retain-release.m revision a0cc00dfb19897873cba1a1ff29e09a7f6ef9562
1// RUN: clang-cc -analyze -checker-cfref -verify %s &&
2// RUN: clang-cc -analyze -checker-cfref -analyzer-store=region -verify %s
3
4
5//===----------------------------------------------------------------------===//
6// The following code is reduced using delta-debugging from
7// Foundation.h (Mac OS X).
8//
9// It includes the basic definitions for the test cases below.
10// Not including Foundation.h directly makes this test case both svelte and
11// portable to non-Mac platforms.
12//===----------------------------------------------------------------------===//
13
14typedef unsigned int __darwin_natural_t;
15typedef unsigned int UInt32;
16typedef signed long CFIndex;
17typedef const void * CFTypeRef;
18typedef const struct __CFString * CFStringRef;
19typedef const struct __CFAllocator * CFAllocatorRef;
20extern const CFAllocatorRef kCFAllocatorDefault;
21extern CFTypeRef CFRetain(CFTypeRef cf);
22extern void CFRelease(CFTypeRef cf);
23typedef struct {
24}
25CFArrayCallBacks;
26extern const CFArrayCallBacks kCFTypeArrayCallBacks;
27typedef const struct __CFArray * CFArrayRef;
28typedef struct __CFArray * CFMutableArrayRef;
29extern CFMutableArrayRef CFArrayCreateMutable(CFAllocatorRef allocator, CFIndex capacity, const CFArrayCallBacks *callBacks);
30extern const void *CFArrayGetValueAtIndex(CFArrayRef theArray, CFIndex idx);
31extern void CFArrayAppendValue(CFMutableArrayRef theArray, const void *value);
32typedef const struct __CFDictionary * CFDictionaryRef;
33typedef UInt32 CFStringEncoding;
34enum {
35kCFStringEncodingMacRoman = 0,     kCFStringEncodingWindowsLatin1 = 0x0500,     kCFStringEncodingISOLatin1 = 0x0201,     kCFStringEncodingNextStepLatin = 0x0B01,     kCFStringEncodingASCII = 0x0600,     kCFStringEncodingUnicode = 0x0100,     kCFStringEncodingUTF8 = 0x08000100,     kCFStringEncodingNonLossyASCII = 0x0BFF      ,     kCFStringEncodingUTF16 = 0x0100,     kCFStringEncodingUTF16BE = 0x10000100,     kCFStringEncodingUTF16LE = 0x14000100,      kCFStringEncodingUTF32 = 0x0c000100,     kCFStringEncodingUTF32BE = 0x18000100,     kCFStringEncodingUTF32LE = 0x1c000100  };
36extern CFStringRef CFStringCreateWithCString(CFAllocatorRef alloc, const char *cStr, CFStringEncoding encoding);
37typedef double CFTimeInterval;
38typedef CFTimeInterval CFAbsoluteTime;
39extern CFAbsoluteTime CFAbsoluteTimeGetCurrent(void);
40typedef const struct __CFDate * CFDateRef;
41extern CFDateRef CFDateCreate(CFAllocatorRef allocator, CFAbsoluteTime at);
42extern CFAbsoluteTime CFDateGetAbsoluteTime(CFDateRef theDate);
43typedef __darwin_natural_t natural_t;
44typedef natural_t mach_port_name_t;
45typedef mach_port_name_t mach_port_t;
46typedef int kern_return_t;
47typedef kern_return_t mach_error_t;
48typedef struct objc_selector *SEL;
49typedef signed char BOOL;
50typedef unsigned long NSUInteger;
51@class NSString, Protocol;
52extern void NSLog(NSString *format, ...) __attribute__((format(__NSString__, 1, 2)));
53typedef struct _NSZone NSZone;
54@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
55@protocol NSObject  - (BOOL)isEqual:(id)object;
56- (id)retain;
57- (oneway void)release;
58- (id)autorelease;
59@end  @protocol NSCopying  - (id)copyWithZone:(NSZone *)zone;
60@end  @protocol NSMutableCopying  - (id)mutableCopyWithZone:(NSZone *)zone;
61@end  @protocol NSCoding  - (void)encodeWithCoder:(NSCoder *)aCoder;
62@end    @interface NSObject <NSObject> {
63}
64+ (id)allocWithZone:(NSZone *)zone;
65+ (id)alloc;
66- (void)dealloc;
67@end      extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
68typedef struct {
69}
70NSFastEnumerationState;
71@protocol NSFastEnumeration  - (NSUInteger)countByEnumeratingWithState:(NSFastEnumerationState *)state objects:(id *)stackbuf count:(NSUInteger)len;
72@end           @class NSString, NSDictionary;
73typedef double NSTimeInterval;
74@interface NSDate : NSObject <NSCopying, NSCoding>  - (NSTimeInterval)timeIntervalSinceReferenceDate;
75@end            typedef unsigned short unichar;
76@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>    - (NSUInteger)length;
77- ( const char *)UTF8String;
78- (id)initWithUTF8String:(const char *)nullTerminatedCString;
79+ (id)stringWithUTF8String:(const char *)nullTerminatedCString;
80@end        @class NSDictionary;
81@interface NSDictionary : NSObject <NSCopying, NSMutableCopying, NSCoding, NSFastEnumeration>  - (NSUInteger)count;
82@end    @interface NSMutableDictionary : NSDictionary  - (void)removeObjectForKey:(id)aKey;
83- (void)setObject:(id)anObject forKey:(id)aKey;
84@end  @interface NSMutableDictionary (NSMutableDictionaryCreation)  + (id)dictionaryWithCapacity:(NSUInteger)numItems;
85@end @class NSString, NSDictionary, NSArray;
86typedef mach_port_t io_object_t;
87typedef io_object_t io_service_t;
88typedef struct __DASession * DASessionRef;
89extern DASessionRef DASessionCreate( CFAllocatorRef allocator );
90typedef struct __DADisk * DADiskRef;
91extern DADiskRef DADiskCreateFromBSDName( CFAllocatorRef allocator, DASessionRef session, const char * name );
92extern DADiskRef DADiskCreateFromIOMedia( CFAllocatorRef allocator, DASessionRef session, io_service_t media );
93extern CFDictionaryRef DADiskCopyDescription( DADiskRef disk );
94extern DADiskRef DADiskCopyWholeDisk( DADiskRef disk );
95@interface NSTask : NSObject - (id)init;
96@end  extern NSString * const NSTaskDidTerminateNotification;
97@interface NSResponder : NSObject <NSCoding> {
98struct __vaFlags {
99}
100_vaFlags;
101}
102@end    @protocol NSAnimatablePropertyContainer      - (id)animator;
103@end  extern NSString *NSAnimationTriggerOrderIn ;
104@class NSBitmapImageRep, NSCursor, NSGraphicsContext, NSImage, NSPasteboard, NSScrollView, NSTextInputContext, NSWindow, NSAttributedString;
105@interface NSView : NSResponder  <NSAnimatablePropertyContainer>  {
106struct __VFlags2 {
107}
108_vFlags2;
109}
110@end  @class NSColor, NSFont, NSNotification;
111@interface NSTextTab : NSObject <NSCopying, NSCoding> {
112}
113@end @protocol NSValidatedUserInterfaceItem - (SEL)action;
114@end   @protocol NSUserInterfaceValidations - (BOOL)validateUserInterfaceItem:(id <NSValidatedUserInterfaceItem>)anItem;
115@end @class NSArray, NSError, NSImage, NSView, NSNotificationCenter, NSURL, NSScreen, NSRunningApplication;
116@interface NSApplication : NSResponder <NSUserInterfaceValidations> {
117}
118@end   enum {
119NSTerminateCancel = 0,         NSTerminateNow = 1,         NSTerminateLater = 2 };
120typedef NSUInteger NSApplicationTerminateReply;
121@protocol NSApplicationDelegate <NSObject> @optional        - (NSApplicationTerminateReply)applicationShouldTerminate:(NSApplication *)sender;
122@end    enum {
123NSUserInterfaceLayoutDirectionLeftToRight = 0,     NSUserInterfaceLayoutDirectionRightToLeft = 1 };
124@interface NSManagedObject : NSObject {
125}
126@end enum {
127kDAReturnSuccess = 0,     kDAReturnError = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x01,     kDAReturnBusy = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x02,     kDAReturnBadArgument = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x03,     kDAReturnExclusiveAccess = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x04,     kDAReturnNoResources = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x05,     kDAReturnNotFound = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x06,     kDAReturnNotMounted = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x07,     kDAReturnNotPermitted = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x08,     kDAReturnNotPrivileged = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x09,     kDAReturnNotReady = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0A,     kDAReturnNotWritable = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0B,     kDAReturnUnsupported = (((0x3e)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0C };
128typedef mach_error_t DAReturn;
129typedef const struct __DADissenter * DADissenterRef;
130extern DADissenterRef DADissenterCreate( CFAllocatorRef allocator, DAReturn status, CFStringRef string );
131
 // Minimal NSArray declaration for the tests below.
 // +array is the only constructor declared; rdar_6257780 relies on the checker
 // treating its result as not owned by the caller.
 @interface NSArray : NSObject <NSCopying, NSMutableCopying, NSCoding, NSFastEnumeration>
 - (NSUInteger)count;
 + (id)array;
 @end
136 
// Minimal NSAutoreleasePool declaration. Of these selectors, only -drain is
// sent by a test case in this file (rdar_6257780).
@interface NSAutoreleasePool : NSObject {}
+ (void)addObject:(id)anObject;
- (void)addObject:(id)anObject;
- (void)drain;
@end
142
143//===----------------------------------------------------------------------===//
144// Test cases.
145//===----------------------------------------------------------------------===//
146
// Use-after-release through the CoreFoundation API only.
// Ownership trace the checker is expected to follow: CFDateCreate (+1),
// CFRetain (+2), CFRelease (+1), CFRelease (0). The first read happens while a
// reference is still held and must stay silent; the second read follows the
// final release and must be reported.
CFAbsoluteTime f1() {
  CFAbsoluteTime t = CFAbsoluteTimeGetCurrent();
  CFDateRef date = CFDateCreate(0, t);
  CFRetain(date);
  CFRelease(date);
  // One reference is still held here, so this use is valid.
  CFDateGetAbsoluteTime(date); // no-warning
  CFRelease(date);
  // No reference remains: this read is the use-after-release under test.
  t = CFDateGetAbsoluteTime(date);   // expected-warning{{Reference-counted object is used after it is released.}}
  return t;
}
157
// Same scenario as f1, but the retain and the final release are sent as
// Objective-C messages to the CFDateRef cast to NSDate*. The directives require
// the checker to count -retain/-release and CFRetain/CFRelease against the same
// object: the read after the first CFRelease is silent, the read after
// -release is reported as a use-after-release.
CFAbsoluteTime f2() {
  CFAbsoluteTime t = CFAbsoluteTimeGetCurrent();
  CFDateRef date = CFDateCreate(0, t);
  [((NSDate*) date) retain];
  CFRelease(date);
  // Balanced so far: the reference from CFDateCreate is still held.
  CFDateGetAbsoluteTime(date); // no-warning
  [((NSDate*) date) release];
  // Last reference dropped on the previous line.
  t = CFDateGetAbsoluteTime(date);   // expected-warning{{Reference-counted object is used after it is released.}}
  return t;
}
168
169
// Global that f3 stores its tracked object into.
NSDate* global_x;

// Test to see if we suppress an error when we store the pointer
// to a global.
// The retain/release sequence is the one from f2, with a store to global_x
// inserted before the last release. Both later reads are marked no-warning, so
// the checker is expected to stay silent about the object once it has been
// stored to a global.
// NOTE(review): the silence is presumably the checker giving up on an escaped
// pointer, not a statement that reading the object after this release is
// safe -- confirm against the checker's escape handling.

CFAbsoluteTime f3() {
  CFAbsoluteTime t = CFAbsoluteTimeGetCurrent();
  CFDateRef date = CFDateCreate(0, t);
  [((NSDate*) date) retain];
  CFRelease(date);
  CFDateGetAbsoluteTime(date); // no-warning
  // The pointer is now also reachable through global_x.
  global_x = (NSDate*) date;
  [((NSDate*) date) release];
  t = CFDateGetAbsoluteTime(date);   // no-warning
  return t;
}
186
187//---------------------------------------------------------------------------
188// Test case 'f4' differs for region store and basic store.  See
189// retain-release-region-store.m and retain-release-basic-store.m.
190//---------------------------------------------------------------------------
191
// Test a leak on one branch only: the date is released when x is non-zero, so
// the path with x == 0 returns while still holding the reference from
// CFDateCreate. The verify directive sits on the allocation line.

CFAbsoluteTime f5(int x) {
  CFAbsoluteTime t = CFAbsoluteTimeGetCurrent();
  CFDateRef date = CFDateCreate(0, t); // expected-warning{{leak}}

  // Conditional release: nothing releases 'date' when x == 0.
  if (x)
    CFRelease(date);

  return t;
}
203
// Test a leak involving the return.
// The object is created and then retained once more before being returned, so
// there is one retain in this function that no release here balances. The
// directive sits on the allocation line. The parameter x is not used.

CFDateRef f6(int x) {
  CFDateRef date = CFDateCreate(0, CFAbsoluteTimeGetCurrent());  // expected-warning{{leak}}
  // Extra retain on top of the reference CFDateCreate already handed back.
  CFRetain(date);
  return date;
}
211
// Test a leak involving an overwrite.
// The first date is created and retained, then the only variable referring to
// it is reassigned to a second date. The first object is never released in
// this function; the second one is returned to the caller.

CFDateRef f7() {
  CFDateRef date = CFDateCreate(0, CFAbsoluteTimeGetCurrent());  //expected-warning{{leak}}
  CFRetain(date);
  // Overwrites the only reference to the first object.
  date = CFDateCreate(0, CFAbsoluteTimeGetCurrent());
  return date;
}
220
// Generalization of Create rule.  MyDateCreate returns a CFXXXTypeRef, and
// has the word create.
// No definition of MyDateCreate is visible in this file, so the leak report
// required below has to come from the declaration (name and return type)
// alone.
CFDateRef MyDateCreate();

// Same shape as f6, with the user-declared MyDateCreate standing in for
// CFDateCreate: one extra CFRetain before the object is returned.
CFDateRef f8() {
  CFDateRef date = MyDateCreate(); // expected-warning{{leak}}
  CFRetain(date);
  return date;
}
230
// Checks that the result of CFDateCreate is treated as possibly null. The
// null-pointer write through 'p' is reachable only on the branch where 'date'
// is null, so the required diagnostic shows that the checker explores that
// branch. The date itself is returned to the caller and draws no leak report.
CFDateRef f9() {
  CFDateRef date = CFDateCreate(0, CFAbsoluteTimeGetCurrent());
  int *p = 0;
  // When allocations fail, CFDateCreate can return null.
  // Deliberate null dereference used as a probe for the failure path.
  if (!date) *p = 1; // expected-warning{{null}}
  return date;
}
238
// Handle DiskArbitration API:
//
// http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/DiscArbitrationFramework/
//
// Each call below is to a DiskArbitration function with Create or Copy in its
// name, and each carries a leak directive: nothing in this function releases
// any of the results. 'disk' is reassigned twice without a release in between,
// so every one of its three assignments is reported separately. The NSLog
// calls only put a null check on each result.
void f10(io_service_t media, DADiskRef d, CFStringRef s) {
  DADiskRef disk = DADiskCreateFromBSDName(kCFAllocatorDefault, 0, "hello"); // expected-warning{{leak}}
  if (disk) NSLog(@"ok");

  // Overwrites 'disk' without releasing the previous object.
  disk = DADiskCreateFromIOMedia(kCFAllocatorDefault, 0, media); // expected-warning{{leak}}
  if (disk) NSLog(@"ok");

  CFDictionaryRef dict = DADiskCopyDescription(d);  // expected-warning{{leak}}
  if (dict) NSLog(@"ok");

  // Overwrites 'disk' again, still without a release.
  disk = DADiskCopyWholeDisk(d); // expected-warning{{leak}}
  if (disk) NSLog(@"ok");

  DADissenterRef dissenter = DADissenterCreate(kCFAllocatorDefault,   // expected-warning{{leak}}
                                                kDAReturnSuccess, s);
  if (dissenter) NSLog(@"ok");

  DASessionRef session = DASessionCreate(kCFAllocatorDefault);  // expected-warning{{leak}}
  if (session) NSLog(@"ok");
}
263
// Test retain/release checker with CFString and CFMutableArray.
// The string is created, appended to the array and released once, which
// balances the creation. The pointer fetched back with CFArrayGetValueAtIndex
// is not owned by this function, so the final CFRelease on it is an
// over-release; the directive requires it to be reported as an incorrect
// decrement. Note that this last release also happens after the array holding
// the string has itself been released.
void f11() {
  // Create the array.
  CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks);

  // Create a string.
  CFStringRef s1 = CFStringCreateWithCString(0, "hello world",
                                             kCFStringEncodingUTF8);

  // Add the string to the array.
  CFArrayAppendValue(A, s1);

  // Decrement the reference count.
  CFRelease(s1); // no-warning

  // Get the string.  We don't own it.
  s1 = (CFStringRef) CFArrayGetValueAtIndex(A, 0);

  // Release the array.
  CFRelease(A); // no-warning

  // Release the string.  This is a bug.
  CFRelease(s1); // expected-warning{{Incorrect decrement of the reference count}}
}
288
// PR 3337: Handle functions declared using typedefs.
// MyCreateFun gets its function type from the CREATEFUN typedef instead of a
// normal prototype. The leak directive in f12 requires the checker to treat it
// as an object-creating function all the same.
typedef CFTypeRef CREATEFUN();
CREATEFUN MyCreateFun;

// The result is stored in 'o' and never released or otherwise used.
void f12() {
  CFTypeRef o = MyCreateFun(); // expected-warning {{leak}}
}
296
// Baseline for the f13 group: a created array sent -autorelease exactly once.
// Neither line may draw a diagnostic, i.e. a single autorelease is accepted as
// balancing the creation.
void f13_autorelease() {
  CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // no-warning
  [(id) A autorelease]; // no-warning
}
301
// One creation, two -autorelease messages. The second autorelease has no
// matching reference, and the directive requires the over-autorelease to be
// reported on that line.
void f13_autorelease_b() {
  CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks);
  [(id) A autorelease];
  [(id) A autorelease]; // expected-warning{{Object sent -autorelease too many times}}
}
307
// Same over-autorelease as f13_autorelease_b, but the object is also returned.
// Here the directive is attached to the return statement instead of the second
// autorelease.
CFMutableArrayRef f13_autorelease_c() {
  CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks);
  [(id) A autorelease];
  [(id) A autorelease];
  return A; // expected-warning{{Object sent -autorelease too many times}}
}
314
// Over-autorelease of A followed by an unrelated, correctly balanced object B.
// The directive for A's over-autorelease is attached to the line that creates
// B; the create/release pair on B itself must stay silent.
// NOTE(review): the function is declared to return CFMutableArrayRef but has no
// return statement -- confirm whether that is intentional for this test.
CFMutableArrayRef f13_autorelease_d() {
  CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks);
  [(id) A autorelease];
  [(id) A autorelease];
  CFMutableArrayRef B = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // expected-warning{{Object sent -autorelease too many times}}
  CFRelease(B); // no-warning
}
322
323
// This case exercises the logic where the leak site is the same as the allocation site.
// The result of the create call is discarded, so no variable ever refers to
// the new array.
void f14_leakimmediately() {
  CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // expected-warning{{leak}}
}
328
// Test that we track an allocated object beyond the point where the *name*
// of the variable storing the reference is no longer live.
// The array is released through the pointer-to-variable B rather than through
// A, and that release must be accepted as balancing the creation: no leak and
// no bad-release report.
void f15() {
  // Create the array.
  CFMutableArrayRef A = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks);
  CFMutableArrayRef *B = &A;
  // At this point, the name 'A' is no longer live.
  CFRelease(*B);  // no-warning
}
338
339
// Test basic tracking of ivars associated with 'self'.  For the retain/release
// checker we currently do not want to flag leaks associated with stores
// of tracked objects to ivars.
// The class declares no -dealloc and nothing here releases myObj, so the
// no-warning below documents a deliberate blind spot of the checker rather
// than proof that the object is eventually released.
@interface SelfIvarTest : NSObject {
  id myObj;
}
- (void)test_self_tracking;
@end

@implementation SelfIvarTest
// Stores a newly created array straight into the ivar; must not be reported.
- (void)test_self_tracking {
  myObj = (id) CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // no-warning
}
@end
354
// Test return of non-owned objects in contexts where an owned object
// is expected.
// The method is named -newString and, per the diagnostic text required below,
// is treated as returning a +1 (owning) reference. Its body returns the result
// of +stringWithUTF8String:, which the same diagnostic describes as +0, so a
// caller that releases the result would over-release it.
// Note: the interface is declared without a superclass.
@interface TestReturnNotOwnedWhenExpectedOwned
- (NSString*)newString;
@end

@implementation TestReturnNotOwnedWhenExpectedOwned
- (NSString*)newString {
  // Convenience constructor: the result is not owned by this method.
  NSString *s = [NSString stringWithUTF8String:"hello"];
  return s; // expected-warning{{Object with +0 retain counts returned to caller where a +1 (owning) retain count is expected}}
}
@end
367
// <rdar://problem/6659160>
// isFoo is declared but not defined in this file.
int isFoo(char c);

// Combines three checks on one function:
//  - 'kind' comes from alloc/init and is released only on the last path; every
//    early return below leaves it unreleased (leak directive on the
//    allocation line).
//  - 'name' comes from +stringWithUTF8String: and is released at the end; the
//    directive there requires that release to be reported as an incorrect
//    decrement.
//  - the two isFoo(...) lines probe which of kindC/nameC may be null.
static void rdar_6659160(char *inkind, char *inname)
{
  // We currently expect that [NSObject alloc] cannot fail.  This
  // will be a toggled flag in the future.  It can indeed return null, but
  // Cocoa programmers generally aren't expected to reason about out-of-memory
  // conditions.
  NSString *kind = [[NSString alloc] initWithUTF8String:inkind];  // expected-warning{{leak}}

  // We do allow stringWithUTF8String to fail.  This isn't really correct, as
  // far as returning 0.  In most error conditions it will throw an exception.
  // If allocation fails it could return 0, but again this
  // isn't expected.
  NSString *name = [NSString stringWithUTF8String:inname];
  // Early return: 'kind' is still owned here and is not released.
  if(!name)
    return;

  const char *kindC = 0;
  const char *nameC = 0;

  // In both cases, we cannot reach a point down below where we
  // dereference kindC or nameC with either being null.  This is because
  // we assume that [NSObject alloc] doesn't fail and that we have the guard
  // up above.
  // NOTE(review): the directive on the kindC[0] line below requires a null
  // diagnostic, which appears to contradict the comment above for kindC --
  // confirm which of the two reflects the checker's intended behaviour.

  if(kind)
    kindC = [kind UTF8String];
  if(name)
    nameC = [name UTF8String];
  if(!isFoo(kindC[0])) // expected-warning{{null}}
    return;
  if(!isFoo(nameC[0])) // no-warning
    return;

  [kind release];
  // 'name' was never owned by this function.
  [name release]; // expected-warning{{Incorrect decrement of the reference count}}
}
407
// PR 3677 - 'allocWithZone' should be treated as following the Cocoa naming
//  conventions with respect to 'return'ing ownership.
// The override only forwards to super and returns the result, so handing the
// new object straight back to the caller must not be reported as a leak.
@interface PR3677: NSObject @end
@implementation PR3677
+ (id)allocWithZone:(NSZone *)inZone {
  return [super allocWithZone:inZone];  // no-warning
}
@end
416
// PR 3820 - Reason about calls to -dealloc
// An explicit -dealloc is accepted as ending the object's lifetime: the
// allocation must not be reported as leaked even though no -release is sent.
void pr3820_DeallocInsteadOfRelease(void)
{
  id foo = [[NSString alloc] init]; // no-warning
  [foo dealloc];
  // foo is not leaked, since it has been deallocated.
}
424
// Second PR 3820 case: -release is sent after an explicit -dealloc. Any
// message to the object after -dealloc is a use of freed memory, and the
// directive requires it to be reported as a use after release.
void pr3820_ReleaseAfterDealloc(void)
{
  id foo = [[NSString alloc] init];
  [foo dealloc];
  [foo release];  // expected-warning{{used after it is release}}
  // NSInternalInconsistencyException: message sent to deallocated object
}
432
// Third PR 3820 case, the reverse order: the only reference is released first
// and -dealloc is sent afterwards. The -dealloc message is the use after
// release that must be reported.
void pr3820_DeallocAfterRelease(void)
{
  NSLog(@"\n\n[%s]", __FUNCTION__);
  id foo = [[NSString alloc] init];
  [foo release];
  [foo dealloc]; // expected-warning{{used after it is released}}
  // message sent to released object
}
441
// From <rdar://problem/6704930>.  The problem here is that 'length' binds to
// '($0 - 1)' after '--length', but SimpleConstraintManager doesn't know how to
// reason about '($0 - 1) > constant'.  As a temporary hack, we drop the value
// of '($0 - 1)' and conjure a new symbol.
//
// Regression test against a false positive. Every string allocated here is
// released on every path: an allocation made at the ':' is released again when
// the scan also used up the buffer (length == 0), and whatever 'name' holds at
// the end is released by the final block. Neither allocation may be reported.
void rdar6704930(unsigned char *s, unsigned int length) {
  NSString* name = 0;
  if (s != 0) {
    if (length > 0) {
      // Scan for ':' while decrementing the remaining length.
      while (length > 0) {
        if (*s == ':') {
          ++s;
          --length;
          name = [[NSString alloc] init]; // no-warning
          break;
        }
        ++s;
        --length;
      }
      // ':' was the last byte: drop that allocation before the branch below
      // assigns a new one.
      if ((length == 0) && (name != 0)) {
        [name release];
        name = 0;
      }
      if (length == 0) { // no ':' found -> use it all as name
        name = [[NSString alloc] init]; // no-warning
      }
    }
  }

  // Single release point for whichever allocation survived.
  if (name != 0) {
    [name release];
  }
}
474
//===----------------------------------------------------------------------===//
// <rdar://problem/6833332>
// One build of the analyzer accidentally stopped tracking the allocated
// object after the 'retain'.
//===----------------------------------------------------------------------===//

// Application-delegate class used as the fixture. The 'window' property and
// the -dealloc that releases it are scaffolding; the tracked object is the
// dictionary in -applicationDidFinishLaunching:.
@interface rdar_6833332 : NSObject <NSApplicationDelegate> {
    NSWindow *window;
}
@property (nonatomic, retain) NSWindow *window;
@end

@implementation rdar_6833332
@synthesize window;
// The dictionary comes from a convenience constructor and is then explicitly
// retained; nothing in the method releases it. The directive requires the leak
// to be reported even though the object is used by two later messages, i.e.
// tracking must continue past the 'retain'.
- (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
 NSMutableDictionary *dict = [[NSMutableDictionary dictionaryWithCapacity:4] retain]; // expected-warning{{leak}}

 [dict setObject:@"foo" forKey:@"bar"];

 NSLog(@"%@", dict);
}
// Releases the ivar behind the retained property, then chains to super.
- (void)dealloc {
    [window release];
    [super dealloc];
}
@end
501
//===----------------------------------------------------------------------===//
// <rdar://problem/6257780> clang checker fails to catch use-after-release
//===----------------------------------------------------------------------===//

// The array comes from +[NSArray array], which the required diagnostic
// describes as not owned by the caller, and is then released explicitly. That
// -release is the over-release under test. The pool is created with
// alloc/init and drained, and must not draw a diagnostic of its own.
int rdar_6257780() {
  NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
  NSArray *array = [NSArray array];
  [array release]; // expected-warning{{Incorrect decrement of the reference count of an object is not owned at this point by the caller}}
  [pool drain];
  return 0;
}
513
514//===----------------------------------------------------------------------===//
515// Tests of ownership attributes.
516//===----------------------------------------------------------------------===//
517
// Fixture for the ownership-attribute tests. Neither selector starts with a
// word such as alloc, new or copy, so the only ownership hint on each
// declaration is the explicit attribute: ns_returns_retained on the first,
// cf_returns_retained on the second. Both are declared to return NSString*.
@interface TestOwnershipAttr : NSObject
- (NSString*) returnsAnOwnedString  __attribute__((ns_returns_retained));
- (NSString*) returnsAnOwnedCFString  __attribute__((cf_returns_retained));
@end
522
// The result of a method marked ns_returns_retained is stored and never
// released; the directive requires a leak report, i.e. the attribute alone
// must make the checker treat the result as owned by the caller.
void test_attr_1(TestOwnershipAttr *X) {
  NSString *str = [X returnsAnOwnedString]; // expected-warning{{leak}}
}
526
// Same check as test_attr_1 for a method marked cf_returns_retained: the
// unreleased result must be reported as a leak.
void test_attr_1b(TestOwnershipAttr *X) {
  NSString *str = [X returnsAnOwnedCFString]; // expected-warning{{leak}}
}
530
531