RetainCountChecker.cpp revision 3ea9e33ea25e0c2b12db56418ba3f994eb662c04
1//==-- RetainCountChecker.cpp - Checks for leaks and other issues -*- C++ -*--// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines the methods for RetainCountChecker, which implements 11// a reference count checker for Core Foundation and Cocoa on (Mac OS X). 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "AllocationDiagnostics.h" 17#include "SelectorExtras.h" 18#include "clang/AST/Attr.h" 19#include "clang/AST/DeclCXX.h" 20#include "clang/AST/DeclObjC.h" 21#include "clang/AST/ParentMap.h" 22#include "clang/Analysis/DomainSpecific/CocoaConventions.h" 23#include "clang/Basic/LangOptions.h" 24#include "clang/Basic/SourceManager.h" 25#include "clang/StaticAnalyzer/Checkers/ObjCRetainCount.h" 26#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 27#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 28#include "clang/StaticAnalyzer/Core/Checker.h" 29#include "clang/StaticAnalyzer/Core/CheckerManager.h" 30#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 31#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 32#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 33#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 34#include "llvm/ADT/DenseMap.h" 35#include "llvm/ADT/FoldingSet.h" 36#include "llvm/ADT/ImmutableList.h" 37#include "llvm/ADT/ImmutableMap.h" 38#include "llvm/ADT/STLExtras.h" 39#include "llvm/ADT/SmallString.h" 40#include "llvm/ADT/StringExtras.h" 41#include <cstdarg> 42 43using namespace clang; 44using namespace ento; 45using namespace objc_retain; 46using llvm::StrInStrNoCase; 47 48//===----------------------------------------------------------------------===// 49// Adapters for FoldingSet. 50//===----------------------------------------------------------------------===// 51 52namespace llvm { 53template <> struct FoldingSetTrait<ArgEffect> { 54static inline void Profile(const ArgEffect X, FoldingSetNodeID &ID) { 55 ID.AddInteger((unsigned) X); 56} 57}; 58template <> struct FoldingSetTrait<RetEffect> { 59 static inline void Profile(const RetEffect &X, FoldingSetNodeID &ID) { 60 ID.AddInteger((unsigned) X.getKind()); 61 ID.AddInteger((unsigned) X.getObjKind()); 62} 63}; 64} // end llvm namespace 65 66//===----------------------------------------------------------------------===// 67// Reference-counting logic (typestate + counts). 68//===----------------------------------------------------------------------===// 69 70/// ArgEffects summarizes the effects of a function/method call on all of 71/// its arguments. 72typedef llvm::ImmutableMap<unsigned,ArgEffect> ArgEffects; 73 74namespace { 75class RefVal { 76public: 77 enum Kind { 78 Owned = 0, // Owning reference. 79 NotOwned, // Reference is not owned by still valid (not freed). 80 Released, // Object has been released. 81 ReturnedOwned, // Returned object passes ownership to caller. 82 ReturnedNotOwned, // Return object does not pass ownership to caller. 83 ERROR_START, 84 ErrorDeallocNotOwned, // -dealloc called on non-owned object. 85 ErrorDeallocGC, // Calling -dealloc with GC enabled. 86 ErrorUseAfterRelease, // Object used after released. 87 ErrorReleaseNotOwned, // Release of an object that was not owned. 88 ERROR_LEAK_START, 89 ErrorLeak, // A memory leak due to excessive reference counts. 90 ErrorLeakReturned, // A memory leak due to the returning method not having 91 // the correct naming conventions. 92 ErrorGCLeakReturned, 93 ErrorOverAutorelease, 94 ErrorReturnedNotOwned 95 }; 96 97 /// Tracks how an object referenced by an ivar has been used. 98 /// 99 /// This accounts for us not knowing if an arbitrary ivar is supposed to be 100 /// stored at +0 or +1. 101 enum class IvarAccessHistory { 102 None, 103 AccessedDirectly, 104 ReleasedAfterDirectAccess 105 }; 106 107private: 108 /// The number of outstanding retains. 109 unsigned Cnt; 110 /// The number of outstanding autoreleases. 111 unsigned ACnt; 112 /// The (static) type of the object at the time we started tracking it. 113 QualType T; 114 115 /// The current state of the object. 116 /// 117 /// See the RefVal::Kind enum for possible values. 118 unsigned RawKind : 5; 119 120 /// The kind of object being tracked (CF or ObjC), if known. 121 /// 122 /// See the RetEffect::ObjKind enum for possible values. 123 unsigned RawObjectKind : 2; 124 125 /// True if the current state and/or retain count may turn out to not be the 126 /// best possible approximation of the reference counting state. 127 /// 128 /// If true, the checker may decide to throw away ("override") this state 129 /// in favor of something else when it sees the object being used in new ways. 130 /// 131 /// This setting should not be propagated to state derived from this state. 132 /// Once we start deriving new states, it would be inconsistent to override 133 /// them. 134 unsigned RawIvarAccessHistory : 2; 135 136 RefVal(Kind k, RetEffect::ObjKind o, unsigned cnt, unsigned acnt, QualType t, 137 IvarAccessHistory IvarAccess) 138 : Cnt(cnt), ACnt(acnt), T(t), RawKind(static_cast<unsigned>(k)), 139 RawObjectKind(static_cast<unsigned>(o)), 140 RawIvarAccessHistory(static_cast<unsigned>(IvarAccess)) { 141 assert(getKind() == k && "not enough bits for the kind"); 142 assert(getObjKind() == o && "not enough bits for the object kind"); 143 assert(getIvarAccessHistory() == IvarAccess && "not enough bits"); 144 } 145 146public: 147 Kind getKind() const { return static_cast<Kind>(RawKind); } 148 149 RetEffect::ObjKind getObjKind() const { 150 return static_cast<RetEffect::ObjKind>(RawObjectKind); 151 } 152 153 unsigned getCount() const { return Cnt; } 154 unsigned getAutoreleaseCount() const { return ACnt; } 155 unsigned getCombinedCounts() const { return Cnt + ACnt; } 156 void clearCounts() { 157 Cnt = 0; 158 ACnt = 0; 159 } 160 void setCount(unsigned i) { 161 Cnt = i; 162 } 163 void setAutoreleaseCount(unsigned i) { 164 ACnt = i; 165 } 166 167 QualType getType() const { return T; } 168 169 /// Returns what the analyzer knows about direct accesses to a particular 170 /// instance variable. 171 /// 172 /// If the object with this refcount wasn't originally from an Objective-C 173 /// ivar region, this should always return IvarAccessHistory::None. 174 IvarAccessHistory getIvarAccessHistory() const { 175 return static_cast<IvarAccessHistory>(RawIvarAccessHistory); 176 } 177 178 bool isOwned() const { 179 return getKind() == Owned; 180 } 181 182 bool isNotOwned() const { 183 return getKind() == NotOwned; 184 } 185 186 bool isReturnedOwned() const { 187 return getKind() == ReturnedOwned; 188 } 189 190 bool isReturnedNotOwned() const { 191 return getKind() == ReturnedNotOwned; 192 } 193 194 /// Create a state for an object whose lifetime is the responsibility of the 195 /// current function, at least partially. 196 /// 197 /// Most commonly, this is an owned object with a retain count of +1. 198 static RefVal makeOwned(RetEffect::ObjKind o, QualType t, 199 unsigned Count = 1) { 200 return RefVal(Owned, o, Count, 0, t, IvarAccessHistory::None); 201 } 202 203 /// Create a state for an object whose lifetime is not the responsibility of 204 /// the current function. 205 /// 206 /// Most commonly, this is an unowned object with a retain count of +0. 207 static RefVal makeNotOwned(RetEffect::ObjKind o, QualType t, 208 unsigned Count = 0) { 209 return RefVal(NotOwned, o, Count, 0, t, IvarAccessHistory::None); 210 } 211 212 RefVal operator-(size_t i) const { 213 return RefVal(getKind(), getObjKind(), getCount() - i, 214 getAutoreleaseCount(), getType(), getIvarAccessHistory()); 215 } 216 217 RefVal operator+(size_t i) const { 218 return RefVal(getKind(), getObjKind(), getCount() + i, 219 getAutoreleaseCount(), getType(), getIvarAccessHistory()); 220 } 221 222 RefVal operator^(Kind k) const { 223 return RefVal(k, getObjKind(), getCount(), getAutoreleaseCount(), 224 getType(), getIvarAccessHistory()); 225 } 226 227 RefVal autorelease() const { 228 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount()+1, 229 getType(), getIvarAccessHistory()); 230 } 231 232 RefVal withIvarAccess() const { 233 assert(getIvarAccessHistory() == IvarAccessHistory::None); 234 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(), 235 getType(), IvarAccessHistory::AccessedDirectly); 236 } 237 RefVal releaseViaIvar() const { 238 assert(getIvarAccessHistory() == IvarAccessHistory::AccessedDirectly); 239 return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(), 240 getType(), IvarAccessHistory::ReleasedAfterDirectAccess); 241 } 242 243 // Comparison, profiling, and pretty-printing. 244 245 bool hasSameState(const RefVal &X) const { 246 return getKind() == X.getKind() && Cnt == X.Cnt && ACnt == X.ACnt && 247 getIvarAccessHistory() == X.getIvarAccessHistory(); 248 } 249 250 bool operator==(const RefVal& X) const { 251 return T == X.T && hasSameState(X) && getObjKind() == X.getObjKind(); 252 } 253 254 void Profile(llvm::FoldingSetNodeID& ID) const { 255 ID.Add(T); 256 ID.AddInteger(RawKind); 257 ID.AddInteger(Cnt); 258 ID.AddInteger(ACnt); 259 ID.AddInteger(RawObjectKind); 260 ID.AddInteger(RawIvarAccessHistory); 261 } 262 263 void print(raw_ostream &Out) const; 264}; 265 266void RefVal::print(raw_ostream &Out) const { 267 if (!T.isNull()) 268 Out << "Tracked " << T.getAsString() << '/'; 269 270 switch (getKind()) { 271 default: llvm_unreachable("Invalid RefVal kind"); 272 case Owned: { 273 Out << "Owned"; 274 unsigned cnt = getCount(); 275 if (cnt) Out << " (+ " << cnt << ")"; 276 break; 277 } 278 279 case NotOwned: { 280 Out << "NotOwned"; 281 unsigned cnt = getCount(); 282 if (cnt) Out << " (+ " << cnt << ")"; 283 break; 284 } 285 286 case ReturnedOwned: { 287 Out << "ReturnedOwned"; 288 unsigned cnt = getCount(); 289 if (cnt) Out << " (+ " << cnt << ")"; 290 break; 291 } 292 293 case ReturnedNotOwned: { 294 Out << "ReturnedNotOwned"; 295 unsigned cnt = getCount(); 296 if (cnt) Out << " (+ " << cnt << ")"; 297 break; 298 } 299 300 case Released: 301 Out << "Released"; 302 break; 303 304 case ErrorDeallocGC: 305 Out << "-dealloc (GC)"; 306 break; 307 308 case ErrorDeallocNotOwned: 309 Out << "-dealloc (not-owned)"; 310 break; 311 312 case ErrorLeak: 313 Out << "Leaked"; 314 break; 315 316 case ErrorLeakReturned: 317 Out << "Leaked (Bad naming)"; 318 break; 319 320 case ErrorGCLeakReturned: 321 Out << "Leaked (GC-ed at return)"; 322 break; 323 324 case ErrorUseAfterRelease: 325 Out << "Use-After-Release [ERROR]"; 326 break; 327 328 case ErrorReleaseNotOwned: 329 Out << "Release of Not-Owned [ERROR]"; 330 break; 331 332 case RefVal::ErrorOverAutorelease: 333 Out << "Over-autoreleased"; 334 break; 335 336 case RefVal::ErrorReturnedNotOwned: 337 Out << "Non-owned object returned instead of owned"; 338 break; 339 } 340 341 switch (getIvarAccessHistory()) { 342 case IvarAccessHistory::None: 343 break; 344 case IvarAccessHistory::AccessedDirectly: 345 Out << " [direct ivar access]"; 346 break; 347 case IvarAccessHistory::ReleasedAfterDirectAccess: 348 Out << " [released after direct ivar access]"; 349 } 350 351 if (ACnt) { 352 Out << " [autorelease -" << ACnt << ']'; 353 } 354} 355} //end anonymous namespace 356 357//===----------------------------------------------------------------------===// 358// RefBindings - State used to track object reference counts. 359//===----------------------------------------------------------------------===// 360 361REGISTER_MAP_WITH_PROGRAMSTATE(RefBindings, SymbolRef, RefVal) 362 363static inline const RefVal *getRefBinding(ProgramStateRef State, 364 SymbolRef Sym) { 365 return State->get<RefBindings>(Sym); 366} 367 368static inline ProgramStateRef setRefBinding(ProgramStateRef State, 369 SymbolRef Sym, RefVal Val) { 370 return State->set<RefBindings>(Sym, Val); 371} 372 373static ProgramStateRef removeRefBinding(ProgramStateRef State, SymbolRef Sym) { 374 return State->remove<RefBindings>(Sym); 375} 376 377//===----------------------------------------------------------------------===// 378// Function/Method behavior summaries. 379//===----------------------------------------------------------------------===// 380 381namespace { 382class RetainSummary { 383 /// Args - a map of (index, ArgEffect) pairs, where index 384 /// specifies the argument (starting from 0). This can be sparsely 385 /// populated; arguments with no entry in Args use 'DefaultArgEffect'. 386 ArgEffects Args; 387 388 /// DefaultArgEffect - The default ArgEffect to apply to arguments that 389 /// do not have an entry in Args. 390 ArgEffect DefaultArgEffect; 391 392 /// Receiver - If this summary applies to an Objective-C message expression, 393 /// this is the effect applied to the state of the receiver. 394 ArgEffect Receiver; 395 396 /// Ret - The effect on the return value. Used to indicate if the 397 /// function/method call returns a new tracked symbol. 398 RetEffect Ret; 399 400public: 401 RetainSummary(ArgEffects A, RetEffect R, ArgEffect defaultEff, 402 ArgEffect ReceiverEff) 403 : Args(A), DefaultArgEffect(defaultEff), Receiver(ReceiverEff), Ret(R) {} 404 405 /// getArg - Return the argument effect on the argument specified by 406 /// idx (starting from 0). 407 ArgEffect getArg(unsigned idx) const { 408 if (const ArgEffect *AE = Args.lookup(idx)) 409 return *AE; 410 411 return DefaultArgEffect; 412 } 413 414 void addArg(ArgEffects::Factory &af, unsigned idx, ArgEffect e) { 415 Args = af.add(Args, idx, e); 416 } 417 418 /// setDefaultArgEffect - Set the default argument effect. 419 void setDefaultArgEffect(ArgEffect E) { 420 DefaultArgEffect = E; 421 } 422 423 /// getRetEffect - Returns the effect on the return value of the call. 424 RetEffect getRetEffect() const { return Ret; } 425 426 /// setRetEffect - Set the effect of the return value of the call. 427 void setRetEffect(RetEffect E) { Ret = E; } 428 429 430 /// Sets the effect on the receiver of the message. 431 void setReceiverEffect(ArgEffect e) { Receiver = e; } 432 433 /// getReceiverEffect - Returns the effect on the receiver of the call. 434 /// This is only meaningful if the summary applies to an ObjCMessageExpr*. 435 ArgEffect getReceiverEffect() const { return Receiver; } 436 437 /// Test if two retain summaries are identical. Note that merely equivalent 438 /// summaries are not necessarily identical (for example, if an explicit 439 /// argument effect matches the default effect). 440 bool operator==(const RetainSummary &Other) const { 441 return Args == Other.Args && DefaultArgEffect == Other.DefaultArgEffect && 442 Receiver == Other.Receiver && Ret == Other.Ret; 443 } 444 445 /// Profile this summary for inclusion in a FoldingSet. 446 void Profile(llvm::FoldingSetNodeID& ID) const { 447 ID.Add(Args); 448 ID.Add(DefaultArgEffect); 449 ID.Add(Receiver); 450 ID.Add(Ret); 451 } 452 453 /// A retain summary is simple if it has no ArgEffects other than the default. 454 bool isSimple() const { 455 return Args.isEmpty(); 456 } 457 458private: 459 ArgEffects getArgEffects() const { return Args; } 460 ArgEffect getDefaultArgEffect() const { return DefaultArgEffect; } 461 462 friend class RetainSummaryManager; 463}; 464} // end anonymous namespace 465 466//===----------------------------------------------------------------------===// 467// Data structures for constructing summaries. 468//===----------------------------------------------------------------------===// 469 470namespace { 471class ObjCSummaryKey { 472 IdentifierInfo* II; 473 Selector S; 474public: 475 ObjCSummaryKey(IdentifierInfo* ii, Selector s) 476 : II(ii), S(s) {} 477 478 ObjCSummaryKey(const ObjCInterfaceDecl *d, Selector s) 479 : II(d ? d->getIdentifier() : nullptr), S(s) {} 480 481 ObjCSummaryKey(Selector s) 482 : II(nullptr), S(s) {} 483 484 IdentifierInfo *getIdentifier() const { return II; } 485 Selector getSelector() const { return S; } 486}; 487} 488 489namespace llvm { 490template <> struct DenseMapInfo<ObjCSummaryKey> { 491 static inline ObjCSummaryKey getEmptyKey() { 492 return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getEmptyKey(), 493 DenseMapInfo<Selector>::getEmptyKey()); 494 } 495 496 static inline ObjCSummaryKey getTombstoneKey() { 497 return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getTombstoneKey(), 498 DenseMapInfo<Selector>::getTombstoneKey()); 499 } 500 501 static unsigned getHashValue(const ObjCSummaryKey &V) { 502 typedef std::pair<IdentifierInfo*, Selector> PairTy; 503 return DenseMapInfo<PairTy>::getHashValue(PairTy(V.getIdentifier(), 504 V.getSelector())); 505 } 506 507 static bool isEqual(const ObjCSummaryKey& LHS, const ObjCSummaryKey& RHS) { 508 return LHS.getIdentifier() == RHS.getIdentifier() && 509 LHS.getSelector() == RHS.getSelector(); 510 } 511 512}; 513} // end llvm namespace 514 515namespace { 516class ObjCSummaryCache { 517 typedef llvm::DenseMap<ObjCSummaryKey, const RetainSummary *> MapTy; 518 MapTy M; 519public: 520 ObjCSummaryCache() {} 521 522 const RetainSummary * find(const ObjCInterfaceDecl *D, Selector S) { 523 // Do a lookup with the (D,S) pair. If we find a match return 524 // the iterator. 525 ObjCSummaryKey K(D, S); 526 MapTy::iterator I = M.find(K); 527 528 if (I != M.end()) 529 return I->second; 530 if (!D) 531 return nullptr; 532 533 // Walk the super chain. If we find a hit with a parent, we'll end 534 // up returning that summary. We actually allow that key (null,S), as 535 // we cache summaries for the null ObjCInterfaceDecl* to allow us to 536 // generate initial summaries without having to worry about NSObject 537 // being declared. 538 // FIXME: We may change this at some point. 539 for (ObjCInterfaceDecl *C=D->getSuperClass() ;; C=C->getSuperClass()) { 540 if ((I = M.find(ObjCSummaryKey(C, S))) != M.end()) 541 break; 542 543 if (!C) 544 return nullptr; 545 } 546 547 // Cache the summary with original key to make the next lookup faster 548 // and return the iterator. 549 const RetainSummary *Summ = I->second; 550 M[K] = Summ; 551 return Summ; 552 } 553 554 const RetainSummary *find(IdentifierInfo* II, Selector S) { 555 // FIXME: Class method lookup. Right now we dont' have a good way 556 // of going between IdentifierInfo* and the class hierarchy. 557 MapTy::iterator I = M.find(ObjCSummaryKey(II, S)); 558 559 if (I == M.end()) 560 I = M.find(ObjCSummaryKey(S)); 561 562 return I == M.end() ? nullptr : I->second; 563 } 564 565 const RetainSummary *& operator[](ObjCSummaryKey K) { 566 return M[K]; 567 } 568 569 const RetainSummary *& operator[](Selector S) { 570 return M[ ObjCSummaryKey(S) ]; 571 } 572}; 573} // end anonymous namespace 574 575//===----------------------------------------------------------------------===// 576// Data structures for managing collections of summaries. 577//===----------------------------------------------------------------------===// 578 579namespace { 580class RetainSummaryManager { 581 582 //==-----------------------------------------------------------------==// 583 // Typedefs. 584 //==-----------------------------------------------------------------==// 585 586 typedef llvm::DenseMap<const FunctionDecl*, const RetainSummary *> 587 FuncSummariesTy; 588 589 typedef ObjCSummaryCache ObjCMethodSummariesTy; 590 591 typedef llvm::FoldingSetNodeWrapper<RetainSummary> CachedSummaryNode; 592 593 //==-----------------------------------------------------------------==// 594 // Data. 595 //==-----------------------------------------------------------------==// 596 597 /// Ctx - The ASTContext object for the analyzed ASTs. 598 ASTContext &Ctx; 599 600 /// GCEnabled - Records whether or not the analyzed code runs in GC mode. 601 const bool GCEnabled; 602 603 /// Records whether or not the analyzed code runs in ARC mode. 604 const bool ARCEnabled; 605 606 /// FuncSummaries - A map from FunctionDecls to summaries. 607 FuncSummariesTy FuncSummaries; 608 609 /// ObjCClassMethodSummaries - A map from selectors (for instance methods) 610 /// to summaries. 611 ObjCMethodSummariesTy ObjCClassMethodSummaries; 612 613 /// ObjCMethodSummaries - A map from selectors to summaries. 614 ObjCMethodSummariesTy ObjCMethodSummaries; 615 616 /// BPAlloc - A BumpPtrAllocator used for allocating summaries, ArgEffects, 617 /// and all other data used by the checker. 618 llvm::BumpPtrAllocator BPAlloc; 619 620 /// AF - A factory for ArgEffects objects. 621 ArgEffects::Factory AF; 622 623 /// ScratchArgs - A holding buffer for construct ArgEffects. 624 ArgEffects ScratchArgs; 625 626 /// ObjCAllocRetE - Default return effect for methods returning Objective-C 627 /// objects. 628 RetEffect ObjCAllocRetE; 629 630 /// ObjCInitRetE - Default return effect for init methods returning 631 /// Objective-C objects. 632 RetEffect ObjCInitRetE; 633 634 /// SimpleSummaries - Used for uniquing summaries that don't have special 635 /// effects. 636 llvm::FoldingSet<CachedSummaryNode> SimpleSummaries; 637 638 //==-----------------------------------------------------------------==// 639 // Methods. 640 //==-----------------------------------------------------------------==// 641 642 /// getArgEffects - Returns a persistent ArgEffects object based on the 643 /// data in ScratchArgs. 644 ArgEffects getArgEffects(); 645 646 enum UnaryFuncKind { cfretain, cfrelease, cfautorelease, cfmakecollectable }; 647 648 const RetainSummary *getUnarySummary(const FunctionType* FT, 649 UnaryFuncKind func); 650 651 const RetainSummary *getCFSummaryCreateRule(const FunctionDecl *FD); 652 const RetainSummary *getCFSummaryGetRule(const FunctionDecl *FD); 653 const RetainSummary *getCFCreateGetRuleSummary(const FunctionDecl *FD); 654 655 const RetainSummary *getPersistentSummary(const RetainSummary &OldSumm); 656 657 const RetainSummary *getPersistentSummary(RetEffect RetEff, 658 ArgEffect ReceiverEff = DoNothing, 659 ArgEffect DefaultEff = MayEscape) { 660 RetainSummary Summ(getArgEffects(), RetEff, DefaultEff, ReceiverEff); 661 return getPersistentSummary(Summ); 662 } 663 664 const RetainSummary *getDoNothingSummary() { 665 return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 666 } 667 668 const RetainSummary *getDefaultSummary() { 669 return getPersistentSummary(RetEffect::MakeNoRet(), 670 DoNothing, MayEscape); 671 } 672 673 const RetainSummary *getPersistentStopSummary() { 674 return getPersistentSummary(RetEffect::MakeNoRet(), 675 StopTracking, StopTracking); 676 } 677 678 void InitializeClassMethodSummaries(); 679 void InitializeMethodSummaries(); 680private: 681 void addNSObjectClsMethSummary(Selector S, const RetainSummary *Summ) { 682 ObjCClassMethodSummaries[S] = Summ; 683 } 684 685 void addNSObjectMethSummary(Selector S, const RetainSummary *Summ) { 686 ObjCMethodSummaries[S] = Summ; 687 } 688 689 void addClassMethSummary(const char* Cls, const char* name, 690 const RetainSummary *Summ, bool isNullary = true) { 691 IdentifierInfo* ClsII = &Ctx.Idents.get(Cls); 692 Selector S = isNullary ? GetNullarySelector(name, Ctx) 693 : GetUnarySelector(name, Ctx); 694 ObjCClassMethodSummaries[ObjCSummaryKey(ClsII, S)] = Summ; 695 } 696 697 void addInstMethSummary(const char* Cls, const char* nullaryName, 698 const RetainSummary *Summ) { 699 IdentifierInfo* ClsII = &Ctx.Idents.get(Cls); 700 Selector S = GetNullarySelector(nullaryName, Ctx); 701 ObjCMethodSummaries[ObjCSummaryKey(ClsII, S)] = Summ; 702 } 703 704 void addMethodSummary(IdentifierInfo *ClsII, ObjCMethodSummariesTy &Summaries, 705 const RetainSummary *Summ, va_list argp) { 706 Selector S = getKeywordSelector(Ctx, argp); 707 Summaries[ObjCSummaryKey(ClsII, S)] = Summ; 708 } 709 710 void addInstMethSummary(const char* Cls, const RetainSummary * Summ, ...) { 711 va_list argp; 712 va_start(argp, Summ); 713 addMethodSummary(&Ctx.Idents.get(Cls), ObjCMethodSummaries, Summ, argp); 714 va_end(argp); 715 } 716 717 void addClsMethSummary(const char* Cls, const RetainSummary * Summ, ...) { 718 va_list argp; 719 va_start(argp, Summ); 720 addMethodSummary(&Ctx.Idents.get(Cls),ObjCClassMethodSummaries, Summ, argp); 721 va_end(argp); 722 } 723 724 void addClsMethSummary(IdentifierInfo *II, const RetainSummary * Summ, ...) { 725 va_list argp; 726 va_start(argp, Summ); 727 addMethodSummary(II, ObjCClassMethodSummaries, Summ, argp); 728 va_end(argp); 729 } 730 731public: 732 733 RetainSummaryManager(ASTContext &ctx, bool gcenabled, bool usesARC) 734 : Ctx(ctx), 735 GCEnabled(gcenabled), 736 ARCEnabled(usesARC), 737 AF(BPAlloc), ScratchArgs(AF.getEmptyMap()), 738 ObjCAllocRetE(gcenabled 739 ? RetEffect::MakeGCNotOwned() 740 : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC) 741 : RetEffect::MakeOwned(RetEffect::ObjC, true))), 742 ObjCInitRetE(gcenabled 743 ? RetEffect::MakeGCNotOwned() 744 : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC) 745 : RetEffect::MakeOwnedWhenTrackedReceiver())) { 746 InitializeClassMethodSummaries(); 747 InitializeMethodSummaries(); 748 } 749 750 const RetainSummary *getSummary(const CallEvent &Call, 751 ProgramStateRef State = nullptr); 752 753 const RetainSummary *getFunctionSummary(const FunctionDecl *FD); 754 755 const RetainSummary *getMethodSummary(Selector S, const ObjCInterfaceDecl *ID, 756 const ObjCMethodDecl *MD, 757 QualType RetTy, 758 ObjCMethodSummariesTy &CachedSummaries); 759 760 const RetainSummary *getInstanceMethodSummary(const ObjCMethodCall &M, 761 ProgramStateRef State); 762 763 const RetainSummary *getClassMethodSummary(const ObjCMethodCall &M) { 764 assert(!M.isInstanceMessage()); 765 const ObjCInterfaceDecl *Class = M.getReceiverInterface(); 766 767 return getMethodSummary(M.getSelector(), Class, M.getDecl(), 768 M.getResultType(), ObjCClassMethodSummaries); 769 } 770 771 /// getMethodSummary - This version of getMethodSummary is used to query 772 /// the summary for the current method being analyzed. 773 const RetainSummary *getMethodSummary(const ObjCMethodDecl *MD) { 774 const ObjCInterfaceDecl *ID = MD->getClassInterface(); 775 Selector S = MD->getSelector(); 776 QualType ResultTy = MD->getReturnType(); 777 778 ObjCMethodSummariesTy *CachedSummaries; 779 if (MD->isInstanceMethod()) 780 CachedSummaries = &ObjCMethodSummaries; 781 else 782 CachedSummaries = &ObjCClassMethodSummaries; 783 784 return getMethodSummary(S, ID, MD, ResultTy, *CachedSummaries); 785 } 786 787 const RetainSummary *getStandardMethodSummary(const ObjCMethodDecl *MD, 788 Selector S, QualType RetTy); 789 790 /// Determine if there is a special return effect for this function or method. 791 Optional<RetEffect> getRetEffectFromAnnotations(QualType RetTy, 792 const Decl *D); 793 794 void updateSummaryFromAnnotations(const RetainSummary *&Summ, 795 const ObjCMethodDecl *MD); 796 797 void updateSummaryFromAnnotations(const RetainSummary *&Summ, 798 const FunctionDecl *FD); 799 800 void updateSummaryForCall(const RetainSummary *&Summ, 801 const CallEvent &Call); 802 803 bool isGCEnabled() const { return GCEnabled; } 804 805 bool isARCEnabled() const { return ARCEnabled; } 806 807 bool isARCorGCEnabled() const { return GCEnabled || ARCEnabled; } 808 809 RetEffect getObjAllocRetEffect() const { return ObjCAllocRetE; } 810 811 friend class RetainSummaryTemplate; 812}; 813 814// Used to avoid allocating long-term (BPAlloc'd) memory for default retain 815// summaries. If a function or method looks like it has a default summary, but 816// it has annotations, the annotations are added to the stack-based template 817// and then copied into managed memory. 818class RetainSummaryTemplate { 819 RetainSummaryManager &Manager; 820 const RetainSummary *&RealSummary; 821 RetainSummary ScratchSummary; 822 bool Accessed; 823public: 824 RetainSummaryTemplate(const RetainSummary *&real, RetainSummaryManager &mgr) 825 : Manager(mgr), RealSummary(real), ScratchSummary(*real), Accessed(false) {} 826 827 ~RetainSummaryTemplate() { 828 if (Accessed) 829 RealSummary = Manager.getPersistentSummary(ScratchSummary); 830 } 831 832 RetainSummary &operator*() { 833 Accessed = true; 834 return ScratchSummary; 835 } 836 837 RetainSummary *operator->() { 838 Accessed = true; 839 return &ScratchSummary; 840 } 841}; 842 843} // end anonymous namespace 844 845//===----------------------------------------------------------------------===// 846// Implementation of checker data structures. 847//===----------------------------------------------------------------------===// 848 849ArgEffects RetainSummaryManager::getArgEffects() { 850 ArgEffects AE = ScratchArgs; 851 ScratchArgs = AF.getEmptyMap(); 852 return AE; 853} 854 855const RetainSummary * 856RetainSummaryManager::getPersistentSummary(const RetainSummary &OldSumm) { 857 // Unique "simple" summaries -- those without ArgEffects. 858 if (OldSumm.isSimple()) { 859 llvm::FoldingSetNodeID ID; 860 OldSumm.Profile(ID); 861 862 void *Pos; 863 CachedSummaryNode *N = SimpleSummaries.FindNodeOrInsertPos(ID, Pos); 864 865 if (!N) { 866 N = (CachedSummaryNode *) BPAlloc.Allocate<CachedSummaryNode>(); 867 new (N) CachedSummaryNode(OldSumm); 868 SimpleSummaries.InsertNode(N, Pos); 869 } 870 871 return &N->getValue(); 872 } 873 874 RetainSummary *Summ = (RetainSummary *) BPAlloc.Allocate<RetainSummary>(); 875 new (Summ) RetainSummary(OldSumm); 876 return Summ; 877} 878 879//===----------------------------------------------------------------------===// 880// Summary creation for functions (largely uses of Core Foundation). 881//===----------------------------------------------------------------------===// 882 883static bool isRetain(const FunctionDecl *FD, StringRef FName) { 884 return FName.endswith("Retain"); 885} 886 887static bool isRelease(const FunctionDecl *FD, StringRef FName) { 888 return FName.endswith("Release"); 889} 890 891static bool isAutorelease(const FunctionDecl *FD, StringRef FName) { 892 return FName.endswith("Autorelease"); 893} 894 895static bool isMakeCollectable(const FunctionDecl *FD, StringRef FName) { 896 // FIXME: Remove FunctionDecl parameter. 897 // FIXME: Is it really okay if MakeCollectable isn't a suffix? 898 return FName.find("MakeCollectable") != StringRef::npos; 899} 900 901static ArgEffect getStopTrackingHardEquivalent(ArgEffect E) { 902 switch (E) { 903 case DoNothing: 904 case Autorelease: 905 case DecRefBridgedTransferred: 906 case IncRef: 907 case IncRefMsg: 908 case MakeCollectable: 909 case MayEscape: 910 case StopTracking: 911 case StopTrackingHard: 912 return StopTrackingHard; 913 case DecRef: 914 case DecRefAndStopTrackingHard: 915 return DecRefAndStopTrackingHard; 916 case DecRefMsg: 917 case DecRefMsgAndStopTrackingHard: 918 return DecRefMsgAndStopTrackingHard; 919 case Dealloc: 920 return Dealloc; 921 } 922 923 llvm_unreachable("Unknown ArgEffect kind"); 924} 925 926void RetainSummaryManager::updateSummaryForCall(const RetainSummary *&S, 927 const CallEvent &Call) { 928 if (Call.hasNonZeroCallbackArg()) { 929 ArgEffect RecEffect = 930 getStopTrackingHardEquivalent(S->getReceiverEffect()); 931 ArgEffect DefEffect = 932 getStopTrackingHardEquivalent(S->getDefaultArgEffect()); 933 934 ArgEffects CustomArgEffects = S->getArgEffects(); 935 for (ArgEffects::iterator I = CustomArgEffects.begin(), 936 E = CustomArgEffects.end(); 937 I != E; ++I) { 938 ArgEffect Translated = getStopTrackingHardEquivalent(I->second); 939 if (Translated != DefEffect) 940 ScratchArgs = AF.add(ScratchArgs, I->first, Translated); 941 } 942 943 RetEffect RE = RetEffect::MakeNoRetHard(); 944 945 // Special cases where the callback argument CANNOT free the return value. 946 // This can generally only happen if we know that the callback will only be 947 // called when the return value is already being deallocated. 948 if (const SimpleFunctionCall *FC = dyn_cast<SimpleFunctionCall>(&Call)) { 949 if (IdentifierInfo *Name = FC->getDecl()->getIdentifier()) { 950 // When the CGBitmapContext is deallocated, the callback here will free 951 // the associated data buffer. 952 if (Name->isStr("CGBitmapContextCreateWithData")) 953 RE = S->getRetEffect(); 954 } 955 } 956 957 S = getPersistentSummary(RE, RecEffect, DefEffect); 958 } 959 960 // Special case '[super init];' and '[self init];' 961 // 962 // Even though calling '[super init]' without assigning the result to self 963 // and checking if the parent returns 'nil' is a bad pattern, it is common. 964 // Additionally, our Self Init checker already warns about it. To avoid 965 // overwhelming the user with messages from both checkers, we model the case 966 // of '[super init]' in cases when it is not consumed by another expression 967 // as if the call preserves the value of 'self'; essentially, assuming it can 968 // never fail and return 'nil'. 969 // Note, we don't want to just stop tracking the value since we want the 970 // RetainCount checker to report leaks and use-after-free if SelfInit checker 971 // is turned off. 972 if (const ObjCMethodCall *MC = dyn_cast<ObjCMethodCall>(&Call)) { 973 if (MC->getMethodFamily() == OMF_init && MC->isReceiverSelfOrSuper()) { 974 975 // Check if the message is not consumed, we know it will not be used in 976 // an assignment, ex: "self = [super init]". 977 const Expr *ME = MC->getOriginExpr(); 978 const LocationContext *LCtx = MC->getLocationContext(); 979 ParentMap &PM = LCtx->getAnalysisDeclContext()->getParentMap(); 980 if (!PM.isConsumedExpr(ME)) { 981 RetainSummaryTemplate ModifiableSummaryTemplate(S, *this); 982 ModifiableSummaryTemplate->setReceiverEffect(DoNothing); 983 ModifiableSummaryTemplate->setRetEffect(RetEffect::MakeNoRet()); 984 } 985 } 986 987 } 988} 989 990const RetainSummary * 991RetainSummaryManager::getSummary(const CallEvent &Call, 992 ProgramStateRef State) { 993 const RetainSummary *Summ; 994 switch (Call.getKind()) { 995 case CE_Function: 996 Summ = getFunctionSummary(cast<SimpleFunctionCall>(Call).getDecl()); 997 break; 998 case CE_CXXMember: 999 case CE_CXXMemberOperator: 1000 case CE_Block: 1001 case CE_CXXConstructor: 1002 case CE_CXXDestructor: 1003 case CE_CXXAllocator: 1004 // FIXME: These calls are currently unsupported. 1005 return getPersistentStopSummary(); 1006 case CE_ObjCMessage: { 1007 const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call); 1008 if (Msg.isInstanceMessage()) 1009 Summ = getInstanceMethodSummary(Msg, State); 1010 else 1011 Summ = getClassMethodSummary(Msg); 1012 break; 1013 } 1014 } 1015 1016 updateSummaryForCall(Summ, Call); 1017 1018 assert(Summ && "Unknown call type?"); 1019 return Summ; 1020} 1021 1022const RetainSummary * 1023RetainSummaryManager::getFunctionSummary(const FunctionDecl *FD) { 1024 // If we don't know what function we're calling, use our default summary. 1025 if (!FD) 1026 return getDefaultSummary(); 1027 1028 // Look up a summary in our cache of FunctionDecls -> Summaries. 1029 FuncSummariesTy::iterator I = FuncSummaries.find(FD); 1030 if (I != FuncSummaries.end()) 1031 return I->second; 1032 1033 // No summary? Generate one. 1034 const RetainSummary *S = nullptr; 1035 bool AllowAnnotations = true; 1036 1037 do { 1038 // We generate "stop" summaries for implicitly defined functions. 1039 if (FD->isImplicit()) { 1040 S = getPersistentStopSummary(); 1041 break; 1042 } 1043 1044 // [PR 3337] Use 'getAs<FunctionType>' to strip away any typedefs on the 1045 // function's type. 1046 const FunctionType* FT = FD->getType()->getAs<FunctionType>(); 1047 const IdentifierInfo *II = FD->getIdentifier(); 1048 if (!II) 1049 break; 1050 1051 StringRef FName = II->getName(); 1052 1053 // Strip away preceding '_'. Doing this here will effect all the checks 1054 // down below. 1055 FName = FName.substr(FName.find_first_not_of('_')); 1056 1057 // Inspect the result type. 1058 QualType RetTy = FT->getReturnType(); 1059 1060 // FIXME: This should all be refactored into a chain of "summary lookup" 1061 // filters. 1062 assert(ScratchArgs.isEmpty()); 1063 1064 if (FName == "pthread_create" || FName == "pthread_setspecific") { 1065 // Part of: <rdar://problem/7299394> and <rdar://problem/11282706>. 1066 // This will be addressed better with IPA. 1067 S = getPersistentStopSummary(); 1068 } else if (FName == "NSMakeCollectable") { 1069 // Handle: id NSMakeCollectable(CFTypeRef) 1070 S = (RetTy->isObjCIdType()) 1071 ? getUnarySummary(FT, cfmakecollectable) 1072 : getPersistentStopSummary(); 1073 // The headers on OS X 10.8 use cf_consumed/ns_returns_retained, 1074 // but we can fully model NSMakeCollectable ourselves. 1075 AllowAnnotations = false; 1076 } else if (FName == "CFPlugInInstanceCreate") { 1077 S = getPersistentSummary(RetEffect::MakeNoRet()); 1078 } else if (FName == "IOBSDNameMatching" || 1079 FName == "IOServiceMatching" || 1080 FName == "IOServiceNameMatching" || 1081 FName == "IORegistryEntrySearchCFProperty" || 1082 FName == "IORegistryEntryIDMatching" || 1083 FName == "IOOpenFirmwarePathMatching") { 1084 // Part of <rdar://problem/6961230>. (IOKit) 1085 // This should be addressed using a API table. 1086 S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true), 1087 DoNothing, DoNothing); 1088 } else if (FName == "IOServiceGetMatchingService" || 1089 FName == "IOServiceGetMatchingServices") { 1090 // FIXES: <rdar://problem/6326900> 1091 // This should be addressed using a API table. This strcmp is also 1092 // a little gross, but there is no need to super optimize here. 1093 ScratchArgs = AF.add(ScratchArgs, 1, DecRef); 1094 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1095 } else if (FName == "IOServiceAddNotification" || 1096 FName == "IOServiceAddMatchingNotification") { 1097 // Part of <rdar://problem/6961230>. (IOKit) 1098 // This should be addressed using a API table. 1099 ScratchArgs = AF.add(ScratchArgs, 2, DecRef); 1100 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1101 } else if (FName == "CVPixelBufferCreateWithBytes") { 1102 // FIXES: <rdar://problem/7283567> 1103 // Eventually this can be improved by recognizing that the pixel 1104 // buffer passed to CVPixelBufferCreateWithBytes is released via 1105 // a callback and doing full IPA to make sure this is done correctly. 1106 // FIXME: This function has an out parameter that returns an 1107 // allocated object. 1108 ScratchArgs = AF.add(ScratchArgs, 7, StopTracking); 1109 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1110 } else if (FName == "CGBitmapContextCreateWithData") { 1111 // FIXES: <rdar://problem/7358899> 1112 // Eventually this can be improved by recognizing that 'releaseInfo' 1113 // passed to CGBitmapContextCreateWithData is released via 1114 // a callback and doing full IPA to make sure this is done correctly. 1115 ScratchArgs = AF.add(ScratchArgs, 8, StopTracking); 1116 S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true), 1117 DoNothing, DoNothing); 1118 } else if (FName == "CVPixelBufferCreateWithPlanarBytes") { 1119 // FIXES: <rdar://problem/7283567> 1120 // Eventually this can be improved by recognizing that the pixel 1121 // buffer passed to CVPixelBufferCreateWithPlanarBytes is released 1122 // via a callback and doing full IPA to make sure this is done 1123 // correctly. 1124 ScratchArgs = AF.add(ScratchArgs, 12, StopTracking); 1125 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1126 } else if (FName == "dispatch_set_context" || 1127 FName == "xpc_connection_set_context") { 1128 // <rdar://problem/11059275> - The analyzer currently doesn't have 1129 // a good way to reason about the finalizer function for libdispatch. 1130 // If we pass a context object that is memory managed, stop tracking it. 1131 // <rdar://problem/13783514> - Same problem, but for XPC. 1132 // FIXME: this hack should possibly go away once we can handle 1133 // libdispatch and XPC finalizers. 1134 ScratchArgs = AF.add(ScratchArgs, 1, StopTracking); 1135 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1136 } else if (FName.startswith("NSLog")) { 1137 S = getDoNothingSummary(); 1138 } else if (FName.startswith("NS") && 1139 (FName.find("Insert") != StringRef::npos)) { 1140 // Whitelist NSXXInsertXX, for example NSMapInsertIfAbsent, since they can 1141 // be deallocated by NSMapRemove. (radar://11152419) 1142 ScratchArgs = AF.add(ScratchArgs, 1, StopTracking); 1143 ScratchArgs = AF.add(ScratchArgs, 2, StopTracking); 1144 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1145 } 1146 1147 // Did we get a summary? 1148 if (S) 1149 break; 1150 1151 if (RetTy->isPointerType()) { 1152 // For CoreFoundation ('CF') types. 1153 if (cocoa::isRefType(RetTy, "CF", FName)) { 1154 if (isRetain(FD, FName)) { 1155 S = getUnarySummary(FT, cfretain); 1156 } else if (isAutorelease(FD, FName)) { 1157 S = getUnarySummary(FT, cfautorelease); 1158 // The headers use cf_consumed, but we can fully model CFAutorelease 1159 // ourselves. 1160 AllowAnnotations = false; 1161 } else if (isMakeCollectable(FD, FName)) { 1162 S = getUnarySummary(FT, cfmakecollectable); 1163 AllowAnnotations = false; 1164 } else { 1165 S = getCFCreateGetRuleSummary(FD); 1166 } 1167 1168 break; 1169 } 1170 1171 // For CoreGraphics ('CG') types. 1172 if (cocoa::isRefType(RetTy, "CG", FName)) { 1173 if (isRetain(FD, FName)) 1174 S = getUnarySummary(FT, cfretain); 1175 else 1176 S = getCFCreateGetRuleSummary(FD); 1177 1178 break; 1179 } 1180 1181 // For the Disk Arbitration API (DiskArbitration/DADisk.h) 1182 if (cocoa::isRefType(RetTy, "DADisk") || 1183 cocoa::isRefType(RetTy, "DADissenter") || 1184 cocoa::isRefType(RetTy, "DASessionRef")) { 1185 S = getCFCreateGetRuleSummary(FD); 1186 break; 1187 } 1188 1189 if (FD->hasAttr<CFAuditedTransferAttr>()) { 1190 S = getCFCreateGetRuleSummary(FD); 1191 break; 1192 } 1193 1194 break; 1195 } 1196 1197 // Check for release functions, the only kind of functions that we care 1198 // about that don't return a pointer type. 1199 if (FName[0] == 'C' && (FName[1] == 'F' || FName[1] == 'G')) { 1200 // Test for 'CGCF'. 1201 FName = FName.substr(FName.startswith("CGCF") ? 4 : 2); 1202 1203 if (isRelease(FD, FName)) 1204 S = getUnarySummary(FT, cfrelease); 1205 else { 1206 assert (ScratchArgs.isEmpty()); 1207 // Remaining CoreFoundation and CoreGraphics functions. 1208 // We use to assume that they all strictly followed the ownership idiom 1209 // and that ownership cannot be transferred. While this is technically 1210 // correct, many methods allow a tracked object to escape. For example: 1211 // 1212 // CFMutableDictionaryRef x = CFDictionaryCreateMutable(...); 1213 // CFDictionaryAddValue(y, key, x); 1214 // CFRelease(x); 1215 // ... it is okay to use 'x' since 'y' has a reference to it 1216 // 1217 // We handle this and similar cases with the follow heuristic. If the 1218 // function name contains "InsertValue", "SetValue", "AddValue", 1219 // "AppendValue", or "SetAttribute", then we assume that arguments may 1220 // "escape." This means that something else holds on to the object, 1221 // allowing it be used even after its local retain count drops to 0. 1222 ArgEffect E = (StrInStrNoCase(FName, "InsertValue") != StringRef::npos|| 1223 StrInStrNoCase(FName, "AddValue") != StringRef::npos || 1224 StrInStrNoCase(FName, "SetValue") != StringRef::npos || 1225 StrInStrNoCase(FName, "AppendValue") != StringRef::npos|| 1226 StrInStrNoCase(FName, "SetAttribute") != StringRef::npos) 1227 ? MayEscape : DoNothing; 1228 1229 S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, E); 1230 } 1231 } 1232 } 1233 while (0); 1234 1235 // If we got all the way here without any luck, use a default summary. 1236 if (!S) 1237 S = getDefaultSummary(); 1238 1239 // Annotations override defaults. 1240 if (AllowAnnotations) 1241 updateSummaryFromAnnotations(S, FD); 1242 1243 FuncSummaries[FD] = S; 1244 return S; 1245} 1246 1247const RetainSummary * 1248RetainSummaryManager::getCFCreateGetRuleSummary(const FunctionDecl *FD) { 1249 if (coreFoundation::followsCreateRule(FD)) 1250 return getCFSummaryCreateRule(FD); 1251 1252 return getCFSummaryGetRule(FD); 1253} 1254 1255const RetainSummary * 1256RetainSummaryManager::getUnarySummary(const FunctionType* FT, 1257 UnaryFuncKind func) { 1258 1259 // Sanity check that this is *really* a unary function. This can 1260 // happen if people do weird things. 1261 const FunctionProtoType* FTP = dyn_cast<FunctionProtoType>(FT); 1262 if (!FTP || FTP->getNumParams() != 1) 1263 return getPersistentStopSummary(); 1264 1265 assert (ScratchArgs.isEmpty()); 1266 1267 ArgEffect Effect; 1268 switch (func) { 1269 case cfretain: Effect = IncRef; break; 1270 case cfrelease: Effect = DecRef; break; 1271 case cfautorelease: Effect = Autorelease; break; 1272 case cfmakecollectable: Effect = MakeCollectable; break; 1273 } 1274 1275 ScratchArgs = AF.add(ScratchArgs, 0, Effect); 1276 return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing); 1277} 1278 1279const RetainSummary * 1280RetainSummaryManager::getCFSummaryCreateRule(const FunctionDecl *FD) { 1281 assert (ScratchArgs.isEmpty()); 1282 1283 return getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true)); 1284} 1285 1286const RetainSummary * 1287RetainSummaryManager::getCFSummaryGetRule(const FunctionDecl *FD) { 1288 assert (ScratchArgs.isEmpty()); 1289 return getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::CF), 1290 DoNothing, DoNothing); 1291} 1292 1293//===----------------------------------------------------------------------===// 1294// Summary creation for Selectors. 1295//===----------------------------------------------------------------------===// 1296 1297Optional<RetEffect> 1298RetainSummaryManager::getRetEffectFromAnnotations(QualType RetTy, 1299 const Decl *D) { 1300 if (cocoa::isCocoaObjectRef(RetTy)) { 1301 if (D->hasAttr<NSReturnsRetainedAttr>()) 1302 return ObjCAllocRetE; 1303 1304 if (D->hasAttr<NSReturnsNotRetainedAttr>() || 1305 D->hasAttr<NSReturnsAutoreleasedAttr>()) 1306 return RetEffect::MakeNotOwned(RetEffect::ObjC); 1307 1308 } else if (!RetTy->isPointerType()) { 1309 return None; 1310 } 1311 1312 if (D->hasAttr<CFReturnsRetainedAttr>()) 1313 return RetEffect::MakeOwned(RetEffect::CF, true); 1314 1315 if (D->hasAttr<CFReturnsNotRetainedAttr>()) 1316 return RetEffect::MakeNotOwned(RetEffect::CF); 1317 1318 return None; 1319} 1320 1321void 1322RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ, 1323 const FunctionDecl *FD) { 1324 if (!FD) 1325 return; 1326 1327 assert(Summ && "Must have a summary to add annotations to."); 1328 RetainSummaryTemplate Template(Summ, *this); 1329 1330 // Effects on the parameters. 1331 unsigned parm_idx = 0; 1332 for (FunctionDecl::param_const_iterator pi = FD->param_begin(), 1333 pe = FD->param_end(); pi != pe; ++pi, ++parm_idx) { 1334 const ParmVarDecl *pd = *pi; 1335 if (pd->hasAttr<NSConsumedAttr>()) 1336 Template->addArg(AF, parm_idx, DecRefMsg); 1337 else if (pd->hasAttr<CFConsumedAttr>()) 1338 Template->addArg(AF, parm_idx, DecRef); 1339 } 1340 1341 QualType RetTy = FD->getReturnType(); 1342 if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, FD)) 1343 Template->setRetEffect(*RetE); 1344} 1345 1346void 1347RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ, 1348 const ObjCMethodDecl *MD) { 1349 if (!MD) 1350 return; 1351 1352 assert(Summ && "Must have a valid summary to add annotations to"); 1353 RetainSummaryTemplate Template(Summ, *this); 1354 1355 // Effects on the receiver. 1356 if (MD->hasAttr<NSConsumesSelfAttr>()) 1357 Template->setReceiverEffect(DecRefMsg); 1358 1359 // Effects on the parameters. 1360 unsigned parm_idx = 0; 1361 for (ObjCMethodDecl::param_const_iterator 1362 pi=MD->param_begin(), pe=MD->param_end(); 1363 pi != pe; ++pi, ++parm_idx) { 1364 const ParmVarDecl *pd = *pi; 1365 if (pd->hasAttr<NSConsumedAttr>()) 1366 Template->addArg(AF, parm_idx, DecRefMsg); 1367 else if (pd->hasAttr<CFConsumedAttr>()) { 1368 Template->addArg(AF, parm_idx, DecRef); 1369 } 1370 } 1371 1372 QualType RetTy = MD->getReturnType(); 1373 if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, MD)) 1374 Template->setRetEffect(*RetE); 1375} 1376 1377const RetainSummary * 1378RetainSummaryManager::getStandardMethodSummary(const ObjCMethodDecl *MD, 1379 Selector S, QualType RetTy) { 1380 // Any special effects? 1381 ArgEffect ReceiverEff = DoNothing; 1382 RetEffect ResultEff = RetEffect::MakeNoRet(); 1383 1384 // Check the method family, and apply any default annotations. 1385 switch (MD ? MD->getMethodFamily() : S.getMethodFamily()) { 1386 case OMF_None: 1387 case OMF_initialize: 1388 case OMF_performSelector: 1389 // Assume all Objective-C methods follow Cocoa Memory Management rules. 1390 // FIXME: Does the non-threaded performSelector family really belong here? 1391 // The selector could be, say, @selector(copy). 1392 if (cocoa::isCocoaObjectRef(RetTy)) 1393 ResultEff = RetEffect::MakeNotOwned(RetEffect::ObjC); 1394 else if (coreFoundation::isCFObjectRef(RetTy)) { 1395 // ObjCMethodDecl currently doesn't consider CF objects as valid return 1396 // values for alloc, new, copy, or mutableCopy, so we have to 1397 // double-check with the selector. This is ugly, but there aren't that 1398 // many Objective-C methods that return CF objects, right? 1399 if (MD) { 1400 switch (S.getMethodFamily()) { 1401 case OMF_alloc: 1402 case OMF_new: 1403 case OMF_copy: 1404 case OMF_mutableCopy: 1405 ResultEff = RetEffect::MakeOwned(RetEffect::CF, true); 1406 break; 1407 default: 1408 ResultEff = RetEffect::MakeNotOwned(RetEffect::CF); 1409 break; 1410 } 1411 } else { 1412 ResultEff = RetEffect::MakeNotOwned(RetEffect::CF); 1413 } 1414 } 1415 break; 1416 case OMF_init: 1417 ResultEff = ObjCInitRetE; 1418 ReceiverEff = DecRefMsg; 1419 break; 1420 case OMF_alloc: 1421 case OMF_new: 1422 case OMF_copy: 1423 case OMF_mutableCopy: 1424 if (cocoa::isCocoaObjectRef(RetTy)) 1425 ResultEff = ObjCAllocRetE; 1426 else if (coreFoundation::isCFObjectRef(RetTy)) 1427 ResultEff = RetEffect::MakeOwned(RetEffect::CF, true); 1428 break; 1429 case OMF_autorelease: 1430 ReceiverEff = Autorelease; 1431 break; 1432 case OMF_retain: 1433 ReceiverEff = IncRefMsg; 1434 break; 1435 case OMF_release: 1436 ReceiverEff = DecRefMsg; 1437 break; 1438 case OMF_dealloc: 1439 ReceiverEff = Dealloc; 1440 break; 1441 case OMF_self: 1442 // -self is handled specially by the ExprEngine to propagate the receiver. 1443 break; 1444 case OMF_retainCount: 1445 case OMF_finalize: 1446 // These methods don't return objects. 1447 break; 1448 } 1449 1450 // If one of the arguments in the selector has the keyword 'delegate' we 1451 // should stop tracking the reference count for the receiver. This is 1452 // because the reference count is quite possibly handled by a delegate 1453 // method. 1454 if (S.isKeywordSelector()) { 1455 for (unsigned i = 0, e = S.getNumArgs(); i != e; ++i) { 1456 StringRef Slot = S.getNameForSlot(i); 1457 if (Slot.substr(Slot.size() - 8).equals_lower("delegate")) { 1458 if (ResultEff == ObjCInitRetE) 1459 ResultEff = RetEffect::MakeNoRetHard(); 1460 else 1461 ReceiverEff = StopTrackingHard; 1462 } 1463 } 1464 } 1465 1466 if (ScratchArgs.isEmpty() && ReceiverEff == DoNothing && 1467 ResultEff.getKind() == RetEffect::NoRet) 1468 return getDefaultSummary(); 1469 1470 return getPersistentSummary(ResultEff, ReceiverEff, MayEscape); 1471} 1472 1473const RetainSummary * 1474RetainSummaryManager::getInstanceMethodSummary(const ObjCMethodCall &Msg, 1475 ProgramStateRef State) { 1476 const ObjCInterfaceDecl *ReceiverClass = nullptr; 1477 1478 // We do better tracking of the type of the object than the core ExprEngine. 1479 // See if we have its type in our private state. 1480 // FIXME: Eventually replace the use of state->get<RefBindings> with 1481 // a generic API for reasoning about the Objective-C types of symbolic 1482 // objects. 1483 SVal ReceiverV = Msg.getReceiverSVal(); 1484 if (SymbolRef Sym = ReceiverV.getAsLocSymbol()) 1485 if (const RefVal *T = getRefBinding(State, Sym)) 1486 if (const ObjCObjectPointerType *PT = 1487 T->getType()->getAs<ObjCObjectPointerType>()) 1488 ReceiverClass = PT->getInterfaceDecl(); 1489 1490 // If we don't know what kind of object this is, fall back to its static type. 1491 if (!ReceiverClass) 1492 ReceiverClass = Msg.getReceiverInterface(); 1493 1494 // FIXME: The receiver could be a reference to a class, meaning that 1495 // we should use the class method. 1496 // id x = [NSObject class]; 1497 // [x performSelector:... withObject:... afterDelay:...]; 1498 Selector S = Msg.getSelector(); 1499 const ObjCMethodDecl *Method = Msg.getDecl(); 1500 if (!Method && ReceiverClass) 1501 Method = ReceiverClass->getInstanceMethod(S); 1502 1503 return getMethodSummary(S, ReceiverClass, Method, Msg.getResultType(), 1504 ObjCMethodSummaries); 1505} 1506 1507const RetainSummary * 1508RetainSummaryManager::getMethodSummary(Selector S, const ObjCInterfaceDecl *ID, 1509 const ObjCMethodDecl *MD, QualType RetTy, 1510 ObjCMethodSummariesTy &CachedSummaries) { 1511 1512 // Look up a summary in our summary cache. 1513 const RetainSummary *Summ = CachedSummaries.find(ID, S); 1514 1515 if (!Summ) { 1516 Summ = getStandardMethodSummary(MD, S, RetTy); 1517 1518 // Annotations override defaults. 1519 updateSummaryFromAnnotations(Summ, MD); 1520 1521 // Memoize the summary. 1522 CachedSummaries[ObjCSummaryKey(ID, S)] = Summ; 1523 } 1524 1525 return Summ; 1526} 1527 1528void RetainSummaryManager::InitializeClassMethodSummaries() { 1529 assert(ScratchArgs.isEmpty()); 1530 // Create the [NSAssertionHandler currentHander] summary. 1531 addClassMethSummary("NSAssertionHandler", "currentHandler", 1532 getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::ObjC))); 1533 1534 // Create the [NSAutoreleasePool addObject:] summary. 1535 ScratchArgs = AF.add(ScratchArgs, 0, Autorelease); 1536 addClassMethSummary("NSAutoreleasePool", "addObject", 1537 getPersistentSummary(RetEffect::MakeNoRet(), 1538 DoNothing, Autorelease)); 1539} 1540 1541void RetainSummaryManager::InitializeMethodSummaries() { 1542 1543 assert (ScratchArgs.isEmpty()); 1544 1545 // Create the "init" selector. It just acts as a pass-through for the 1546 // receiver. 1547 const RetainSummary *InitSumm = getPersistentSummary(ObjCInitRetE, DecRefMsg); 1548 addNSObjectMethSummary(GetNullarySelector("init", Ctx), InitSumm); 1549 1550 // awakeAfterUsingCoder: behaves basically like an 'init' method. It 1551 // claims the receiver and returns a retained object. 1552 addNSObjectMethSummary(GetUnarySelector("awakeAfterUsingCoder", Ctx), 1553 InitSumm); 1554 1555 // The next methods are allocators. 1556 const RetainSummary *AllocSumm = getPersistentSummary(ObjCAllocRetE); 1557 const RetainSummary *CFAllocSumm = 1558 getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true)); 1559 1560 // Create the "retain" selector. 1561 RetEffect NoRet = RetEffect::MakeNoRet(); 1562 const RetainSummary *Summ = getPersistentSummary(NoRet, IncRefMsg); 1563 addNSObjectMethSummary(GetNullarySelector("retain", Ctx), Summ); 1564 1565 // Create the "release" selector. 1566 Summ = getPersistentSummary(NoRet, DecRefMsg); 1567 addNSObjectMethSummary(GetNullarySelector("release", Ctx), Summ); 1568 1569 // Create the -dealloc summary. 1570 Summ = getPersistentSummary(NoRet, Dealloc); 1571 addNSObjectMethSummary(GetNullarySelector("dealloc", Ctx), Summ); 1572 1573 // Create the "autorelease" selector. 1574 Summ = getPersistentSummary(NoRet, Autorelease); 1575 addNSObjectMethSummary(GetNullarySelector("autorelease", Ctx), Summ); 1576 1577 // For NSWindow, allocated objects are (initially) self-owned. 1578 // FIXME: For now we opt for false negatives with NSWindow, as these objects 1579 // self-own themselves. However, they only do this once they are displayed. 1580 // Thus, we need to track an NSWindow's display status. 1581 // This is tracked in <rdar://problem/6062711>. 1582 // See also http://llvm.org/bugs/show_bug.cgi?id=3714. 1583 const RetainSummary *NoTrackYet = getPersistentSummary(RetEffect::MakeNoRet(), 1584 StopTracking, 1585 StopTracking); 1586 1587 addClassMethSummary("NSWindow", "alloc", NoTrackYet); 1588 1589 // For NSPanel (which subclasses NSWindow), allocated objects are not 1590 // self-owned. 1591 // FIXME: For now we don't track NSPanels. object for the same reason 1592 // as for NSWindow objects. 1593 addClassMethSummary("NSPanel", "alloc", NoTrackYet); 1594 1595 // For NSNull, objects returned by +null are singletons that ignore 1596 // retain/release semantics. Just don't track them. 1597 // <rdar://problem/12858915> 1598 addClassMethSummary("NSNull", "null", NoTrackYet); 1599 1600 // Don't track allocated autorelease pools, as it is okay to prematurely 1601 // exit a method. 1602 addClassMethSummary("NSAutoreleasePool", "alloc", NoTrackYet); 1603 addClassMethSummary("NSAutoreleasePool", "allocWithZone", NoTrackYet, false); 1604 addClassMethSummary("NSAutoreleasePool", "new", NoTrackYet); 1605 1606 // Create summaries QCRenderer/QCView -createSnapShotImageOfType: 1607 addInstMethSummary("QCRenderer", AllocSumm, 1608 "createSnapshotImageOfType", nullptr); 1609 addInstMethSummary("QCView", AllocSumm, 1610 "createSnapshotImageOfType", nullptr); 1611 1612 // Create summaries for CIContext, 'createCGImage' and 1613 // 'createCGLayerWithSize'. These objects are CF objects, and are not 1614 // automatically garbage collected. 1615 addInstMethSummary("CIContext", CFAllocSumm, 1616 "createCGImage", "fromRect", nullptr); 1617 addInstMethSummary("CIContext", CFAllocSumm, "createCGImage", "fromRect", 1618 "format", "colorSpace", nullptr); 1619 addInstMethSummary("CIContext", CFAllocSumm, "createCGLayerWithSize", "info", 1620 nullptr); 1621} 1622 1623//===----------------------------------------------------------------------===// 1624// Error reporting. 1625//===----------------------------------------------------------------------===// 1626namespace { 1627 typedef llvm::DenseMap<const ExplodedNode *, const RetainSummary *> 1628 SummaryLogTy; 1629 1630 //===-------------===// 1631 // Bug Descriptions. // 1632 //===-------------===// 1633 1634 class CFRefBug : public BugType { 1635 protected: 1636 CFRefBug(const CheckerBase *checker, StringRef name) 1637 : BugType(checker, name, categories::MemoryCoreFoundationObjectiveC) {} 1638 1639 public: 1640 1641 // FIXME: Eventually remove. 1642 virtual const char *getDescription() const = 0; 1643 1644 virtual bool isLeak() const { return false; } 1645 }; 1646 1647 class UseAfterRelease : public CFRefBug { 1648 public: 1649 UseAfterRelease(const CheckerBase *checker) 1650 : CFRefBug(checker, "Use-after-release") {} 1651 1652 const char *getDescription() const override { 1653 return "Reference-counted object is used after it is released"; 1654 } 1655 }; 1656 1657 class BadRelease : public CFRefBug { 1658 public: 1659 BadRelease(const CheckerBase *checker) : CFRefBug(checker, "Bad release") {} 1660 1661 const char *getDescription() const override { 1662 return "Incorrect decrement of the reference count of an object that is " 1663 "not owned at this point by the caller"; 1664 } 1665 }; 1666 1667 class DeallocGC : public CFRefBug { 1668 public: 1669 DeallocGC(const CheckerBase *checker) 1670 : CFRefBug(checker, "-dealloc called while using garbage collection") {} 1671 1672 const char *getDescription() const override { 1673 return "-dealloc called while using garbage collection"; 1674 } 1675 }; 1676 1677 class DeallocNotOwned : public CFRefBug { 1678 public: 1679 DeallocNotOwned(const CheckerBase *checker) 1680 : CFRefBug(checker, "-dealloc sent to non-exclusively owned object") {} 1681 1682 const char *getDescription() const override { 1683 return "-dealloc sent to object that may be referenced elsewhere"; 1684 } 1685 }; 1686 1687 class OverAutorelease : public CFRefBug { 1688 public: 1689 OverAutorelease(const CheckerBase *checker) 1690 : CFRefBug(checker, "Object autoreleased too many times") {} 1691 1692 const char *getDescription() const override { 1693 return "Object autoreleased too many times"; 1694 } 1695 }; 1696 1697 class ReturnedNotOwnedForOwned : public CFRefBug { 1698 public: 1699 ReturnedNotOwnedForOwned(const CheckerBase *checker) 1700 : CFRefBug(checker, "Method should return an owned object") {} 1701 1702 const char *getDescription() const override { 1703 return "Object with a +0 retain count returned to caller where a +1 " 1704 "(owning) retain count is expected"; 1705 } 1706 }; 1707 1708 class Leak : public CFRefBug { 1709 public: 1710 Leak(const CheckerBase *checker, StringRef name) : CFRefBug(checker, name) { 1711 // Leaks should not be reported if they are post-dominated by a sink. 1712 setSuppressOnSink(true); 1713 } 1714 1715 const char *getDescription() const override { return ""; } 1716 1717 bool isLeak() const override { return true; } 1718 }; 1719 1720 //===---------===// 1721 // Bug Reports. // 1722 //===---------===// 1723 1724 class CFRefReportVisitor : public BugReporterVisitorImpl<CFRefReportVisitor> { 1725 protected: 1726 SymbolRef Sym; 1727 const SummaryLogTy &SummaryLog; 1728 bool GCEnabled; 1729 1730 public: 1731 CFRefReportVisitor(SymbolRef sym, bool gcEnabled, const SummaryLogTy &log) 1732 : Sym(sym), SummaryLog(log), GCEnabled(gcEnabled) {} 1733 1734 void Profile(llvm::FoldingSetNodeID &ID) const override { 1735 static int x = 0; 1736 ID.AddPointer(&x); 1737 ID.AddPointer(Sym); 1738 } 1739 1740 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 1741 const ExplodedNode *PrevN, 1742 BugReporterContext &BRC, 1743 BugReport &BR) override; 1744 1745 std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC, 1746 const ExplodedNode *N, 1747 BugReport &BR) override; 1748 }; 1749 1750 class CFRefLeakReportVisitor : public CFRefReportVisitor { 1751 public: 1752 CFRefLeakReportVisitor(SymbolRef sym, bool GCEnabled, 1753 const SummaryLogTy &log) 1754 : CFRefReportVisitor(sym, GCEnabled, log) {} 1755 1756 std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC, 1757 const ExplodedNode *N, 1758 BugReport &BR) override; 1759 1760 std::unique_ptr<BugReporterVisitor> clone() const override { 1761 // The curiously-recurring template pattern only works for one level of 1762 // subclassing. Rather than make a new template base for 1763 // CFRefReportVisitor, we simply override clone() to do the right thing. 1764 // This could be trouble someday if BugReporterVisitorImpl is ever 1765 // used for something else besides a convenient implementation of clone(). 1766 return llvm::make_unique<CFRefLeakReportVisitor>(*this); 1767 } 1768 }; 1769 1770 class CFRefReport : public BugReport { 1771 void addGCModeDescription(const LangOptions &LOpts, bool GCEnabled); 1772 1773 public: 1774 CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1775 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1776 bool registerVisitor = true) 1777 : BugReport(D, D.getDescription(), n) { 1778 if (registerVisitor) 1779 addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log)); 1780 addGCModeDescription(LOpts, GCEnabled); 1781 } 1782 1783 CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1784 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1785 StringRef endText) 1786 : BugReport(D, D.getDescription(), endText, n) { 1787 addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log)); 1788 addGCModeDescription(LOpts, GCEnabled); 1789 } 1790 1791 llvm::iterator_range<ranges_iterator> getRanges() override { 1792 const CFRefBug& BugTy = static_cast<CFRefBug&>(getBugType()); 1793 if (!BugTy.isLeak()) 1794 return BugReport::getRanges(); 1795 return llvm::make_range(ranges_iterator(), ranges_iterator()); 1796 } 1797 }; 1798 1799 class CFRefLeakReport : public CFRefReport { 1800 const MemRegion* AllocBinding; 1801 public: 1802 CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled, 1803 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym, 1804 CheckerContext &Ctx, 1805 bool IncludeAllocationLine); 1806 1807 PathDiagnosticLocation getLocation(const SourceManager &SM) const override { 1808 assert(Location.isValid()); 1809 return Location; 1810 } 1811 }; 1812} // end anonymous namespace 1813 1814void CFRefReport::addGCModeDescription(const LangOptions &LOpts, 1815 bool GCEnabled) { 1816 const char *GCModeDescription = nullptr; 1817 1818 switch (LOpts.getGC()) { 1819 case LangOptions::GCOnly: 1820 assert(GCEnabled); 1821 GCModeDescription = "Code is compiled to only use garbage collection"; 1822 break; 1823 1824 case LangOptions::NonGC: 1825 assert(!GCEnabled); 1826 GCModeDescription = "Code is compiled to use reference counts"; 1827 break; 1828 1829 case LangOptions::HybridGC: 1830 if (GCEnabled) { 1831 GCModeDescription = "Code is compiled to use either garbage collection " 1832 "(GC) or reference counts (non-GC). The bug occurs " 1833 "with GC enabled"; 1834 break; 1835 } else { 1836 GCModeDescription = "Code is compiled to use either garbage collection " 1837 "(GC) or reference counts (non-GC). The bug occurs " 1838 "in non-GC mode"; 1839 break; 1840 } 1841 } 1842 1843 assert(GCModeDescription && "invalid/unknown GC mode"); 1844 addExtraText(GCModeDescription); 1845} 1846 1847static bool isNumericLiteralExpression(const Expr *E) { 1848 // FIXME: This set of cases was copied from SemaExprObjC. 1849 return isa<IntegerLiteral>(E) || 1850 isa<CharacterLiteral>(E) || 1851 isa<FloatingLiteral>(E) || 1852 isa<ObjCBoolLiteralExpr>(E) || 1853 isa<CXXBoolLiteralExpr>(E); 1854} 1855 1856/// Returns true if this stack frame is for an Objective-C method that is a 1857/// property getter or setter whose body has been synthesized by the analyzer. 1858static bool isSynthesizedAccessor(const StackFrameContext *SFC) { 1859 auto Method = dyn_cast_or_null<ObjCMethodDecl>(SFC->getDecl()); 1860 if (!Method || !Method->isPropertyAccessor()) 1861 return false; 1862 1863 return SFC->getAnalysisDeclContext()->isBodyAutosynthesized(); 1864} 1865 1866PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N, 1867 const ExplodedNode *PrevN, 1868 BugReporterContext &BRC, 1869 BugReport &BR) { 1870 // FIXME: We will eventually need to handle non-statement-based events 1871 // (__attribute__((cleanup))). 1872 if (!N->getLocation().getAs<StmtPoint>()) 1873 return nullptr; 1874 1875 // Check if the type state has changed. 1876 ProgramStateRef PrevSt = PrevN->getState(); 1877 ProgramStateRef CurrSt = N->getState(); 1878 const LocationContext *LCtx = N->getLocationContext(); 1879 1880 const RefVal* CurrT = getRefBinding(CurrSt, Sym); 1881 if (!CurrT) return nullptr; 1882 1883 const RefVal &CurrV = *CurrT; 1884 const RefVal *PrevT = getRefBinding(PrevSt, Sym); 1885 1886 // Create a string buffer to constain all the useful things we want 1887 // to tell the user. 1888 std::string sbuf; 1889 llvm::raw_string_ostream os(sbuf); 1890 1891 // This is the allocation site since the previous node had no bindings 1892 // for this symbol. 1893 if (!PrevT) { 1894 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 1895 1896 if (isa<ObjCIvarRefExpr>(S) && 1897 isSynthesizedAccessor(LCtx->getCurrentStackFrame())) { 1898 S = LCtx->getCurrentStackFrame()->getCallSite(); 1899 } 1900 1901 if (isa<ObjCArrayLiteral>(S)) { 1902 os << "NSArray literal is an object with a +0 retain count"; 1903 } 1904 else if (isa<ObjCDictionaryLiteral>(S)) { 1905 os << "NSDictionary literal is an object with a +0 retain count"; 1906 } 1907 else if (const ObjCBoxedExpr *BL = dyn_cast<ObjCBoxedExpr>(S)) { 1908 if (isNumericLiteralExpression(BL->getSubExpr())) 1909 os << "NSNumber literal is an object with a +0 retain count"; 1910 else { 1911 const ObjCInterfaceDecl *BoxClass = nullptr; 1912 if (const ObjCMethodDecl *Method = BL->getBoxingMethod()) 1913 BoxClass = Method->getClassInterface(); 1914 1915 // We should always be able to find the boxing class interface, 1916 // but consider this future-proofing. 1917 if (BoxClass) 1918 os << *BoxClass << " b"; 1919 else 1920 os << "B"; 1921 1922 os << "oxed expression produces an object with a +0 retain count"; 1923 } 1924 } 1925 else if (isa<ObjCIvarRefExpr>(S)) { 1926 os << "Object loaded from instance variable"; 1927 } 1928 else { 1929 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1930 // Get the name of the callee (if it is available). 1931 SVal X = CurrSt->getSValAsScalarOrLoc(CE->getCallee(), LCtx); 1932 if (const FunctionDecl *FD = X.getAsFunctionDecl()) 1933 os << "Call to function '" << *FD << '\''; 1934 else 1935 os << "function call"; 1936 } 1937 else { 1938 assert(isa<ObjCMessageExpr>(S)); 1939 CallEventManager &Mgr = CurrSt->getStateManager().getCallEventManager(); 1940 CallEventRef<ObjCMethodCall> Call 1941 = Mgr.getObjCMethodCall(cast<ObjCMessageExpr>(S), CurrSt, LCtx); 1942 1943 switch (Call->getMessageKind()) { 1944 case OCM_Message: 1945 os << "Method"; 1946 break; 1947 case OCM_PropertyAccess: 1948 os << "Property"; 1949 break; 1950 case OCM_Subscript: 1951 os << "Subscript"; 1952 break; 1953 } 1954 } 1955 1956 if (CurrV.getObjKind() == RetEffect::CF) { 1957 os << " returns a Core Foundation object with a "; 1958 } 1959 else { 1960 assert (CurrV.getObjKind() == RetEffect::ObjC); 1961 os << " returns an Objective-C object with a "; 1962 } 1963 1964 if (CurrV.isOwned()) { 1965 os << "+1 retain count"; 1966 1967 if (GCEnabled) { 1968 assert(CurrV.getObjKind() == RetEffect::CF); 1969 os << ". " 1970 "Core Foundation objects are not automatically garbage collected."; 1971 } 1972 } 1973 else { 1974 assert (CurrV.isNotOwned()); 1975 os << "+0 retain count"; 1976 } 1977 } 1978 1979 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 1980 N->getLocationContext()); 1981 return new PathDiagnosticEventPiece(Pos, os.str()); 1982 } 1983 1984 // Gather up the effects that were performed on the object at this 1985 // program point 1986 SmallVector<ArgEffect, 2> AEffects; 1987 1988 const ExplodedNode *OrigNode = BRC.getNodeResolver().getOriginalNode(N); 1989 if (const RetainSummary *Summ = SummaryLog.lookup(OrigNode)) { 1990 // We only have summaries attached to nodes after evaluating CallExpr and 1991 // ObjCMessageExprs. 1992 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 1993 1994 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1995 // Iterate through the parameter expressions and see if the symbol 1996 // was ever passed as an argument. 1997 unsigned i = 0; 1998 1999 for (CallExpr::const_arg_iterator AI=CE->arg_begin(), AE=CE->arg_end(); 2000 AI!=AE; ++AI, ++i) { 2001 2002 // Retrieve the value of the argument. Is it the symbol 2003 // we are interested in? 2004 if (CurrSt->getSValAsScalarOrLoc(*AI, LCtx).getAsLocSymbol() != Sym) 2005 continue; 2006 2007 // We have an argument. Get the effect! 2008 AEffects.push_back(Summ->getArg(i)); 2009 } 2010 } 2011 else if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S)) { 2012 if (const Expr *receiver = ME->getInstanceReceiver()) 2013 if (CurrSt->getSValAsScalarOrLoc(receiver, LCtx) 2014 .getAsLocSymbol() == Sym) { 2015 // The symbol we are tracking is the receiver. 2016 AEffects.push_back(Summ->getReceiverEffect()); 2017 } 2018 } 2019 } 2020 2021 do { 2022 // Get the previous type state. 2023 RefVal PrevV = *PrevT; 2024 2025 // Specially handle -dealloc. 2026 if (!GCEnabled && std::find(AEffects.begin(), AEffects.end(), Dealloc) != 2027 AEffects.end()) { 2028 // Determine if the object's reference count was pushed to zero. 2029 assert(!PrevV.hasSameState(CurrV) && "The state should have changed."); 2030 // We may not have transitioned to 'release' if we hit an error. 2031 // This case is handled elsewhere. 2032 if (CurrV.getKind() == RefVal::Released) { 2033 assert(CurrV.getCombinedCounts() == 0); 2034 os << "Object released by directly sending the '-dealloc' message"; 2035 break; 2036 } 2037 } 2038 2039 // Specially handle CFMakeCollectable and friends. 2040 if (std::find(AEffects.begin(), AEffects.end(), MakeCollectable) != 2041 AEffects.end()) { 2042 // Get the name of the function. 2043 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 2044 SVal X = 2045 CurrSt->getSValAsScalarOrLoc(cast<CallExpr>(S)->getCallee(), LCtx); 2046 const FunctionDecl *FD = X.getAsFunctionDecl(); 2047 2048 if (GCEnabled) { 2049 // Determine if the object's reference count was pushed to zero. 2050 assert(!PrevV.hasSameState(CurrV) && "The state should have changed."); 2051 2052 os << "In GC mode a call to '" << *FD 2053 << "' decrements an object's retain count and registers the " 2054 "object with the garbage collector. "; 2055 2056 if (CurrV.getKind() == RefVal::Released) { 2057 assert(CurrV.getCount() == 0); 2058 os << "Since it now has a 0 retain count the object can be " 2059 "automatically collected by the garbage collector."; 2060 } 2061 else 2062 os << "An object must have a 0 retain count to be garbage collected. " 2063 "After this call its retain count is +" << CurrV.getCount() 2064 << '.'; 2065 } 2066 else 2067 os << "When GC is not enabled a call to '" << *FD 2068 << "' has no effect on its argument."; 2069 2070 // Nothing more to say. 2071 break; 2072 } 2073 2074 // Determine if the typestate has changed. 2075 if (!PrevV.hasSameState(CurrV)) 2076 switch (CurrV.getKind()) { 2077 case RefVal::Owned: 2078 case RefVal::NotOwned: 2079 if (PrevV.getCount() == CurrV.getCount()) { 2080 // Did an autorelease message get sent? 2081 if (PrevV.getAutoreleaseCount() == CurrV.getAutoreleaseCount()) 2082 return nullptr; 2083 2084 assert(PrevV.getAutoreleaseCount() < CurrV.getAutoreleaseCount()); 2085 os << "Object autoreleased"; 2086 break; 2087 } 2088 2089 if (PrevV.getCount() > CurrV.getCount()) 2090 os << "Reference count decremented."; 2091 else 2092 os << "Reference count incremented."; 2093 2094 if (unsigned Count = CurrV.getCount()) 2095 os << " The object now has a +" << Count << " retain count."; 2096 2097 if (PrevV.getKind() == RefVal::Released) { 2098 assert(GCEnabled && CurrV.getCount() > 0); 2099 os << " The object is not eligible for garbage collection until " 2100 "the retain count reaches 0 again."; 2101 } 2102 2103 break; 2104 2105 case RefVal::Released: 2106 if (CurrV.getIvarAccessHistory() == 2107 RefVal::IvarAccessHistory::ReleasedAfterDirectAccess && 2108 CurrV.getIvarAccessHistory() != PrevV.getIvarAccessHistory()) { 2109 os << "Strong instance variable relinquished. "; 2110 } 2111 os << "Object released."; 2112 break; 2113 2114 case RefVal::ReturnedOwned: 2115 // Autoreleases can be applied after marking a node ReturnedOwned. 2116 if (CurrV.getAutoreleaseCount()) 2117 return nullptr; 2118 2119 os << "Object returned to caller as an owning reference (single " 2120 "retain count transferred to caller)"; 2121 break; 2122 2123 case RefVal::ReturnedNotOwned: 2124 os << "Object returned to caller with a +0 retain count"; 2125 break; 2126 2127 default: 2128 return nullptr; 2129 } 2130 2131 // Emit any remaining diagnostics for the argument effects (if any). 2132 for (SmallVectorImpl<ArgEffect>::iterator I=AEffects.begin(), 2133 E=AEffects.end(); I != E; ++I) { 2134 2135 // A bunch of things have alternate behavior under GC. 2136 if (GCEnabled) 2137 switch (*I) { 2138 default: break; 2139 case Autorelease: 2140 os << "In GC mode an 'autorelease' has no effect."; 2141 continue; 2142 case IncRefMsg: 2143 os << "In GC mode the 'retain' message has no effect."; 2144 continue; 2145 case DecRefMsg: 2146 os << "In GC mode the 'release' message has no effect."; 2147 continue; 2148 } 2149 } 2150 } while (0); 2151 2152 if (os.str().empty()) 2153 return nullptr; // We have nothing to say! 2154 2155 const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt(); 2156 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2157 N->getLocationContext()); 2158 PathDiagnosticPiece *P = new PathDiagnosticEventPiece(Pos, os.str()); 2159 2160 // Add the range by scanning the children of the statement for any bindings 2161 // to Sym. 2162 for (Stmt::const_child_iterator I = S->child_begin(), E = S->child_end(); 2163 I!=E; ++I) 2164 if (const Expr *Exp = dyn_cast_or_null<Expr>(*I)) 2165 if (CurrSt->getSValAsScalarOrLoc(Exp, LCtx).getAsLocSymbol() == Sym) { 2166 P->addRange(Exp->getSourceRange()); 2167 break; 2168 } 2169 2170 return P; 2171} 2172 2173// Find the first node in the current function context that referred to the 2174// tracked symbol and the memory location that value was stored to. Note, the 2175// value is only reported if the allocation occurred in the same function as 2176// the leak. The function can also return a location context, which should be 2177// treated as interesting. 2178struct AllocationInfo { 2179 const ExplodedNode* N; 2180 const MemRegion *R; 2181 const LocationContext *InterestingMethodContext; 2182 AllocationInfo(const ExplodedNode *InN, 2183 const MemRegion *InR, 2184 const LocationContext *InInterestingMethodContext) : 2185 N(InN), R(InR), InterestingMethodContext(InInterestingMethodContext) {} 2186}; 2187 2188static AllocationInfo 2189GetAllocationSite(ProgramStateManager& StateMgr, const ExplodedNode *N, 2190 SymbolRef Sym) { 2191 const ExplodedNode *AllocationNode = N; 2192 const ExplodedNode *AllocationNodeInCurrentOrParentContext = N; 2193 const MemRegion *FirstBinding = nullptr; 2194 const LocationContext *LeakContext = N->getLocationContext(); 2195 2196 // The location context of the init method called on the leaked object, if 2197 // available. 2198 const LocationContext *InitMethodContext = nullptr; 2199 2200 while (N) { 2201 ProgramStateRef St = N->getState(); 2202 const LocationContext *NContext = N->getLocationContext(); 2203 2204 if (!getRefBinding(St, Sym)) 2205 break; 2206 2207 StoreManager::FindUniqueBinding FB(Sym); 2208 StateMgr.iterBindings(St, FB); 2209 2210 if (FB) { 2211 const MemRegion *R = FB.getRegion(); 2212 const VarRegion *VR = R->getBaseRegion()->getAs<VarRegion>(); 2213 // Do not show local variables belonging to a function other than 2214 // where the error is reported. 2215 if (!VR || VR->getStackFrame() == LeakContext->getCurrentStackFrame()) 2216 FirstBinding = R; 2217 } 2218 2219 // AllocationNode is the last node in which the symbol was tracked. 2220 AllocationNode = N; 2221 2222 // AllocationNodeInCurrentContext, is the last node in the current or 2223 // parent context in which the symbol was tracked. 2224 // 2225 // Note that the allocation site might be in the parent conext. For example, 2226 // the case where an allocation happens in a block that captures a reference 2227 // to it and that reference is overwritten/dropped by another call to 2228 // the block. 2229 if (NContext == LeakContext || NContext->isParentOf(LeakContext)) 2230 AllocationNodeInCurrentOrParentContext = N; 2231 2232 // Find the last init that was called on the given symbol and store the 2233 // init method's location context. 2234 if (!InitMethodContext) 2235 if (Optional<CallEnter> CEP = N->getLocation().getAs<CallEnter>()) { 2236 const Stmt *CE = CEP->getCallExpr(); 2237 if (const ObjCMessageExpr *ME = dyn_cast_or_null<ObjCMessageExpr>(CE)) { 2238 const Stmt *RecExpr = ME->getInstanceReceiver(); 2239 if (RecExpr) { 2240 SVal RecV = St->getSVal(RecExpr, NContext); 2241 if (ME->getMethodFamily() == OMF_init && RecV.getAsSymbol() == Sym) 2242 InitMethodContext = CEP->getCalleeContext(); 2243 } 2244 } 2245 } 2246 2247 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2248 } 2249 2250 // If we are reporting a leak of the object that was allocated with alloc, 2251 // mark its init method as interesting. 2252 const LocationContext *InterestingMethodContext = nullptr; 2253 if (InitMethodContext) { 2254 const ProgramPoint AllocPP = AllocationNode->getLocation(); 2255 if (Optional<StmtPoint> SP = AllocPP.getAs<StmtPoint>()) 2256 if (const ObjCMessageExpr *ME = SP->getStmtAs<ObjCMessageExpr>()) 2257 if (ME->getMethodFamily() == OMF_alloc) 2258 InterestingMethodContext = InitMethodContext; 2259 } 2260 2261 // If allocation happened in a function different from the leak node context, 2262 // do not report the binding. 2263 assert(N && "Could not find allocation node"); 2264 if (N->getLocationContext() != LeakContext) { 2265 FirstBinding = nullptr; 2266 } 2267 2268 return AllocationInfo(AllocationNodeInCurrentOrParentContext, 2269 FirstBinding, 2270 InterestingMethodContext); 2271} 2272 2273std::unique_ptr<PathDiagnosticPiece> 2274CFRefReportVisitor::getEndPath(BugReporterContext &BRC, 2275 const ExplodedNode *EndN, BugReport &BR) { 2276 BR.markInteresting(Sym); 2277 return BugReporterVisitor::getDefaultEndPath(BRC, EndN, BR); 2278} 2279 2280std::unique_ptr<PathDiagnosticPiece> 2281CFRefLeakReportVisitor::getEndPath(BugReporterContext &BRC, 2282 const ExplodedNode *EndN, BugReport &BR) { 2283 2284 // Tell the BugReporterContext to report cases when the tracked symbol is 2285 // assigned to different variables, etc. 2286 BR.markInteresting(Sym); 2287 2288 // We are reporting a leak. Walk up the graph to get to the first node where 2289 // the symbol appeared, and also get the first VarDecl that tracked object 2290 // is stored to. 2291 AllocationInfo AllocI = 2292 GetAllocationSite(BRC.getStateManager(), EndN, Sym); 2293 2294 const MemRegion* FirstBinding = AllocI.R; 2295 BR.markInteresting(AllocI.InterestingMethodContext); 2296 2297 SourceManager& SM = BRC.getSourceManager(); 2298 2299 // Compute an actual location for the leak. Sometimes a leak doesn't 2300 // occur at an actual statement (e.g., transition between blocks; end 2301 // of function) so we need to walk the graph and compute a real location. 2302 const ExplodedNode *LeakN = EndN; 2303 PathDiagnosticLocation L = PathDiagnosticLocation::createEndOfPath(LeakN, SM); 2304 2305 std::string sbuf; 2306 llvm::raw_string_ostream os(sbuf); 2307 2308 os << "Object leaked: "; 2309 2310 if (FirstBinding) { 2311 os << "object allocated and stored into '" 2312 << FirstBinding->getString() << '\''; 2313 } 2314 else 2315 os << "allocated object"; 2316 2317 // Get the retain count. 2318 const RefVal* RV = getRefBinding(EndN->getState(), Sym); 2319 assert(RV); 2320 2321 if (RV->getKind() == RefVal::ErrorLeakReturned) { 2322 // FIXME: Per comments in rdar://6320065, "create" only applies to CF 2323 // objects. Only "copy", "alloc", "retain" and "new" transfer ownership 2324 // to the caller for NS objects. 2325 const Decl *D = &EndN->getCodeDecl(); 2326 2327 os << (isa<ObjCMethodDecl>(D) ? " is returned from a method " 2328 : " is returned from a function "); 2329 2330 if (D->hasAttr<CFReturnsNotRetainedAttr>()) 2331 os << "that is annotated as CF_RETURNS_NOT_RETAINED"; 2332 else if (D->hasAttr<NSReturnsNotRetainedAttr>()) 2333 os << "that is annotated as NS_RETURNS_NOT_RETAINED"; 2334 else { 2335 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) { 2336 os << "whose name ('" << MD->getSelector().getAsString() 2337 << "') does not start with 'copy', 'mutableCopy', 'alloc' or 'new'." 2338 " This violates the naming convention rules" 2339 " given in the Memory Management Guide for Cocoa"; 2340 } 2341 else { 2342 const FunctionDecl *FD = cast<FunctionDecl>(D); 2343 os << "whose name ('" << *FD 2344 << "') does not contain 'Copy' or 'Create'. This violates the naming" 2345 " convention rules given in the Memory Management Guide for Core" 2346 " Foundation"; 2347 } 2348 } 2349 } 2350 else if (RV->getKind() == RefVal::ErrorGCLeakReturned) { 2351 const ObjCMethodDecl &MD = cast<ObjCMethodDecl>(EndN->getCodeDecl()); 2352 os << " and returned from method '" << MD.getSelector().getAsString() 2353 << "' is potentially leaked when using garbage collection. Callers " 2354 "of this method do not expect a returned object with a +1 retain " 2355 "count since they expect the object to be managed by the garbage " 2356 "collector"; 2357 } 2358 else 2359 os << " is not referenced later in this execution path and has a retain " 2360 "count of +" << RV->getCount(); 2361 2362 return llvm::make_unique<PathDiagnosticEventPiece>(L, os.str()); 2363} 2364 2365CFRefLeakReport::CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts, 2366 bool GCEnabled, const SummaryLogTy &Log, 2367 ExplodedNode *n, SymbolRef sym, 2368 CheckerContext &Ctx, 2369 bool IncludeAllocationLine) 2370 : CFRefReport(D, LOpts, GCEnabled, Log, n, sym, false) { 2371 2372 // Most bug reports are cached at the location where they occurred. 2373 // With leaks, we want to unique them by the location where they were 2374 // allocated, and only report a single path. To do this, we need to find 2375 // the allocation site of a piece of tracked memory, which we do via a 2376 // call to GetAllocationSite. This will walk the ExplodedGraph backwards. 2377 // Note that this is *not* the trimmed graph; we are guaranteed, however, 2378 // that all ancestor nodes that represent the allocation site have the 2379 // same SourceLocation. 2380 const ExplodedNode *AllocNode = nullptr; 2381 2382 const SourceManager& SMgr = Ctx.getSourceManager(); 2383 2384 AllocationInfo AllocI = 2385 GetAllocationSite(Ctx.getStateManager(), getErrorNode(), sym); 2386 2387 AllocNode = AllocI.N; 2388 AllocBinding = AllocI.R; 2389 markInteresting(AllocI.InterestingMethodContext); 2390 2391 // Get the SourceLocation for the allocation site. 2392 // FIXME: This will crash the analyzer if an allocation comes from an 2393 // implicit call (ex: a destructor call). 2394 // (Currently there are no such allocations in Cocoa, though.) 2395 const Stmt *AllocStmt = 0; 2396 ProgramPoint P = AllocNode->getLocation(); 2397 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 2398 AllocStmt = Exit->getCalleeContext()->getCallSite(); 2399 else 2400 AllocStmt = P.castAs<PostStmt>().getStmt(); 2401 assert(AllocStmt && "Cannot find allocation statement"); 2402 2403 PathDiagnosticLocation AllocLocation = 2404 PathDiagnosticLocation::createBegin(AllocStmt, SMgr, 2405 AllocNode->getLocationContext()); 2406 Location = AllocLocation; 2407 2408 // Set uniqieing info, which will be used for unique the bug reports. The 2409 // leaks should be uniqued on the allocation site. 2410 UniqueingLocation = AllocLocation; 2411 UniqueingDecl = AllocNode->getLocationContext()->getDecl(); 2412 2413 // Fill in the description of the bug. 2414 Description.clear(); 2415 llvm::raw_string_ostream os(Description); 2416 os << "Potential leak "; 2417 if (GCEnabled) 2418 os << "(when using garbage collection) "; 2419 os << "of an object"; 2420 2421 if (AllocBinding) { 2422 os << " stored into '" << AllocBinding->getString() << '\''; 2423 if (IncludeAllocationLine) { 2424 FullSourceLoc SL(AllocStmt->getLocStart(), Ctx.getSourceManager()); 2425 os << " (allocated on line " << SL.getSpellingLineNumber() << ")"; 2426 } 2427 } 2428 2429 addVisitor(llvm::make_unique<CFRefLeakReportVisitor>(sym, GCEnabled, Log)); 2430} 2431 2432//===----------------------------------------------------------------------===// 2433// Main checker logic. 2434//===----------------------------------------------------------------------===// 2435 2436namespace { 2437class RetainCountChecker 2438 : public Checker< check::Bind, 2439 check::DeadSymbols, 2440 check::EndAnalysis, 2441 check::EndFunction, 2442 check::PostStmt<BlockExpr>, 2443 check::PostStmt<CastExpr>, 2444 check::PostStmt<ObjCArrayLiteral>, 2445 check::PostStmt<ObjCDictionaryLiteral>, 2446 check::PostStmt<ObjCBoxedExpr>, 2447 check::PostStmt<ObjCIvarRefExpr>, 2448 check::PostCall, 2449 check::PreStmt<ReturnStmt>, 2450 check::RegionChanges, 2451 eval::Assume, 2452 eval::Call > { 2453 mutable std::unique_ptr<CFRefBug> useAfterRelease, releaseNotOwned; 2454 mutable std::unique_ptr<CFRefBug> deallocGC, deallocNotOwned; 2455 mutable std::unique_ptr<CFRefBug> overAutorelease, returnNotOwnedForOwned; 2456 mutable std::unique_ptr<CFRefBug> leakWithinFunction, leakAtReturn; 2457 mutable std::unique_ptr<CFRefBug> leakWithinFunctionGC, leakAtReturnGC; 2458 2459 typedef llvm::DenseMap<SymbolRef, const CheckerProgramPointTag *> SymbolTagMap; 2460 2461 // This map is only used to ensure proper deletion of any allocated tags. 2462 mutable SymbolTagMap DeadSymbolTags; 2463 2464 mutable std::unique_ptr<RetainSummaryManager> Summaries; 2465 mutable std::unique_ptr<RetainSummaryManager> SummariesGC; 2466 mutable SummaryLogTy SummaryLog; 2467 mutable bool ShouldResetSummaryLog; 2468 2469 /// Optional setting to indicate if leak reports should include 2470 /// the allocation line. 2471 mutable bool IncludeAllocationLine; 2472 2473public: 2474 RetainCountChecker(AnalyzerOptions &AO) 2475 : ShouldResetSummaryLog(false), 2476 IncludeAllocationLine(shouldIncludeAllocationSiteInLeakDiagnostics(AO)) {} 2477 2478 virtual ~RetainCountChecker() { 2479 DeleteContainerSeconds(DeadSymbolTags); 2480 } 2481 2482 void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR, 2483 ExprEngine &Eng) const { 2484 // FIXME: This is a hack to make sure the summary log gets cleared between 2485 // analyses of different code bodies. 2486 // 2487 // Why is this necessary? Because a checker's lifetime is tied to a 2488 // translation unit, but an ExplodedGraph's lifetime is just a code body. 2489 // Once in a blue moon, a new ExplodedNode will have the same address as an 2490 // old one with an associated summary, and the bug report visitor gets very 2491 // confused. (To make things worse, the summary lifetime is currently also 2492 // tied to a code body, so we get a crash instead of incorrect results.) 2493 // 2494 // Why is this a bad solution? Because if the lifetime of the ExplodedGraph 2495 // changes, things will start going wrong again. Really the lifetime of this 2496 // log needs to be tied to either the specific nodes in it or the entire 2497 // ExplodedGraph, not to a specific part of the code being analyzed. 2498 // 2499 // (Also, having stateful local data means that the same checker can't be 2500 // used from multiple threads, but a lot of checkers have incorrect 2501 // assumptions about that anyway. So that wasn't a priority at the time of 2502 // this fix.) 2503 // 2504 // This happens at the end of analysis, but bug reports are emitted /after/ 2505 // this point. So we can't just clear the summary log now. Instead, we mark 2506 // that the next time we access the summary log, it should be cleared. 2507 2508 // If we never reset the summary log during /this/ code body analysis, 2509 // there were no new summaries. There might still have been summaries from 2510 // the /last/ analysis, so clear them out to make sure the bug report 2511 // visitors don't get confused. 2512 if (ShouldResetSummaryLog) 2513 SummaryLog.clear(); 2514 2515 ShouldResetSummaryLog = !SummaryLog.empty(); 2516 } 2517 2518 CFRefBug *getLeakWithinFunctionBug(const LangOptions &LOpts, 2519 bool GCEnabled) const { 2520 if (GCEnabled) { 2521 if (!leakWithinFunctionGC) 2522 leakWithinFunctionGC.reset(new Leak(this, "Leak of object when using " 2523 "garbage collection")); 2524 return leakWithinFunctionGC.get(); 2525 } else { 2526 if (!leakWithinFunction) { 2527 if (LOpts.getGC() == LangOptions::HybridGC) { 2528 leakWithinFunction.reset(new Leak(this, 2529 "Leak of object when not using " 2530 "garbage collection (GC) in " 2531 "dual GC/non-GC code")); 2532 } else { 2533 leakWithinFunction.reset(new Leak(this, "Leak")); 2534 } 2535 } 2536 return leakWithinFunction.get(); 2537 } 2538 } 2539 2540 CFRefBug *getLeakAtReturnBug(const LangOptions &LOpts, bool GCEnabled) const { 2541 if (GCEnabled) { 2542 if (!leakAtReturnGC) 2543 leakAtReturnGC.reset(new Leak(this, 2544 "Leak of returned object when using " 2545 "garbage collection")); 2546 return leakAtReturnGC.get(); 2547 } else { 2548 if (!leakAtReturn) { 2549 if (LOpts.getGC() == LangOptions::HybridGC) { 2550 leakAtReturn.reset(new Leak(this, 2551 "Leak of returned object when not using " 2552 "garbage collection (GC) in dual " 2553 "GC/non-GC code")); 2554 } else { 2555 leakAtReturn.reset(new Leak(this, "Leak of returned object")); 2556 } 2557 } 2558 return leakAtReturn.get(); 2559 } 2560 } 2561 2562 RetainSummaryManager &getSummaryManager(ASTContext &Ctx, 2563 bool GCEnabled) const { 2564 // FIXME: We don't support ARC being turned on and off during one analysis. 2565 // (nor, for that matter, do we support changing ASTContexts) 2566 bool ARCEnabled = (bool)Ctx.getLangOpts().ObjCAutoRefCount; 2567 if (GCEnabled) { 2568 if (!SummariesGC) 2569 SummariesGC.reset(new RetainSummaryManager(Ctx, true, ARCEnabled)); 2570 else 2571 assert(SummariesGC->isARCEnabled() == ARCEnabled); 2572 return *SummariesGC; 2573 } else { 2574 if (!Summaries) 2575 Summaries.reset(new RetainSummaryManager(Ctx, false, ARCEnabled)); 2576 else 2577 assert(Summaries->isARCEnabled() == ARCEnabled); 2578 return *Summaries; 2579 } 2580 } 2581 2582 RetainSummaryManager &getSummaryManager(CheckerContext &C) const { 2583 return getSummaryManager(C.getASTContext(), C.isObjCGCEnabled()); 2584 } 2585 2586 void printState(raw_ostream &Out, ProgramStateRef State, 2587 const char *NL, const char *Sep) const override; 2588 2589 void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const; 2590 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 2591 void checkPostStmt(const CastExpr *CE, CheckerContext &C) const; 2592 2593 void checkPostStmt(const ObjCArrayLiteral *AL, CheckerContext &C) const; 2594 void checkPostStmt(const ObjCDictionaryLiteral *DL, CheckerContext &C) const; 2595 void checkPostStmt(const ObjCBoxedExpr *BE, CheckerContext &C) const; 2596 2597 void checkPostStmt(const ObjCIvarRefExpr *IRE, CheckerContext &C) const; 2598 2599 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 2600 2601 void checkSummary(const RetainSummary &Summ, const CallEvent &Call, 2602 CheckerContext &C) const; 2603 2604 void processSummaryOfInlined(const RetainSummary &Summ, 2605 const CallEvent &Call, 2606 CheckerContext &C) const; 2607 2608 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 2609 2610 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 2611 bool Assumption) const; 2612 2613 ProgramStateRef 2614 checkRegionChanges(ProgramStateRef state, 2615 const InvalidatedSymbols *invalidated, 2616 ArrayRef<const MemRegion *> ExplicitRegions, 2617 ArrayRef<const MemRegion *> Regions, 2618 const CallEvent *Call) const; 2619 2620 bool wantsRegionChangeUpdate(ProgramStateRef state) const { 2621 return true; 2622 } 2623 2624 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 2625 void checkReturnWithRetEffect(const ReturnStmt *S, CheckerContext &C, 2626 ExplodedNode *Pred, RetEffect RE, RefVal X, 2627 SymbolRef Sym, ProgramStateRef state) const; 2628 2629 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 2630 void checkEndFunction(CheckerContext &C) const; 2631 2632 ProgramStateRef updateSymbol(ProgramStateRef state, SymbolRef sym, 2633 RefVal V, ArgEffect E, RefVal::Kind &hasErr, 2634 CheckerContext &C) const; 2635 2636 void processNonLeakError(ProgramStateRef St, SourceRange ErrorRange, 2637 RefVal::Kind ErrorKind, SymbolRef Sym, 2638 CheckerContext &C) const; 2639 2640 void processObjCLiterals(CheckerContext &C, const Expr *Ex) const; 2641 2642 const ProgramPointTag *getDeadSymbolTag(SymbolRef sym) const; 2643 2644 ProgramStateRef handleSymbolDeath(ProgramStateRef state, 2645 SymbolRef sid, RefVal V, 2646 SmallVectorImpl<SymbolRef> &Leaked) const; 2647 2648 ProgramStateRef 2649 handleAutoreleaseCounts(ProgramStateRef state, ExplodedNode *Pred, 2650 const ProgramPointTag *Tag, CheckerContext &Ctx, 2651 SymbolRef Sym, RefVal V) const; 2652 2653 ExplodedNode *processLeaks(ProgramStateRef state, 2654 SmallVectorImpl<SymbolRef> &Leaked, 2655 CheckerContext &Ctx, 2656 ExplodedNode *Pred = nullptr) const; 2657}; 2658} // end anonymous namespace 2659 2660namespace { 2661class StopTrackingCallback : public SymbolVisitor { 2662 ProgramStateRef state; 2663public: 2664 StopTrackingCallback(ProgramStateRef st) : state(st) {} 2665 ProgramStateRef getState() const { return state; } 2666 2667 bool VisitSymbol(SymbolRef sym) override { 2668 state = state->remove<RefBindings>(sym); 2669 return true; 2670 } 2671}; 2672} // end anonymous namespace 2673 2674//===----------------------------------------------------------------------===// 2675// Handle statements that may have an effect on refcounts. 2676//===----------------------------------------------------------------------===// 2677 2678void RetainCountChecker::checkPostStmt(const BlockExpr *BE, 2679 CheckerContext &C) const { 2680 2681 // Scan the BlockDecRefExprs for any object the retain count checker 2682 // may be tracking. 2683 if (!BE->getBlockDecl()->hasCaptures()) 2684 return; 2685 2686 ProgramStateRef state = C.getState(); 2687 const BlockDataRegion *R = 2688 cast<BlockDataRegion>(state->getSVal(BE, 2689 C.getLocationContext()).getAsRegion()); 2690 2691 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2692 E = R->referenced_vars_end(); 2693 2694 if (I == E) 2695 return; 2696 2697 // FIXME: For now we invalidate the tracking of all symbols passed to blocks 2698 // via captured variables, even though captured variables result in a copy 2699 // and in implicit increment/decrement of a retain count. 2700 SmallVector<const MemRegion*, 10> Regions; 2701 const LocationContext *LC = C.getLocationContext(); 2702 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2703 2704 for ( ; I != E; ++I) { 2705 const VarRegion *VR = I.getCapturedRegion(); 2706 if (VR->getSuperRegion() == R) { 2707 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2708 } 2709 Regions.push_back(VR); 2710 } 2711 2712 state = 2713 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2714 Regions.data() + Regions.size()).getState(); 2715 C.addTransition(state); 2716} 2717 2718void RetainCountChecker::checkPostStmt(const CastExpr *CE, 2719 CheckerContext &C) const { 2720 const ObjCBridgedCastExpr *BE = dyn_cast<ObjCBridgedCastExpr>(CE); 2721 if (!BE) 2722 return; 2723 2724 ArgEffect AE = IncRef; 2725 2726 switch (BE->getBridgeKind()) { 2727 case clang::OBC_Bridge: 2728 // Do nothing. 2729 return; 2730 case clang::OBC_BridgeRetained: 2731 AE = IncRef; 2732 break; 2733 case clang::OBC_BridgeTransfer: 2734 AE = DecRefBridgedTransferred; 2735 break; 2736 } 2737 2738 ProgramStateRef state = C.getState(); 2739 SymbolRef Sym = state->getSVal(CE, C.getLocationContext()).getAsLocSymbol(); 2740 if (!Sym) 2741 return; 2742 const RefVal* T = getRefBinding(state, Sym); 2743 if (!T) 2744 return; 2745 2746 RefVal::Kind hasErr = (RefVal::Kind) 0; 2747 state = updateSymbol(state, Sym, *T, AE, hasErr, C); 2748 2749 if (hasErr) { 2750 // FIXME: If we get an error during a bridge cast, should we report it? 2751 // Should we assert that there is no error? 2752 return; 2753 } 2754 2755 C.addTransition(state); 2756} 2757 2758void RetainCountChecker::processObjCLiterals(CheckerContext &C, 2759 const Expr *Ex) const { 2760 ProgramStateRef state = C.getState(); 2761 const ExplodedNode *pred = C.getPredecessor(); 2762 for (Stmt::const_child_iterator it = Ex->child_begin(), et = Ex->child_end() ; 2763 it != et ; ++it) { 2764 const Stmt *child = *it; 2765 SVal V = state->getSVal(child, pred->getLocationContext()); 2766 if (SymbolRef sym = V.getAsSymbol()) 2767 if (const RefVal* T = getRefBinding(state, sym)) { 2768 RefVal::Kind hasErr = (RefVal::Kind) 0; 2769 state = updateSymbol(state, sym, *T, MayEscape, hasErr, C); 2770 if (hasErr) { 2771 processNonLeakError(state, child->getSourceRange(), hasErr, sym, C); 2772 return; 2773 } 2774 } 2775 } 2776 2777 // Return the object as autoreleased. 2778 // RetEffect RE = RetEffect::MakeNotOwned(RetEffect::ObjC); 2779 if (SymbolRef sym = 2780 state->getSVal(Ex, pred->getLocationContext()).getAsSymbol()) { 2781 QualType ResultTy = Ex->getType(); 2782 state = setRefBinding(state, sym, 2783 RefVal::makeNotOwned(RetEffect::ObjC, ResultTy)); 2784 } 2785 2786 C.addTransition(state); 2787} 2788 2789void RetainCountChecker::checkPostStmt(const ObjCArrayLiteral *AL, 2790 CheckerContext &C) const { 2791 // Apply the 'MayEscape' to all values. 2792 processObjCLiterals(C, AL); 2793} 2794 2795void RetainCountChecker::checkPostStmt(const ObjCDictionaryLiteral *DL, 2796 CheckerContext &C) const { 2797 // Apply the 'MayEscape' to all keys and values. 2798 processObjCLiterals(C, DL); 2799} 2800 2801void RetainCountChecker::checkPostStmt(const ObjCBoxedExpr *Ex, 2802 CheckerContext &C) const { 2803 const ExplodedNode *Pred = C.getPredecessor(); 2804 const LocationContext *LCtx = Pred->getLocationContext(); 2805 ProgramStateRef State = Pred->getState(); 2806 2807 if (SymbolRef Sym = State->getSVal(Ex, LCtx).getAsSymbol()) { 2808 QualType ResultTy = Ex->getType(); 2809 State = setRefBinding(State, Sym, 2810 RefVal::makeNotOwned(RetEffect::ObjC, ResultTy)); 2811 } 2812 2813 C.addTransition(State); 2814} 2815 2816static bool wasLoadedFromIvar(SymbolRef Sym) { 2817 if (auto DerivedVal = dyn_cast<SymbolDerived>(Sym)) 2818 return isa<ObjCIvarRegion>(DerivedVal->getRegion()); 2819 if (auto RegionVal = dyn_cast<SymbolRegionValue>(Sym)) 2820 return isa<ObjCIvarRegion>(RegionVal->getRegion()); 2821 return false; 2822} 2823 2824/// Returns the property that claims this instance variable, if any. 2825static const ObjCPropertyDecl *findPropForIvar(const ObjCIvarDecl *Ivar) { 2826 auto IsPropertyForIvar = [Ivar](const ObjCPropertyDecl *Prop) -> bool { 2827 return Prop->getPropertyIvarDecl() == Ivar; 2828 }; 2829 2830 const ObjCInterfaceDecl *Interface = Ivar->getContainingInterface(); 2831 auto PropIter = std::find_if(Interface->prop_begin(), Interface->prop_end(), 2832 IsPropertyForIvar); 2833 if (PropIter != Interface->prop_end()) { 2834 return *PropIter; 2835 } 2836 2837 for (auto Extension : Interface->visible_extensions()) { 2838 PropIter = std::find_if(Extension->prop_begin(), Extension->prop_end(), 2839 IsPropertyForIvar); 2840 if (PropIter != Extension->prop_end()) 2841 return *PropIter; 2842 } 2843 2844 return nullptr; 2845} 2846 2847namespace { 2848 enum Retaining_t { 2849 NonRetaining, 2850 Retaining 2851 }; 2852} 2853 2854static Optional<Retaining_t> getRetainSemantics(const ObjCPropertyDecl *Prop) { 2855 assert(Prop->getPropertyIvarDecl() && 2856 "should only be used for properties with synthesized implementations"); 2857 2858 if (!Prop->hasWrittenStorageAttribute()) { 2859 // Don't assume anything about the retain semantics of readonly properties. 2860 if (Prop->isReadOnly()) 2861 return None; 2862 2863 // Don't assume anything about readwrite properties with manually-supplied 2864 // setters. 2865 const ObjCMethodDecl *Setter = Prop->getSetterMethodDecl(); 2866 bool HasManualSetter = std::any_of(Setter->redecls_begin(), 2867 Setter->redecls_end(), 2868 [](const Decl *SetterRedecl) -> bool { 2869 return cast<ObjCMethodDecl>(SetterRedecl)->hasBody(); 2870 }); 2871 if (HasManualSetter) 2872 return None; 2873 2874 // If the setter /is/ synthesized, we're already relying on the retain 2875 // semantics of the property. Continue as normal. 2876 } 2877 2878 return Prop->isRetaining() ? Retaining : NonRetaining; 2879} 2880 2881void RetainCountChecker::checkPostStmt(const ObjCIvarRefExpr *IRE, 2882 CheckerContext &C) const { 2883 Optional<Loc> IVarLoc = C.getSVal(IRE).getAs<Loc>(); 2884 if (!IVarLoc) 2885 return; 2886 2887 ProgramStateRef State = C.getState(); 2888 SymbolRef Sym = State->getSVal(*IVarLoc).getAsSymbol(); 2889 if (!Sym || !wasLoadedFromIvar(Sym)) 2890 return; 2891 2892 // Accessing an ivar directly is unusual. If we've done that, be more 2893 // forgiving about what the surrounding code is allowed to do. 2894 2895 QualType Ty = Sym->getType(); 2896 RetEffect::ObjKind Kind; 2897 if (Ty->isObjCRetainableType()) 2898 Kind = RetEffect::ObjC; 2899 else if (coreFoundation::isCFObjectRef(Ty)) 2900 Kind = RetEffect::CF; 2901 else 2902 return; 2903 2904 // If the value is already known to be nil, don't bother tracking it. 2905 ConstraintManager &CMgr = State->getConstraintManager(); 2906 if (CMgr.isNull(State, Sym).isConstrainedTrue()) 2907 return; 2908 2909 if (const RefVal *RV = getRefBinding(State, Sym)) { 2910 // If we've seen this symbol before, or we're only seeing it now because 2911 // of something the analyzer has synthesized, don't do anything. 2912 if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None || 2913 isSynthesizedAccessor(C.getStackFrame())) { 2914 return; 2915 } 2916 2917 // Also don't do anything if the ivar is unretained. If so, we know that 2918 // there's no outstanding retain count for the value. 2919 if (Kind == RetEffect::ObjC) 2920 if (const ObjCPropertyDecl *Prop = findPropForIvar(IRE->getDecl())) 2921 if (auto retainSemantics = getRetainSemantics(Prop)) 2922 if (retainSemantics.getValue() == NonRetaining) 2923 return; 2924 2925 // Note that this value has been loaded from an ivar. 2926 C.addTransition(setRefBinding(State, Sym, RV->withIvarAccess())); 2927 return; 2928 } 2929 2930 RefVal PlusZero = RefVal::makeNotOwned(Kind, Ty); 2931 2932 // In a synthesized accessor, the effective retain count is +0. 2933 if (isSynthesizedAccessor(C.getStackFrame())) { 2934 C.addTransition(setRefBinding(State, Sym, PlusZero)); 2935 return; 2936 } 2937 2938 bool didUpdateState = false; 2939 if (Kind == RetEffect::ObjC) { 2940 // Check if the ivar is known to be unretained. If so, we know that 2941 // there's no outstanding retain count for the value. 2942 if (const ObjCPropertyDecl *Prop = findPropForIvar(IRE->getDecl())) { 2943 if (auto retainSemantics = getRetainSemantics(Prop)) { 2944 if (retainSemantics.getValue() == NonRetaining) { 2945 State = setRefBinding(State, Sym, PlusZero); 2946 didUpdateState = true; 2947 } 2948 } 2949 } 2950 } 2951 2952 if (!didUpdateState) 2953 State = setRefBinding(State, Sym, PlusZero.withIvarAccess()); 2954 2955 C.addTransition(State); 2956} 2957 2958void RetainCountChecker::checkPostCall(const CallEvent &Call, 2959 CheckerContext &C) const { 2960 RetainSummaryManager &Summaries = getSummaryManager(C); 2961 const RetainSummary *Summ = Summaries.getSummary(Call, C.getState()); 2962 2963 if (C.wasInlined) { 2964 processSummaryOfInlined(*Summ, Call, C); 2965 return; 2966 } 2967 checkSummary(*Summ, Call, C); 2968} 2969 2970/// GetReturnType - Used to get the return type of a message expression or 2971/// function call with the intention of affixing that type to a tracked symbol. 2972/// While the return type can be queried directly from RetEx, when 2973/// invoking class methods we augment to the return type to be that of 2974/// a pointer to the class (as opposed it just being id). 2975// FIXME: We may be able to do this with related result types instead. 2976// This function is probably overestimating. 2977static QualType GetReturnType(const Expr *RetE, ASTContext &Ctx) { 2978 QualType RetTy = RetE->getType(); 2979 // If RetE is not a message expression just return its type. 2980 // If RetE is a message expression, return its types if it is something 2981 /// more specific than id. 2982 if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(RetE)) 2983 if (const ObjCObjectPointerType *PT = RetTy->getAs<ObjCObjectPointerType>()) 2984 if (PT->isObjCQualifiedIdType() || PT->isObjCIdType() || 2985 PT->isObjCClassType()) { 2986 // At this point we know the return type of the message expression is 2987 // id, id<...>, or Class. If we have an ObjCInterfaceDecl, we know this 2988 // is a call to a class method whose type we can resolve. In such 2989 // cases, promote the return type to XXX* (where XXX is the class). 2990 const ObjCInterfaceDecl *D = ME->getReceiverInterface(); 2991 return !D ? RetTy : 2992 Ctx.getObjCObjectPointerType(Ctx.getObjCInterfaceType(D)); 2993 } 2994 2995 return RetTy; 2996} 2997 2998// We don't always get the exact modeling of the function with regards to the 2999// retain count checker even when the function is inlined. For example, we need 3000// to stop tracking the symbols which were marked with StopTrackingHard. 3001void RetainCountChecker::processSummaryOfInlined(const RetainSummary &Summ, 3002 const CallEvent &CallOrMsg, 3003 CheckerContext &C) const { 3004 ProgramStateRef state = C.getState(); 3005 3006 // Evaluate the effect of the arguments. 3007 for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) { 3008 if (Summ.getArg(idx) == StopTrackingHard) { 3009 SVal V = CallOrMsg.getArgSVal(idx); 3010 if (SymbolRef Sym = V.getAsLocSymbol()) { 3011 state = removeRefBinding(state, Sym); 3012 } 3013 } 3014 } 3015 3016 // Evaluate the effect on the message receiver. 3017 const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg); 3018 if (MsgInvocation) { 3019 if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) { 3020 if (Summ.getReceiverEffect() == StopTrackingHard) { 3021 state = removeRefBinding(state, Sym); 3022 } 3023 } 3024 } 3025 3026 // Consult the summary for the return value. 3027 RetEffect RE = Summ.getRetEffect(); 3028 if (RE.getKind() == RetEffect::NoRetHard) { 3029 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 3030 if (Sym) 3031 state = removeRefBinding(state, Sym); 3032 } 3033 3034 C.addTransition(state); 3035} 3036 3037void RetainCountChecker::checkSummary(const RetainSummary &Summ, 3038 const CallEvent &CallOrMsg, 3039 CheckerContext &C) const { 3040 ProgramStateRef state = C.getState(); 3041 3042 // Evaluate the effect of the arguments. 3043 RefVal::Kind hasErr = (RefVal::Kind) 0; 3044 SourceRange ErrorRange; 3045 SymbolRef ErrorSym = nullptr; 3046 3047 for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) { 3048 SVal V = CallOrMsg.getArgSVal(idx); 3049 3050 if (SymbolRef Sym = V.getAsLocSymbol()) { 3051 if (const RefVal *T = getRefBinding(state, Sym)) { 3052 state = updateSymbol(state, Sym, *T, Summ.getArg(idx), hasErr, C); 3053 if (hasErr) { 3054 ErrorRange = CallOrMsg.getArgSourceRange(idx); 3055 ErrorSym = Sym; 3056 break; 3057 } 3058 } 3059 } 3060 } 3061 3062 // Evaluate the effect on the message receiver. 3063 bool ReceiverIsTracked = false; 3064 if (!hasErr) { 3065 const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg); 3066 if (MsgInvocation) { 3067 if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) { 3068 if (const RefVal *T = getRefBinding(state, Sym)) { 3069 ReceiverIsTracked = true; 3070 state = updateSymbol(state, Sym, *T, Summ.getReceiverEffect(), 3071 hasErr, C); 3072 if (hasErr) { 3073 ErrorRange = MsgInvocation->getOriginExpr()->getReceiverRange(); 3074 ErrorSym = Sym; 3075 } 3076 } 3077 } 3078 } 3079 } 3080 3081 // Process any errors. 3082 if (hasErr) { 3083 processNonLeakError(state, ErrorRange, hasErr, ErrorSym, C); 3084 return; 3085 } 3086 3087 // Consult the summary for the return value. 3088 RetEffect RE = Summ.getRetEffect(); 3089 3090 if (RE.getKind() == RetEffect::OwnedWhenTrackedReceiver) { 3091 if (ReceiverIsTracked) 3092 RE = getSummaryManager(C).getObjAllocRetEffect(); 3093 else 3094 RE = RetEffect::MakeNoRet(); 3095 } 3096 3097 switch (RE.getKind()) { 3098 default: 3099 llvm_unreachable("Unhandled RetEffect."); 3100 3101 case RetEffect::NoRet: 3102 case RetEffect::NoRetHard: 3103 // No work necessary. 3104 break; 3105 3106 case RetEffect::OwnedAllocatedSymbol: 3107 case RetEffect::OwnedSymbol: { 3108 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 3109 if (!Sym) 3110 break; 3111 3112 // Use the result type from the CallEvent as it automatically adjusts 3113 // for methods/functions that return references. 3114 QualType ResultTy = CallOrMsg.getResultType(); 3115 state = setRefBinding(state, Sym, RefVal::makeOwned(RE.getObjKind(), 3116 ResultTy)); 3117 3118 // FIXME: Add a flag to the checker where allocations are assumed to 3119 // *not* fail. 3120 break; 3121 } 3122 3123 case RetEffect::GCNotOwnedSymbol: 3124 case RetEffect::NotOwnedSymbol: { 3125 const Expr *Ex = CallOrMsg.getOriginExpr(); 3126 SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol(); 3127 if (!Sym) 3128 break; 3129 assert(Ex); 3130 // Use GetReturnType in order to give [NSFoo alloc] the type NSFoo *. 3131 QualType ResultTy = GetReturnType(Ex, C.getASTContext()); 3132 state = setRefBinding(state, Sym, RefVal::makeNotOwned(RE.getObjKind(), 3133 ResultTy)); 3134 break; 3135 } 3136 } 3137 3138 // This check is actually necessary; otherwise the statement builder thinks 3139 // we've hit a previously-found path. 3140 // Normally addTransition takes care of this, but we want the node pointer. 3141 ExplodedNode *NewNode; 3142 if (state == C.getState()) { 3143 NewNode = C.getPredecessor(); 3144 } else { 3145 NewNode = C.addTransition(state); 3146 } 3147 3148 // Annotate the node with summary we used. 3149 if (NewNode) { 3150 // FIXME: This is ugly. See checkEndAnalysis for why it's necessary. 3151 if (ShouldResetSummaryLog) { 3152 SummaryLog.clear(); 3153 ShouldResetSummaryLog = false; 3154 } 3155 SummaryLog[NewNode] = &Summ; 3156 } 3157} 3158 3159 3160ProgramStateRef 3161RetainCountChecker::updateSymbol(ProgramStateRef state, SymbolRef sym, 3162 RefVal V, ArgEffect E, RefVal::Kind &hasErr, 3163 CheckerContext &C) const { 3164 // In GC mode [... release] and [... retain] do nothing. 3165 // In ARC mode they shouldn't exist at all, but we just ignore them. 3166 bool IgnoreRetainMsg = C.isObjCGCEnabled(); 3167 if (!IgnoreRetainMsg) 3168 IgnoreRetainMsg = (bool)C.getASTContext().getLangOpts().ObjCAutoRefCount; 3169 3170 switch (E) { 3171 default: 3172 break; 3173 case IncRefMsg: 3174 E = IgnoreRetainMsg ? DoNothing : IncRef; 3175 break; 3176 case DecRefMsg: 3177 E = IgnoreRetainMsg ? DoNothing : DecRef; 3178 break; 3179 case DecRefMsgAndStopTrackingHard: 3180 E = IgnoreRetainMsg ? StopTracking : DecRefAndStopTrackingHard; 3181 break; 3182 case MakeCollectable: 3183 E = C.isObjCGCEnabled() ? DecRef : DoNothing; 3184 break; 3185 } 3186 3187 // Handle all use-after-releases. 3188 if (!C.isObjCGCEnabled() && V.getKind() == RefVal::Released) { 3189 V = V ^ RefVal::ErrorUseAfterRelease; 3190 hasErr = V.getKind(); 3191 return setRefBinding(state, sym, V); 3192 } 3193 3194 switch (E) { 3195 case DecRefMsg: 3196 case IncRefMsg: 3197 case MakeCollectable: 3198 case DecRefMsgAndStopTrackingHard: 3199 llvm_unreachable("DecRefMsg/IncRefMsg/MakeCollectable already converted"); 3200 3201 case Dealloc: 3202 // Any use of -dealloc in GC is *bad*. 3203 if (C.isObjCGCEnabled()) { 3204 V = V ^ RefVal::ErrorDeallocGC; 3205 hasErr = V.getKind(); 3206 break; 3207 } 3208 3209 switch (V.getKind()) { 3210 default: 3211 llvm_unreachable("Invalid RefVal state for an explicit dealloc."); 3212 case RefVal::Owned: 3213 // The object immediately transitions to the released state. 3214 V = V ^ RefVal::Released; 3215 V.clearCounts(); 3216 return setRefBinding(state, sym, V); 3217 case RefVal::NotOwned: 3218 V = V ^ RefVal::ErrorDeallocNotOwned; 3219 hasErr = V.getKind(); 3220 break; 3221 } 3222 break; 3223 3224 case MayEscape: 3225 if (V.getKind() == RefVal::Owned) { 3226 V = V ^ RefVal::NotOwned; 3227 break; 3228 } 3229 3230 // Fall-through. 3231 3232 case DoNothing: 3233 return state; 3234 3235 case Autorelease: 3236 if (C.isObjCGCEnabled()) 3237 return state; 3238 // Update the autorelease counts. 3239 V = V.autorelease(); 3240 break; 3241 3242 case StopTracking: 3243 case StopTrackingHard: 3244 return removeRefBinding(state, sym); 3245 3246 case IncRef: 3247 switch (V.getKind()) { 3248 default: 3249 llvm_unreachable("Invalid RefVal state for a retain."); 3250 case RefVal::Owned: 3251 case RefVal::NotOwned: 3252 V = V + 1; 3253 break; 3254 case RefVal::Released: 3255 // Non-GC cases are handled above. 3256 assert(C.isObjCGCEnabled()); 3257 V = (V ^ RefVal::Owned) + 1; 3258 break; 3259 } 3260 break; 3261 3262 case DecRef: 3263 case DecRefBridgedTransferred: 3264 case DecRefAndStopTrackingHard: 3265 switch (V.getKind()) { 3266 default: 3267 // case 'RefVal::Released' handled above. 3268 llvm_unreachable("Invalid RefVal state for a release."); 3269 3270 case RefVal::Owned: 3271 assert(V.getCount() > 0); 3272 if (V.getCount() == 1) { 3273 if (E == DecRefBridgedTransferred || 3274 V.getIvarAccessHistory() == 3275 RefVal::IvarAccessHistory::AccessedDirectly) 3276 V = V ^ RefVal::NotOwned; 3277 else 3278 V = V ^ RefVal::Released; 3279 } else if (E == DecRefAndStopTrackingHard) { 3280 return removeRefBinding(state, sym); 3281 } 3282 3283 V = V - 1; 3284 break; 3285 3286 case RefVal::NotOwned: 3287 if (V.getCount() > 0) { 3288 if (E == DecRefAndStopTrackingHard) 3289 return removeRefBinding(state, sym); 3290 V = V - 1; 3291 } else if (V.getIvarAccessHistory() == 3292 RefVal::IvarAccessHistory::AccessedDirectly) { 3293 // Assume that the instance variable was holding on the object at 3294 // +1, and we just didn't know. 3295 if (E == DecRefAndStopTrackingHard) 3296 return removeRefBinding(state, sym); 3297 V = V.releaseViaIvar() ^ RefVal::Released; 3298 } else { 3299 V = V ^ RefVal::ErrorReleaseNotOwned; 3300 hasErr = V.getKind(); 3301 } 3302 break; 3303 3304 case RefVal::Released: 3305 // Non-GC cases are handled above. 3306 assert(C.isObjCGCEnabled()); 3307 V = V ^ RefVal::ErrorUseAfterRelease; 3308 hasErr = V.getKind(); 3309 break; 3310 } 3311 break; 3312 } 3313 return setRefBinding(state, sym, V); 3314} 3315 3316void RetainCountChecker::processNonLeakError(ProgramStateRef St, 3317 SourceRange ErrorRange, 3318 RefVal::Kind ErrorKind, 3319 SymbolRef Sym, 3320 CheckerContext &C) const { 3321 ExplodedNode *N = C.generateSink(St); 3322 if (!N) 3323 return; 3324 3325 CFRefBug *BT; 3326 switch (ErrorKind) { 3327 default: 3328 llvm_unreachable("Unhandled error."); 3329 case RefVal::ErrorUseAfterRelease: 3330 if (!useAfterRelease) 3331 useAfterRelease.reset(new UseAfterRelease(this)); 3332 BT = &*useAfterRelease; 3333 break; 3334 case RefVal::ErrorReleaseNotOwned: 3335 if (!releaseNotOwned) 3336 releaseNotOwned.reset(new BadRelease(this)); 3337 BT = &*releaseNotOwned; 3338 break; 3339 case RefVal::ErrorDeallocGC: 3340 if (!deallocGC) 3341 deallocGC.reset(new DeallocGC(this)); 3342 BT = &*deallocGC; 3343 break; 3344 case RefVal::ErrorDeallocNotOwned: 3345 if (!deallocNotOwned) 3346 deallocNotOwned.reset(new DeallocNotOwned(this)); 3347 BT = &*deallocNotOwned; 3348 break; 3349 } 3350 3351 assert(BT); 3352 CFRefReport *report = new CFRefReport(*BT, C.getASTContext().getLangOpts(), 3353 C.isObjCGCEnabled(), SummaryLog, 3354 N, Sym); 3355 report->addRange(ErrorRange); 3356 C.emitReport(report); 3357} 3358 3359//===----------------------------------------------------------------------===// 3360// Handle the return values of retain-count-related functions. 3361//===----------------------------------------------------------------------===// 3362 3363bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 3364 // Get the callee. We're only interested in simple C functions. 3365 ProgramStateRef state = C.getState(); 3366 const FunctionDecl *FD = C.getCalleeDecl(CE); 3367 if (!FD) 3368 return false; 3369 3370 IdentifierInfo *II = FD->getIdentifier(); 3371 if (!II) 3372 return false; 3373 3374 // For now, we're only handling the functions that return aliases of their 3375 // arguments: CFRetain and CFMakeCollectable (and their families). 3376 // Eventually we should add other functions we can model entirely, 3377 // such as CFRelease, which don't invalidate their arguments or globals. 3378 if (CE->getNumArgs() != 1) 3379 return false; 3380 3381 // Get the name of the function. 3382 StringRef FName = II->getName(); 3383 FName = FName.substr(FName.find_first_not_of('_')); 3384 3385 // See if it's one of the specific functions we know how to eval. 3386 bool canEval = false; 3387 3388 QualType ResultTy = CE->getCallReturnType(C.getASTContext()); 3389 if (ResultTy->isObjCIdType()) { 3390 // Handle: id NSMakeCollectable(CFTypeRef) 3391 canEval = II->isStr("NSMakeCollectable"); 3392 } else if (ResultTy->isPointerType()) { 3393 // Handle: (CF|CG)Retain 3394 // CFAutorelease 3395 // CFMakeCollectable 3396 // It's okay to be a little sloppy here (CGMakeCollectable doesn't exist). 3397 if (cocoa::isRefType(ResultTy, "CF", FName) || 3398 cocoa::isRefType(ResultTy, "CG", FName)) { 3399 canEval = isRetain(FD, FName) || isAutorelease(FD, FName) || 3400 isMakeCollectable(FD, FName); 3401 } 3402 } 3403 3404 if (!canEval) 3405 return false; 3406 3407 // Bind the return value. 3408 const LocationContext *LCtx = C.getLocationContext(); 3409 SVal RetVal = state->getSVal(CE->getArg(0), LCtx); 3410 if (RetVal.isUnknown()) { 3411 // If the receiver is unknown, conjure a return value. 3412 SValBuilder &SVB = C.getSValBuilder(); 3413 RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount()); 3414 } 3415 state = state->BindExpr(CE, LCtx, RetVal, false); 3416 3417 // FIXME: This should not be necessary, but otherwise the argument seems to be 3418 // considered alive during the next statement. 3419 if (const MemRegion *ArgRegion = RetVal.getAsRegion()) { 3420 // Save the refcount status of the argument. 3421 SymbolRef Sym = RetVal.getAsLocSymbol(); 3422 const RefVal *Binding = nullptr; 3423 if (Sym) 3424 Binding = getRefBinding(state, Sym); 3425 3426 // Invalidate the argument region. 3427 state = state->invalidateRegions(ArgRegion, CE, C.blockCount(), LCtx, 3428 /*CausesPointerEscape*/ false); 3429 3430 // Restore the refcount status of the argument. 3431 if (Binding) 3432 state = setRefBinding(state, Sym, *Binding); 3433 } 3434 3435 C.addTransition(state); 3436 return true; 3437} 3438 3439//===----------------------------------------------------------------------===// 3440// Handle return statements. 3441//===----------------------------------------------------------------------===// 3442 3443void RetainCountChecker::checkPreStmt(const ReturnStmt *S, 3444 CheckerContext &C) const { 3445 3446 // Only adjust the reference count if this is the top-level call frame, 3447 // and not the result of inlining. In the future, we should do 3448 // better checking even for inlined calls, and see if they match 3449 // with their expected semantics (e.g., the method should return a retained 3450 // object, etc.). 3451 if (!C.inTopFrame()) 3452 return; 3453 3454 const Expr *RetE = S->getRetValue(); 3455 if (!RetE) 3456 return; 3457 3458 ProgramStateRef state = C.getState(); 3459 SymbolRef Sym = 3460 state->getSValAsScalarOrLoc(RetE, C.getLocationContext()).getAsLocSymbol(); 3461 if (!Sym) 3462 return; 3463 3464 // Get the reference count binding (if any). 3465 const RefVal *T = getRefBinding(state, Sym); 3466 if (!T) 3467 return; 3468 3469 // Change the reference count. 3470 RefVal X = *T; 3471 3472 switch (X.getKind()) { 3473 case RefVal::Owned: { 3474 unsigned cnt = X.getCount(); 3475 assert(cnt > 0); 3476 X.setCount(cnt - 1); 3477 X = X ^ RefVal::ReturnedOwned; 3478 break; 3479 } 3480 3481 case RefVal::NotOwned: { 3482 unsigned cnt = X.getCount(); 3483 if (cnt) { 3484 X.setCount(cnt - 1); 3485 X = X ^ RefVal::ReturnedOwned; 3486 } 3487 else { 3488 X = X ^ RefVal::ReturnedNotOwned; 3489 } 3490 break; 3491 } 3492 3493 default: 3494 return; 3495 } 3496 3497 // Update the binding. 3498 state = setRefBinding(state, Sym, X); 3499 ExplodedNode *Pred = C.addTransition(state); 3500 3501 // At this point we have updated the state properly. 3502 // Everything after this is merely checking to see if the return value has 3503 // been over- or under-retained. 3504 3505 // Did we cache out? 3506 if (!Pred) 3507 return; 3508 3509 // Update the autorelease counts. 3510 static CheckerProgramPointTag AutoreleaseTag(this, "Autorelease"); 3511 state = handleAutoreleaseCounts(state, Pred, &AutoreleaseTag, C, Sym, X); 3512 3513 // Did we cache out? 3514 if (!state) 3515 return; 3516 3517 // Get the updated binding. 3518 T = getRefBinding(state, Sym); 3519 assert(T); 3520 X = *T; 3521 3522 // Consult the summary of the enclosing method. 3523 RetainSummaryManager &Summaries = getSummaryManager(C); 3524 const Decl *CD = &Pred->getCodeDecl(); 3525 RetEffect RE = RetEffect::MakeNoRet(); 3526 3527 // FIXME: What is the convention for blocks? Is there one? 3528 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(CD)) { 3529 const RetainSummary *Summ = Summaries.getMethodSummary(MD); 3530 RE = Summ->getRetEffect(); 3531 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CD)) { 3532 if (!isa<CXXMethodDecl>(FD)) { 3533 const RetainSummary *Summ = Summaries.getFunctionSummary(FD); 3534 RE = Summ->getRetEffect(); 3535 } 3536 } 3537 3538 checkReturnWithRetEffect(S, C, Pred, RE, X, Sym, state); 3539} 3540 3541void RetainCountChecker::checkReturnWithRetEffect(const ReturnStmt *S, 3542 CheckerContext &C, 3543 ExplodedNode *Pred, 3544 RetEffect RE, RefVal X, 3545 SymbolRef Sym, 3546 ProgramStateRef state) const { 3547 // Any leaks or other errors? 3548 if (X.isReturnedOwned() && X.getCount() == 0) { 3549 if (RE.getKind() != RetEffect::NoRet) { 3550 bool hasError = false; 3551 if (C.isObjCGCEnabled() && RE.getObjKind() == RetEffect::ObjC) { 3552 // Things are more complicated with garbage collection. If the 3553 // returned object is suppose to be an Objective-C object, we have 3554 // a leak (as the caller expects a GC'ed object) because no 3555 // method should return ownership unless it returns a CF object. 3556 hasError = true; 3557 X = X ^ RefVal::ErrorGCLeakReturned; 3558 } 3559 else if (!RE.isOwned()) { 3560 // Either we are using GC and the returned object is a CF type 3561 // or we aren't using GC. In either case, we expect that the 3562 // enclosing method is expected to return ownership. 3563 hasError = true; 3564 X = X ^ RefVal::ErrorLeakReturned; 3565 } 3566 3567 if (hasError) { 3568 // Generate an error node. 3569 state = setRefBinding(state, Sym, X); 3570 3571 static CheckerProgramPointTag ReturnOwnLeakTag(this, "ReturnsOwnLeak"); 3572 ExplodedNode *N = C.addTransition(state, Pred, &ReturnOwnLeakTag); 3573 if (N) { 3574 const LangOptions &LOpts = C.getASTContext().getLangOpts(); 3575 bool GCEnabled = C.isObjCGCEnabled(); 3576 CFRefReport *report = 3577 new CFRefLeakReport(*getLeakAtReturnBug(LOpts, GCEnabled), 3578 LOpts, GCEnabled, SummaryLog, 3579 N, Sym, C, IncludeAllocationLine); 3580 3581 C.emitReport(report); 3582 } 3583 } 3584 } 3585 } else if (X.isReturnedNotOwned()) { 3586 if (RE.isOwned()) { 3587 if (X.getIvarAccessHistory() == 3588 RefVal::IvarAccessHistory::AccessedDirectly) { 3589 // Assume the method was trying to transfer a +1 reference from a 3590 // strong ivar to the caller. 3591 state = setRefBinding(state, Sym, 3592 X.releaseViaIvar() ^ RefVal::ReturnedOwned); 3593 } else { 3594 // Trying to return a not owned object to a caller expecting an 3595 // owned object. 3596 state = setRefBinding(state, Sym, X ^ RefVal::ErrorReturnedNotOwned); 3597 3598 static CheckerProgramPointTag 3599 ReturnNotOwnedTag(this, "ReturnNotOwnedForOwned"); 3600 3601 ExplodedNode *N = C.addTransition(state, Pred, &ReturnNotOwnedTag); 3602 if (N) { 3603 if (!returnNotOwnedForOwned) 3604 returnNotOwnedForOwned.reset(new ReturnedNotOwnedForOwned(this)); 3605 3606 CFRefReport *report = 3607 new CFRefReport(*returnNotOwnedForOwned, 3608 C.getASTContext().getLangOpts(), 3609 C.isObjCGCEnabled(), SummaryLog, N, Sym); 3610 C.emitReport(report); 3611 } 3612 } 3613 } 3614 } 3615} 3616 3617//===----------------------------------------------------------------------===// 3618// Check various ways a symbol can be invalidated. 3619//===----------------------------------------------------------------------===// 3620 3621void RetainCountChecker::checkBind(SVal loc, SVal val, const Stmt *S, 3622 CheckerContext &C) const { 3623 // Are we storing to something that causes the value to "escape"? 3624 bool escapes = true; 3625 3626 // A value escapes in three possible cases (this may change): 3627 // 3628 // (1) we are binding to something that is not a memory region. 3629 // (2) we are binding to a memregion that does not have stack storage 3630 // (3) we are binding to a memregion with stack storage that the store 3631 // does not understand. 3632 ProgramStateRef state = C.getState(); 3633 3634 if (Optional<loc::MemRegionVal> regionLoc = loc.getAs<loc::MemRegionVal>()) { 3635 escapes = !regionLoc->getRegion()->hasStackStorage(); 3636 3637 if (!escapes) { 3638 // To test (3), generate a new state with the binding added. If it is 3639 // the same state, then it escapes (since the store cannot represent 3640 // the binding). 3641 // Do this only if we know that the store is not supposed to generate the 3642 // same state. 3643 SVal StoredVal = state->getSVal(regionLoc->getRegion()); 3644 if (StoredVal != val) 3645 escapes = (state == (state->bindLoc(*regionLoc, val))); 3646 } 3647 if (!escapes) { 3648 // Case 4: We do not currently model what happens when a symbol is 3649 // assigned to a struct field, so be conservative here and let the symbol 3650 // go. TODO: This could definitely be improved upon. 3651 escapes = !isa<VarRegion>(regionLoc->getRegion()); 3652 } 3653 } 3654 3655 // If we are storing the value into an auto function scope variable annotated 3656 // with (__attribute__((cleanup))), stop tracking the value to avoid leak 3657 // false positives. 3658 if (const VarRegion *LVR = dyn_cast_or_null<VarRegion>(loc.getAsRegion())) { 3659 const VarDecl *VD = LVR->getDecl(); 3660 if (VD->hasAttr<CleanupAttr>()) { 3661 escapes = true; 3662 } 3663 } 3664 3665 // If our store can represent the binding and we aren't storing to something 3666 // that doesn't have local storage then just return and have the simulation 3667 // state continue as is. 3668 if (!escapes) 3669 return; 3670 3671 // Otherwise, find all symbols referenced by 'val' that we are tracking 3672 // and stop tracking them. 3673 state = state->scanReachableSymbols<StopTrackingCallback>(val).getState(); 3674 C.addTransition(state); 3675} 3676 3677ProgramStateRef RetainCountChecker::evalAssume(ProgramStateRef state, 3678 SVal Cond, 3679 bool Assumption) const { 3680 3681 // FIXME: We may add to the interface of evalAssume the list of symbols 3682 // whose assumptions have changed. For now we just iterate through the 3683 // bindings and check if any of the tracked symbols are NULL. This isn't 3684 // too bad since the number of symbols we will track in practice are 3685 // probably small and evalAssume is only called at branches and a few 3686 // other places. 3687 RefBindingsTy B = state->get<RefBindings>(); 3688 3689 if (B.isEmpty()) 3690 return state; 3691 3692 bool changed = false; 3693 RefBindingsTy::Factory &RefBFactory = state->get_context<RefBindings>(); 3694 3695 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3696 // Check if the symbol is null stop tracking the symbol. 3697 ConstraintManager &CMgr = state->getConstraintManager(); 3698 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 3699 if (AllocFailed.isConstrainedTrue()) { 3700 changed = true; 3701 B = RefBFactory.remove(B, I.getKey()); 3702 } 3703 } 3704 3705 if (changed) 3706 state = state->set<RefBindings>(B); 3707 3708 return state; 3709} 3710 3711ProgramStateRef 3712RetainCountChecker::checkRegionChanges(ProgramStateRef state, 3713 const InvalidatedSymbols *invalidated, 3714 ArrayRef<const MemRegion *> ExplicitRegions, 3715 ArrayRef<const MemRegion *> Regions, 3716 const CallEvent *Call) const { 3717 if (!invalidated) 3718 return state; 3719 3720 llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; 3721 for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), 3722 E = ExplicitRegions.end(); I != E; ++I) { 3723 if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>()) 3724 WhitelistedSymbols.insert(SR->getSymbol()); 3725 } 3726 3727 for (InvalidatedSymbols::const_iterator I=invalidated->begin(), 3728 E = invalidated->end(); I!=E; ++I) { 3729 SymbolRef sym = *I; 3730 if (WhitelistedSymbols.count(sym)) 3731 continue; 3732 // Remove any existing reference-count binding. 3733 state = removeRefBinding(state, sym); 3734 } 3735 return state; 3736} 3737 3738//===----------------------------------------------------------------------===// 3739// Handle dead symbols and end-of-path. 3740//===----------------------------------------------------------------------===// 3741 3742ProgramStateRef 3743RetainCountChecker::handleAutoreleaseCounts(ProgramStateRef state, 3744 ExplodedNode *Pred, 3745 const ProgramPointTag *Tag, 3746 CheckerContext &Ctx, 3747 SymbolRef Sym, RefVal V) const { 3748 unsigned ACnt = V.getAutoreleaseCount(); 3749 3750 // No autorelease counts? Nothing to be done. 3751 if (!ACnt) 3752 return state; 3753 3754 assert(!Ctx.isObjCGCEnabled() && "Autorelease counts in GC mode?"); 3755 unsigned Cnt = V.getCount(); 3756 3757 // FIXME: Handle sending 'autorelease' to already released object. 3758 3759 if (V.getKind() == RefVal::ReturnedOwned) 3760 ++Cnt; 3761 3762 // If we would over-release here, but we know the value came from an ivar, 3763 // assume it was a strong ivar that's just been relinquished. 3764 if (ACnt > Cnt && 3765 V.getIvarAccessHistory() == RefVal::IvarAccessHistory::AccessedDirectly) { 3766 V = V.releaseViaIvar(); 3767 --ACnt; 3768 } 3769 3770 if (ACnt <= Cnt) { 3771 if (ACnt == Cnt) { 3772 V.clearCounts(); 3773 if (V.getKind() == RefVal::ReturnedOwned) 3774 V = V ^ RefVal::ReturnedNotOwned; 3775 else 3776 V = V ^ RefVal::NotOwned; 3777 } else { 3778 V.setCount(V.getCount() - ACnt); 3779 V.setAutoreleaseCount(0); 3780 } 3781 return setRefBinding(state, Sym, V); 3782 } 3783 3784 // Woah! More autorelease counts then retain counts left. 3785 // Emit hard error. 3786 V = V ^ RefVal::ErrorOverAutorelease; 3787 state = setRefBinding(state, Sym, V); 3788 3789 ExplodedNode *N = Ctx.generateSink(state, Pred, Tag); 3790 if (N) { 3791 SmallString<128> sbuf; 3792 llvm::raw_svector_ostream os(sbuf); 3793 os << "Object was autoreleased "; 3794 if (V.getAutoreleaseCount() > 1) 3795 os << V.getAutoreleaseCount() << " times but the object "; 3796 else 3797 os << "but "; 3798 os << "has a +" << V.getCount() << " retain count"; 3799 3800 if (!overAutorelease) 3801 overAutorelease.reset(new OverAutorelease(this)); 3802 3803 const LangOptions &LOpts = Ctx.getASTContext().getLangOpts(); 3804 CFRefReport *report = 3805 new CFRefReport(*overAutorelease, LOpts, /* GCEnabled = */ false, 3806 SummaryLog, N, Sym, os.str()); 3807 Ctx.emitReport(report); 3808 } 3809 3810 return nullptr; 3811} 3812 3813ProgramStateRef 3814RetainCountChecker::handleSymbolDeath(ProgramStateRef state, 3815 SymbolRef sid, RefVal V, 3816 SmallVectorImpl<SymbolRef> &Leaked) const { 3817 bool hasLeak = false; 3818 if (V.isOwned()) 3819 hasLeak = true; 3820 else if (V.isNotOwned() || V.isReturnedOwned()) 3821 hasLeak = (V.getCount() > 0); 3822 3823 if (!hasLeak) 3824 return removeRefBinding(state, sid); 3825 3826 Leaked.push_back(sid); 3827 return setRefBinding(state, sid, V ^ RefVal::ErrorLeak); 3828} 3829 3830ExplodedNode * 3831RetainCountChecker::processLeaks(ProgramStateRef state, 3832 SmallVectorImpl<SymbolRef> &Leaked, 3833 CheckerContext &Ctx, 3834 ExplodedNode *Pred) const { 3835 // Generate an intermediate node representing the leak point. 3836 ExplodedNode *N = Ctx.addTransition(state, Pred); 3837 3838 if (N) { 3839 for (SmallVectorImpl<SymbolRef>::iterator 3840 I = Leaked.begin(), E = Leaked.end(); I != E; ++I) { 3841 3842 const LangOptions &LOpts = Ctx.getASTContext().getLangOpts(); 3843 bool GCEnabled = Ctx.isObjCGCEnabled(); 3844 CFRefBug *BT = Pred ? getLeakWithinFunctionBug(LOpts, GCEnabled) 3845 : getLeakAtReturnBug(LOpts, GCEnabled); 3846 assert(BT && "BugType not initialized."); 3847 3848 CFRefLeakReport *report = new CFRefLeakReport(*BT, LOpts, GCEnabled, 3849 SummaryLog, N, *I, Ctx, 3850 IncludeAllocationLine); 3851 Ctx.emitReport(report); 3852 } 3853 } 3854 3855 return N; 3856} 3857 3858void RetainCountChecker::checkEndFunction(CheckerContext &Ctx) const { 3859 ProgramStateRef state = Ctx.getState(); 3860 RefBindingsTy B = state->get<RefBindings>(); 3861 ExplodedNode *Pred = Ctx.getPredecessor(); 3862 3863 // Don't process anything within synthesized bodies. 3864 const LocationContext *LCtx = Pred->getLocationContext(); 3865 if (LCtx->getAnalysisDeclContext()->isBodyAutosynthesized()) { 3866 assert(LCtx->getParent()); 3867 return; 3868 } 3869 3870 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3871 state = handleAutoreleaseCounts(state, Pred, /*Tag=*/nullptr, Ctx, 3872 I->first, I->second); 3873 if (!state) 3874 return; 3875 } 3876 3877 // If the current LocationContext has a parent, don't check for leaks. 3878 // We will do that later. 3879 // FIXME: we should instead check for imbalances of the retain/releases, 3880 // and suggest annotations. 3881 if (LCtx->getParent()) 3882 return; 3883 3884 B = state->get<RefBindings>(); 3885 SmallVector<SymbolRef, 10> Leaked; 3886 3887 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) 3888 state = handleSymbolDeath(state, I->first, I->second, Leaked); 3889 3890 processLeaks(state, Leaked, Ctx, Pred); 3891} 3892 3893const ProgramPointTag * 3894RetainCountChecker::getDeadSymbolTag(SymbolRef sym) const { 3895 const CheckerProgramPointTag *&tag = DeadSymbolTags[sym]; 3896 if (!tag) { 3897 SmallString<64> buf; 3898 llvm::raw_svector_ostream out(buf); 3899 out << "Dead Symbol : "; 3900 sym->dumpToStream(out); 3901 tag = new CheckerProgramPointTag(this, out.str()); 3902 } 3903 return tag; 3904} 3905 3906void RetainCountChecker::checkDeadSymbols(SymbolReaper &SymReaper, 3907 CheckerContext &C) const { 3908 ExplodedNode *Pred = C.getPredecessor(); 3909 3910 ProgramStateRef state = C.getState(); 3911 RefBindingsTy B = state->get<RefBindings>(); 3912 SmallVector<SymbolRef, 10> Leaked; 3913 3914 // Update counts from autorelease pools 3915 for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(), 3916 E = SymReaper.dead_end(); I != E; ++I) { 3917 SymbolRef Sym = *I; 3918 if (const RefVal *T = B.lookup(Sym)){ 3919 // Use the symbol as the tag. 3920 // FIXME: This might not be as unique as we would like. 3921 const ProgramPointTag *Tag = getDeadSymbolTag(Sym); 3922 state = handleAutoreleaseCounts(state, Pred, Tag, C, Sym, *T); 3923 if (!state) 3924 return; 3925 3926 // Fetch the new reference count from the state, and use it to handle 3927 // this symbol. 3928 state = handleSymbolDeath(state, *I, *getRefBinding(state, Sym), Leaked); 3929 } 3930 } 3931 3932 if (Leaked.empty()) { 3933 C.addTransition(state); 3934 return; 3935 } 3936 3937 Pred = processLeaks(state, Leaked, C, Pred); 3938 3939 // Did we cache out? 3940 if (!Pred) 3941 return; 3942 3943 // Now generate a new node that nukes the old bindings. 3944 // The only bindings left at this point are the leaked symbols. 3945 RefBindingsTy::Factory &F = state->get_context<RefBindings>(); 3946 B = state->get<RefBindings>(); 3947 3948 for (SmallVectorImpl<SymbolRef>::iterator I = Leaked.begin(), 3949 E = Leaked.end(); 3950 I != E; ++I) 3951 B = F.remove(B, *I); 3952 3953 state = state->set<RefBindings>(B); 3954 C.addTransition(state, Pred); 3955} 3956 3957void RetainCountChecker::printState(raw_ostream &Out, ProgramStateRef State, 3958 const char *NL, const char *Sep) const { 3959 3960 RefBindingsTy B = State->get<RefBindings>(); 3961 3962 if (B.isEmpty()) 3963 return; 3964 3965 Out << Sep << NL; 3966 3967 for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 3968 Out << I->first << " : "; 3969 I->second.print(Out); 3970 Out << NL; 3971 } 3972} 3973 3974//===----------------------------------------------------------------------===// 3975// Checker registration. 3976//===----------------------------------------------------------------------===// 3977 3978void ento::registerRetainCountChecker(CheckerManager &Mgr) { 3979 Mgr.registerChecker<RetainCountChecker>(Mgr.getAnalyzerOptions()); 3980} 3981 3982//===----------------------------------------------------------------------===// 3983// Implementation of the CallEffects API. 3984//===----------------------------------------------------------------------===// 3985 3986namespace clang { namespace ento { namespace objc_retain { 3987 3988// This is a bit gross, but it allows us to populate CallEffects without 3989// creating a bunch of accessors. This kind is very localized, so the 3990// damage of this macro is limited. 3991#define createCallEffect(D, KIND)\ 3992 ASTContext &Ctx = D->getASTContext();\ 3993 LangOptions L = Ctx.getLangOpts();\ 3994 RetainSummaryManager M(Ctx, L.GCOnly, L.ObjCAutoRefCount);\ 3995 const RetainSummary *S = M.get ## KIND ## Summary(D);\ 3996 CallEffects CE(S->getRetEffect());\ 3997 CE.Receiver = S->getReceiverEffect();\ 3998 unsigned N = D->param_size();\ 3999 for (unsigned i = 0; i < N; ++i) {\ 4000 CE.Args.push_back(S->getArg(i));\ 4001 } 4002 4003CallEffects CallEffects::getEffect(const ObjCMethodDecl *MD) { 4004 createCallEffect(MD, Method); 4005 return CE; 4006} 4007 4008CallEffects CallEffects::getEffect(const FunctionDecl *FD) { 4009 createCallEffect(FD, Function); 4010 return CE; 4011} 4012 4013#undef createCallEffect 4014 4015}}} 4016