 1247 } 1248 1249 const RetainSummary * 1250 RetainSummaryManager::getCFCreateGetRuleSummary(const FunctionDecl *FD) { 1251 if (coreFoundation::followsCreateRule(FD)) 1252 return getCFSummaryCreateRule(FD); 1253 1254 return getCFSummaryGetRule(FD); 1255 } 1256 1257 const RetainSummary * 1258 RetainSummaryManager::getUnarySummary(const FunctionType* FT, 1259 UnaryFuncKind func) { 1260 1261 // Sanity check that this is *really* a unary function. This can 1262 // happen if people do weird things. 1263 const FunctionProtoType* FTP = dyn_cast<FunctionProtoType>(FT); 1264 if (!FTP || FTP->getNumParams() != 1) 1265 return getPersistentStopSummary(); 1266 1267 assert (ScratchArgs.isEmpty()); 1268 1269 ArgEffect Effect; 1270 switch (func) { 1271 case cfretain: Effect = IncRef; break; 1272 case cfrelease: Effect = DecRef; break; 1273 case cfautorelease: Effect = Autorelease; break; 1274 case cfmakecollectable: Effect = MakeCollectable; break; 1275 } 1276 1277 ScratchArgs = AF.add(ScratchArgs, 0, Effect); 1278 return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1279 } 1280 1281 const RetainSummary * 1282 RetainSummaryManager::getCFSummaryCreateRule(const FunctionDecl *FD) { 1283 assert (ScratchArgs.isEmpty()); 1284 1285 return getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true)); 1286 } 1287 1288 const RetainSummary * 1289 RetainSummaryManager::getCFSummaryGetRule(const FunctionDecl *FD) { 1290 assert (ScratchArgs.isEmpty()); 1291 return getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::CF), 1292 DoNothing, DoNothing); 1293 } 1294 1295 //===----------------------------------------------------------------------===// 1296 // Summary creation for Selectors. 1297 //===----------------------------------------------------------------------===// 1298 1299 Optional<RetEffect> 1300 RetainSummaryManager::getRetEffectFromAnnotations(QualType RetTy, 1301 const Decl *D) { 1302 if (cocoa::isCocoaObjectRef(RetTy)) { 1303 if (D->hasAttr<NSReturnsRetainedAttr>()) 1304 return ObjCAllocRetE; 1305 1306 if (D->hasAttr<NSReturnsNotRetainedAttr>() || 1307 D->hasAttr<NSReturnsAutoreleasedAttr>()) 1308 return RetEffect::MakeNotOwned(RetEffect::ObjC); 1309 1310 } else if (!RetTy->isPointerType()) { 1311 return None; 1312 } 1313 1314 if (D->hasAttr<CFReturnsRetainedAttr>()) 1315 return RetEffect::MakeOwned(RetEffect::CF, true); 1316 1317 if (D->hasAttr<CFReturnsNotRetainedAttr>()) 1318 return RetEffect::MakeNotOwned(RetEffect::CF); 1319 1320 return None; 1321 } 1322 1323 void 1324 RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ, 1325 const FunctionDecl *FD) { 1326 if (!FD) 1327 return; 1328 1329 assert(Summ && "Must have a summary to add annotations to."); 1330 RetainSummaryTemplate Template(Summ, *this); 1331 1332 // Effects on the parameters. 1333 unsigned parm_idx = 0; 1334 for (FunctionDecl::param_const_iterator pi = FD->param_begin(), 1335 pe = FD->param_end(); pi != pe; ++pi, ++parm_idx) { 1336 const ParmVarDecl *pd = *pi; 1337 if (pd->hasAttr<NSConsumedAttr>()) 1338 Template->addArg(AF, parm_idx, DecRefMsg); 1339 else if (pd->hasAttr<CFConsumedAttr>()) 1340 Template->addArg(AF, parm_idx, DecRef); 1341 else if (pd->hasAttr<CFReturnsRetainedAttr>()) { 1342 QualType PointeeTy = pd->getType()->getPointeeType(); 1343 if (!PointeeTy.isNull()) 1344 if (coreFoundation::isCFObjectRef(PointeeTy)) 1345 Template->addArg(AF, parm_idx, RetainedOutParameter); 1346 } else if (pd->hasAttr<CFReturnsNotRetainedAttr>()) { 1347 QualType PointeeTy = pd->getType()->getPointeeType(); 1348 if (!PointeeTy.isNull()) 1349 if (coreFoundation::isCFObjectRef(PointeeTy)) 1350 Template->addArg(AF, parm_idx, UnretainedOutParameter); 1351 } 1352 } 1353 1354 QualType RetTy = FD->getReturnType(); 1355 if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, FD)) 1356 Template->setRetEffect(*RetE); 1357 } 1358 1359 void 1360 RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ, 1361 const ObjCMethodDecl *MD) { 1362 if (!MD) 1363 return; 1364 1365 assert(Summ && "Must have a valid summary to add annotations to"); 1366 RetainSummaryTemplate Template(Summ, *this); 1367 1368 // Effects on the receiver. 1369 if (MD->hasAttr<NSConsumesSelfAttr>()) 1370 Template->setReceiverEffect(DecRefMsg); 1371 1372 // Effects on the parameters. 1373 unsigned parm_idx = 0; 1374 for (ObjCMethodDecl::param_const_iterator 1375 pi=MD->param_begin(), pe=MD->param_end(); 1376 pi != pe; ++pi, ++parm_idx) { 1377 const ParmVarDecl *pd = *pi; 1378 if (pd->hasAttr<NSConsumedAttr>()) 1379 Template->addArg(AF, parm_idx, DecRefMsg); 1380 else if (pd->hasAttr<CFConsumedAttr>()) { 1381 Template->addArg(AF, parm_idx, DecRef); 1382 } else if (pd->hasAttr<CFReturnsRetainedAttr>()) { 1383 QualType PointeeTy = pd->getType()->getPointeeType(); 1384 if (!PointeeTy.isNull()) 1385 if (coreFoundation::isCFObjectRef(PointeeTy)) 1386 Template->addArg(AF, parm_idx, RetainedOutParameter); 1387 } else if (pd->hasAttr<CFReturnsNotRetainedAttr>()) { 1388 QualType PointeeTy = pd->getType()->getPointeeType(); 1389 if (!PointeeTy.isNull()) 1390 if (coreFoundation::isCFObjectRef(PointeeTy)) 1391 Template->addArg(AF, parm_idx, UnretainedOutParameter); 1392 } 1393 } 1394 1395 QualType RetTy = MD->getReturnType(); 1396 if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, MD)) 1397 Template->setRetEffect(*RetE); 1398 } 1399 1400 const RetainSummary * 1401 RetainSummaryManager::getStandardMethodSummary(const ObjCMethodDecl *MD, 1402 Selector S, QualType RetTy) { 1403 // Any special effects? 1404 ArgEffect ReceiverEff = DoNothing; 1405 RetEffect ResultEff = RetEffect::MakeNoRet(); 1406 1407 // Check the method family, and apply any default annotations. 1408 switch (MD ? MD->getMethodFamily() : S.getMethodFamily()) { 1409 case OMF_None: 1410 case OMF_initialize: 1411 case OMF_performSelector: 1412 // Assume all Objective-C methods follow Cocoa Memory Management rules. 1413 // FIXME: Does the non-threaded performSelector family really belong here? 1414 // The selector could be, say, @selector(copy). 1415 if (cocoa::isCocoaObjectRef(RetTy)) 1416 ResultEff = RetEffect::MakeNotOwned(RetEffect::ObjC); 1417 else if (coreFoundation::isCFObjectRef(RetTy)) { 1418 // ObjCMethodDecl currently doesn't consider CF objects as valid return 1419 // values for alloc, new, copy, or mutableCopy, so we have to 1420 // double-check with the selector. This is ugly, but there aren't that 1421 // many Objective-C methods that return CF objects, right? 1422 if (MD) { 1423 switch (S.getMethodFamily()) { 1424 case OMF_alloc: 1425 case OMF_new: 1426 case OMF_copy: 1427 case OMF_mutableCopy: 1428 ResultEff = RetEffect::MakeOwned(RetEffect::CF, true); 1429 break; 1430 default: 1431 ResultEff = RetEffect::MakeNotOwned(RetEffect::CF); 1432 break; 1433 } 1434 } else { 1435 ResultEff = RetEffect::MakeNotOwned(RetEffect::CF); 1436 } 1437 } 1438 break; 1439 case OMF_init: 1440 ResultEff = ObjCInitRetE; 1441 ReceiverEff = DecRefMsg; 1442 break; 1443 case OMF_alloc: 1444 case OMF_new: 1445 case OMF_copy: 1446 case OMF_mutableCopy: 1447 if (cocoa::isCocoaObjectRef(RetTy)) 1448 ResultEff = ObjCAllocRetE; 1449 else if (coreFoundation::isCFObjectRef(RetTy)) 1450 ResultEff = RetEffect::MakeOwned(RetEffect::CF, true); 1451 break; 1452 case OMF_autorelease: 1453 ReceiverEff = Autorelease; 1454 break; 1455 case OMF_retain: 1456 ReceiverEff = IncRefMsg; 1457 break; 1458 case OMF_release: 1459 ReceiverEff = DecRefMsg; 1460 break; 1461 case OMF_dealloc: 1462 ReceiverEff = Dealloc; 1463 break; 1464 case OMF_self: 1465 // -self is handled specially by the ExprEngine to propagate the receiver. 1466 break; 1467 case OMF_retainCount: 1468 case OMF_finalize: 1469 // These methods don't return objects. 1470 break; 1471 } 1472 1473 // If one of the arguments in the selector has the keyword 'delegate' we 1474 // should stop tracking the reference count for the receiver. This is 1475 // because the reference count is quite possibly handled by a delegate 1476 // method. 1477 if (S.isKeywordSelector()) { 1478 for (unsigned i = 0, e = S.getNumArgs(); i != e; ++i) { 1479 StringRef Slot = S.getNameForSlot(i); 1480 if (Slot.substr(Slot.size() - 8).equals_lower("delegate")) { 1481 if (ResultEff == ObjCInitRetE) 1482 ResultEff = RetEffect::MakeNoRetHard(); 1483 else 1484 ReceiverEff = StopTrackingHard; 1485 } 1486 } 1487 } 1488 1489 if (ScratchArgs.isEmpty() && ReceiverEff == DoNothing && 1490 ResultEff.getKind() == RetEffect::NoRet) 1491 return getDefaultSummary(); 1492 1493 return getPersistentSummary(ResultEff, ReceiverEff, MayEscape); 1494 } 1495 1496 const RetainSummary * 1497 RetainSummaryManager::getInstanceMethodSummary(const ObjCMethodCall &Msg, 1498 ProgramStateRef State) { 1499 const ObjCInterfaceDecl *ReceiverClass = nullptr; 1500 1501 // We do better tracking of the type of the object than the core ExprEngine. 1502 // See if we have its type in our private state. 1503 // FIXME: Eventually replace the use of state->get<RefBindings> with 1504 // a generic API for reasoning about the Objective-C types of symbolic 1505 // objects. 1506 SVal ReceiverV = Msg.getReceiverSVal(); 1507 if (SymbolRef Sym = ReceiverV.getAsLocSymbol()) 1508 if (const RefVal *T = getRefBinding(State, Sym)) 1509 if (const ObjCObjectPointerType *PT = 1510 T->getType()->getAs<ObjCObjectPointerType>()) 1511 ReceiverClass = PT->getInterfaceDecl(); 1512 1513 // If we don't know what kind of object this is, fall back to its static type. 1514 if (!ReceiverClass) 1515 ReceiverClass = Msg.getReceiverInterface(); 1516 1517 // FIXME: The receiver could be a reference to a class, meaning that 1518 // we should use the class method. 1519 // id x = [NSObject class]; 1520 // [x performSelector:... withObject:... afterDelay:...]; 1521 Selector S = Msg.getSelector(); 1522 const ObjCMethodDecl *Method = Msg.getDecl(); 1523 if (!Method && ReceiverClass) 1524 Method = ReceiverClass->getInstanceMethod(S); 1525 1526 return getMethodSummary(S, ReceiverClass, Method, Msg.getResultType(), 1527 ObjCMethodSummaries); 1528 } 1529 1530 const RetainSummary * 1531 RetainSummaryManager::getMethodSummary(Selector S, const ObjCInterfaceDecl *ID, 1532 const ObjCMethodDecl *MD, QualType RetTy, 1533 ObjCMethodSummariesTy &CachedSummaries) { 1534 1535 // Look up a summary in our summary cache. 1536 const RetainSummary *Summ = CachedSummaries.find(ID, S); 1537 1538 if (!Summ) { 1539 Summ = getStandardMethodSummary(MD, S, RetTy); 1540 1541 // Annotations override defaults. 1542 updateSummaryFromAnnotations(Summ, MD); 1543 1544 // Memoize the summary. 1545 CachedSummaries[ObjCSummaryKey(ID, S)] = Summ; 1546 } 1547 1548 return Summ; 1549 } 1550 1551 void RetainSummaryManager::InitializeClassMethodSummaries() { 1552 assert(ScratchArgs.isEmpty()); 1553 // Create the [NSAssertionHandler currentHander] summary. 1554 addClassMethSummary("NSAssertionHandler", "currentHandler", 1555 getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::ObjC))); 1556 1557 // Create the [NSAutoreleasePool addObject:] summary. 1558 ScratchArgs = AF.add(ScratchArgs, 0, Autorelease); 1559 addClassMethSummary("NSAutoreleasePool", "addObject", 1560 getPersistentSummary(RetEffect::MakeNoRet(), 1561 DoNothing, Autorelease)); 1562 } 1563 1564 void RetainSummaryManager::InitializeMethodSummaries() { 1565 1566 assert (ScratchArgs.isEmpty()); 1567 1568 // Create the "init" selector. It just acts as a pass-through for the 1569 // receiver. 1570 const RetainSummary *InitSumm = getPersistentSummary(ObjCInitRetE, DecRefMsg); 1571 addNSObjectMethSummary(GetNullarySelector("init", Ctx), InitSumm); 1572 1573 // awakeAfterUsingCoder: behaves basically like an 'init' method. It 1574 // claims the receiver and returns a retained object. 1575 addNSObjectMethSummary(GetUnarySelector("awakeAfterUsingCoder", Ctx), 1576 InitSumm); 1577 1578 // The next methods are allocators. 1579 const RetainSummary *AllocSumm = getPersistentSummary(ObjCAllocRetE); 1580 const RetainSummary *CFAllocSumm = 1581 getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true)); 1582 1583 // Create the "retain" selector. 1584 RetEffect NoRet = RetEffect::MakeNoRet(); 1585 const RetainSummary *Summ = getPersistentSummary(NoRet, IncRefMsg); 1586 addNSObjectMethSummary(GetNullarySelector("retain", Ctx), Summ); 1587 1588 // Create the "release" selector. 1589 Summ = getPersistentSummary(NoRet, DecRefMsg); 1590 addNSObjectMethSummary(GetNullarySelector("release", Ctx), Summ); 1591 1592 // Create the -dealloc summary. 1593 Summ = getPersistentSummary(NoRet, Dealloc); 1594 addNSObjectMethSummary(GetNullarySelector("dealloc", Ctx), Summ); 1595 1596 // Create the "autorelease" selector. 1597 Summ = getPersistentSummary(NoRet, Autorelease); 1598 addNSObjectMethSummary(GetNullarySelector("autorelease", Ctx), Summ); 1599 1600 // For NSWindow, allocated objects are (initially) self-owned. 1601 // FIXME: For now we opt for false negatives with NSWindow, as these objects 1602 // self-own themselves. However, they only do this once they are displayed. 1603 // Thus, we need to track an NSWindow's display status. 1604 // This is tracked in <rdar://problem/6062711>. 1605 // See also http://llvm.org/bugs/show_bug.cgi?id=3714. 1606 const RetainSummary *NoTrackYet = getPersistentSummary(RetEffect::MakeNoRet(), 1607 StopTracking, 1608 StopTracking); 1609 1610 addClassMethSummary("NSWindow", "alloc", NoTrackYet); 1611 1612 // For NSPanel (which subclasses NSWindow), allocated objects are not 1613 // self-owned. 1614 // FIXME: For now we don't track NSPanels. object for the same reason 1615 // as for NSWindow objects. 1616 addClassMethSummary("NSPanel", "alloc", NoTrackYet); 1617 1618 // For NSNull, objects returned by +null are singletons that ignore 1619 // retain/release semantics. Just don't track them. 1620 // <rdar://problem/12858915> 1621 addClassMethSummary("NSNull", "null", NoTrackYet); 1622 1623 // Don't track allocated autorelease pools, as it is okay to prematurely 1624 // exit a method. 1625 addClassMethSummary("NSAutoreleasePool", "alloc", NoTrackYet); 1626 addClassMethSummary("NSAutoreleasePool", "allocWithZone", NoTrackYet, false); 1627 addClassMethSummary("NSAutoreleasePool", "new", NoTrackYet); 1628 1629 // Create summaries QCRenderer/QCView -createSnapShotImageOfType: 1630 addInstMethSummary("QCRenderer", AllocSumm, 1631 "createSnapshotImageOfType", nullptr); 1632 addInstMethSummary("QCView", AllocSumm, 1633 "createSnapshotImageOfType", nullptr); 1634 1635 // Create summaries for CIContext, 'createCGImage' and 1636 // 'createCGLayerWithSize'. These objects are CF objects, and are not 1637 // automatically garbage collected. 1638 addInstMethSummary("CIContext", CFAllocSumm, 1639 "createCGImage", "fromRect", nullptr); 1640 addInstMethSummary("CIContext", CFAllocSumm, "createCGImage", "fromRect", 1641 "format", "colorSpace", nullptr); 1642 addInstMethSummary("CIContext", CFAllocSumm, "createCGLayerWithSize", "info", 1643 nullptr); 1644 } 1645 1646 //===----------------------------------------------------------------------===// 1647 // Error reporting. 1648 //===----------------------------------------------------------------------===// 1649 namespace { 1650 typedef llvm::DenseMap<const ExplodedNode *, const RetainSummary *> 1651 SummaryLogTy; 1652 1653 //===-------------===// 1654 // Bug Descriptions. // 1655 //===-------------===// 1656 1657 class CFRefBug : public BugType { 1658 protected: 1659 CFRefBug(const CheckerBase *checker, StringRef name) 1660 : BugType(checker, name, categories::MemoryCoreFoundationObjectiveC) {} 1661 1662 public: 1663 1664 // FIXME: Eventually remove. 1665 virtual const char *getDescription() const = 0; 1666 1667 virtual bool isLeak() const { return false; } 1668 }; 1669 1670 class UseAfterRelease : public CFRefBug { 1671 public: 1672 UseAfterRelease(const CheckerBase *checker) 1673 : CFRefBug(checker, "Use-after-release") {} 1674 1675 const char *getDescription() const override { 1676 return "Reference-counted object is used after it is released"; 1677 } 1678 }; 1679 1680 class BadRelease : public CFRefBug { 1681 public: 1682 BadRelease(const CheckerBase *checker) : CFRefBug(checker, "Bad release") {} 1683 1684 const char *getDescription() const override { 1685 return "Incorrect decrement of the reference count of an object that is " 1686 "not owned at this point by the caller"; 1687 } 1688 }; 1689 1690 class DeallocGC : public CFRefBug { 1691 public: 1692 DeallocGC(const CheckerBase *checker) 1693 : CFRefBug(checker, "-dealloc called while using garbage collection") {} 1694 1695 const char *getDescription() const override { 1696 return "-dealloc called while using garbage collection"; 1697 } 1698 }; 1699 1700 class DeallocNotOwned : public CFRefBug { 1701 public: 1702 DeallocNotOwned(const CheckerBase *checker) 1703 : CFRefBug(checker, "-dealloc sent to non-exclusively owned object") {} 1704 1705 const char *getDescription() const override { 1706 return "-dealloc sent to object that may be referenced elsewhere"; 1707 } 1708 }; 1709 1710 class OverAutorelease : public CFRefBug { 1711 public: 1712 OverAutorelease(const CheckerBase *checker) 1713 : CFRefBug(checker, "Object autoreleased too many times") {} 1714 1715 const char *getDescription() const override { 1716 return "Object autoreleased too many times"; 1717 } 1718 }; 1719 1720 class ReturnedNotOwnedForOwned : public CFRefBug { 1721 public: 1722 ReturnedNotOwnedForOwned(const CheckerBase *checker) 1723 : CFRefBug(checker, "Method should return an owned object") {} 1724 1725 const char *getDescription() const override { 1726 return "Object with a +0 retain count returned to caller where a +1 " 1727 "(owning) retain count is expected"; 1728 } 1729 }; 1730 1731 class Leak : public CFRefBug { 1732 public: 1733 Leak(const CheckerBase *checker, StringRef name) : CFRefBug(checker, name) { 1734 // Leaks should not be reported if they are post-dominated by a sink. 1735 setSuppressOnSink(true); 1736 } 1737 1738 const char *getDescription() const override { return ""; } 1739 1740 bool isLeak() const override { return true; } 1741 }; 1742 1743 //===---------===// 1744 // Bug Reports. // 1745 //===---------===// 1746 1747 class CFRefReportVisitor : public BugReporterVisitorImpl<CFRefReportVisitor> { 1748 protected: 1749 SymbolRef Sym; 1750 const SummaryLogTy &SummaryLog; 1751 bool GCEnabled; 1752 1753 public: 1754 CFRefReportVisitor(SymbolRef sym, bool gcEnabled, const SummaryLogTy &log) 1755 : Sym(sym), SummaryLog(log), GCEnabled(gcEnabled) {} 1756 1757 void Profile(llvm::FoldingSetNodeID &ID) const override { 1758 static int x = 0; 1759 ID.AddPointer(&x); 1760 ID.AddPointer(Sym); 1761 } 1762 1763 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 1764 const ExplodedNode *PrevN, 1765 BugReporterContext &BRC, 1766 BugReport &BR) override; 1767 1768 std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC, 1769 const ExplodedNode *N, 1770 BugReport &BR) override; 1771 }; 1772 1773 class CFRefLeakReportVisitor : public CFRefReportVisitor { 1774 public: 1775 CFRefLeakReportVisitor(SymbolRef sym, bool GCEnabled, 1776 const SummaryLogTy &log) 1777 : CFRefReportVisitor(sym, GCEnabled, log) {} 1778 1779 std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC, 1780 const ExplodedNode *N, 1781 BugReport &BR) override; 1782 1783 std::unique_ptr<BugReporterVisitor> clone() const override { 1784 // The curiously-recurring template pattern only works for one level of 1785 // subclassing. Rather than make a new template base for 1786 // CFRefReportVisitor, we simply override clone() to do the right thing. 1787 // This could be trouble someday if BugReporterVisitorImpl is ever 1788 // used for something else besides a convenient implementation of clone(). 1789 return llvm::make_unique<CFRefLeakReportVisitor>(*this); 1790 } 1791 }; 1792 1793 class CFRefReport : public BugReport { 1794 void addGCModeDescription(const LangOptions &LOpts, bool GCEnabled); 1795 1796 public: 1797 CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1798 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1799 bool registerVisitor = true) 1800 : BugReport(D, D.getDescription(), n) { 1801 if (registerVisitor) 1802 addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log)); 1803 addGCModeDescription(LOpts, GCEnabled); 1804 } 1805 1806 CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1807 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1808 StringRef endText) 1809 : BugReport(D, D.getDescription(), endText, n) { 1810 addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log)); 1811 addGCModeDescription(LOpts, GCEnabled); 1812 } 1813 1814 llvm::iterator_range<ranges_iterator> getRanges() override { 1815 const CFRefBug& BugTy = static_cast<CFRefBug&>(getBugType()); 1816 if (!BugTy.isLeak()) 1817 return BugReport::getRanges(); 1818 return llvm::make_range(ranges_iterator(), ranges_iterator()); 1819 } 1820 }; 1821 1822 class CFRefLeakReport : public CFRefReport { 1823 const MemRegion* AllocBinding; 1824 public: 1825 CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1826 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1827 CheckerContext &Ctx, 1828 bool IncludeAllocationLine); 1829 1830 PathDiagnosticLocation getLocation(const SourceManager &SM) const override { 1831 assert(Location.isValid()); 1832 return Location; 1833 } 1834 }; 1835 } // end anonymous namespace 1836 1837 void CFRefReport::addGCModeDescription(const LangOptions &LOpts, 1838 bool GCEnabled) { 1839 const char *GCModeDescription = nullptr; 1840 1841 switch (LOpts.getGC()) { 1842 case LangOptions::GCOnly: 1843 assert(GCEnabled); 1844 GCModeDescription = "Code is compiled to only use garbage collection"; 1845 break; 1846 1847 case LangOptions::NonGC: 1848 assert(!GCEnabled); 1849 GCModeDescription = "Code is compiled to use reference counts"; 1850 break; 1851 1852 case LangOptions::HybridGC: 1853 if (GCEnabled) { 1854 GCModeDescription = "Code is compiled to use either garbage collection " 1855 "(GC) or reference counts (non-GC). The bug occurs " 1856 "with GC enabled"; 1857 break; 1858 } else { 1859 GCModeDescription = "Code is compiled to use either garbage collection " 1860 "(GC) or reference counts (non-GC). The bug occurs " 1861 "in non-GC mode"; 1862 break; 1863 } 1864 } 1865 1866 assert(GCModeDescription && "invalid/unknown GC mode"); 1867 addExtraText(GCModeDescription); 1868 } 1869 1870 static bool isNumericLiteralExpression(const Expr *E) { 1871 // FIXME: This set of cases was copied from SemaExprObjC. 1872 return isa<IntegerLiteral>(E) || 1873 isa<CharacterLiteral>(E) || 1874 isa<FloatingLiteral>(E) || 1875 isa<ObjCBoolLiteralExpr>(E) || 1876 isa<CXXBoolLiteralExpr>(E); 1877 } 1878 1879 /// Returns true if this stack frame is for an Objective-C method that is a 1880 /// property getter or setter whose body has been synthesized by the analyzer. 1881 static bool isSynthesizedAccessor(const StackFrameContext *SFC) { 1882 auto Method = dyn_cast_or_null<ObjCMethodDecl>(SFC->getDecl()); 1883 if (!Method || !Method->isPropertyAccessor()) 1884 return false; 1885 1886 return SFC->getAnalysisDeclContext()->isBodyAutosynthesized(); 1887 } 1888 1889 PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N, 1890 const ExplodedNode *PrevN, 1891 BugReporterContext &BRC, 1892 BugReport &BR) { 1893 // FIXME: We will eventually need to handle non-statement-based events 1894 // (__attribute__((cleanup))). 1895 if (!N->getLocation().getAs<StmtPoint>()) 1896 return nullptr; 1897 1898 // Check if the type state has changed. 1899 ProgramStateRef PrevSt = PrevN->getState(); 1900 ProgramStateRef CurrSt = N->getState(); 1901 const LocationContext *LCtx = N->getLocationContext(); 1902 1903 const RefVal* CurrT = getRefBinding(CurrSt, Sym); 1904 if (!CurrT) return nullptr; 1905 1906 const RefVal &CurrV = *CurrT; 1907 const RefVal *PrevT = getRefBinding(PrevSt, Sym); 1908 1909 // Create a string buffer to constain all the useful things we want 1910 // to tell the user. 1911 std::string sbuf; 1912 llvm::raw_string_ostream os(sbuf); 1913 1914 // This is the allocation site since the previous node had no bindings 1915 // for this symbol. 1916 if (!PrevT) { 1917 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 1918 1919 if (isa<ObjCIvarRefExpr>(S) && 1920 isSynthesizedAccessor(LCtx->getCurrentStackFrame())) { 1921 S = LCtx->getCurrentStackFrame()->getCallSite(); 1922 } 1923 1924 if (isa<ObjCArrayLiteral>(S)) { 1925 os << "NSArray literal is an object with a +0 retain count"; 1926 } 1927 else if (isa<ObjCDictionaryLiteral>(S)) { 1928 os << "NSDictionary literal is an object with a +0 retain count"; 1929 } 1930 else if (const ObjCBoxedExpr *BL = dyn_cast<ObjCBoxedExpr>(S)) { 1931 if (isNumericLiteralExpression(BL->getSubExpr())) 1932 os << "NSNumber literal is an object with a +0 retain count"; 1933 else { 1934 const ObjCInterfaceDecl *BoxClass = nullptr; 1935 if (const ObjCMethodDecl *Method = BL->getBoxingMethod()) 1936 BoxClass = Method->getClassInterface(); 1937 1938 // We should always be able to find the boxing class interface, 1939 // but consider this future-proofing. 1940 if (BoxClass) 1941 os << *BoxClass << " b"; 1942 else 1943 os << "B"; 1944 1945 os << "oxed expression produces an object with a +0 retain count"; 1946 } 1947 } 1948 else if (isa<ObjCIvarRefExpr>(S)) { 1949 os << "Object loaded from instance variable"; 1950 } 1951 else { 1952 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1953 // Get the name of the callee (if it is available). 1954 SVal X = CurrSt->getSValAsScalarOrLoc(CE->getCallee(), LCtx); 1955 if (const FunctionDecl *FD = X.getAsFunctionDecl()) 1956 os << "Call to function '" << *FD << '\''; 1957 else 1958 os << "function call"; 1959 } 1960 else { 1961 assert(isa<ObjCMessageExpr>(S)); 1962 CallEventManager &Mgr = CurrSt->getStateManager().getCallEventManager(); 1963 CallEventRef<ObjCMethodCall> Call 1964 = Mgr.getObjCMethodCall(cast<ObjCMessageExpr>(S), CurrSt, LCtx); 1965 1966 switch (Call->getMessageKind()) { 1967 case OCM_Message: 1968 os << "Method"; 1969 break; 1970 case OCM_PropertyAccess: 1971 os << "Property"; 1972 break; 1973 case OCM_Subscript: 1974 os << "Subscript"; 1975 break; 1976 } 1977 } 1978 1979 if (CurrV.getObjKind() == RetEffect::CF) { 1980 os << " returns a Core Foundation object with a "; 1981 } 1982 else { 1983 assert (CurrV.getObjKind() == RetEffect::ObjC); 1984 os << " returns an Objective-C object with a "; 1985 } 1986 1987 if (CurrV.isOwned()) { 1988 os << "+1 retain count"; 1989 1990 if (GCEnabled) { 1991 assert(CurrV.getObjKind() == RetEffect::CF); 1992 os << ". " 1993 "Core Foundation objects are not automatically garbage collected."; 1994 } 1995 } 1996 else { 1997 assert (CurrV.isNotOwned()); 1998 os << "+0 retain count"; 1999 } 2000 } 2001 2002 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2003 N->getLocationContext()); 2004 return new PathDiagnosticEventPiece(Pos, os.str()); 2005 } 2006 2007 // Gather up the effects that were performed on the object at this 2008 // program point 2009 SmallVector<ArgEffect, 2> AEffects; 2010 2011 const ExplodedNode *OrigNode = BRC.getNodeResolver().getOriginalNode(N); 2012 if (const RetainSummary *Summ = SummaryLog.lookup(OrigNode)) { 2013 // We only have summaries attached to nodes after evaluating CallExpr and 2014 // ObjCMessageExprs. 2015 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 2016 2017 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 2018 // Iterate through the parameter expressions and see if the symbol 2019 // was ever passed as an argument. 2020 unsigned i = 0; 2021 2022 for (CallExpr::const_arg_iterator AI=CE->arg_begin(), AE=CE->arg_end(); 2023 AI!=AE; ++AI, ++i) { 2024 2025 // Retrieve the value of the argument. Is it the symbol 2026 // we are interested in? 2027 if (CurrSt->getSValAsScalarOrLoc(*AI, LCtx).getAsLocSymbol() != Sym) 2028 continue; 2029 2030 // We have an argument. Get the effect! 2031 AEffects.push_back(Summ->getArg(i)); 2032 } 2033 } 2034 else if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S)) { 2035 if (const Expr *receiver = ME->getInstanceReceiver()) 2036 if (CurrSt->getSValAsScalarOrLoc(receiver, LCtx) 2037 .getAsLocSymbol() == Sym) { 2038 // The symbol we are tracking is the receiver. 2039 AEffects.push_back(Summ->getReceiverEffect()); 2040 } 2041 } 2042 } 2043 2044 do { 2045 // Get the previous type state. 2046 RefVal PrevV = *PrevT; 2047 2048 // Specially handle -dealloc. 2049 if (!GCEnabled && std::find(AEffects.begin(), AEffects.end(), Dealloc) != 2050 AEffects.end()) { 2051 // Determine if the object's reference count was pushed to zero. 2052 assert(!PrevV.hasSameState(CurrV) && "The state should have changed."); 2053 // We may not have transitioned to 'release' if we hit an error. 2054 // This case is handled elsewhere. 2055 if (CurrV.getKind() == RefVal::Released) { 2056 assert(CurrV.getCombinedCounts() == 0); 2057 os << "Object released by directly sending the '-dealloc' message"; 2058 break; 2059 } 2060 } 2061 2062 // Specially handle CFMakeCollectable and friends. 2063 if (std::find(AEffects.begin(), AEffects.end(), MakeCollectable) != 2064 AEffects.end()) { 2065 // Get the name of the function. 2066 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 2067 SVal X = 2068 CurrSt->getSValAsScalarOrLoc(cast<CallExpr>(S)->getCallee(), LCtx); 2069 const FunctionDecl *FD = X.getAsFunctionDecl(); 2070 2071 if (GCEnabled) { 2072 // Determine if the object's reference count was pushed to zero. 2073 assert(!PrevV.hasSameState(CurrV) && "The state should have changed."); 2074 2075 os << "In GC mode a call to '" << *FD 2076 << "' decrements an object's retain count and registers the " 2077 "object with the garbage collector. "; 2078 2079 if (CurrV.getKind() == RefVal::Released) { 2080 assert(CurrV.getCount() == 0); 2081 os << "Since it now has a 0 retain count the object can be " 2082 "automatically collected by the garbage collector."; 2083 } 2084 else 2085 os << "An object must have a 0 retain count to be garbage collected. " 2086 "After this call its retain count is +" << CurrV.getCount() 2087 << '.'; 2088 } 2089 else 2090 os << "When GC is not enabled a call to '" << *FD 2091 << "' has no effect on its argument."; 2092 2093 // Nothing more to say. 2094 break; 2095 } 2096 2097 // Determine if the typestate has changed. 2098 if (!PrevV.hasSameState(CurrV)) 2099 switch (CurrV.getKind()) { 2100 case RefVal::Owned: 2101 case RefVal::NotOwned: 2102 if (PrevV.getCount() == CurrV.getCount()) { 2103 // Did an autorelease message get sent? 2104 if (PrevV.getAutoreleaseCount() == CurrV.getAutoreleaseCount()) 2105 return nullptr; 2106 2107 assert(PrevV.getAutoreleaseCount() < CurrV.getAutoreleaseCount()); 2108 os << "Object autoreleased"; 2109 break; 2110 } 2111 2112 if (PrevV.getCount() > CurrV.getCount()) 2113 os << "Reference count decremented."; 2114 else 2115 os << "Reference count incremented."; 2116 2117 if (unsigned Count = CurrV.getCount()) 2118 os << " The object now has a +" << Count << " retain count."; 2119 2120 if (PrevV.getKind() == RefVal::Released) { 2121 assert(GCEnabled && CurrV.getCount() > 0); 2122 os << " The object is not eligible for garbage collection until " 2123 "the retain count reaches 0 again."; 2124 } 2125 2126 break; 2127 2128 case RefVal::Released: 2129 if (CurrV.getIvarAccessHistory() == 2130 RefVal::IvarAccessHistory::ReleasedAfterDirectAccess && 2131 CurrV.getIvarAccessHistory() != PrevV.getIvarAccessHistory()) { 2132 os << "Strong instance variable relinquished. "; 2133 } 2134 os << "Object released."; 2135 break; 2136 2137 case RefVal::ReturnedOwned: 2138 // Autoreleases can be applied after marking a node ReturnedOwned. 2139 if (CurrV.getAutoreleaseCount()) 2140 return nullptr; 2141 2142 os << "Object returned to caller as an owning reference (single " 2143 "retain count transferred to caller)"; 2144 break; 2145 2146 case RefVal::ReturnedNotOwned: 2147 os << "Object returned to caller with a +0 retain count"; 2148 break; 2149 2150 default: 2151 return nullptr; 2152 } 2153 2154 // Emit any remaining diagnostics for the argument effects (if any). 2155 for (SmallVectorImpl<ArgEffect>::iterator I=AEffects.begin(), 2156 E=AEffects.end(); I != E; ++I) { 2157 2158 // A bunch of things have alternate behavior under GC. 2159 if (GCEnabled) 2160 switch (*I) { 2161 default: break; 2162 case Autorelease: 2163 os << "In GC mode an 'autorelease' has no effect."; 2164 continue; 2165 case IncRefMsg: 2166 os << "In GC mode the 'retain' message has no effect."; 2167 continue; 2168 case DecRefMsg: 2169 os << "In GC mode the 'release' message has no effect."; 2170 continue; 2171 } 2172 } 2173 } while (0); 2174 2175 if (os.str().empty()) 2176 return nullptr; // We have nothing to say! 2177 2178 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 2179 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2180 N->getLocationContext()); 2181 PathDiagnosticPiece *P = new PathDiagnosticEventPiece(Pos, os.str()); 2182 2183 // Add the range by scanning the children of the statement for any bindings 2184 // to Sym. 2185 for (const Stmt *Child : S->children()) 2186 if (const Expr *Exp = dyn_cast_or_null<Expr>(Child)) 2187 if (CurrSt->getSValAsScalarOrLoc(Exp, LCtx).getAsLocSymbol() == Sym) { 2188 P->addRange(Exp->getSourceRange()); 2189 break; 2190 } 2191 2192 return P; 2193 } 2194 2195 namespace { 2196 // Find the first node in the current function context that referred to the 2197 // tracked symbol and the memory location that value was stored to. Note, the 2198 // value is only reported if the allocation occurred in the same function as 2199 // the leak. The function can also return a location context, which should be 2200 // treated as interesting. 2201 struct AllocationInfo { 2202 const ExplodedNode* N; 2203 const MemRegion *R; 2204 const LocationContext *InterestingMethodContext; 2205 AllocationInfo(const ExplodedNode *InN, 2206 const MemRegion *InR, 2207 const LocationContext *InInterestingMethodContext) : 2208 N(InN), R(InR), InterestingMethodContext(InInterestingMethodContext) {} 2209 }; 2210 } // end anonymous namespace 2211 2212 static AllocationInfo 2213 GetAllocationSite(ProgramStateManager& StateMgr, const ExplodedNode *N, 2214 SymbolRef Sym) { 2215 const ExplodedNode *AllocationNode = N; 2216 const ExplodedNode *AllocationNodeInCurrentOrParentContext = N; 2217 const MemRegion *FirstBinding = nullptr; 2218 const LocationContext *LeakContext = N->getLocationContext(); 2219 2220 // The location context of the init method called on the leaked object, if 2221 // available. 2222 const LocationContext *InitMethodContext = nullptr; 2223 2224 while (N) { 2225 ProgramStateRef St = N->getState(); 2226 const LocationContext *NContext = N->getLocationContext(); 2227 2228 if (!getRefBinding(St, Sym)) 2229 break; 2230 2231 StoreManager::FindUniqueBinding FB(Sym); 2232 StateMgr.iterBindings(St, FB); 2233 2234 if (FB) { 2235 const MemRegion *R = FB.getRegion(); 2236 const VarRegion *VR = R->getBaseRegion()->getAs<VarRegion>(); 2237 // Do not show local variables belonging to a function other than 2238 // where the error is reported. 2239 if (!VR || VR->getStackFrame() == LeakContext->getCurrentStackFrame()) 2240 FirstBinding = R; 2241 } 2242 2243 // AllocationNode is the last node in which the symbol was tracked. 2244 AllocationNode = N; 2245 2246 // AllocationNodeInCurrentContext, is the last node in the current or 2247 // parent context in which the symbol was tracked. 2248 // 2249 // Note that the allocation site might be in the parent conext. For example, 2250 // the case where an allocation happens in a block that captures a reference 2251 // to it and that reference is overwritten/dropped by another call to 2252 // the block. 2253 if (NContext == LeakContext || NContext->isParentOf(LeakContext)) 2254 AllocationNodeInCurrentOrParentContext = N; 2255 2256 // Find the last init that was called on the given symbol and store the 2257 // init method's location context. 2258 if (!InitMethodContext) 2259 if (Optional<CallEnter> CEP = N->getLocation().getAs<CallEnter>()) { 2260 const Stmt *CE = CEP->getCallExpr(); 2261 if (const ObjCMessageExpr *ME = dyn_cast_or_null<ObjCMessageExpr>(CE)) { 2262 const Stmt *RecExpr = ME->getInstanceReceiver(); 2263 if (RecExpr) { 2264 SVal RecV = St->getSVal(RecExpr, NContext); 2265 if (ME->getMethodFamily() == OMF_init && RecV.getAsSymbol() == Sym) 2266 InitMethodContext = CEP->getCalleeContext(); 2267 } 2268 } 2269 } 2270 2271 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2272 } 2273 2274 // If we are reporting a leak of the object that was allocated with alloc, 2275 // mark its init method as interesting. 2276 const LocationContext *InterestingMethodContext = nullptr; 2277 if (InitMethodContext) { 2278 const ProgramPoint AllocPP = AllocationNode->getLocation(); 2279 if (Optional<StmtPoint> SP = AllocPP.getAs<StmtPoint>()) 2280 if (const ObjCMessageExpr *ME = SP->getStmtAs<ObjCMessageExpr>()) 2281 if (ME->getMethodFamily() == OMF_alloc) 2282 InterestingMethodContext = InitMethodContext; 2283 } 2284 2285 // If allocation happened in a function different from the leak node context, 2286 // do not report the binding. 2287 assert(N && "Could not find allocation node"); 2288 if (N->getLocationContext() != LeakContext) { 2289 FirstBinding = nullptr; 2290 } 2291 2292 return AllocationInfo(AllocationNodeInCurrentOrParentContext, 2293 FirstBinding, 2294 InterestingMethodContext); 2295 } 2296 2297 std::unique_ptr<PathDiagnosticPiece> 2298 CFRefReportVisitor::getEndPath(BugReporterContext &BRC, 2299 const ExplodedNode *EndN, BugReport &BR) { 2300 BR.markInteresting(Sym); 2301 return BugReporterVisitor::getDefaultEndPath(BRC, EndN, BR); 2302 } 2303 2304 std::unique_ptr<PathDiagnosticPiece> 2305 CFRefLeakReportVisitor::getEndPath(BugReporterContext &BRC, 2306 const ExplodedNode *EndN, BugReport &BR) { 2307 2308 // Tell the BugReporterContext to report cases when the tracked symbol is 2309 // assigned to different variables, etc. 2310 BR.markInteresting(Sym); 2311 2312 // We are reporting a leak. Walk up the graph to get to the first node where 2313 // the symbol appeared, and also get the first VarDecl that tracked object 2314 // is stored to. 2315 AllocationInfo AllocI = 2316 GetAllocationSite(BRC.getStateManager(), EndN, Sym); 2317 2318 const MemRegion* FirstBinding = AllocI.R; 2319 BR.markInteresting(AllocI.InterestingMethodContext); 2320 2321 SourceManager& SM = BRC.getSourceManager(); 2322 2323 // Compute an actual location for the leak. Sometimes a leak doesn't 2324 // occur at an actual statement (e.g., transition between blocks; end 2325 // of function) so we need to walk the graph and compute a real location. 2326 const ExplodedNode *LeakN = EndN; 2327 PathDiagnosticLocation L = PathDiagnosticLocation::createEndOfPath(LeakN, SM); 2328 2329 std::string sbuf; 2330 llvm::raw_string_ostream os(sbuf); 2331 2332 os << "Object leaked: "; 2333 2334 if (FirstBinding) { 2335 os << "object allocated and stored into '" 2336 << FirstBinding->getString() << '\''; 2337 } 2338 else 2339 os << "allocated object"; 2340 2341 // Get the retain count. 2342 const RefVal* RV = getRefBinding(EndN->getState(), Sym); 2343 assert(RV); 2344 2345 if (RV->getKind() == RefVal::ErrorLeakReturned) { 2346 // FIXME: Per comments in rdar://6320065, "create" only applies to CF 2347 // objects. Only "copy", "alloc", "retain" and "new" transfer ownership 2348 // to the caller for NS objects. 2349 const Decl *D = &EndN->getCodeDecl(); 2350 2351 os << (isa<ObjCMethodDecl>(D) ? " is returned from a method " 2352 : " is returned from a function "); 2353 2354 if (D->hasAttr<CFReturnsNotRetainedAttr>()) 2355 os << "that is annotated as CF_RETURNS_NOT_RETAINED"; 2356 else if (D->hasAttr<NSReturnsNotRetainedAttr>()) 2357 os << "that is annotated as NS_RETURNS_NOT_RETAINED"; 2358 else { 2359 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) { 2360 os << "whose name ('" << MD->getSelector().getAsString() 2361 << "') does not start with 'copy', 'mutableCopy', 'alloc' or 'new'." 2362 " This violates the naming convention rules" 2363 " given in the Memory Management Guide for Cocoa"; 2364 } 2365 else { 2366 const FunctionDecl *FD = cast<FunctionDecl>(D); 2367 os << "whose name ('" << *FD 2368 << "') does not contain 'Copy' or 'Create'. This violates the naming" 2369 " convention rules given in the Memory Management Guide for Core" 2370 " Foundation"; 2371 } 2372 } 2373 } 2374 else if (RV->getKind() == RefVal::ErrorGCLeakReturned) { 2375 const ObjCMethodDecl &MD = cast<ObjCMethodDecl>(EndN->getCodeDecl()); 2376 os << " and returned from method '" << MD.getSelector().getAsString() 2377 << "' is potentially leaked when using garbage collection. Callers " 2378 "of this method do not expect a returned object with a +1 retain " 2379 "count since they expect the object to be managed by the garbage " 2380 "collector"; 2381 } 2382 else 2383 os << " is not referenced later in this execution path and has a retain " 2384 "count of +" << RV->getCount(); 2385 2386 return llvm::make_unique<PathDiagnosticEventPiece>(L, os.str()); 2387 } 2388 2389 CFRefLeakReport::CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts, 2390 bool GCEnabled, const SummaryLogTy &Log, 2391 ExplodedNode *n, SymbolRef sym, 2392 CheckerContext &Ctx, 2393 bool IncludeAllocationLine) 2394 : CFRefReport(D, LOpts, GCEnabled, Log, n, sym, false) { 2395 2396 // Most bug reports are cached at the location where they occurred. 2397 // With leaks, we want to unique them by the location where they were 2398 // allocated, and only report a single path. To do this, we need to find 2399 // the allocation site of a piece of tracked memory, which we do via a 2400 // call to GetAllocationSite. This will walk the ExplodedGraph backwards. 2401 // Note that this is *not* the trimmed graph; we are guaranteed, however, 2402 // that all ancestor nodes that represent the allocation site have the 2403 // same SourceLocation. 2404 const ExplodedNode *AllocNode = nullptr; 2405 2406 const SourceManager& SMgr = Ctx.getSourceManager(); 2407 2408 AllocationInfo AllocI = 2409 GetAllocationSite(Ctx.getStateManager(), getErrorNode(), sym); 2410 2411 AllocNode = AllocI.N; 2412 AllocBinding = AllocI.R; 2413 markInteresting(AllocI.InterestingMethodContext); 2414 2415 // Get the SourceLocation for the allocation site. 2416 // FIXME: This will crash the analyzer if an allocation comes from an 2417 // implicit call (ex: a destructor call). 2418 // (Currently there are no such allocations in Cocoa, though.) 2419 const Stmt *AllocStmt = nullptr; 2420 ProgramPoint P = AllocNode->getLocation(); 2421 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 2422 AllocStmt = Exit->getCalleeContext()->getCallSite(); 2423 else 2424 AllocStmt = P.castAs<PostStmt>().getStmt(); 2425 assert(AllocStmt && "Cannot find allocation statement"); 2426 2427 PathDiagnosticLocation AllocLocation = 2428 PathDiagnosticLocation::createBegin(AllocStmt, SMgr, 2429 AllocNode->getLocationContext()); 2430 Location = AllocLocation; 2431 2432 // Set uniqieing info, which will be used for unique the bug reports. The 2433 // leaks should be uniqued on the allocation site. 2434 UniqueingLocation = AllocLocation; 2435 UniqueingDecl = AllocNode->getLocationContext()->getDecl(); 2436 2437 // Fill in the description of the bug. 2438 Description.clear(); 2439 llvm::raw_string_ostream os(Description); 2440 os << "Potential leak "; 2441 if (GCEnabled) 2442 os << "(when using garbage collection) "; 2443 os << "of an object"; 2444 2445 if (AllocBinding) { 2446 os << " stored into '" << AllocBinding->getString() << '\''; 2447 if (IncludeAllocationLine) { 2448 FullSourceLoc SL(AllocStmt->getLocStart(), Ctx.getSourceManager()); 2449 os << " (allocated on line " << SL.getSpellingLineNumber() << ")"; 2450 } 2451 } 2452 2453 addVisitor(llvm::make_unique<CFRefLeakReportVisitor>(sym, GCEnabled, Log)); 2454 } 2455 2456 //===----------------------------------------------------------------------===// 2457 // Main checker logic. 2458 //===----------------------------------------------------------------------===// 2459 2460 namespace { 2461 class RetainCountChecker 2462 : public Checker< check::Bind, 2463 check::DeadSymbols, 2464 check::EndAnalysis, 2465 check::EndFunction, 2466 check::PostStmt<BlockExpr>, 2467 check::PostStmt<CastExpr>, 2468 check::PostStmt<ObjCArrayLiteral>, 2469 check::PostStmt<ObjCDictionaryLiteral>, 2470 check::PostStmt<ObjCBoxedExpr>, 2471 check::PostStmt<ObjCIvarRefExpr>, 2472 check::PostCall, 2473 check::PreStmt<ReturnStmt>, 2474 check::RegionChanges, 2475 eval::Assume, 2476 eval::Call > { 2477 mutable std::unique_ptr<CFRefBug> useAfterRelease, releaseNotOwned; 2478 mutable std::unique_ptr<CFRefBug> deallocGC, deallocNotOwned; 2479 mutable std::unique_ptr<CFRefBug> overAutorelease, returnNotOwnedForOwned; 2480 mutable std::unique_ptr<CFRefBug> leakWithinFunction, leakAtReturn; 2481 mutable std::unique_ptr<CFRefBug> leakWithinFunctionGC, leakAtReturnGC; 2482 2483 typedef llvm::DenseMap<SymbolRef, const CheckerProgramPointTag *> SymbolTagMap; 2484 2485 // This map is only used to ensure proper deletion of any allocated tags. 2486 mutable SymbolTagMap DeadSymbolTags; 2487 2488 mutable std::unique_ptr<RetainSummaryManager> Summaries; 2489 mutable std::unique_ptr<RetainSummaryManager> SummariesGC; 2490 mutable SummaryLogTy SummaryLog; 2491 mutable bool ShouldResetSummaryLog; 2492 2493 /// Optional setting to indicate if leak reports should include 2494 /// the allocation line. 2495 mutable bool IncludeAllocationLine; 2496 2497 public: 2498 RetainCountChecker(AnalyzerOptions &AO) 2499 : ShouldResetSummaryLog(false), 2500 IncludeAllocationLine(shouldIncludeAllocationSiteInLeakDiagnostics(AO)) {} 2501 2502 ~RetainCountChecker() override { DeleteContainerSeconds(DeadSymbolTags); } 2503 2504 void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR, 2505 ExprEngine &Eng) const { 2506 // FIXME: This is a hack to make sure the summary log gets cleared between 2507 // analyses of different code bodies. 2508 // 2509 // Why is this necessary? Because a checker's lifetime is tied to a 2510 // translation unit, but an ExplodedGraph's lifetime is just a code body. 2511 // Once in a blue moon, a new ExplodedNode will have the same address as an 2512 // old one with an associated summary, and the bug report visitor gets very 2513 // confused. (To make things worse, the summary lifetime is currently also 2514 // tied to a code body, so we get a crash instead of incorrect results.) 2515 // 2516 // Why is this a bad solution? Because if the lifetime of the ExplodedGraph 2517 // changes, things will start going wrong again. Really the lifetime of this 2518 // log needs to be tied to either the specific nodes in it or the entire 2519 // ExplodedGraph, not to a specific part of the code being analyzed. 2520 // 2521 // (Also, having stateful local data means that the same checker can't be 2522 // used from multiple threads, but a lot of checkers have incorrect 2523 // assumptions about that anyway. So that wasn't a priority at the time of 2524 // this fix.) 2525 // 2526 // This happens at the end of analysis, but bug reports are emitted /after/ 2527 // this point. So we can't just clear the summary log now. Instead, we mark 2528 // that the next time we access the summary log, it should be cleared. 2529 2530 // If we never reset the summary log during /this/ code body analysis, 2531 // there were no new summaries. There might still have been summaries from 2532 // the /last/ analysis, so clear them out to make sure the bug report 2533 // visitors don't get confused. 2534 if (ShouldResetSummaryLog) 2535 SummaryLog.clear(); 2536 2537 ShouldResetSummaryLog = !SummaryLog.empty(); 2538 } 2539 2540 CFRefBug *getLeakWithinFunctionBug(const LangOptions &LOpts, 2541 bool GCEnabled) const { 2542 if (GCEnabled) { 2543 if (!leakWithinFunctionGC) 2544 leakWithinFunctionGC.reset(new Leak(this, "Leak of object when using " 2545 "garbage collection")); 2546 return leakWithinFunctionGC.get(); 2547 } else { 2548 if (!leakWithinFunction) { 2549 if (LOpts.getGC() == LangOptions::HybridGC) { 2550 leakWithinFunction.reset(new Leak(this, 2551 "Leak of object when not using " 2552 "garbage collection (GC) in " 2553 "dual GC/non-GC code")); 2554 } else { 2555 leakWithinFunction.reset(new Leak(this, "Leak")); 2556 } 2557 } 2558 return leakWithinFunction.get(); 2559 } 2560 } 2561 2562 CFRefBug *getLeakAtReturnBug(const LangOptions &LOpts, bool GCEnabled) const { 2563 if (GCEnabled) { 2564 if (!leakAtReturnGC) 2565 leakAtReturnGC.reset(new Leak(this, 2566 "Leak of returned object when using " 2567 "garbage collection")); 2568 return leakAtReturnGC.get(); 2569 } else { 2570 if (!leakAtReturn) { 2571 if (LOpts.getGC() == LangOptions::HybridGC) { 2572 leakAtReturn.reset(new Leak(this, 2573 "Leak of returned object when not using " 2574 "garbage collection (GC) in dual " 2575 "GC/non-GC code")); 2576 } else { 2577 leakAtReturn.reset(new Leak(this, "Leak of returned object")); 2578 } 2579 } 2580 return leakAtReturn.get(); 2581 } 2582 } 2583 2584 RetainSummaryManager &getSummaryManager(ASTContext &Ctx, 2585 bool GCEnabled) const { 2586 // FIXME: We don't support ARC being turned on and off during one analysis. 2587 // (nor, for that matter, do we support changing ASTContexts) 2588 bool ARCEnabled = (bool)Ctx.getLangOpts().ObjCAutoRefCount; 2589 if (GCEnabled) { 2590 if (!SummariesGC) 2591 SummariesGC.reset(new RetainSummaryManager(Ctx, true, ARCEnabled)); 2592 else 2593 assert(SummariesGC->isARCEnabled() == ARCEnabled); 2594 return *SummariesGC; 2595 } else { 2596 if (!Summaries) 2597 Summaries.reset(new RetainSummaryManager(Ctx, false, ARCEnabled)); 2598 else 2599 assert(Summaries->isARCEnabled() == ARCEnabled); 2600 return *Summaries; 2601 } 2602 } 2603 2604 RetainSummaryManager &getSummaryManager(CheckerContext &C) const { 2605 return getSummaryManager(C.getASTContext(), C.isObjCGCEnabled()); 2606 } 2607 2608 void printState(raw_ostream &Out, ProgramStateRef State, 2609 const char *NL, const char *Sep) const override; 2610 2611 void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const; 2612 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 2613 void checkPostStmt(const CastExpr *CE, CheckerContext &C) const; 2614 2615 void checkPostStmt(const ObjCArrayLiteral *AL, CheckerContext &C) const; 2616 void checkPostStmt(const ObjCDictionaryLiteral *DL, CheckerContext &C) const; 2617 void checkPostStmt(const ObjCBoxedExpr *BE, CheckerContext &C) const; 2618 2619 void checkPostStmt(const ObjCIvarRefExpr *IRE, CheckerContext &C) const; 2620 2621 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 2622 2623 void checkSummary(const RetainSummary &Summ, const CallEvent &Call, 2624 CheckerContext &C) const; 2625 2626 void processSummaryOfInlined(const RetainSummary &Summ, 2627 const CallEvent &Call, 2628 CheckerContext &C) const; 2629 2630 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 2631 2632 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 2633 bool Assumption) const; 2634 2635 ProgramStateRef 2636 checkRegionChanges(ProgramStateRef state, 2637 const InvalidatedSymbols *invalidated, 2638 ArrayRef<const MemRegion *> ExplicitRegions, 2639 ArrayRef<const MemRegion *> Regions, 2640 const CallEvent *Call) const; 2641 2642 bool wantsRegionChangeUpdate(ProgramStateRef state) const { 2643 return true; 2644 } 2645 2646 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 2647 void checkReturnWithRetEffect(const ReturnStmt *S, CheckerContext &C, 2648 ExplodedNode *Pred, RetEffect RE, RefVal X, 2649 SymbolRef Sym, ProgramStateRef state) const; 2650 2651 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 2652 void checkEndFunction(CheckerContext &C) const; 2653 2654 ProgramStateRef updateSymbol(ProgramStateRef state, SymbolRef sym, 2655 RefVal V, ArgEffect E, RefVal::Kind &hasErr, 2656 CheckerContext &C) const; 2657 2658 void processNonLeakError(ProgramStateRef St, SourceRange ErrorRange, 2659 RefVal::Kind ErrorKind, SymbolRef Sym, 2660 CheckerContext &C) const; 2661 2662 void processObjCLiterals(CheckerContext &C, const Expr *Ex) const; 2663 2664 const ProgramPointTag *getDeadSymbolTag(SymbolRef sym) const; 2665 2666 ProgramStateRef handleSymbolDeath(ProgramStateRef state, 2667 SymbolRef sid, RefVal V, 2668 SmallVectorImpl<SymbolRef> &Leaked) const; 2669 2670 ProgramStateRef 2671 handleAutoreleaseCounts(ProgramStateRef state, ExplodedNode *Pred, 2672 const ProgramPointTag *Tag, CheckerContext &Ctx, 2673 SymbolRef Sym, RefVal V) const; 2674 2675 ExplodedNode *processLeaks(ProgramStateRef state, 2676 SmallVectorImpl<SymbolRef> &Leaked, 2677 CheckerContext &Ctx, 2678 ExplodedNode *Pred = nullptr) const; 2679 }; 2680 } // end anonymous namespace 2681 2682 namespace { 2683 class StopTrackingCallback final : public SymbolVisitor { 2684 ProgramStateRef state; 2685 public: 2686 StopTrackingCallback(ProgramStateRef st) : state(st) {} 2687 ProgramStateRef getState() const { return state; } 2688 2689 bool VisitSymbol(SymbolRef sym) override { 2690 state = state->remove<RefBindings>(sym); 2691 return true; 2692 } 2693 }; 2694 } // end anonymous namespace 2695 2696 //===----------------------------------------------------------------------===// 2697 // Handle statements that may have an effect on refcounts. 2698 //===----------------------------------------------------------------------===// 2699 2700 void RetainCountChecker::checkPostStmt(const BlockExpr *BE, 2701 CheckerContext &C) const { 2702 2703 // Scan the BlockDecRefExprs for any object the retain count checker 2704 // may be tracking. 2705 if (!BE->getBlockDecl()->hasCaptures()) 2706 return; 2707 2708 ProgramStateRef state = C.getState(); 2709 const BlockDataRegion *R = 2710 cast<BlockDataRegion>(state->getSVal(BE, 2711 C.getLocationContext()).getAsRegion()); 2712 2713 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2714 E = R->referenced_vars_end(); 2715 2716 if (I == E) 2717 return; 2718 2719 // FIXME: For now we invalidate the tracking of all symbols passed to blocks 2720 // via captured variables, even though captured variables result in a copy 2721 // and in implicit increment/decrement of a retain count. 2722 SmallVector<const MemRegion*, 10> Regions; 2723 const LocationContext *LC = C.getLocationContext(); 2724 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2725 2726 for ( ; I != E; ++I) { 2727 const VarRegion *VR = I.getCapturedRegion(); 2728 if (VR->getSuperRegion() == R) { 2729 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2730 } 2731 Regions.push_back(VR); 2732 } 2733 2734 state = 2735 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2736 Regions.data() + Regions.size()).getState(); 2737 C.addTransition(state); 2738 } 2739 2740 void RetainCountChecker::checkPostStmt(const CastExpr *CE, 2741 CheckerContext &C) const { 2742 const ObjCBridgedCastExpr *BE = dyn_cast<ObjCBridgedCastExpr>(CE); 2743 if (!BE) 2744 return; 2745 2746 ArgEffect AE = IncRef; 2747 2748 switch (BE->getBridgeKind()) { 2749 case clang::OBC_Bridge: 2750 // Do nothing. 2751 return; 2752 case clang::OBC_BridgeRetained: 2753 AE = IncRef; 2754 break; 2755 case clang::OBC_BridgeTransfer: 2756 AE = DecRefBridgedTransferred; 2757 break; 2758 } 2759 2760 ProgramStateRef state = C.getState(); 2761 SymbolRef Sym = state->getSVal(CE, C.getLocationContext()).getAsLocSymbol(); 2762 if (!Sym) 2763 return; 2764 const RefVal* T = getRefBinding(state, Sym); 2765 if (!T) 2766 return; 2767 2768 RefVal::Kind hasErr = (RefVal::Kind) 0; 2769 state = updateSymbol(state, Sym, *T, AE, hasErr, C); 2770 2771 if (hasErr) { 2772 // FIXME: If we get an error during a bridge cast, should we report it? 2773 return; 2774 } 2775 2776 C.addTransition(state); 2777 } 2778 2779 void RetainCountChecker::processObjCLiterals(CheckerContext &C, 2780 const Expr *Ex) const { 2781 ProgramStateRef state = C.getState(); 2782 const ExplodedNode *pred = C.getPredecessor(); 2783 for (const Stmt *Child : Ex->children()) { 2784 SVal V = state->getSVal(Child, pred->getLocationContext()); 2785 if (SymbolRef sym = V.getAsSymbol()) 2786 if (const RefVal* T = getRefBinding(state, sym)) { 2787 RefVal::Kind hasErr = (RefVal::Kind) 0; 2788 state = updateSymbol(state, sym, *T, MayEscape, hasErr, C); 2789 if (hasErr) { 2790 processNonLeakError(state, Child->getSourceRange(), hasErr, sym, C); 2791 return; 2792 } 2793 } 2794 } 2795 2796 // Return the object as autoreleased. 2797 // RetEffect RE = RetEffect::MakeNotOwned(RetEffect::ObjC); 2798 if (SymbolRef sym = 2799 state->getSVal(Ex, pred->getLocationContext()).getAsSymbol()) { 2800 QualType ResultTy = Ex->getType(); 2801 state = setRefBinding(state, sym, 2802 RefVal::makeNotOwned(RetEffect::ObjC, ResultTy)); 2803 } 2804 2805 C.addTransition(state); 2806 } 2807 2808 void RetainCountChecker::checkPostStmt(const ObjCArrayLiteral *AL, 2809 CheckerContext &C) const { 2810 // Apply the 'MayEscape' to all values. 2811 processObjCLiterals(C, AL); 2812 } 2813 2814 void RetainCountChecker::checkPostStmt(const ObjCDictionaryLiteral *DL, 2815 CheckerContext &C) const { 2816 // Apply the 'MayEscape' to all keys and values. 2817 processObjCLiterals(C, DL); 2818 } 2819 2820 void RetainCountChecker::checkPostStmt(const ObjCBoxedExpr *Ex, 2821 CheckerContext &C) const { 2822 const ExplodedNode *Pred = C.getPredecessor(); 2823 const LocationContext *LCtx = Pred->getLocationContext(); 2824 ProgramStateRef State = Pred->getState(); 2825 2826 if (SymbolRef Sym = State->getSVal(Ex, LCtx).getAsSymbol()) { 2827 QualType ResultTy = Ex->getType(); 2828 State = setRefBinding(State, Sym, 2829 RefVal::makeNotOwned(RetEffect::ObjC, ResultTy)); 2830 } 2831 2832 C.addTransition(State); 2833 } 2834 2835 static bool wasLoadedFromIvar(SymbolRef Sym) { 2836 if (auto DerivedVal = dyn_cast<SymbolDerived>(Sym)) 2837 return isa<ObjCIvarRegion>(DerivedVal->getRegion()); 2838 if (auto RegionVal = dyn_cast<SymbolRegionValue>(Sym)) 2839 return isa<ObjCIvarRegion>(RegionVal->getRegion()); 2840 return false; 2841 } 2842 2843 void RetainCountChecker::checkPostStmt(const ObjCIvarRefExpr *IRE, 2844 CheckerContext &C) const { 2845 Optional<Loc> IVarLoc = C.getSVal(IRE).getAs<Loc>(); 2846 if (!IVarLoc) 2847 return; 2848 2849 ProgramStateRef State = C.getState(); 2850 SymbolRef Sym = State->getSVal(*IVarLoc).getAsSymbol(); 2851 if (!Sym || !wasLoadedFromIvar(Sym)) 2852 return; 2853 2854 // Accessing an ivar directly is unusual. If we've done that, be more 2855 // forgiving about what the surrounding code is allowed to do. 2856 2857 QualType Ty = Sym->getType(); 2858 RetEffect::ObjKind Kind; 2859 if (Ty->isObjCRetainableType()) 2860 Kind = RetEffect::ObjC; 2861 else if (coreFoundation::isCFObjectRef(Ty)) 2862 Kind = RetEffect::CF; 2863 else 2864 return; 2865 2866 // If the value is already known to be nil, don't bother tracking it. 2867 ConstraintManager &CMgr = State->getConstraintManager(); 2868 if (CMgr.isNull(State, Sym).isConstrainedTrue()) 2869 return; 2870 2871 if (const RefVal *RV = getRefBinding(State, Sym)) { 2872 // If we've seen this symbol before, or we're only seeing it now because 2873 // of something the analyzer has synthesized, don't do anything. 2874 if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None || 2875 isSynthesizedAccessor(C.getStackFrame())) { 2876 return; 2877 } 2878 2879 // Note that this value has been loaded from an ivar. 2880 C.addTransition(setRefBinding(State, Sym, RV->withIvarAccess())); 2881 return; 2882 } 2883 2884 RefVal PlusZero = RefVal::makeNotOwned(Kind, Ty); 2885 2886 // In a synthesized accessor, the effective retain count is +0. 2887 if (isSynthesizedAccessor(C.getStackFrame())) { 2888 C.addTransition(setRefBinding(State, Sym, PlusZero)); 2889 return; 2890 } 2891 2892 State = setRefBinding(State, Sym, PlusZero.withIvarAccess()); 2893 C.addTransition(State); 2894 } 2895 2896 void RetainCountChecker::checkPostCall(const CallEvent &Call, 2897 CheckerContext &C) const { 2898 RetainSummaryManager &Summaries = getSummaryManager(C); 2899 const RetainSummary *Summ = Summaries.getSummary(Call, C.getState()); 2900 2901 if (C.wasInlined) { 2902 processSummaryOfInlined(*Summ, Call, C); 2903 return; 2904 } 2905 checkSummary(*Summ, Call, C); 2906 } 2907 2908 /// GetReturnType - Used to get the return type of a message expression or 2909 /// function call with the intention of affixing that type to a tracked symbol. 2910 /// While the return type can be queried directly from RetEx, when 2911 /// invoking class methods we augment to the return type to be that of 2912 /// a pointer to the class (as opposed it just being id). 2913 // FIXME: We may be able to do this with related result types instead. 2914 // This function is probably overestimating. 2915 static QualType GetReturnType(const Expr *RetE, ASTContext &Ctx) { 2916 QualType RetTy = RetE->getType(); 2917 // If RetE is not a message expression just return its type. 2918 // If RetE is a message expression, return its types if it is something 2919 /// more specific than id. 2920 if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(RetE)) 2921 if (const ObjCObjectPointerType *PT = RetTy->getAs<ObjCObjectPointerType>()) 2922 if (PT->isObjCQualifiedIdType() || PT->isObjCIdType() || 2923 PT->isObjCClassType()) { 2924 // At this point we know the return type of the message expression is 2925 // id, id<...>, or Class. If we have an ObjCInterfaceDecl, we know this 2926 // is a call to a class method whose type we can resolve. In such 2927 // cases, promote the return type to XXX* (where XXX is the class). 2928 const ObjCInterfaceDecl *D = ME->getReceiverInterface(); 2929 return !D ? RetTy : 2930 Ctx.getObjCObjectPointerType(Ctx.getObjCInterfaceType(D)); 2931 } 2932 2933 return RetTy; 2934 } 2935 2936 // We don't always get the exact modeling of the function with regards to the 2937 // retain count checker even when the function is inlined. For example, we need 2938 // to stop tracking the symbols which were marked with StopTrackingHard. 2939 void RetainCountChecker::processSummaryOfInlined(const RetainSummary &Summ, 2940 const CallEvent &CallOrMsg, 2941 CheckerContext &C) const { 2942 ProgramStateRef state = C.getState(); 2943 2944 // Evaluate the effect of the arguments. 2945 for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) { 2946 if (Summ.getArg(idx) == StopTrackingHard) { 2947 SVal V = CallOrMsg.getArgSVal(idx); 2948 if (SymbolRef Sym = V.getAsLocSymbol()) { 2949 state = removeRefBinding(state, Sym); 2950 } 2951 } 2952 } 2953 2954 // Evaluate the effect on the message receiver. 2955 const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg); 2956 if (MsgInvocation) { 2957 if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) { 2958 if (Summ.getReceiverEffect() == StopTrackingHard) { 2959 state = removeRefBinding(state, Sym); 2960 } 2961 } 2962 } 2963 2964 // Consult the summary for the return value. 2965 RetEffect RE = Summ.getRetEffect(); 2966 if (RE.getKind() == RetEffect::NoRetHard) { 2967 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 2968 if (Sym) 2969 state = removeRefBinding(state, Sym); 2970 } 2971 2972 C.addTransition(state); 2973 } 2974 2975 static ProgramStateRef updateOutParameter(ProgramStateRef State, 2976 SVal ArgVal, 2977 ArgEffect Effect) { 2978 auto *ArgRegion = dyn_cast_or_null<TypedValueRegion>(ArgVal.getAsRegion()); 2979 if (!ArgRegion) 2980 return State; 2981 2982 QualType PointeeTy = ArgRegion->getValueType(); 2983 if (!coreFoundation::isCFObjectRef(PointeeTy)) 2984 return State; 2985 2986 SVal PointeeVal = State->getSVal(ArgRegion); 2987 SymbolRef Pointee = PointeeVal.getAsLocSymbol(); 2988 if (!Pointee) 2989 return State; 2990 2991 switch (Effect) { 2992 case UnretainedOutParameter: 2993 State = setRefBinding(State, Pointee, 2994 RefVal::makeNotOwned(RetEffect::CF, PointeeTy)); 2995 break; 2996 case RetainedOutParameter: 2997 // Do nothing. Retained out parameters will either point to a +1 reference 2998 // or NULL, but the way you check for failure differs depending on the API. 2999 // Consequently, we don't have a good way to track them yet. 3000 break; 3001 3002 default: 3003 llvm_unreachable("only for out parameters"); 3004 } 3005 3006 return State; 3007 } 3008 3009 void RetainCountChecker::checkSummary(const RetainSummary &Summ, 3010 const CallEvent &CallOrMsg, 3011 CheckerContext &C) const { 3012 ProgramStateRef state = C.getState(); 3013 3014 // Evaluate the effect of the arguments. 3015 RefVal::Kind hasErr = (RefVal::Kind) 0; 3016 SourceRange ErrorRange; 3017 SymbolRef ErrorSym = nullptr; 3018 3019 for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) { 3020 SVal V = CallOrMsg.getArgSVal(idx); 3021 3022 ArgEffect Effect = Summ.getArg(idx); 3023 if (Effect == RetainedOutParameter || Effect == UnretainedOutParameter) { 3024 state = updateOutParameter(state, V, Effect); 3025 } else if (SymbolRef Sym = V.getAsLocSymbol()) { 3026 if (const RefVal *T = getRefBinding(state, Sym)) { 3027 state = updateSymbol(state, Sym, *T, Effect, hasErr, C); 3028 if (hasErr) { 3029 ErrorRange = CallOrMsg.getArgSourceRange(idx); 3030 ErrorSym = Sym; 3031 break; 3032 } 3033 } 3034 } 3035 } 3036 3037 // Evaluate the effect on the message receiver. 3038 bool ReceiverIsTracked = false; 3039 if (!hasErr) { 3040 const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg); 3041 if (MsgInvocation) { 3042 if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) { 3043 if (const RefVal *T = getRefBinding(state, Sym)) { 3044 ReceiverIsTracked = true; 3045 state = updateSymbol(state, Sym, *T, Summ.getReceiverEffect(), 3046 hasErr, C); 3047 if (hasErr) { 3048 ErrorRange = MsgInvocation->getOriginExpr()->getReceiverRange(); 3049 ErrorSym = Sym; 3050 } 3051 } 3052 } 3053 } 3054 } 3055 3056 // Process any errors. 3057 if (hasErr) { 3058 processNonLeakError(state, ErrorRange, hasErr, ErrorSym, C); 3059 return; 3060 } 3061 3062 // Consult the summary for the return value. 3063 RetEffect RE = Summ.getRetEffect(); 3064 3065 if (RE.getKind() == RetEffect::OwnedWhenTrackedReceiver) { 3066 if (ReceiverIsTracked) 3067 RE = getSummaryManager(C).getObjAllocRetEffect(); 3068 else 3069 RE = RetEffect::MakeNoRet(); 3070 } 3071 3072 switch (RE.getKind()) { 3073 default: 3074 llvm_unreachable("Unhandled RetEffect."); 3075 3076 case RetEffect::NoRet: 3077 case RetEffect::NoRetHard: 3078 // No work necessary. 3079 break; 3080 3081 case RetEffect::OwnedAllocatedSymbol: 3082 case RetEffect::OwnedSymbol: { 3083 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 3084 if (!Sym) 3085 break; 3086 3087 // Use the result type from the CallEvent as it automatically adjusts 3088 // for methods/functions that return references. 3089 QualType ResultTy = CallOrMsg.getResultType(); 3090 state = setRefBinding(state, Sym, RefVal::makeOwned(RE.getObjKind(), 3091 ResultTy)); 3092 3093 // FIXME: Add a flag to the checker where allocations are assumed to 3094 // *not* fail. 3095 break; 3096 } 3097 3098 case RetEffect::GCNotOwnedSymbol: 3099 case RetEffect::NotOwnedSymbol: { 3100 const Expr *Ex = CallOrMsg.getOriginExpr(); 3101 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 3102 if (!Sym) 3103 break; 3104 assert(Ex); 3105 // Use GetReturnType in order to give [NSFoo alloc] the type NSFoo *. 3106 QualType ResultTy = GetReturnType(Ex, C.getASTContext()); 3107 state = setRefBinding(state, Sym, RefVal::makeNotOwned(RE.getObjKind(), 3108 ResultTy)); 3109 break; 3110 } 3111 } 3112 3113 // This check is actually necessary; otherwise the statement builder thinks 3114 // we've hit a previously-found path. 3115 // Normally addTransition takes care of this, but we want the node pointer. 3116 ExplodedNode *NewNode; 3117 if (state == C.getState()) { 3118 NewNode = C.getPredecessor(); 3119 } else { 3120 NewNode = C.addTransition(state); 3121 } 3122 3123 // Annotate the node with summary we used. 3124 if (NewNode) { 3125 // FIXME: This is ugly. See checkEndAnalysis for why it's necessary. 3126 if (ShouldResetSummaryLog) { 3127 SummaryLog.clear(); 3128 ShouldResetSummaryLog = false; 3129 } 3130 SummaryLog[NewNode] = &Summ; 3131 } 3132 } 3133 3134 ProgramStateRef 3135 RetainCountChecker::updateSymbol(ProgramStateRef state, SymbolRef sym, 3136 RefVal V, ArgEffect E, RefVal::Kind &hasErr, 3137 CheckerContext &C) const { 3138 // In GC mode [... release] and [... retain] do nothing. 3139 // In ARC mode they shouldn't exist at all, but we just ignore them. 3140 bool IgnoreRetainMsg = C.isObjCGCEnabled(); 3141 if (!IgnoreRetainMsg) 3142 IgnoreRetainMsg = (bool)C.getASTContext().getLangOpts().ObjCAutoRefCount; 3143 3144 switch (E) { 3145 default: 3146 break; 3147 case IncRefMsg: 3148 E = IgnoreRetainMsg ? DoNothing : IncRef; 3149 break; 3150 case DecRefMsg: 3151 E = IgnoreRetainMsg ? DoNothing : DecRef; 3152 break; 3153 case DecRefMsgAndStopTrackingHard: 3154 E = IgnoreRetainMsg ? StopTracking : DecRefAndStopTrackingHard; 3155 break; 3156 case MakeCollectable: 3157 E = C.isObjCGCEnabled() ? DecRef : DoNothing; 3158 break; 3159 } 3160 3161 // Handle all use-after-releases. 3162 if (!C.isObjCGCEnabled() && V.getKind() == RefVal::Released) { 3163 V = V ^ RefVal::ErrorUseAfterRelease; 3164 hasErr = V.getKind(); 3165 return setRefBinding(state, sym, V); 3166 } 3167 3168 switch (E) { 3169 case DecRefMsg: 3170 case IncRefMsg: 3171 case MakeCollectable: 3172 case DecRefMsgAndStopTrackingHard: 3173 llvm_unreachable("DecRefMsg/IncRefMsg/MakeCollectable already converted"); 3174 3175 case UnretainedOutParameter: 3176 case RetainedOutParameter: 3177 llvm_unreachable("Applies to pointer-to-pointer parameters, which should " 3178 "not have ref state."); 3179 3180 case Dealloc: 3181 // Any use of -dealloc in GC is *bad*. 3182 if (C.isObjCGCEnabled()) { 3183 V = V ^ RefVal::ErrorDeallocGC; 3184 hasErr = V.getKind(); 3185 break; 3186 } 3187 3188 switch (V.getKind()) { 3189 default: 3190 llvm_unreachable("Invalid RefVal state for an explicit dealloc."); 3191 case RefVal::Owned: 3192 // The object immediately transitions to the released state. 3193 V = V ^ RefVal::Released; 3194 V.clearCounts(); 3195 return setRefBinding(state, sym, V); 3196 case RefVal::NotOwned: 3197 V = V ^ RefVal::ErrorDeallocNotOwned; 3198 hasErr = V.getKind(); 3199 break; 3200 } 3201 break; 3202 3203 case MayEscape: 3204 if (V.getKind() == RefVal::Owned) { 3205 V = V ^ RefVal::NotOwned; 3206 break; 3207 } 3208 3209 // Fall-through. 3210 3211 case DoNothing: 3212 return state; 3213 3214 case Autorelease: 3215 if (C.isObjCGCEnabled()) 3216 return state; 3217 // Update the autorelease counts. 3218 V = V.autorelease(); 3219 break; 3220 3221 case StopTracking: 3222 case StopTrackingHard: 3223 return removeRefBinding(state, sym); 3224 3225 case IncRef: 3226 switch (V.getKind()) { 3227 default: 3228 llvm_unreachable("Invalid RefVal state for a retain."); 3229 case RefVal::Owned: 3230 case RefVal::NotOwned: 3231 V = V + 1; 3232 break; 3233 case RefVal::Released: 3234 // Non-GC cases are handled above. 3235 assert(C.isObjCGCEnabled()); 3236 V = (V ^ RefVal::Owned) + 1; 3237 break; 3238 } 3239 break; 3240 3241 case DecRef: 3242 case DecRefBridgedTransferred: 3243 case DecRefAndStopTrackingHard: 3244 switch (V.getKind()) { 3245 default: 3246 // case 'RefVal::Released' handled above. 3247 llvm_unreachable("Invalid RefVal state for a release."); 3248 3249 case RefVal::Owned: 3250 assert(V.getCount() > 0); 3251 if (V.getCount() == 1) { 3252 if (E == DecRefBridgedTransferred || 3253 V.getIvarAccessHistory() == 3254 RefVal::IvarAccessHistory::AccessedDirectly) 3255 V = V ^ RefVal::NotOwned; 3256 else 3257 V = V ^ RefVal::Released; 3258 } else if (E == DecRefAndStopTrackingHard) { 3259 return removeRefBinding(state, sym); 3260 } 3261 3262 V = V - 1; 3263 break; 3264 3265 case RefVal::NotOwned: 3266 if (V.getCount() > 0) { 3267 if (E == DecRefAndStopTrackingHard) 3268 return removeRefBinding(state, sym); 3269 V = V - 1; 3270 } else if (V.getIvarAccessHistory() == 3271 RefVal::IvarAccessHistory::AccessedDirectly) { 3272 // Assume that the instance variable was holding on the object at 3273 // +1, and we just didn't know. 3274 if (E == DecRefAndStopTrackingHard) 3275 return removeRefBinding(state, sym); 3276 V = V.releaseViaIvar() ^ RefVal::Released; 3277 } else { 3278 V = V ^ RefVal::ErrorReleaseNotOwned; 3279 hasErr = V.getKind(); 3280 } 3281 break; 3282 3283 case RefVal::Released: 3284 // Non-GC cases are handled above. 3285 assert(C.isObjCGCEnabled()); 3286 V = V ^ RefVal::ErrorUseAfterRelease; 3287 hasErr = V.getKind(); 3288 break; 3289 } 3290 break; 3291 } 3292 return setRefBinding(state, sym, V); 3293 } 3294 3295 void RetainCountChecker::processNonLeakError(ProgramStateRef St, 3296 SourceRange ErrorRange, 3297 RefVal::Kind ErrorKind, 3298 SymbolRef Sym, 3299 CheckerContext &C) const { 3300 // HACK: Ignore retain-count issues on values accessed through ivars, 3301 // because of cases like this: 3302 // [_contentView retain]; 3303 // [_contentView removeFromSuperview]; 3304 // [self addSubview:_contentView]; // invalidates 'self' 3305 // [_contentView release]; 3306 if (const RefVal *RV = getRefBinding(St, Sym)) 3307 if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3308 return; 3309 3310 ExplodedNode *N = C.generateErrorNode(St); 3311 if (!N) 3312 return; 3313 3314 CFRefBug *BT; 3315 switch (ErrorKind) { 3316 default: 3317 llvm_unreachable("Unhandled error."); 3318 case RefVal::ErrorUseAfterRelease: 3319 if (!useAfterRelease) 3320 useAfterRelease.reset(new UseAfterRelease(this)); 3321 BT = useAfterRelease.get(); 3322 break; 3323 case RefVal::ErrorReleaseNotOwned: 3324 if (!releaseNotOwned) 3325 releaseNotOwned.reset(new BadRelease(this)); 3326 BT = releaseNotOwned.get(); 3327 break; 3328 case RefVal::ErrorDeallocGC: 3329 if (!deallocGC) 3330 deallocGC.reset(new DeallocGC(this)); 3331 BT = deallocGC.get(); 3332 break; 3333 case RefVal::ErrorDeallocNotOwned: 3334 if (!deallocNotOwned) 3335 deallocNotOwned.reset(new DeallocNotOwned(this)); 3336 BT = deallocNotOwned.get(); 3337 break; 3338 } 3339 3340 assert(BT); 3341 auto report = std::unique_ptr<BugReport>( 3342 new CFRefReport(*BT, C.getASTContext().getLangOpts(), C.isObjCGCEnabled(), 3343 SummaryLog, N, Sym)); 3344 report->addRange(ErrorRange); 3345 C.emitReport(std::move(report)); 3346 } 3347 3348 //===----------------------------------------------------------------------===// 3349 // Handle the return values of retain-count-related functions. 3350 //===----------------------------------------------------------------------===// 3351 3352 bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 3353 // Get the callee. We're only interested in simple C functions. 3354 ProgramStateRef state = C.getState(); 3355 const FunctionDecl *FD = C.getCalleeDecl(CE); 3356 if (!FD) 3357 return false; 3358 3359 IdentifierInfo *II = FD->getIdentifier(); 3360 if (!II) 3361 return false; 3362 3363 // For now, we're only handling the functions that return aliases of their 3364 // arguments: CFRetain and CFMakeCollectable (and their families). 3365 // Eventually we should add other functions we can model entirely, 3366 // such as CFRelease, which don't invalidate their arguments or globals. 3367 if (CE->getNumArgs() != 1) 3368 return false; 3369 3370 // Get the name of the function. 3371 StringRef FName = II->getName(); 3372 FName = FName.substr(FName.find_first_not_of('_')); 3373 3374 // See if it's one of the specific functions we know how to eval. 3375 bool canEval = false; 3376 3377 QualType ResultTy = CE->getCallReturnType(C.getASTContext()); 3378 if (ResultTy->isObjCIdType()) { 3379 // Handle: id NSMakeCollectable(CFTypeRef) 3380 canEval = II->isStr("NSMakeCollectable"); 3381 } else if (ResultTy->isPointerType()) { 3382 // Handle: (CF|CG)Retain 3383 // CFAutorelease 3384 // CFMakeCollectable 3385 // It's okay to be a little sloppy here (CGMakeCollectable doesn't exist). 3386 if (cocoa::isRefType(ResultTy, "CF", FName) || 3387 cocoa::isRefType(ResultTy, "CG", FName)) { 3388 canEval = isRetain(FD, FName) || isAutorelease(FD, FName) || 3389 isMakeCollectable(FD, FName); 3390 } 3391 } 3392 3393 if (!canEval) 3394 return false; 3395 3396 // Bind the return value. 3397 const LocationContext *LCtx = C.getLocationContext(); 3398 SVal RetVal = state->getSVal(CE->getArg(0), LCtx); 3399 if (RetVal.isUnknown()) { 3400 // If the receiver is unknown, conjure a return value. 3401 SValBuilder &SVB = C.getSValBuilder(); 3402 RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount()); 3403 } 3404 state = state->BindExpr(CE, LCtx, RetVal, false); 3405 3406 // FIXME: This should not be necessary, but otherwise the argument seems to be 3407 // considered alive during the next statement. 3408 if (const MemRegion *ArgRegion = RetVal.getAsRegion()) { 3409 // Save the refcount status of the argument. 3410 SymbolRef Sym = RetVal.getAsLocSymbol(); 3411 const RefVal *Binding = nullptr; 3412 if (Sym) 3413 Binding = getRefBinding(state, Sym); 3414 3415 // Invalidate the argument region. 3416 state = state->invalidateRegions(ArgRegion, CE, C.blockCount(), LCtx, 3417 /*CausesPointerEscape*/ false); 3418 3419 // Restore the refcount status of the argument. 3420 if (Binding) 3421 state = setRefBinding(state, Sym, *Binding); 3422 } 3423 3424 C.addTransition(state); 3425 return true; 3426 } 3427 3428 //===----------------------------------------------------------------------===// 3429 // Handle return statements. 3430 //===----------------------------------------------------------------------===// 3431 3432 void RetainCountChecker::checkPreStmt(const ReturnStmt *S, 3433 CheckerContext &C) const { 3434 3435 // Only adjust the reference count if this is the top-level call frame, 3436 // and not the result of inlining. In the future, we should do 3437 // better checking even for inlined calls, and see if they match 3438 // with their expected semantics (e.g., the method should return a retained 3439 // object, etc.). 3440 if (!C.inTopFrame()) 3441 return; 3442 3443 const Expr *RetE = S->getRetValue(); 3444 if (!RetE) 3445 return; 3446 3447 ProgramStateRef state = C.getState(); 3448 SymbolRef Sym = 3449 state->getSValAsScalarOrLoc(RetE, C.getLocationContext()).getAsLocSymbol(); 3450 if (!Sym) 3451 return; 3452 3453 // Get the reference count binding (if any). 3454 const RefVal *T = getRefBinding(state, Sym); 3455 if (!T) 3456 return; 3457 3458 // Change the reference count. 3459 RefVal X = *T; 3460 3461 switch (X.getKind()) { 3462 case RefVal::Owned: { 3463 unsigned cnt = X.getCount(); 3464 assert(cnt > 0); 3465 X.setCount(cnt - 1); 3466 X = X ^ RefVal::ReturnedOwned; 3467 break; 3468 } 3469 3470 case RefVal::NotOwned: { 3471 unsigned cnt = X.getCount(); 3472 if (cnt) { 3473 X.setCount(cnt - 1); 3474 X = X ^ RefVal::ReturnedOwned; 3475 } 3476 else { 3477 X = X ^ RefVal::ReturnedNotOwned; 3478 } 3479 break; 3480 } 3481 3482 default: 3483 return; 3484 } 3485 3486 // Update the binding. 3487 state = setRefBinding(state, Sym, X); 3488 ExplodedNode *Pred = C.addTransition(state); 3489 3490 // At this point we have updated the state properly. 3491 // Everything after this is merely checking to see if the return value has 3492 // been over- or under-retained. 3493 3494 // Did we cache out? 3495 if (!Pred) 3496 return; 3497 3498 // Update the autorelease counts. 3499 static CheckerProgramPointTag AutoreleaseTag(this, "Autorelease"); 3500 state = handleAutoreleaseCounts(state, Pred, &AutoreleaseTag, C, Sym, X); 3501 3502 // Did we cache out? 3503 if (!state) 3504 return; 3505 3506 // Get the updated binding. 3507 T = getRefBinding(state, Sym); 3508 assert(T); 3509 X = *T; 3510 3511 // Consult the summary of the enclosing method. 3512 RetainSummaryManager &Summaries = getSummaryManager(C); 3513 const Decl *CD = &Pred->getCodeDecl(); 3514 RetEffect RE = RetEffect::MakeNoRet(); 3515 3516 // FIXME: What is the convention for blocks? Is there one? 3517 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(CD)) { 3518 const RetainSummary *Summ = Summaries.getMethodSummary(MD); 3519 RE = Summ->getRetEffect(); 3520 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CD)) { 3521 if (!isa<CXXMethodDecl>(FD)) { 3522 const RetainSummary *Summ = Summaries.getFunctionSummary(FD); 3523 RE = Summ->getRetEffect(); 3524 } 3525 } 3526 3527 checkReturnWithRetEffect(S, C, Pred, RE, X, Sym, state); 3528 } 3529 3530 void RetainCountChecker::checkReturnWithRetEffect(const ReturnStmt *S, 3531 CheckerContext &C, 3532 ExplodedNode *Pred, 3533 RetEffect RE, RefVal X, 3534 SymbolRef Sym, 3535 ProgramStateRef state) const { 3536 // HACK: Ignore retain-count issues on values accessed through ivars, 3537 // because of cases like this: 3538 // [_contentView retain]; 3539 // [_contentView removeFromSuperview]; 3540 // [self addSubview:_contentView]; // invalidates 'self' 3541 // [_contentView release]; 3542 if (X.getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3543 return; 3544 3545 // Any leaks or other errors? 3546 if (X.isReturnedOwned() && X.getCount() == 0) { 3547 if (RE.getKind() != RetEffect::NoRet) { 3548 bool hasError = false; 3549 if (C.isObjCGCEnabled() && RE.getObjKind() == RetEffect::ObjC) { 3550 // Things are more complicated with garbage collection. If the 3551 // returned object is suppose to be an Objective-C object, we have 3552 // a leak (as the caller expects a GC'ed object) because no 3553 // method should return ownership unless it returns a CF object. 3554 hasError = true; 3555 X = X ^ RefVal::ErrorGCLeakReturned; 3556 } 3557 else if (!RE.isOwned()) { 3558 // Either we are using GC and the returned object is a CF type 3559 // or we aren't using GC. In either case, we expect that the 3560 // enclosing method is expected to return ownership. 3561 hasError = true; 3562 X = X ^ RefVal::ErrorLeakReturned; 3563 } 3564 3565 if (hasError) { 3566 // Generate an error node. 3567 state = setRefBinding(state, Sym, X); 3568 3569 static CheckerProgramPointTag ReturnOwnLeakTag(this, "ReturnsOwnLeak"); 3570 ExplodedNode *N = C.addTransition(state, Pred, &ReturnOwnLeakTag); 3571 if (N) { 3572 const LangOptions &LOpts = C.getASTContext().getLangOpts(); 3573 bool GCEnabled = C.isObjCGCEnabled(); 3574 C.emitReport(std::unique_ptr<BugReport>(new CFRefLeakReport( 3575 *getLeakAtReturnBug(LOpts, GCEnabled), LOpts, GCEnabled, 3576 SummaryLog, N, Sym, C, IncludeAllocationLine))); 3577 } 3578 } 3579 } 3580 } else if (X.isReturnedNotOwned()) { 3581 if (RE.isOwned()) { 3582 if (X.getIvarAccessHistory() == 3583 RefVal::IvarAccessHistory::AccessedDirectly) { 3584 // Assume the method was trying to transfer a +1 reference from a 3585 // strong ivar to the caller. 3586 state = setRefBinding(state, Sym, 3587 X.releaseViaIvar() ^ RefVal::ReturnedOwned); 3588 } else { 3589 // Trying to return a not owned object to a caller expecting an 3590 // owned object. 3591 state = setRefBinding(state, Sym, X ^ RefVal::ErrorReturnedNotOwned); 3592 3593 static CheckerProgramPointTag 3594 ReturnNotOwnedTag(this, "ReturnNotOwnedForOwned"); 3595 3596 ExplodedNode *N = C.addTransition(state, Pred, &ReturnNotOwnedTag); 3597 if (N) { 3598 if (!returnNotOwnedForOwned) 3599 returnNotOwnedForOwned.reset(new ReturnedNotOwnedForOwned(this)); 3600 3601 C.emitReport(std::unique_ptr<BugReport>(new CFRefReport( 3602 *returnNotOwnedForOwned, C.getASTContext().getLangOpts(), 3603 C.isObjCGCEnabled(), SummaryLog, N, Sym))); 3604 } 3605 } 3606 } 3607 } 3608 } 3609 3610 //===----------------------------------------------------------------------===// 3611 // Check various ways a symbol can be invalidated. 3612 //===----------------------------------------------------------------------===// 3613 3614 void RetainCountChecker::checkBind(SVal loc, SVal val, const Stmt *S, 3615 CheckerContext &C) const { 3616 // Are we storing to something that causes the value to "escape"? 3617 bool escapes = true; 3618 3619 // A value escapes in three possible cases (this may change): 3620 // 3621 // (1) we are binding to something that is not a memory region. 3622 // (2) we are binding to a memregion that does not have stack storage 3623 // (3) we are binding to a memregion with stack storage that the store 3624 // does not understand. 3625 ProgramStateRef state = C.getState(); 3626 3627 if (Optional<loc::MemRegionVal> regionLoc = loc.getAs<loc::MemRegionVal>()) { 3628 escapes = !regionLoc->getRegion()->hasStackStorage(); 3629 3630 if (!escapes) { 3631 // To test (3), generate a new state with the binding added. If it is 3632 // the same state, then it escapes (since the store cannot represent 3633 // the binding). 3634 // Do this only if we know that the store is not supposed to generate the 3635 // same state. 3636 SVal StoredVal = state->getSVal(regionLoc->getRegion()); 3637 if (StoredVal != val) 3638 escapes = (state == (state->bindLoc(*regionLoc, val))); 3639 } 3640 if (!escapes) { 3641 // Case 4: We do not currently model what happens when a symbol is 3642 // assigned to a struct field, so be conservative here and let the symbol 3643 // go. TODO: This could definitely be improved upon. 3644 escapes = !isa<VarRegion>(regionLoc->getRegion()); 3645 } 3646 } 3647 3648 // If we are storing the value into an auto function scope variable annotated 3649 // with (__attribute__((cleanup))), stop tracking the value to avoid leak 3650 // false positives. 3651 if (const VarRegion *LVR = dyn_cast_or_null<VarRegion>(loc.getAsRegion())) { 3652 const VarDecl *VD = LVR->getDecl(); 3653 if (VD->hasAttr<CleanupAttr>()) { 3654 escapes = true; 3655 } 3656 } 3657 3658 // If our store can represent the binding and we aren't storing to something 3659 // that doesn't have local storage then just return and have the simulation 3660 // state continue as is. 3661 if (!escapes) 3662 return; 3663 3664 // Otherwise, find all symbols referenced by 'val' that we are tracking 3665 // and stop tracking them. 3666 state = state->scanReachableSymbols<StopTrackingCallback>(val).getState(); 3667 C.addTransition(state); 3668 } 3669 3670 ProgramStateRef RetainCountChecker::evalAssume(ProgramStateRef state, 3671 SVal Cond, 3672 bool Assumption) const { 3673 // FIXME: We may add to the interface of evalAssume the list of symbols 3674 // whose assumptions have changed. For now we just iterate through the 3675 // bindings and check if any of the tracked symbols are NULL. This isn't 3676 // too bad since the number of symbols we will track in practice are 3677 // probably small and evalAssume is only called at branches and a few 3678 // other places. 3679 RefBindingsTy B = state->get<RefBindings>(); 3680 3681 if (B.isEmpty()) 3682 return state; 3683 3684 bool changed = false; 3685 RefBindingsTy::Factory &RefBFactory = state->get_context<RefBindings>(); 3686 3687 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3688 // Check if the symbol is null stop tracking the symbol. 3689 ConstraintManager &CMgr = state->getConstraintManager(); 3690 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 3691 if (AllocFailed.isConstrainedTrue()) { 3692 changed = true; 3693 B = RefBFactory.remove(B, I.getKey()); 3694 } 3695 } 3696 3697 if (changed) 3698 state = state->set<RefBindings>(B); 3699 3700 return state; 3701 } 3702 3703 ProgramStateRef 3704 RetainCountChecker::checkRegionChanges(ProgramStateRef state, 3705 const InvalidatedSymbols *invalidated, 3706 ArrayRef<const MemRegion *> ExplicitRegions, 3707 ArrayRef<const MemRegion *> Regions, 3708 const CallEvent *Call) const { 3709 if (!invalidated) 3710 return state; 3711 3712 llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; 3713 for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), 3714 E = ExplicitRegions.end(); I != E; ++I) { 3715 if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>()) 3716 WhitelistedSymbols.insert(SR->getSymbol()); 3717 } 3718 3719 for (InvalidatedSymbols::const_iterator I=invalidated->begin(), 3720 E = invalidated->end(); I!=E; ++I) { 3721 SymbolRef sym = *I; 3722 if (WhitelistedSymbols.count(sym)) 3723 continue; 3724 // Remove any existing reference-count binding. 3725 state = removeRefBinding(state, sym); 3726 } 3727 return state; 3728 } 3729 3730 //===----------------------------------------------------------------------===// 3731 // Handle dead symbols and end-of-path. 3732 //===----------------------------------------------------------------------===// 3733 3734 ProgramStateRef 3735 RetainCountChecker::handleAutoreleaseCounts(ProgramStateRef state, 3736 ExplodedNode *Pred, 3737 const ProgramPointTag *Tag, 3738 CheckerContext &Ctx, 3739 SymbolRef Sym, RefVal V) const { 3740 unsigned ACnt = V.getAutoreleaseCount(); 3741 3742 // No autorelease counts? Nothing to be done. 3743 if (!ACnt) 3744 return state; 3745 3746 assert(!Ctx.isObjCGCEnabled() && "Autorelease counts in GC mode?"); 3747 unsigned Cnt = V.getCount(); 3748 3749 // FIXME: Handle sending 'autorelease' to already released object. 3750 3751 if (V.getKind() == RefVal::ReturnedOwned) 3752 ++Cnt; 3753 3754 // If we would over-release here, but we know the value came from an ivar, 3755 // assume it was a strong ivar that's just been relinquished. 3756 if (ACnt > Cnt && 3757 V.getIvarAccessHistory() == RefVal::IvarAccessHistory::AccessedDirectly) { 3758 V = V.releaseViaIvar(); 3759 --ACnt; 3760 } 3761 3762 if (ACnt <= Cnt) { 3763 if (ACnt == Cnt) { 3764 V.clearCounts(); 3765 if (V.getKind() == RefVal::ReturnedOwned) 3766 V = V ^ RefVal::ReturnedNotOwned; 3767 else 3768 V = V ^ RefVal::NotOwned; 3769 } else { 3770 V.setCount(V.getCount() - ACnt); 3771 V.setAutoreleaseCount(0); 3772 } 3773 return setRefBinding(state, Sym, V); 3774 } 3775 3776 // HACK: Ignore retain-count issues on values accessed through ivars, 3777 // because of cases like this: 3778 // [_contentView retain]; 3779 // [_contentView removeFromSuperview]; 3780 // [self addSubview:_contentView]; // invalidates 'self' 3781 // [_contentView release]; 3782 if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3783 return state; 3784 3785 // Woah! More autorelease counts then retain counts left. 3786 // Emit hard error. 3787 V = V ^ RefVal::ErrorOverAutorelease; 3788 state = setRefBinding(state, Sym, V); 3789 3790 ExplodedNode *N = Ctx.generateSink(state, Pred, Tag); 3791 if (N) { 3792 SmallString<128> sbuf; 3793 llvm::raw_svector_ostream os(sbuf); 3794 os << "Object was autoreleased "; 3795 if (V.getAutoreleaseCount() > 1) 3796 os << V.getAutoreleaseCount() << " times but the object "; 3797 else 3798 os << "but "; 3799 os << "has a +" << V.getCount() << " retain count"; 3800 3801 if (!overAutorelease) 3802 overAutorelease.reset(new OverAutorelease(this)); 3803 3804 const LangOptions &LOpts = Ctx.getASTContext().getLangOpts(); 3805 Ctx.emitReport(std::unique_ptr<BugReport>( 3806 new CFRefReport(*overAutorelease, LOpts, /* GCEnabled = */ false, 3807 SummaryLog, N, Sym, os.str()))); 3808 } 3809 3810 return nullptr; 3811 } 3812 3813 ProgramStateRef 3814 RetainCountChecker::handleSymbolDeath(ProgramStateRef state, 3815 SymbolRef sid, RefVal V, 3816 SmallVectorImpl<SymbolRef> &Leaked) const { 3817 bool hasLeak; 3818 3819 // HACK: Ignore retain-count issues on values accessed through ivars, 3820 // because of cases like this: 3821 // [_contentView retain]; 3822 // [_contentView removeFromSuperview]; 3823 // [self addSubview:_contentView]; // invalidates 'self' 3824 // [_contentView release]; 3825 if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None) 3826 hasLeak = false; 3827 else if (V.isOwned()) 3828 hasLeak = true; 3829 else if (V.isNotOwned() || V.isReturnedOwned()) 3830 hasLeak = (V.getCount() > 0); 3831 else 3832 hasLeak = false; 3833 3834 if (!hasLeak) 3835 return removeRefBinding(state, sid); 3836 3837 Leaked.push_back(sid); 3838 return setRefBinding(state, sid, V ^ RefVal::ErrorLeak); 3839 } 3840 3841 ExplodedNode * 3842 RetainCountChecker::processLeaks(ProgramStateRef state, 3843 SmallVectorImpl<SymbolRef> &Leaked, 3844 CheckerContext &Ctx, 3845 ExplodedNode *Pred) const { 3846 // Generate an intermediate node representing the leak point. 3847 ExplodedNode *N = Ctx.addTransition(state, Pred); 3848 3849 if (N) { 3850 for (SmallVectorImpl<SymbolRef>::iterator 3851 I = Leaked.begin(), E = Leaked.end(); I != E; ++I) { 3852 3853 const LangOptions &LOpts = Ctx.getASTContext().getLangOpts(); 3854 bool GCEnabled = Ctx.isObjCGCEnabled(); 3855 CFRefBug *BT = Pred ? getLeakWithinFunctionBug(LOpts, GCEnabled) 3856 : getLeakAtReturnBug(LOpts, GCEnabled); 3857 assert(BT && "BugType not initialized."); 3858 3859 Ctx.emitReport(std::unique_ptr<BugReport>( 3860 new CFRefLeakReport(*BT, LOpts, GCEnabled, SummaryLog, N, *I, Ctx, 3861 IncludeAllocationLine))); 3862 } 3863 } 3864 3865 return N; 3866 } 3867 3868 void RetainCountChecker::checkEndFunction(CheckerContext &Ctx) const { 3869 ProgramStateRef state = Ctx.getState(); 3870 RefBindingsTy B = state->get<RefBindings>(); 3871 ExplodedNode *Pred = Ctx.getPredecessor(); 3872 3873 // Don't process anything within synthesized bodies. 3874 const LocationContext *LCtx = Pred->getLocationContext(); 3875 if (LCtx->getAnalysisDeclContext()->isBodyAutosynthesized()) { 3876 assert(LCtx->getParent()); 3877 return; 3878 } 3879 3880 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3881 state = handleAutoreleaseCounts(state, Pred, /*Tag=*/nullptr, Ctx, 3882 I->first, I->second); 3883 if (!state) 3884 return; 3885 } 3886 3887 // If the current LocationContext has a parent, don't check for leaks. 3888 // We will do that later. 3889 // FIXME: we should instead check for imbalances of the retain/releases, 3890 // and suggest annotations. 3891 if (LCtx->getParent()) 3892 return; 3893 3894 B = state->get<RefBindings>(); 3895 SmallVector<SymbolRef, 10> Leaked; 3896 3897 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) 3898 state = handleSymbolDeath(state, I->first, I->second, Leaked); 3899 3900 processLeaks(state, Leaked, Ctx, Pred); 3901 } 3902 3903 const ProgramPointTag * 3904 RetainCountChecker::getDeadSymbolTag(SymbolRef sym) const { 3905 const CheckerProgramPointTag *&tag = DeadSymbolTags[sym]; 3906 if (!tag) { 3907 SmallString<64> buf; 3908 llvm::raw_svector_ostream out(buf); 3909 out << "Dead Symbol : "; 3910 sym->dumpToStream(out); 3911 tag = new CheckerProgramPointTag(this, out.str()); 3912 } 3913 return tag; 3914 } 3915 3916 void RetainCountChecker::checkDeadSymbols(SymbolReaper &SymReaper, 3917 CheckerContext &C) const { 3918 ExplodedNode *Pred = C.getPredecessor(); 3919 3920 ProgramStateRef state = C.getState(); 3921 RefBindingsTy B = state->get<RefBindings>(); 3922 SmallVector<SymbolRef, 10> Leaked; 3923 3924 // Update counts from autorelease pools 3925 for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(), 3926 E = SymReaper.dead_end(); I != E; ++I) { 3927 SymbolRef Sym = *I; 3928 if (const RefVal *T = B.lookup(Sym)){ 3929 // Use the symbol as the tag. 3930 // FIXME: This might not be as unique as we would like. 3931 const ProgramPointTag *Tag = getDeadSymbolTag(Sym); 3932 state = handleAutoreleaseCounts(state, Pred, Tag, C, Sym, *T); 3933 if (!state) 3934 return; 3935 3936 // Fetch the new reference count from the state, and use it to handle 3937 // this symbol. 3938 state = handleSymbolDeath(state, *I, *getRefBinding(state, Sym), Leaked); 3939 } 3940 } 3941 3942 if (Leaked.empty()) { 3943 C.addTransition(state); 3944 return; 3945 } 3946 3947 Pred = processLeaks(state, Leaked, C, Pred); 3948 3949 // Did we cache out? 3950 if (!Pred) 3951 return; 3952 3953 // Now generate a new node that nukes the old bindings. 3954 // The only bindings left at this point are the leaked symbols. 3955 RefBindingsTy::Factory &F = state->get_context<RefBindings>(); 3956 B = state->get<RefBindings>(); 3957 3958 for (SmallVectorImpl<SymbolRef>::iterator I = Leaked.begin(), 3959 E = Leaked.end(); 3960 I != E; ++I) 3961 B = F.remove(B, *I); 3962 3963 state = state->set<RefBindings>(B); 3964 C.addTransition(state, Pred); 3965 } 3966 3967 void RetainCountChecker::printState(raw_ostream &Out, ProgramStateRef State, 3968 const char *NL, const char *Sep) const { 3969 3970 RefBindingsTy B = State->get<RefBindings>(); 3971 3972 if (B.isEmpty()) 3973 return; 3974 3975 Out << Sep << NL; 3976 3977 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3978 Out << I->first << " : "; 3979 I->second.print(Out); 3980 Out << NL; 3981 } 3982 } 3983 3984 //===----------------------------------------------------------------------===// 3985 // Checker registration. 3986 //===----------------------------------------------------------------------===// 3987 3988 void ento::registerRetainCountChecker(CheckerManager &Mgr) { 3989 Mgr.registerChecker<RetainCountChecker>(Mgr.getAnalyzerOptions()); 3990 } 3991 3992 //===----------------------------------------------------------------------===// 3993 // Implementation of the CallEffects API. 3994 //===----------------------------------------------------------------------===// 3995 3996 namespace clang { 3997 namespace ento { 3998 namespace objc_retain { 3999 4000 // This is a bit gross, but it allows us to populate CallEffects without 4001 // creating a bunch of accessors. This kind is very localized, so the 4002 // damage of this macro is limited. 4003 #define createCallEffect(D, KIND)\ 4004 ASTContext &Ctx = D->getASTContext();\ 4005 LangOptions L = Ctx.getLangOpts();\ 4006 RetainSummaryManager M(Ctx, L.GCOnly, L.ObjCAutoRefCount);\ 4007 const RetainSummary *S = M.get ## KIND ## Summary(D);\ 4008 CallEffects CE(S->getRetEffect());\ 4009 CE.Receiver = S->getReceiverEffect();\ 4010 unsigned N = D->param_size();\ 4011 for (unsigned i = 0; i < N; ++i) {\ 4012 CE.Args.push_back(S->getArg(i));\ 4013 } 4014 4015 CallEffects CallEffects::getEffect(const ObjCMethodDecl *MD) { 4016 createCallEffect(MD, Method); 4017 return CE; 4018 } 4019 4020 CallEffects CallEffects::getEffect(const FunctionDecl *FD) { 4021 createCallEffect(FD, Function); 4022 return CE; 4023 } 4024 4025 #undef createCallEffect 4026 4027 } // end namespace objc_retain 4028 } // end namespace ento 4029 } // end namespace clang 4030
