retain-release.m revision 83300e884d0cfb78a2e8f889b65a77e6781456fe
1// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-check-objc-mem -analyzer-store=basic -fblocks -verify %s 2// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-check-objc-mem -analyzer-store=region -fblocks -verify %s 3 4#if __has_feature(attribute_ns_returns_retained) 5#define NS_RETURNS_RETAINED __attribute__((ns_returns_retained)) 6#endif 7#if __has_feature(attribute_cf_returns_retained) 8#define CF_RETURNS_RETAINED __attribute__((cf_returns_retained)) 9#endif 10#if __has_feature(attribute_ns_returns_not_retained) 11#define NS_RETURNS_NOT_RETAINED __attribute__((ns_returns_not_retained)) 12#endif 13#if __has_feature(attribute_cf_returns_not_retained) 14#define CF_RETURNS_NOT_RETAINED __attribute__((cf_returns_not_retained)) 15#endif 16 17//===----------------------------------------------------------------------===// 18// The following code is reduced using delta-debugging from Mac OS X headers: 19// 20// #include <Cocoa/Cocoa.h> 21// #include <CoreFoundation/CoreFoundation.h> 22// #include <DiskArbitration/DiskArbitration.h> 23// #include <QuartzCore/QuartzCore.h> 24// #include <Quartz/Quartz.h> 25// #include <IOKit/IOKitLib.h> 26// 27// It includes the basic definitions for the test cases below. 28//===----------------------------------------------------------------------===// 29 30typedef unsigned int __darwin_natural_t; 31typedef unsigned long uintptr_t; 32typedef unsigned int uint32_t; 33typedef unsigned long long uint64_t; 34typedef unsigned int UInt32; 35typedef signed long CFIndex; 36typedef struct { 37 CFIndex location; 38 CFIndex length; 39} CFRange; 40static __inline__ __attribute__((always_inline)) CFRange CFRangeMake(CFIndex loc, CFIndex len) { 41 CFRange range; 42 range.location = loc; 43 range.length = len; 44 return range; 45} 46typedef const void * CFTypeRef; 47typedef const struct __CFString * CFStringRef; 48typedef const struct __CFAllocator * CFAllocatorRef; 49extern const CFAllocatorRef kCFAllocatorDefault; 50extern CFTypeRef CFRetain(CFTypeRef cf); 51extern void CFRelease(CFTypeRef cf); 52typedef struct { 53} 54CFArrayCallBacks; 55extern const CFArrayCallBacks kCFTypeArrayCallBacks; 56typedef const struct __CFArray * CFArrayRef; 57typedef struct __CFArray * CFMutableArrayRef; 58extern CFMutableArrayRef CFArrayCreateMutable(CFAllocatorRef allocator, CFIndex capacity, const CFArrayCallBacks *callBacks); 59extern const void *CFArrayGetValueAtIndex(CFArrayRef theArray, CFIndex idx); 60extern void CFArrayAppendValue(CFMutableArrayRef theArray, const void *value); 61typedef struct { 62} 63CFDictionaryKeyCallBacks; 64extern const CFDictionaryKeyCallBacks kCFTypeDictionaryKeyCallBacks; 65typedef struct { 66} 67CFDictionaryValueCallBacks; 68extern const CFDictionaryValueCallBacks kCFTypeDictionaryValueCallBacks; 69typedef const struct __CFDictionary * CFDictionaryRef; 70typedef struct __CFDictionary * CFMutableDictionaryRef; 71extern CFMutableDictionaryRef CFDictionaryCreateMutable(CFAllocatorRef allocator, CFIndex capacity, const CFDictionaryKeyCallBacks *keyCallBacks, const CFDictionaryValueCallBacks *valueCallBacks); 72typedef UInt32 CFStringEncoding; 73enum { 74kCFStringEncodingMacRoman = 0, kCFStringEncodingWindowsLatin1 = 0x0500, kCFStringEncodingISOLatin1 = 0x0201, kCFStringEncodingNextStepLatin = 0x0B01, kCFStringEncodingASCII = 0x0600, kCFStringEncodingUnicode = 0x0100, kCFStringEncodingUTF8 = 0x08000100, kCFStringEncodingNonLossyASCII = 0x0BFF , kCFStringEncodingUTF16 = 0x0100, kCFStringEncodingUTF16BE = 0x10000100, kCFStringEncodingUTF16LE = 0x14000100, kCFStringEncodingUTF32 = 0x0c000100, kCFStringEncodingUTF32BE = 0x18000100, kCFStringEncodingUTF32LE = 0x1c000100 }; 75extern CFStringRef CFStringCreateWithCString(CFAllocatorRef alloc, const char *cStr, CFStringEncoding encoding); 76typedef double CFTimeInterval; 77typedef CFTimeInterval CFAbsoluteTime; 78extern CFAbsoluteTime CFAbsoluteTimeGetCurrent(void); 79typedef const struct __CFDate * CFDateRef; 80extern CFDateRef CFDateCreate(CFAllocatorRef allocator, CFAbsoluteTime at); 81extern CFAbsoluteTime CFDateGetAbsoluteTime(CFDateRef theDate); 82typedef __darwin_natural_t natural_t; 83typedef natural_t mach_port_name_t; 84typedef mach_port_name_t mach_port_t; 85typedef int kern_return_t; 86typedef kern_return_t mach_error_t; 87enum { 88kCFNumberSInt8Type = 1, kCFNumberSInt16Type = 2, kCFNumberSInt32Type = 3, kCFNumberSInt64Type = 4, kCFNumberFloat32Type = 5, kCFNumberFloat64Type = 6, kCFNumberCharType = 7, kCFNumberShortType = 8, kCFNumberIntType = 9, kCFNumberLongType = 10, kCFNumberLongLongType = 11, kCFNumberFloatType = 12, kCFNumberDoubleType = 13, kCFNumberCFIndexType = 14, kCFNumberNSIntegerType = 15, kCFNumberCGFloatType = 16, kCFNumberMaxType = 16 }; 89typedef CFIndex CFNumberType; 90typedef const struct __CFNumber * CFNumberRef; 91extern CFNumberRef CFNumberCreate(CFAllocatorRef allocator, CFNumberType theType, const void *valuePtr); 92typedef const struct __CFAttributedString *CFAttributedStringRef; 93typedef struct __CFAttributedString *CFMutableAttributedStringRef; 94extern CFAttributedStringRef CFAttributedStringCreate(CFAllocatorRef alloc, CFStringRef str, CFDictionaryRef attributes) ; 95extern CFMutableAttributedStringRef CFAttributedStringCreateMutableCopy(CFAllocatorRef alloc, CFIndex maxLength, CFAttributedStringRef aStr) ; 96extern void CFAttributedStringSetAttribute(CFMutableAttributedStringRef aStr, CFRange range, CFStringRef attrName, CFTypeRef value) ; 97typedef signed char BOOL; 98typedef unsigned long NSUInteger; 99@class NSString, Protocol; 100extern void NSLog(NSString *format, ...) __attribute__((format(__NSString__, 1, 2))); 101typedef struct _NSZone NSZone; 102@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator; 103@protocol NSObject 104- (BOOL)isEqual:(id)object; 105- (id)retain; 106- (oneway void)release; 107- (id)autorelease; 108@end @protocol NSCopying - (id)copyWithZone:(NSZone *)zone; 109@end @protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; 110@end @protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; 111@end 112@interface NSObject <NSObject> {} 113+ (id)allocWithZone:(NSZone *)zone; 114+ (id)alloc; 115- (void)dealloc; 116@end 117@interface NSObject (NSCoderMethods) 118- (id)awakeAfterUsingCoder:(NSCoder *)aDecoder; 119@end 120extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); 121typedef struct { 122} 123NSFastEnumerationState; 124@protocol NSFastEnumeration - (NSUInteger)countByEnumeratingWithState:(NSFastEnumerationState *)state objects:(id *)stackbuf count:(NSUInteger)len; 125@end @class NSString, NSDictionary; 126@interface NSValue : NSObject <NSCopying, NSCoding> - (void)getValue:(void *)value; 127@end @interface NSNumber : NSValue - (char)charValue; 128- (id)initWithInt:(int)value; 129@end @class NSString; 130@interface NSArray : NSObject <NSCopying, NSMutableCopying, NSCoding, NSFastEnumeration> - (NSUInteger)count; 131@end @interface NSArray (NSArrayCreation) + (id)array; 132@end @interface NSAutoreleasePool : NSObject { 133} 134- (void)drain; 135@end extern NSString * const NSBundleDidLoadNotification; 136typedef double NSTimeInterval; 137@interface NSDate : NSObject <NSCopying, NSCoding> - (NSTimeInterval)timeIntervalSinceReferenceDate; 138@end typedef unsigned short unichar; 139@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding> - (NSUInteger)length; 140- ( const char *)UTF8String; 141- (id)initWithUTF8String:(const char *)nullTerminatedCString; 142+ (id)stringWithUTF8String:(const char *)nullTerminatedCString; 143@end @class NSString, NSURL, NSError; 144@interface NSData : NSObject <NSCopying, NSMutableCopying, NSCoding> - (NSUInteger)length; 145+ (id)dataWithBytesNoCopy:(void *)bytes length:(NSUInteger)length; 146+ (id)dataWithBytesNoCopy:(void *)bytes length:(NSUInteger)length freeWhenDone:(BOOL)b; 147@end @class NSLocale, NSDate, NSCalendar, NSTimeZone, NSError, NSArray, NSMutableDictionary; 148@interface NSDictionary : NSObject <NSCopying, NSMutableCopying, NSCoding, NSFastEnumeration> - (NSUInteger)count; 149@end @interface NSMutableDictionary : NSDictionary - (void)removeObjectForKey:(id)aKey; 150- (void)setObject:(id)anObject forKey:(id)aKey; 151@end @interface NSMutableDictionary (NSMutableDictionaryCreation) + (id)dictionaryWithCapacity:(NSUInteger)numItems; 152@end typedef double CGFloat; 153struct CGSize { 154}; 155typedef struct CGSize CGSize; 156struct CGRect { 157}; 158typedef struct CGRect CGRect; 159typedef mach_port_t io_object_t; 160typedef char io_name_t[128]; 161typedef io_object_t io_iterator_t; 162typedef io_object_t io_service_t; 163typedef struct IONotificationPort * IONotificationPortRef; 164typedef void (*IOServiceMatchingCallback)( void * refcon, io_iterator_t iterator ); 165io_service_t IOServiceGetMatchingService( mach_port_t masterPort, CFDictionaryRef matching ); 166kern_return_t IOServiceGetMatchingServices( mach_port_t masterPort, CFDictionaryRef matching, io_iterator_t * existing ); 167kern_return_t IOServiceAddNotification( mach_port_t masterPort, const io_name_t notificationType, CFDictionaryRef matching, mach_port_t wakePort, uintptr_t reference, io_iterator_t * notification ) __attribute__((deprecated)); 168kern_return_t IOServiceAddMatchingNotification( IONotificationPortRef notifyPort, const io_name_t notificationType, CFDictionaryRef matching, IOServiceMatchingCallback callback, void * refCon, io_iterator_t * notification ); 169CFMutableDictionaryRef IOServiceMatching( const char * name ); 170CFMutableDictionaryRef IOServiceNameMatching( const char * name ); 171CFMutableDictionaryRef IOBSDNameMatching( mach_port_t masterPort, uint32_t options, const char * bsdName ); 172CFMutableDictionaryRef IOOpenFirmwarePathMatching( mach_port_t masterPort, uint32_t options, const char * path ); 173CFMutableDictionaryRef IORegistryEntryIDMatching( uint64_t entryID ); 174typedef struct __DASession * DASessionRef; 175extern DASessionRef DASessionCreate( CFAllocatorRef allocator ); 176typedef struct __DADisk * DADiskRef; 177extern DADiskRef DADiskCreateFromBSDName( CFAllocatorRef allocator, DASessionRef session, const char * name ); 178extern DADiskRef DADiskCreateFromIOMedia( CFAllocatorRef allocator, DASessionRef session, io_service_t media ); 179extern CFDictionaryRef DADiskCopyDescription( DADiskRef disk ); 180extern DADiskRef DADiskCopyWholeDisk( DADiskRef disk ); 181@interface NSTask : NSObject - (id)init; 182@end typedef struct CGColorSpace *CGColorSpaceRef; 183typedef struct CGImage *CGImageRef; 184typedef struct CGLayer *CGLayerRef; 185@interface NSResponder : NSObject <NSCoding> { 186} 187@end @protocol NSAnimatablePropertyContainer - (id)animator; 188@end extern NSString *NSAnimationTriggerOrderIn ; 189@interface NSView : NSResponder <NSAnimatablePropertyContainer> { 190} 191@end @protocol NSValidatedUserInterfaceItem - (SEL)action; 192@end @protocol NSUserInterfaceValidations - (BOOL)validateUserInterfaceItem:(id <NSValidatedUserInterfaceItem>)anItem; 193@end @class NSDate, NSDictionary, NSError, NSException, NSNotification; 194@interface NSApplication : NSResponder <NSUserInterfaceValidations> { 195} 196@end enum { 197NSTerminateCancel = 0, NSTerminateNow = 1, NSTerminateLater = 2 }; 198typedef NSUInteger NSApplicationTerminateReply; 199@protocol NSApplicationDelegate <NSObject> @optional - (NSApplicationTerminateReply)applicationShouldTerminate:(NSApplication *)sender; 200@end @class NSAttributedString, NSEvent, NSFont, NSFormatter, NSImage, NSMenu, NSText, NSView, NSTextView; 201@interface NSCell : NSObject <NSCopying, NSCoding> { 202} 203@end @class NSTextField, NSPanel, NSArray, NSWindow, NSImage, NSButton, NSError; 204typedef struct { 205} 206CVTimeStamp; 207@interface CIImage : NSObject <NSCoding, NSCopying> { 208} 209typedef int CIFormat; 210@end enum { 211kDAReturnSuccess = 0, kDAReturnError = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x01, kDAReturnBusy = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x02, kDAReturnBadArgument = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x03, kDAReturnExclusiveAccess = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x04, kDAReturnNoResources = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x05, kDAReturnNotFound = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x06, kDAReturnNotMounted = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x07, kDAReturnNotPermitted = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x08, kDAReturnNotPrivileged = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x09, kDAReturnNotReady = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0A, kDAReturnNotWritable = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0B, kDAReturnUnsupported = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0C }; 212typedef mach_error_t DAReturn; 213typedef const struct __DADissenter * DADissenterRef; 214extern DADissenterRef DADissenterCreate( CFAllocatorRef allocator, DAReturn status, CFStringRef string ); 215@interface CIContext: NSObject { 216} 217- (CGImageRef)createCGImage:(CIImage *)im fromRect:(CGRect)r; 218- (CGImageRef)createCGImage:(CIImage *)im fromRect:(CGRect)r format:(CIFormat)f colorSpace:(CGColorSpaceRef)cs; 219- (CGLayerRef)createCGLayerWithSize:(CGSize)size info:(CFDictionaryRef)d; 220@end extern NSString* const QCRendererEventKey; 221@protocol QCCompositionRenderer - (NSDictionary*) attributes; 222@end @interface QCRenderer : NSObject <QCCompositionRenderer> { 223} 224- (id) createSnapshotImageOfType:(NSString*)type; 225@end extern NSString* const QCViewDidStartRenderingNotification; 226@interface QCView : NSView <QCCompositionRenderer> { 227} 228- (id) createSnapshotImageOfType:(NSString*)type; 229@end enum { 230ICEXIFOrientation1 = 1, ICEXIFOrientation2 = 2, ICEXIFOrientation3 = 3, ICEXIFOrientation4 = 4, ICEXIFOrientation5 = 5, ICEXIFOrientation6 = 6, ICEXIFOrientation7 = 7, ICEXIFOrientation8 = 8, }; 231@class ICDevice; 232@protocol ICDeviceDelegate <NSObject> @required - (void)didRemoveDevice:(ICDevice*)device; 233@end extern NSString *const ICScannerStatusWarmingUp; 234@class ICScannerDevice; 235@protocol ICScannerDeviceDelegate <ICDeviceDelegate> @optional - (void)scannerDeviceDidBecomeAvailable:(ICScannerDevice*)scanner; 236@end 237 238typedef long unsigned int __darwin_size_t; 239typedef __darwin_size_t size_t; 240typedef unsigned long CFTypeID; 241struct CGPoint { 242 CGFloat x; 243 CGFloat y; 244}; 245typedef struct CGPoint CGPoint; 246typedef struct CGGradient *CGGradientRef; 247typedef uint32_t CGGradientDrawingOptions; 248extern CFTypeID CGGradientGetTypeID(void); 249extern CGGradientRef CGGradientCreateWithColorComponents(CGColorSpaceRef 250 space, const CGFloat components[], const CGFloat locations[], size_t count); 251extern CGGradientRef CGGradientCreateWithColors(CGColorSpaceRef space, 252 CFArrayRef colors, const CGFloat locations[]); 253extern CGGradientRef CGGradientRetain(CGGradientRef gradient); 254extern void CGGradientRelease(CGGradientRef gradient); 255typedef struct CGContext *CGContextRef; 256extern void CGContextDrawLinearGradient(CGContextRef context, 257 CGGradientRef gradient, CGPoint startPoint, CGPoint endPoint, 258 CGGradientDrawingOptions options); 259extern CGColorSpaceRef CGColorSpaceCreateDeviceRGB(void); 260 261//===----------------------------------------------------------------------===// 262// Test cases. 263//===----------------------------------------------------------------------===// 264 265CFAbsoluteTime f1() { 266 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 267 CFDateRef date = CFDateCreate(0, t); 268 CFRetain(date); 269 CFRelease(date); 270 CFDateGetAbsoluteTime(date); // no-warning 271 CFRelease(date); 272 t = CFDateGetAbsoluteTime(date); // expected-warning{{Reference-counted object is used after it is released.}} 273 return t; 274} 275 276CFAbsoluteTime f2() { 277 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 278 CFDateRef date = CFDateCreate(0, t); 279 [((NSDate*) date) retain]; 280 CFRelease(date); 281 CFDateGetAbsoluteTime(date); // no-warning 282 [((NSDate*) date) release]; 283 t = CFDateGetAbsoluteTime(date); // expected-warning{{Reference-counted object is used after it is released.}} 284 return t; 285} 286 287 288NSDate* global_x; 289 290// Test to see if we supresss an error when we store the pointer 291// to a global. 292 293CFAbsoluteTime f3() { 294 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 295 CFDateRef date = CFDateCreate(0, t); 296 [((NSDate*) date) retain]; 297 CFRelease(date); 298 CFDateGetAbsoluteTime(date); // no-warning 299 global_x = (NSDate*) date; 300 [((NSDate*) date) release]; 301 t = CFDateGetAbsoluteTime(date); // no-warning 302 return t; 303} 304 305//--------------------------------------------------------------------------- 306// Test case 'f4' differs for region store and basic store. See 307// retain-release-region-store.m and retain-release-basic-store.m. 308//--------------------------------------------------------------------------- 309 310// Test a leak. 311 312CFAbsoluteTime f5(int x) { 313 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 314 CFDateRef date = CFDateCreate(0, t); // expected-warning{{leak}} 315 316 if (x) 317 CFRelease(date); 318 319 return t; 320} 321 322// Test a leak involving the return. 323 324CFDateRef f6(int x) { 325 CFDateRef date = CFDateCreate(0, CFAbsoluteTimeGetCurrent()); // expected-warning{{leak}} 326 CFRetain(date); 327 return date; 328} 329 330// Test a leak involving an overwrite. 331 332CFDateRef f7() { 333 CFDateRef date = CFDateCreate(0, CFAbsoluteTimeGetCurrent()); //expected-warning{{leak}} 334 CFRetain(date); 335 date = CFDateCreate(0, CFAbsoluteTimeGetCurrent()); 336 return date; 337} 338 339// Generalization of Create rule. MyDateCreate returns a CFXXXTypeRef, and 340// has the word create. 341CFDateRef MyDateCreate(); 342 343CFDateRef f8() { 344 CFDateRef date = MyDateCreate(); // expected-warning{{leak}} 345 CFRetain(date); 346 return date; 347} 348 349CFDateRef f9() { 350 CFDateRef date = CFDateCreate(0, CFAbsoluteTimeGetCurrent()); 351 int *p = 0; 352 // When allocations fail, CFDateCreate can return null. 353 if (!date) *p = 1; // expected-warning{{null}} 354 return date; 355} 356 357// Handle DiskArbitration API: 358// 359// http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/DiscArbitrationFramework/ 360// 361void f10(io_service_t media, DADiskRef d, CFStringRef s) { 362 DADiskRef disk = DADiskCreateFromBSDName(kCFAllocatorDefault, 0, "hello"); // expected-warning{{leak}} 363 if (disk) NSLog(@"ok"); 364 365 disk = DADiskCreateFromIOMedia(kCFAllocatorDefault, 0, media); // expected-warning{{leak}} 366 if (disk) NSLog(@"ok"); 367 368 CFDictionaryRef dict = DADiskCopyDescription(d); // expected-warning{{leak}} 369 if (dict) NSLog(@"ok"); 370 371 disk = DADiskCopyWholeDisk(d); // expected-warning{{leak}} 372 if (disk) NSLog(@"ok"); 373 374 DADissenterRef dissenter = DADissenterCreate(kCFAllocatorDefault, // expected-warning{{leak}} 375 kDAReturnSuccess, s); 376 if (dissenter) NSLog(@"ok"); 377 378 DASessionRef session = DASessionCreate(kCFAllocatorDefault); // expected-warning{{leak}} 379 if (session) NSLog(@"ok"); 380} 381 382// Test retain/release checker with CFString and CFMutableArray. 383void f11() { 384 // Create the array. 385 CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); 386 387 // Create a string. 388 CFStringRef s1 = CFStringCreateWithCString(0, "hello world", 389 kCFStringEncodingUTF8); 390 391 // Add the string to the array. 392 CFArrayAppendValue(A, s1); 393 394 // Decrement the reference count. 395 CFRelease(s1); // no-warning 396 397 // Get the string. We don't own it. 398 s1 = (CFStringRef) CFArrayGetValueAtIndex(A, 0); 399 400 // Release the array. 401 CFRelease(A); // no-warning 402 403 // Release the string. This is a bug. 404 CFRelease(s1); // expected-warning{{Incorrect decrement of the reference count}} 405} 406 407// PR 3337: Handle functions declared using typedefs. 408typedef CFTypeRef CREATEFUN(); 409CREATEFUN MyCreateFun; 410 411void f12() { 412 CFTypeRef o = MyCreateFun(); // expected-warning {{leak}} 413} 414 415void f13_autorelease() { 416 CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // no-warning 417 [(id) A autorelease]; // no-warning 418} 419 420void f13_autorelease_b() { 421 CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); 422 [(id) A autorelease]; 423 [(id) A autorelease]; // expected-warning{{Object sent -autorelease too many times}} 424} 425 426CFMutableArrayRef f13_autorelease_c() { 427 CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); 428 [(id) A autorelease]; 429 [(id) A autorelease]; 430 return A; // expected-warning{{Object sent -autorelease too many times}} 431} 432 433CFMutableArrayRef f13_autorelease_d() { 434 CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); 435 [(id) A autorelease]; 436 [(id) A autorelease]; 437 CFMutableArrayRef B = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // expected-warning{{Object sent -autorelease too many times}} 438 CFRelease(B); // no-warning 439 while (1) {} 440} 441 442 443// This case exercises the logic where the leak site is the same as the allocation site. 444void f14_leakimmediately() { 445 CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // expected-warning{{leak}} 446} 447 448// Test that we track an allocated object beyond the point where the *name* 449// of the variable storing the reference is no longer live. 450void f15() { 451 // Create the array. 452 CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); 453 CFMutableArrayRef *B = &A; 454 // At this point, the name 'A' is no longer live. 455 CFRelease(*B); // no-warning 456} 457 458// Test when we pass NULL to CFRetain/CFRelease. 459void f16(int x, CFTypeRef p) { 460 if (p) 461 return; 462 463 if (x) { 464 CFRelease(p); // expected-warning{{Null pointer argument in call to CFRelease}} 465 } 466 else { 467 CFRetain(p); // expected-warning{{Null pointer argument in call to CFRetain}} 468 } 469} 470 471// Test that an object is non-null after being CFRetained/CFReleased. 472void f17(int x, CFTypeRef p) { 473 if (x) { 474 CFRelease(p); 475 if (!p) 476 CFRelease(0); // no-warning 477 } 478 else { 479 CFRetain(p); 480 if (!p) 481 CFRetain(0); // no-warning 482 } 483} 484 485// Test basic tracking of ivars associated with 'self'. For the retain/release 486// checker we currently do not want to flag leaks associated with stores 487// of tracked objects to ivars. 488@interface SelfIvarTest : NSObject { 489 id myObj; 490} 491- (void)test_self_tracking; 492@end 493 494@implementation SelfIvarTest 495- (void)test_self_tracking { 496 myObj = (id) CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // no-warning 497} 498@end 499 500// Test return of non-owned objects in contexts where an owned object 501// is expected. 502@interface TestReturnNotOwnedWhenExpectedOwned 503- (NSString*)newString; 504@end 505 506@implementation TestReturnNotOwnedWhenExpectedOwned 507- (NSString*)newString { 508 NSString *s = [NSString stringWithUTF8String:"hello"]; 509 return s; // expected-warning{{Object with +0 retain counts returned to caller where a +1 (owning) retain count is expected}} 510} 511@end 512 513// <rdar://problem/6659160> 514int isFoo(char c); 515 516static void rdar_6659160(char *inkind, char *inname) 517{ 518 // We currently expect that [NSObject alloc] cannot fail. This 519 // will be a toggled flag in the future. It can indeed return null, but 520 // Cocoa programmers generally aren't expected to reason about out-of-memory 521 // conditions. 522 NSString *kind = [[NSString alloc] initWithUTF8String:inkind]; // expected-warning{{leak}} 523 524 // We do allow stringWithUTF8String to fail. This isn't really correct, as 525 // far as returning 0. In most error conditions it will throw an exception. 526 // If allocation fails it could return 0, but again this 527 // isn't expected. 528 NSString *name = [NSString stringWithUTF8String:inname]; 529 if(!name) 530 return; 531 532 const char *kindC = 0; 533 const char *nameC = 0; 534 535 // In both cases, we cannot reach a point down below where we 536 // dereference kindC or nameC with either being null. This is because 537 // we assume that [NSObject alloc] doesn't fail and that we have the guard 538 // up above. 539 540 if(kind) 541 kindC = [kind UTF8String]; 542 if(name) 543 nameC = [name UTF8String]; 544 if(!isFoo(kindC[0])) // expected-warning{{null}} 545 return; 546 if(!isFoo(nameC[0])) // no-warning 547 return; 548 549 [kind release]; 550 [name release]; // expected-warning{{Incorrect decrement of the reference count}} 551} 552 553// PR 3677 - 'allocWithZone' should be treated as following the Cocoa naming 554// conventions with respect to 'return'ing ownership. 555@interface PR3677: NSObject @end 556@implementation PR3677 557+ (id)allocWithZone:(NSZone *)inZone { 558 return [super allocWithZone:inZone]; // no-warning 559} 560@end 561 562// PR 3820 - Reason about calls to -dealloc 563void pr3820_DeallocInsteadOfRelease(void) 564{ 565 id foo = [[NSString alloc] init]; // no-warning 566 [foo dealloc]; 567 // foo is not leaked, since it has been deallocated. 568} 569 570void pr3820_ReleaseAfterDealloc(void) 571{ 572 id foo = [[NSString alloc] init]; 573 [foo dealloc]; 574 [foo release]; // expected-warning{{used after it is release}} 575 // NSInternalInconsistencyException: message sent to deallocated object 576} 577 578void pr3820_DeallocAfterRelease(void) 579{ 580 NSLog(@"\n\n[%s]", __FUNCTION__); 581 id foo = [[NSString alloc] init]; 582 [foo release]; 583 [foo dealloc]; // expected-warning{{used after it is released}} 584 // message sent to released object 585} 586 587// From <rdar://problem/6704930>. The problem here is that 'length' binds to 588// '($0 - 1)' after '--length', but SimpleConstraintManager doesn't know how to 589// reason about '($0 - 1) > constant'. As a temporary hack, we drop the value 590// of '($0 - 1)' and conjure a new symbol. 591void rdar6704930(unsigned char *s, unsigned int length) { 592 NSString* name = 0; 593 if (s != 0) { 594 if (length > 0) { 595 while (length > 0) { 596 if (*s == ':') { 597 ++s; 598 --length; 599 name = [[NSString alloc] init]; // no-warning 600 break; 601 } 602 ++s; 603 --length; 604 } 605 if ((length == 0) && (name != 0)) { 606 [name release]; 607 name = 0; 608 } 609 if (length == 0) { // no ':' found -> use it all as name 610 name = [[NSString alloc] init]; // no-warning 611 } 612 } 613 } 614 615 if (name != 0) { 616 [name release]; 617 } 618} 619 620//===----------------------------------------------------------------------===// 621// <rdar://problem/6833332> 622// One build of the analyzer accidentally stopped tracking the allocated 623// object after the 'retain'. 624//===----------------------------------------------------------------------===// 625 626@interface rdar_6833332 : NSObject <NSApplicationDelegate> { 627 NSWindow *window; 628} 629@property (nonatomic, retain) NSWindow *window; 630@end 631 632@implementation rdar_6833332 633@synthesize window; 634- (void)applicationDidFinishLaunching:(NSNotification *)aNotification { 635 NSMutableDictionary *dict = [[NSMutableDictionary dictionaryWithCapacity:4] retain]; // expected-warning{{leak}} 636 637 [dict setObject:@"foo" forKey:@"bar"]; 638 639 NSLog(@"%@", dict); 640} 641- (void)dealloc { 642 [window release]; 643 [super dealloc]; 644} 645@end 646 647//===----------------------------------------------------------------------===// 648// <rdar://problem/6257780> clang checker fails to catch use-after-release 649//===----------------------------------------------------------------------===// 650 651int rdar_6257780_Case1() { 652 NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init]; 653 NSArray *array = [NSArray array]; 654 [array release]; // expected-warning{{Incorrect decrement of the reference count of an object that is not owned at this point by the caller}} 655 [pool drain]; 656 return 0; 657} 658 659//===----------------------------------------------------------------------===// 660// <rdar://problem/6866843> Checker should understand new/setObject:/release constructs 661//===----------------------------------------------------------------------===// 662 663void rdar_6866843() { 664 NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init]; 665 NSMutableDictionary* dictionary = [[NSMutableDictionary alloc] init]; 666 NSArray* array = [[NSArray alloc] init]; 667 [dictionary setObject:array forKey:@"key"]; 668 [array release]; 669 // Using 'array' here should be fine 670 NSLog(@"array = %@\n", array); // no-warning 671 // Now the array is released 672 [dictionary release]; 673 [pool drain]; 674} 675 676 677//===----------------------------------------------------------------------===// 678// <rdar://problem/6877235> Classes typedef-ed to CF objects should get the same treatment as CF objects 679//===----------------------------------------------------------------------===// 680 681typedef CFTypeRef OtherRef; 682 683@interface RDar6877235 : NSObject {} 684- (CFTypeRef)_copyCFTypeRef; 685- (OtherRef)_copyOtherRef; 686@end 687 688@implementation RDar6877235 689- (CFTypeRef)_copyCFTypeRef { 690 return [[NSString alloc] init]; // no-warning 691} 692- (OtherRef)_copyOtherRef { 693 return [[NSString alloc] init]; // no-warning 694} 695@end 696 697//===----------------------------------------------------------------------===// 698//<rdar://problem/6320065> false positive - init method returns an object 699// owned by caller 700//===----------------------------------------------------------------------===// 701 702@interface RDar6320065 : NSObject { 703 NSString *_foo; 704} 705- (id)initReturningNewClass; 706- (id)initReturningNewClassBad; 707- (id)initReturningNewClassBad2; 708@end 709 710@interface RDar6320065Subclass : RDar6320065 711@end 712 713@implementation RDar6320065 714- (id)initReturningNewClass { 715 [self release]; 716 self = [[RDar6320065Subclass alloc] init]; // no-warning 717 return self; 718} 719- (id)initReturningNewClassBad { 720 [self release]; 721 [[RDar6320065Subclass alloc] init]; // expected-warning {{leak}} 722 return self; 723} 724- (id)initReturningNewClassBad2 { 725 [self release]; 726 self = [[RDar6320065Subclass alloc] init]; 727 return [self autorelease]; // expected-warning{{Object with +0 retain counts returned to caller where a +1 (owning) retain count is expected}} 728} 729 730@end 731 732@implementation RDar6320065Subclass 733@end 734 735int RDar6320065_test() { 736 RDar6320065 *test = [[RDar6320065 alloc] init]; // no-warning 737 [test release]; 738 return 0; 739} 740 741//===----------------------------------------------------------------------===// 742// <rdar://problem/7129086> -awakeAfterUsingCoder: returns an owned object 743// and claims the receiver 744//===----------------------------------------------------------------------===// 745 746@interface RDar7129086 : NSObject {} @end 747@implementation RDar7129086 748- (id)awakeAfterUsingCoder:(NSCoder *)aDecoder { 749 [self release]; // no-warning 750 return [NSString alloc]; // no-warning 751} 752@end 753 754//===----------------------------------------------------------------------===// 755// <rdar://problem/6859457> [NSData dataWithBytesNoCopy] does not return a 756// retained object 757//===----------------------------------------------------------------------===// 758 759@interface RDar6859457 : NSObject {} 760- (NSString*) NoCopyString; 761- (NSString*) noCopyString; 762@end 763 764@implementation RDar6859457 765- (NSString*) NoCopyString { return [[NSString alloc] init]; } // no-warning 766- (NSString*) noCopyString { return [[NSString alloc] init]; } // no-warning 767@end 768 769void test_RDar6859457(RDar6859457 *x, void *bytes, NSUInteger dataLength) { 770 [x NoCopyString]; // expected-warning{{leak}} 771 [x noCopyString]; // expected-warning{{leak}} 772 [NSData dataWithBytesNoCopy:bytes length:dataLength]; // no-warning 773 [NSData dataWithBytesNoCopy:bytes length:dataLength freeWhenDone:1]; // no-warning 774} 775 776//===----------------------------------------------------------------------===// 777// PR 4230 - an autorelease pool is not necessarily leaked during a premature 778// return 779//===----------------------------------------------------------------------===// 780 781static void PR4230(void) 782{ 783 NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init]; // no-warning 784 NSString *object = [[[NSString alloc] init] autorelease]; // no-warning 785 return; 786} 787 788//===----------------------------------------------------------------------===// 789// Method name that has a null IdentifierInfo* for its first selector slot. 790// This test just makes sure that we handle it. 791//===----------------------------------------------------------------------===// 792 793@interface TestNullIdentifier 794@end 795 796@implementation TestNullIdentifier 797+ (id):(int)x, ... { 798 return [[NSString alloc] init]; // expected-warning{{leak}} 799} 800@end 801 802//===----------------------------------------------------------------------===// 803// <rdar://problem/6893565> don't flag leaks for return types that cannot be 804// determined to be CF types 805//===----------------------------------------------------------------------===// 806 807// We don't know if 'struct s6893565' represents a Core Foundation type, so 808// we shouldn't emit an error here. 809typedef struct s6893565* TD6893565; 810 811@interface RDar6893565 {} 812-(TD6893565)newThing; 813@end 814 815@implementation RDar6893565 816-(TD6893565)newThing { 817 return (TD6893565) [[NSString alloc] init]; // no-warning 818} 819@end 820 821//===----------------------------------------------------------------------===// 822// <rdar://problem/6902710> clang: false positives w/QC and CoreImage methods 823//===----------------------------------------------------------------------===// 824 825void rdar6902710(QCView *view, QCRenderer *renderer, CIContext *context, 826 NSString *str, CIImage *img, CGRect rect, 827 CIFormat form, CGColorSpaceRef cs) { 828 [view createSnapshotImageOfType:str]; // expected-warning{{leak}} 829 [renderer createSnapshotImageOfType:str]; // expected-warning{{leak}} 830 [context createCGImage:img fromRect:rect]; // expected-warning{{leak}} 831 [context createCGImage:img fromRect:rect format:form colorSpace:cs]; // expected-warning{{leak}} 832} 833 834//===----------------------------------------------------------------------===// 835// <rdar://problem/6945561> -[CIContext createCGLayerWithSize:info:] 836// misinterpreted by clang scan-build 837//===----------------------------------------------------------------------===// 838 839void rdar6945561(CIContext *context, CGSize size, CFDictionaryRef d) { 840 [context createCGLayerWithSize:size info:d]; // expected-warning{{leak}} 841} 842 843//===----------------------------------------------------------------------===// 844// <rdar://problem/6961230> add knowledge of IOKit functions to retain/release 845// checker 846//===----------------------------------------------------------------------===// 847 848void IOBSDNameMatching_wrapper(mach_port_t masterPort, uint32_t options, const char * bsdName) { 849 IOBSDNameMatching(masterPort, options, bsdName); // expected-warning{{leak}} 850} 851 852void IOServiceMatching_wrapper(const char * name) { 853 IOServiceMatching(name); // expected-warning{{leak}} 854} 855 856void IOServiceNameMatching_wrapper(const char * name) { 857 IOServiceNameMatching(name); // expected-warning{{leak}} 858} 859 860CF_RETURNS_RETAINED CFDictionaryRef CreateDict(); 861 862void IOServiceAddNotification_wrapper(mach_port_t masterPort, const io_name_t notificationType, 863 mach_port_t wakePort, uintptr_t reference, io_iterator_t * notification ) { 864 865 CFDictionaryRef matching = CreateDict(); 866 CFRelease(matching); 867 IOServiceAddNotification(masterPort, notificationType, matching, // expected-warning{{used after it is released}} expected-warning{{deprecated}} 868 wakePort, reference, notification); 869} 870 871void IORegistryEntryIDMatching_wrapper(uint64_t entryID ) { 872 IORegistryEntryIDMatching(entryID); // expected-warning{{leak}} 873} 874 875void IOOpenFirmwarePathMatching_wrapper(mach_port_t masterPort, uint32_t options, 876 const char * path) { 877 IOOpenFirmwarePathMatching(masterPort, options, path); // expected-warning{{leak}} 878} 879 880void IOServiceGetMatchingService_wrapper(mach_port_t masterPort) { 881 CFDictionaryRef matching = CreateDict(); 882 IOServiceGetMatchingService(masterPort, matching); 883 CFRelease(matching); // expected-warning{{used after it is released}} 884} 885 886void IOServiceGetMatchingServices_wrapper(mach_port_t masterPort, io_iterator_t *existing) { 887 CFDictionaryRef matching = CreateDict(); 888 IOServiceGetMatchingServices(masterPort, matching, existing); 889 CFRelease(matching); // expected-warning{{used after it is released}} 890} 891 892void IOServiceAddMatchingNotification_wrapper(IONotificationPortRef notifyPort, const io_name_t notificationType, 893 IOServiceMatchingCallback callback, void * refCon, io_iterator_t * notification) { 894 895 CFDictionaryRef matching = CreateDict(); 896 IOServiceAddMatchingNotification(notifyPort, notificationType, matching, callback, refCon, notification); 897 CFRelease(matching); // expected-warning{{used after it is released}} 898} 899 900//===----------------------------------------------------------------------===// 901// Test of handling objects whose references "escape" to containers. 902//===----------------------------------------------------------------------===// 903 904void CFDictionaryAddValue(); 905 906// <rdar://problem/6539791> 907void rdar_6539791(CFMutableDictionaryRef y, void* key, void* val_key) { 908 CFMutableDictionaryRef x = CFDictionaryCreateMutable(kCFAllocatorDefault, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); 909 CFDictionaryAddValue(y, key, x); 910 CFRelease(x); // the dictionary keeps a reference, so the object isn't deallocated yet 911 signed z = 1; 912 CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &z); 913 if (value) { 914 CFDictionaryAddValue(x, val_key, value); // no-warning 915 CFRelease(value); 916 CFDictionaryAddValue(y, val_key, value); // no-warning 917 } 918} 919 920// <rdar://problem/6560661> 921// Same issue, except with "AppendValue" functions. 922void rdar_6560661(CFMutableArrayRef x) { 923 signed z = 1; 924 CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &z); 925 // CFArrayAppendValue keeps a reference to value. 926 CFArrayAppendValue(x, value); 927 CFRelease(value); 928 CFRetain(value); 929 CFRelease(value); // no-warning 930} 931 932// <rdar://problem/7152619> 933// Same issue, excwept with "CFAttributeStringSetAttribute". 934void rdar_7152619(CFStringRef str) { 935 CFAttributedStringRef string = CFAttributedStringCreate(kCFAllocatorDefault, str, 0); 936 CFMutableAttributedStringRef attrString = CFAttributedStringCreateMutableCopy(kCFAllocatorDefault, 100, string); 937 CFRelease(string); 938 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // expected-warning{{leak}} 939 CFAttributedStringSetAttribute(attrString, CFRangeMake(0, 1), str, number); 940 [number release]; 941 [number retain]; 942 CFRelease(attrString); 943} 944 945//===----------------------------------------------------------------------===// 946// Test of handling CGGradientXXX functions. 947//===----------------------------------------------------------------------===// 948 949void rdar_7184450(CGContextRef myContext, CGFloat x, CGPoint myStartPoint, 950 CGPoint myEndPoint) { 951 size_t num_locations = 6; 952 CGFloat locations[6] = { 0.0, 0.265, 0.28, 0.31, 0.36, 1.0 }; 953 CGFloat components[28] = { 239.0/256.0, 167.0/256.0, 170.0/256.0, 954 x, // Start color 955 207.0/255.0, 39.0/255.0, 39.0/255.0, x, 956 147.0/255.0, 21.0/255.0, 22.0/255.0, x, 957 175.0/255.0, 175.0/255.0, 175.0/255.0, x, 958 255.0/255.0,255.0/255.0, 255.0/255.0, x, 959 255.0/255.0,255.0/255.0, 255.0/255.0, x 960 }; // End color 961 962 CGGradientRef myGradient = 963 CGGradientCreateWithColorComponents(CGColorSpaceCreateDeviceRGB(), // expected-warning{{leak}} 964 components, locations, num_locations); 965 966 CGContextDrawLinearGradient(myContext, myGradient, myStartPoint, myEndPoint, 967 0); 968 CGGradientRelease(myGradient); 969} 970 971void rdar_7184450_pos(CGContextRef myContext, CGFloat x, CGPoint myStartPoint, 972 CGPoint myEndPoint) { 973 size_t num_locations = 6; 974 CGFloat locations[6] = { 0.0, 0.265, 0.28, 0.31, 0.36, 1.0 }; 975 CGFloat components[28] = { 239.0/256.0, 167.0/256.0, 170.0/256.0, 976 x, // Start color 977 207.0/255.0, 39.0/255.0, 39.0/255.0, x, 978 147.0/255.0, 21.0/255.0, 22.0/255.0, x, 979 175.0/255.0, 175.0/255.0, 175.0/255.0, x, 980 255.0/255.0,255.0/255.0, 255.0/255.0, x, 981 255.0/255.0,255.0/255.0, 255.0/255.0, x 982 }; // End color 983 984 CGGradientRef myGradient = 985 CGGradientCreateWithColorComponents(CGColorSpaceCreateDeviceRGB(), components, locations, num_locations); // expected-warning 2 {{leak}} 986 987 CGContextDrawLinearGradient(myContext, myGradient, myStartPoint, myEndPoint, 988 0); 989} 990 991//===----------------------------------------------------------------------===// 992// <rdar://problem/7299394> clang false positive: retained instance passed to 993// thread in pthread_create marked as leak 994// 995// Until we have full IPA, the analyzer should stop tracking the reference 996// count of objects passed to pthread_create. 997// 998//===----------------------------------------------------------------------===// 999 1000struct _opaque_pthread_t {}; 1001struct _opaque_pthread_attr_t {}; 1002typedef struct _opaque_pthread_t *__darwin_pthread_t; 1003typedef struct _opaque_pthread_attr_t __darwin_pthread_attr_t; 1004typedef __darwin_pthread_t pthread_t; 1005typedef __darwin_pthread_attr_t pthread_attr_t; 1006 1007int pthread_create(pthread_t * restrict, const pthread_attr_t * restrict, 1008 void *(*)(void *), void * restrict); 1009 1010void *rdar_7299394_start_routine(void *p) { 1011 [((id) p) release]; 1012 return 0; 1013} 1014void rdar_7299394(pthread_attr_t *attr, pthread_t *thread, void *args) { 1015 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1016 pthread_create(thread, attr, rdar_7299394_start_routine, number); 1017} 1018void rdar_7299394_positive(pthread_attr_t *attr, pthread_t *thread) { 1019 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // expected-warning{{leak}} 1020} 1021 1022//===----------------------------------------------------------------------===// 1023// <rdar://problem/7283567> False leak associated with call to 1024// CVPixelBufferCreateWithBytes () 1025// 1026// According to the Core Video Reference (ADC), CVPixelBufferCreateWithBytes and 1027// CVPixelBufferCreateWithPlanarBytes can release (via a callback) the 1028// pixel buffer object. These test cases show how the analyzer stops tracking 1029// the reference count for the objects passed for this argument. This 1030// could be made smarter. 1031//===----------------------------------------------------------------------===// 1032 1033typedef int int32_t; 1034typedef UInt32 FourCharCode; 1035typedef FourCharCode OSType; 1036typedef uint64_t CVOptionFlags; 1037typedef int32_t CVReturn; 1038typedef struct __CVBuffer *CVBufferRef; 1039typedef CVBufferRef CVImageBufferRef; 1040typedef CVImageBufferRef CVPixelBufferRef; 1041typedef void (*CVPixelBufferReleaseBytesCallback)( void *releaseRefCon, const void *baseAddress ); 1042 1043extern CVReturn CVPixelBufferCreateWithBytes(CFAllocatorRef allocator, 1044 size_t width, 1045 size_t height, 1046 OSType pixelFormatType, 1047 void *baseAddress, 1048 size_t bytesPerRow, 1049 CVPixelBufferReleaseBytesCallback releaseCallback, 1050 void *releaseRefCon, 1051 CFDictionaryRef pixelBufferAttributes, 1052 CVPixelBufferRef *pixelBufferOut) ; 1053 1054typedef void (*CVPixelBufferReleasePlanarBytesCallback)( void *releaseRefCon, const void *dataPtr, size_t dataSize, size_t numberOfPlanes, const void *planeAddresses[] ); 1055 1056extern CVReturn CVPixelBufferCreateWithPlanarBytes(CFAllocatorRef allocator, 1057 size_t width, 1058 size_t height, 1059 OSType pixelFormatType, 1060 void *dataPtr, 1061 size_t dataSize, 1062 size_t numberOfPlanes, 1063 void *planeBaseAddress[], 1064 size_t planeWidth[], 1065 size_t planeHeight[], 1066 size_t planeBytesPerRow[], 1067 CVPixelBufferReleasePlanarBytesCallback releaseCallback, 1068 void *releaseRefCon, 1069 CFDictionaryRef pixelBufferAttributes, 1070 CVPixelBufferRef *pixelBufferOut) ; 1071 1072extern CVReturn CVPixelBufferCreateWithBytes(CFAllocatorRef allocator, 1073 size_t width, 1074 size_t height, 1075 OSType pixelFormatType, 1076 void *baseAddress, 1077 size_t bytesPerRow, 1078 CVPixelBufferReleaseBytesCallback releaseCallback, 1079 void *releaseRefCon, 1080 CFDictionaryRef pixelBufferAttributes, 1081 CVPixelBufferRef *pixelBufferOut) ; 1082 1083CVReturn rdar_7283567(CFAllocatorRef allocator, size_t width, size_t height, 1084 OSType pixelFormatType, void *baseAddress, 1085 size_t bytesPerRow, 1086 CVPixelBufferReleaseBytesCallback releaseCallback, 1087 CFDictionaryRef pixelBufferAttributes, 1088 CVPixelBufferRef *pixelBufferOut) { 1089 1090 // For the allocated object, it doesn't really matter what type it is 1091 // for the purpose of this test. All we want to show is that 1092 // this is freed later by the callback. 1093 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1094 1095 return CVPixelBufferCreateWithBytes(allocator, width, height, pixelFormatType, 1096 baseAddress, bytesPerRow, releaseCallback, 1097 number, // potentially released by callback 1098 pixelBufferAttributes, pixelBufferOut) ; 1099} 1100 1101CVReturn rdar_7283567_2(CFAllocatorRef allocator, size_t width, size_t height, 1102 OSType pixelFormatType, void *dataPtr, size_t dataSize, 1103 size_t numberOfPlanes, void *planeBaseAddress[], 1104 size_t planeWidth[], size_t planeHeight[], size_t planeBytesPerRow[], 1105 CVPixelBufferReleasePlanarBytesCallback releaseCallback, 1106 CFDictionaryRef pixelBufferAttributes, 1107 CVPixelBufferRef *pixelBufferOut) { 1108 1109 // For the allocated object, it doesn't really matter what type it is 1110 // for the purpose of this test. All we want to show is that 1111 // this is freed later by the callback. 1112 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1113 1114 return CVPixelBufferCreateWithPlanarBytes(allocator, 1115 width, height, pixelFormatType, dataPtr, dataSize, 1116 numberOfPlanes, planeBaseAddress, planeWidth, 1117 planeHeight, planeBytesPerRow, releaseCallback, 1118 number, // potentially released by callback 1119 pixelBufferAttributes, pixelBufferOut) ; 1120} 1121 1122//===----------------------------------------------------------------------===// 1123// <rdar://problem/7358899> False leak associated with 1124// CGBitmapContextCreateWithData 1125//===----------------------------------------------------------------------===// 1126typedef uint32_t CGBitmapInfo; 1127typedef void (*CGBitmapContextReleaseDataCallback)(void *releaseInfo, void *data); 1128 1129CGContextRef CGBitmapContextCreateWithData(void *data, 1130 size_t width, size_t height, size_t bitsPerComponent, 1131 size_t bytesPerRow, CGColorSpaceRef space, CGBitmapInfo bitmapInfo, 1132 CGBitmapContextReleaseDataCallback releaseCallback, void *releaseInfo); 1133 1134void rdar_7358899(void *data, 1135 size_t width, size_t height, size_t bitsPerComponent, 1136 size_t bytesPerRow, CGColorSpaceRef space, CGBitmapInfo bitmapInfo, 1137 CGBitmapContextReleaseDataCallback releaseCallback) { 1138 1139 // For the allocated object, it doesn't really matter what type it is 1140 // for the purpose of this test. All we want to show is that 1141 // this is freed later by the callback. 1142 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1143 1144 CGBitmapContextCreateWithData(data, width, height, bitsPerComponent, // expected-warning{{leak}} 1145 bytesPerRow, space, bitmapInfo, releaseCallback, number); 1146} 1147 1148//===----------------------------------------------------------------------===// 1149// <rdar://problem/7265711> allow 'new', 'copy', 'alloc', 'init' prefix to 1150// start before '_' when determining Cocoa fundamental rule 1151// 1152// Previously the retain/release checker just skipped prefixes before the 1153// first '_' entirely. Now the checker honors the prefix if it results in a 1154// recognizable naming convention (e.g., 'new', 'init'). 1155//===----------------------------------------------------------------------===// 1156 1157@interface RDar7265711 {} 1158- (id) new_stuff; 1159@end 1160 1161void rdar7265711_a(RDar7265711 *x) { 1162 id y = [x new_stuff]; // expected-warning{{leak}} 1163} 1164 1165void rdar7265711_b(RDar7265711 *x) { 1166 id y = [x new_stuff]; // no-warning 1167 [y release]; 1168} 1169 1170//===----------------------------------------------------------------------===// 1171// <rdar://problem/7306898> clang thinks [NSCursor dragCopyCursor] returns a 1172// retained reference 1173//===----------------------------------------------------------------------===// 1174 1175@interface NSCursor : NSObject 1176+ (NSCursor *)dragCopyCursor; 1177@end 1178 1179void rdar7306898(void) { 1180 // 'dragCopyCursor' does not follow Cocoa's fundamental rule. It is a noun, not an sentence 1181 // implying a 'copy' of something. 1182 NSCursor *c = [NSCursor dragCopyCursor]; // no-warning 1183 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // expected-warning{{leak}} 1184} 1185 1186//===----------------------------------------------------------------------===// 1187// <rdar://problem/7252064> sending 'release', 'retain', etc. to a Class 1188// directly is not likely what the user intended 1189//===----------------------------------------------------------------------===// 1190 1191@interface RDar7252064 : NSObject @end 1192void rdar7252064(void) { 1193 [RDar7252064 release]; // expected-warning{{The 'release' message should be sent to instances of class 'RDar7252064' and not the class directly}} 1194 [RDar7252064 retain]; // expected-warning{{The 'retain' message should be sent to instances of class 'RDar7252064' and not the class directly}} 1195 [RDar7252064 autorelease]; // expected-warning{{The 'autorelease' message should be sent to instances of class 'RDar7252064' and not the class directly}} 1196 [NSAutoreleasePool drain]; // expected-warning{{method '+drain' not found}} expected-warning{{The 'drain' message should be sent to instances of class 'NSAutoreleasePool' and not the class directly}} 1197} 1198 1199//===----------------------------------------------------------------------===// 1200// Tests of ownership attributes. 1201//===----------------------------------------------------------------------===// 1202 1203typedef NSString* MyStringTy; 1204 1205@protocol FooP; 1206 1207@interface TestOwnershipAttr : NSObject 1208- (NSString*) returnsAnOwnedString NS_RETURNS_RETAINED; // no-warning 1209- (NSString*) returnsAnOwnedCFString CF_RETURNS_RETAINED; // no-warning 1210- (MyStringTy) returnsAnOwnedTypedString NS_RETURNS_RETAINED; // no-warning 1211- (NSString*) newString NS_RETURNS_NOT_RETAINED; // no-warning 1212- (NSString*) newStringNoAttr; 1213- (int) returnsAnOwnedInt NS_RETURNS_RETAINED; // expected-warning{{'ns_returns_retained' attribute only applies to functions or methods that return a pointer or Objective-C object}} 1214@end 1215 1216static int ownership_attribute_doesnt_go_here NS_RETURNS_RETAINED; // expected-warning{{'ns_returns_retained' attribute only applies to function or method types}} 1217 1218void test_attr_1(TestOwnershipAttr *X) { 1219 NSString *str = [X returnsAnOwnedString]; // expected-warning{{leak}} 1220} 1221 1222void test_attr_1b(TestOwnershipAttr *X) { 1223 NSString *str = [X returnsAnOwnedCFString]; // expected-warning{{leak}} 1224} 1225 1226void test_attr1c(TestOwnershipAttr *X) { 1227 NSString *str = [X newString]; // no-warning 1228 NSString *str2 = [X newStringNoAttr]; // expected-warning{{leak}} 1229} 1230 1231@interface MyClassTestCFAttr : NSObject {} 1232- (NSDate*) returnsCFRetained CF_RETURNS_RETAINED; 1233- (CFDateRef) returnsCFRetainedAsCF CF_RETURNS_RETAINED; 1234- (CFDateRef) newCFRetainedAsCF CF_RETURNS_NOT_RETAINED; 1235- (CFDateRef) newCFRetainedAsCFNoAttr; 1236- (NSDate*) alsoReturnsRetained; 1237- (CFDateRef) alsoReturnsRetainedAsCF; 1238- (NSDate*) returnsNSRetained NS_RETURNS_RETAINED; 1239@end 1240 1241CF_RETURNS_RETAINED 1242CFDateRef returnsRetainedCFDate() { 1243 return CFDateCreate(0, CFAbsoluteTimeGetCurrent()); 1244} 1245 1246@implementation MyClassTestCFAttr 1247- (NSDate*) returnsCFRetained { 1248 return (NSDate*) returnsRetainedCFDate(); // No leak. 1249} 1250 1251- (CFDateRef) returnsCFRetainedAsCF { 1252 return returnsRetainedCFDate(); // No leak. 1253} 1254 1255- (CFDateRef) newCFRetainedAsCF { 1256 return (CFDateRef)[(id)[self returnsCFRetainedAsCF] autorelease]; 1257} 1258 1259- (CFDateRef) newCFRetainedAsCFNoAttr { 1260 return (CFDateRef)[(id)[self returnsCFRetainedAsCF] autorelease]; // expected-warning{{Object with +0 retain counts returned to caller where a +1 (owning) retain count is expected}} 1261} 1262 1263- (NSDate*) alsoReturnsRetained { 1264 return (NSDate*) returnsRetainedCFDate(); // expected-warning{{leak}} 1265} 1266 1267- (CFDateRef) alsoReturnsRetainedAsCF { 1268 return returnsRetainedCFDate(); // expected-warning{{leak}} 1269} 1270 1271 1272- (NSDate*) returnsNSRetained { 1273 return (NSDate*) returnsRetainedCFDate(); // no-warning 1274} 1275@end 1276 1277//===----------------------------------------------------------------------===// 1278// Test that leaks post-dominated by "panic" functions are not reported. 1279// 1280// <rdar://problem/5905851> do not report a leak when post-dominated by a call 1281// to a noreturn or panic function 1282//===----------------------------------------------------------------------===// 1283 1284void panic() __attribute__((noreturn)); 1285void panic_not_in_hardcoded_list() __attribute__((noreturn)); 1286 1287void test_panic_negative() { 1288 signed z = 1; 1289 CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &z); // expected-warning{{leak}} 1290} 1291 1292void test_panic_positive() { 1293 signed z = 1; 1294 CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &z); // no-warning 1295 panic(); 1296} 1297 1298void test_panic_neg_2(int x) { 1299 signed z = 1; 1300 CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &z); // expected-warning{{leak}} 1301 if (x) 1302 panic(); 1303} 1304 1305void test_panic_pos_2(int x) { 1306 signed z = 1; 1307 CFNumberRef value = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &z); // no-warning 1308 if (x) 1309 panic(); 1310 if (!x) { 1311 // This showed up in <rdar://problem/7796563>, where we silently missed checking 1312 // the function type for noreturn. "panic()" is a hard-coded known panic function 1313 // that isn't always noreturn. 1314 panic_not_in_hardcoded_list(); 1315 } 1316} 1317 1318//===----------------------------------------------------------------------===// 1319// Test uses of blocks (closures) 1320//===----------------------------------------------------------------------===// 1321 1322void test_blocks_1_pos(void) { 1323 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // expected-warning{{leak}} 1324 ^{}(); 1325} 1326 1327void test_blocks_1_indirect_release(void) { 1328 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1329 ^{ [number release]; }(); 1330} 1331 1332void test_blocks_1_indirect_retain(void) { 1333 // Eventually this should be reported as a leak. 1334 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1335 ^{ [number retain]; }(); 1336} 1337 1338void test_blocks_1_indirect_release_via_call(void) { 1339 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1340 ^(NSObject *o){ [o release]; }(number); 1341} 1342 1343void test_blocks_1_indirect_retain_via_call(void) { 1344 // Eventually this should be reported as a leak. 1345 NSNumber *number = [[NSNumber alloc] initWithInt:5]; // no-warning 1346 ^(NSObject *o){ [o retain]; }(number); 1347} 1348 1349//===--------------------------------------------------------------------===// 1350// Test sending message to super that returns an object alias. Previously 1351// this caused a crash in the analyzer. 1352//===--------------------------------------------------------------------===// 1353 1354@interface Rdar8015556 : NSObject {} @end 1355@implementation Rdar8015556 1356- (id)retain { 1357 return [super retain]; 1358} 1359@end 1360 1361// <rdar://problem/8272168> - Correcly handle Class<...> in Cocoa Conventions 1362// detector. 1363 1364@protocol Prot_R8272168 @end 1365Class <Prot_R8272168> GetAClassThatImplementsProt_R8272168(); 1366void r8272168() { 1367 GetAClassThatImplementsProt_R8272168(); 1368} 1369 1370// Test case for <rdar://problem/8356342>, which in the past triggered 1371// a false positive. 1372@interface RDar8356342 1373- (NSDate*) rdar8356342:(NSDate *)inValue; 1374@end 1375 1376@implementation RDar8356342 1377- (NSDate*) rdar8356342:(NSDate*)inValue { 1378 NSDate *outValue = inValue; 1379 if (outValue == 0) 1380 outValue = [[NSDate alloc] init]; // no-warning 1381 1382 if (outValue != inValue) 1383 [outValue autorelease]; 1384 1385 return outValue; 1386} 1387@end 1388 1389// <rdar://problem/8724287> - This test case previously crashed because 1390// of a bug in BugReporter. 1391extern const void *CFDictionaryGetValue(CFDictionaryRef theDict, const void *key); 1392typedef struct __CFError * CFErrorRef; 1393extern const CFStringRef kCFErrorUnderlyingErrorKey; 1394extern CFDictionaryRef CFErrorCopyUserInfo(CFErrorRef err); 1395 1396static void rdar_8724287(CFErrorRef error) 1397{ 1398 CFErrorRef error_to_dump; 1399 1400 error_to_dump = error; 1401 while (error_to_dump != ((void*)0)) { 1402 CFDictionaryRef info; 1403 1404 info = CFErrorCopyUserInfo(error_to_dump); // expected-warning{{Potential leak of an object allocated on line 1404 and stored into 'info'}} 1405 1406 if (info != ((void*)0)) { 1407 } 1408 1409 error_to_dump = (CFErrorRef) CFDictionaryGetValue(info, kCFErrorUnderlyingErrorKey); 1410 } 1411} 1412 1413