Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / clang / 74eed0ea03598cc5ef58b72fd5ed929631a11631 / . / lib / StaticAnalyzer / Checkers / BasicObjCFoundationChecks.cpp
blob: 2aad77020719a124dda70423b32c8df326c5de2c [file] [log] [blame]
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]1//== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines BasicObjCFoundationChecks, a class that encapsulates
11// a set of simple checks to run on Objective-C code using Apple's Foundation
12// classes.
13//
14//===----------------------------------------------------------------------===//
15
Ted Kremenek52755612008-03-27 17:17:22 +0000[diff] [blame]16#include "BasicObjCFoundationChecks.h"
17
Argyrios Kyrtzidis0b1ba622011-02-16 01:40:52 +0000[diff] [blame]18#include "ClangSACheckers.h"
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]19#include "clang/StaticAnalyzer/Core/CheckerV2.h"
Argyrios Kyrtzidis695fb502011-02-17 21:39:17 +0000[diff] [blame]20#include "clang/StaticAnalyzer/Core/CheckerManager.h"
Ted Kremenek9b663712011-02-10 01:03:03 +0000[diff] [blame]21#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerVisitor.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/GRState.h"
25#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerVisitor.h"
Ted Kremenek21142582010-12-23 19:38:26 +0000[diff] [blame]28#include "clang/StaticAnalyzer/Checkers/LocalCheckers.h"
Daniel Dunbarc4a1dea2008-08-11 05:35:13 +0000[diff] [blame]29#include "clang/AST/DeclObjC.h"
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]30#include "clang/AST/Expr.h"
Steve Narofff494b572008-05-29 21:12:08 +0000[diff] [blame]31#include "clang/AST/ExprObjC.h"
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]32#include "clang/AST/ASTContext.h"
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]33
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]34using namespace clang;
Ted Kremenek9ef65372010-12-23 07:20:52 +0000[diff] [blame]35using namespace ento;
Ted Kremenek52755612008-03-27 17:17:22 +0000[diff] [blame]36
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]37namespace {
38class APIMisuse : public BugType {
39public:
40 APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {}
41};
42} // end anonymous namespace
43
44//===----------------------------------------------------------------------===//
45// Utility functions.
46//===----------------------------------------------------------------------===//
47
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]48static const ObjCInterfaceType* GetReceiverType(const ObjCMessage &msg) {
49 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
Argyrios Kyrtzidis090c47b2011-01-25 00:03:45 +0000[diff] [blame]50 return ID->getTypeForDecl()->getAs<ObjCInterfaceType>();
Ted Kremenekc1ff3cd2008-04-30 22:48:21 +0000[diff] [blame]51 return NULL;
Ted Kremenek4ba62832008-03-27 22:05:32 +0000[diff] [blame]52}
53
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]54static const char* GetReceiverNameType(const ObjCMessage &msg) {
55 if (const ObjCInterfaceType *ReceiverType = GetReceiverType(msg))
Daniel Dunbare013d682009-10-18 20:26:12 +0000[diff] [blame]56 return ReceiverType->getDecl()->getIdentifier()->getNameStart();
57 return NULL;
Ted Kremenek4ba62832008-03-27 22:05:32 +0000[diff] [blame]58}
Ted Kremenek52755612008-03-27 17:17:22 +0000[diff] [blame]59
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]60static bool isNSString(llvm::StringRef ClassName) {
61 return ClassName == "NSString" || ClassName == "NSMutableString";
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]62}
63
Zhongxing Xu1c96b242008-10-17 05:57:07 +0000[diff] [blame]64static inline bool isNil(SVal X) {
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]65 return isa<loc::ConcreteInt>(X);
Ted Kremeneke5d5c202008-03-27 21:15:17 +0000[diff] [blame]66}
67
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]68//===----------------------------------------------------------------------===//
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]69// NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]70//===----------------------------------------------------------------------===//
71
Benjamin Kramercb9c0742010-10-22 16:33:16 +0000[diff] [blame]72namespace {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]73 class NilArgChecker : public CheckerV2<check::PreObjCMessage> {
74 mutable llvm::OwningPtr<APIMisuse> BT;
75
76 void WarnNilArg(CheckerContext &C,
77 const ObjCMessage &msg, unsigned Arg) const;
78
Benjamin Kramercb9c0742010-10-22 16:33:16 +0000[diff] [blame]79 public:
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]80 void checkPreObjCMessage(ObjCMessage msg, CheckerContext &C) const;
Benjamin Kramercb9c0742010-10-22 16:33:16 +0000[diff] [blame]81 };
82}
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]83
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]84void NilArgChecker::WarnNilArg(CheckerContext &C,
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]85 const ObjCMessage &msg,
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]86 unsigned int Arg) const
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]87{
88 if (!BT)
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]89 BT.reset(new APIMisuse("nil argument"));
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]90
Ted Kremenekd048c6e2010-12-20 21:19:09 +0000[diff] [blame]91 if (ExplodedNode *N = C.generateSink()) {
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]92 llvm::SmallString<128> sbuf;
93 llvm::raw_svector_ostream os(sbuf);
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]94 os << "Argument to '" << GetReceiverNameType(msg) << "' method '"
95 << msg.getSelector().getAsString() << "' cannot be nil";
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]96
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]97 RangedBugReport *R = new RangedBugReport(*BT, os.str(), N);
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]98 R->addRange(msg.getArgSourceRange(Arg));
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]99 C.EmitReport(R);
Ted Kremenek4ba62832008-03-27 22:05:32 +0000[diff] [blame]100 }
Ted Kremenek4ba62832008-03-27 22:05:32 +0000[diff] [blame]101}
102
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]103void NilArgChecker::checkPreObjCMessage(ObjCMessage msg,
104 CheckerContext &C) const {
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]105 const ObjCInterfaceType *ReceiverType = GetReceiverType(msg);
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]106 if (!ReceiverType)
107 return;
108
109 if (isNSString(ReceiverType->getDecl()->getIdentifier()->getName())) {
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]110 Selector S = msg.getSelector();
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]111
112 if (S.isUnarySelector())
113 return;
114
115 // FIXME: This is going to be really slow doing these checks with
116 // lexical comparisons.
117
118 std::string NameStr = S.getAsString();
119 llvm::StringRef Name(NameStr);
120 assert(!Name.empty());
121
122 // FIXME: Checking for initWithFormat: will not work in most cases
123 // yet because [NSString alloc] returns id, not NSString*. We will
124 // need support for tracking expected-type information in the analyzer
125 // to find these errors.
126 if (Name == "caseInsensitiveCompare:" ||
127 Name == "compare:" ||
128 Name == "compare:options:" ||
129 Name == "compare:options:range:" ||
130 Name == "compare:options:range:locale:" ||
131 Name == "componentsSeparatedByCharactersInSet:" ||
132 Name == "initWithFormat:") {
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]133 if (isNil(msg.getArgSVal(0, C.getState())))
134 WarnNilArg(C, msg, 0);
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]135 }
136 }
Ted Kremenek99c6ad32008-03-27 07:25:52 +0000[diff] [blame]137}
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]138
139//===----------------------------------------------------------------------===//
140// Error reporting.
141//===----------------------------------------------------------------------===//
142
143namespace {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]144class CFNumberCreateChecker : public CheckerV2< check::PreStmt<CallExpr> > {
145 mutable llvm::OwningPtr<APIMisuse> BT;
146 mutable IdentifierInfo* II;
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]147public:
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]148 CFNumberCreateChecker() : II(0) {}
149
150 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
151
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]152private:
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]153 void EmitError(const TypedRegion* R, const Expr* Ex,
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]154 uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]155};
156} // end anonymous namespace
157
158enum CFNumberType {
159 kCFNumberSInt8Type = 1,
160 kCFNumberSInt16Type = 2,
161 kCFNumberSInt32Type = 3,
162 kCFNumberSInt64Type = 4,
163 kCFNumberFloat32Type = 5,
164 kCFNumberFloat64Type = 6,
165 kCFNumberCharType = 7,
166 kCFNumberShortType = 8,
167 kCFNumberIntType = 9,
168 kCFNumberLongType = 10,
169 kCFNumberLongLongType = 11,
170 kCFNumberFloatType = 12,
171 kCFNumberDoubleType = 13,
172 kCFNumberCFIndexType = 14,
173 kCFNumberNSIntegerType = 15,
174 kCFNumberCGFloatType = 16
175};
176
177namespace {
178 template<typename T>
179 class Optional {
180 bool IsKnown;
181 T Val;
182 public:
183 Optional() : IsKnown(false), Val(0) {}
184 Optional(const T& val) : IsKnown(true), Val(val) {}
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]185
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]186 bool isKnown() const { return IsKnown; }
187
188 const T& getValue() const {
189 assert (isKnown());
190 return Val;
191 }
192
193 operator const T&() const {
194 return getValue();
195 }
196 };
197}
198
199static Optional<uint64_t> GetCFNumberSize(ASTContext& Ctx, uint64_t i) {
Nuno Lopes2550d702009-12-23 17:49:57 +0000[diff] [blame]200 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]201
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]202 if (i < kCFNumberCharType)
203 return FixedSize[i-1];
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]204
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]205 QualType T;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]206
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]207 switch (i) {
208 case kCFNumberCharType: T = Ctx.CharTy; break;
209 case kCFNumberShortType: T = Ctx.ShortTy; break;
210 case kCFNumberIntType: T = Ctx.IntTy; break;
211 case kCFNumberLongType: T = Ctx.LongTy; break;
212 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
213 case kCFNumberFloatType: T = Ctx.FloatTy; break;
214 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
215 case kCFNumberCFIndexType:
216 case kCFNumberNSIntegerType:
217 case kCFNumberCGFloatType:
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]218 // FIXME: We need a way to map from names to Type*.
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]219 default:
220 return Optional<uint64_t>();
221 }
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]222
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]223 return Ctx.getTypeSize(T);
224}
225
226#if 0
227static const char* GetCFNumberTypeStr(uint64_t i) {
228 static const char* Names[] = {
229 "kCFNumberSInt8Type",
230 "kCFNumberSInt16Type",
231 "kCFNumberSInt32Type",
232 "kCFNumberSInt64Type",
233 "kCFNumberFloat32Type",
234 "kCFNumberFloat64Type",
235 "kCFNumberCharType",
236 "kCFNumberShortType",
237 "kCFNumberIntType",
238 "kCFNumberLongType",
239 "kCFNumberLongLongType",
240 "kCFNumberFloatType",
241 "kCFNumberDoubleType",
242 "kCFNumberCFIndexType",
243 "kCFNumberNSIntegerType",
244 "kCFNumberCGFloatType"
245 };
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]246
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]247 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
248}
249#endif
250
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]251void CFNumberCreateChecker::checkPreStmt(const CallExpr *CE,
252 CheckerContext &C) const {
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]253 const Expr* Callee = CE->getCallee();
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]254 const GRState *state = C.getState();
255 SVal CallV = state->getSVal(Callee);
Zhongxing Xu369f4472009-04-20 05:24:46 +0000[diff] [blame]256 const FunctionDecl* FD = CallV.getAsFunctionDecl();
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]257
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]258 if (!FD)
259 return;
260
261 ASTContext &Ctx = C.getASTContext();
262 if (!II)
263 II = &Ctx.Idents.get("CFNumberCreate");
264
265 if (FD->getIdentifier() != II || CE->getNumArgs() != 3)
266 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]267
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]268 // Get the value of the "theType" argument.
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]269 SVal TheTypeVal = state->getSVal(CE->getArg(1));
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]270
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]271 // FIXME: We really should allow ranges of valid theType values, and
272 // bifurcate the state appropriately.
Zhongxing Xu1c96b242008-10-17 05:57:07 +0000[diff] [blame]273 nonloc::ConcreteInt* V = dyn_cast<nonloc::ConcreteInt>(&TheTypeVal);
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]274 if (!V)
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]275 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]276
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]277 uint64_t NumberKind = V->getValue().getLimitedValue();
278 Optional<uint64_t> TargetSize = GetCFNumberSize(Ctx, NumberKind);
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]279
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]280 // FIXME: In some cases we can emit an error.
281 if (!TargetSize.isKnown())
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]282 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]283
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]284 // Look at the value of the integer being passed by reference. Essentially
285 // we want to catch cases where the value passed in is not equal to the
286 // size of the type being created.
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]287 SVal TheValueExpr = state->getSVal(CE->getArg(2));
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]288
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]289 // FIXME: Eventually we should handle arbitrary locations. We can do this
290 // by having an enhanced memory model that does low-level typing.
Zhongxing Xu1c96b242008-10-17 05:57:07 +0000[diff] [blame]291 loc::MemRegionVal* LV = dyn_cast<loc::MemRegionVal>(&TheValueExpr);
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]292 if (!LV)
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]293 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]294
Zhanyong Wan7dfc9422011-02-16 21:13:32 +0000[diff] [blame]295 const TypedRegion* R = dyn_cast<TypedRegion>(LV->stripCasts());
Ted Kremenek5e77eba2009-07-29 18:17:40 +0000[diff] [blame]296 if (!R)
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]297 return;
Ted Kremenek5e77eba2009-07-29 18:17:40 +0000[diff] [blame]298
Zhongxing Xu018220c2010-08-11 06:10:55 +0000[diff] [blame]299 QualType T = Ctx.getCanonicalType(R->getValueType());
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]300
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]301 // FIXME: If the pointee isn't an integer type, should we flag a warning?
302 // People can do weird stuff with pointers.
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]303
304 if (!T->isIntegerType())
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]305 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]306
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]307 uint64_t SourceSize = Ctx.getTypeSize(T);
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]308
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]309 // CHECK: is SourceSize == TargetSize
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]310 if (SourceSize == TargetSize)
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]311 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]312
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]313 // Generate an error. Only generate a sink if 'SourceSize < TargetSize';
314 // otherwise generate a regular node.
315 //
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]316 // FIXME: We can actually create an abstract "CFNumber" object that has
317 // the bits initialized to the provided values.
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]318 //
Ted Kremenekd048c6e2010-12-20 21:19:09 +0000[diff] [blame]319 if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
320 : C.generateNode()) {
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]321 llvm::SmallString<128> sbuf;
322 llvm::raw_svector_ostream os(sbuf);
323
324 os << (SourceSize == 8 ? "An " : "A ")
325 << SourceSize << " bit integer is used to initialize a CFNumber "
326 "object that represents "
327 << (TargetSize == 8 ? "an " : "a ")
328 << TargetSize << " bit integer. ";
329
330 if (SourceSize < TargetSize)
331 os << (TargetSize - SourceSize)
332 << " bits of the CFNumber value will be garbage." ;
333 else
334 os << (SourceSize - TargetSize)
335 << " bits of the input integer will be lost.";
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]336
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]337 if (!BT)
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]338 BT.reset(new APIMisuse("Bad use of CFNumberCreate"));
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]339
340 RangedBugReport *report = new RangedBugReport(*BT, os.str(), N);
341 report->addRange(CE->getArg(2)->getSourceRange());
342 C.EmitReport(report);
343 }
Ted Kremenek04bc8762008-06-26 23:59:48 +0000[diff] [blame]344}
345
Ted Kremenek78d46242008-07-22 16:21:24 +0000[diff] [blame]346//===----------------------------------------------------------------------===//
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]347// CFRetain/CFRelease checking for null arguments.
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]348//===----------------------------------------------------------------------===//
349
350namespace {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]351class CFRetainReleaseChecker : public CheckerV2< check::PreStmt<CallExpr> > {
352 mutable llvm::OwningPtr<APIMisuse> BT;
353 mutable IdentifierInfo *Retain, *Release;
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]354public:
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]355 CFRetainReleaseChecker(): Retain(0), Release(0) {}
356 void checkPreStmt(const CallExpr* CE, CheckerContext& C) const;
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]357};
358} // end anonymous namespace
359
360
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]361void CFRetainReleaseChecker::checkPreStmt(const CallExpr* CE,
362 CheckerContext& C) const {
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]363 // If the CallExpr doesn't have exactly 1 argument just give up checking.
364 if (CE->getNumArgs() != 1)
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]365 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]366
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]367 // Get the function declaration of the callee.
368 const GRState* state = C.getState();
Ted Kremenek13976632010-02-08 16:18:51 +0000[diff] [blame]369 SVal X = state->getSVal(CE->getCallee());
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]370 const FunctionDecl* FD = X.getAsFunctionDecl();
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]371
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]372 if (!FD)
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]373 return;
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]374
375 if (!BT) {
376 ASTContext &Ctx = C.getASTContext();
377 Retain = &Ctx.Idents.get("CFRetain");
378 Release = &Ctx.Idents.get("CFRelease");
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]379 BT.reset(new APIMisuse("null passed to CFRetain/CFRelease"));
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]380 }
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]381
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]382 // Check if we called CFRetain/CFRelease.
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]383 const IdentifierInfo *FuncII = FD->getIdentifier();
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]384 if (!(FuncII == Retain || FuncII == Release))
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]385 return;
Mike Stump1eb44332009-09-09 15:08:12 +0000[diff] [blame]386
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]387 // FIXME: The rest of this just checks that the argument is non-null.
388 // It should probably be refactored and combined with AttrNonNullChecker.
389
390 // Get the argument's value.
391 const Expr *Arg = CE->getArg(0);
392 SVal ArgVal = state->getSVal(Arg);
393 DefinedSVal *DefArgVal = dyn_cast<DefinedSVal>(&ArgVal);
394 if (!DefArgVal)
395 return;
396
397 // Get a NULL value.
Ted Kremenekc8413fd2010-12-02 07:49:45 +0000[diff] [blame]398 SValBuilder &svalBuilder = C.getSValBuilder();
399 DefinedSVal zero = cast<DefinedSVal>(svalBuilder.makeZeroVal(Arg->getType()));
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]400
401 // Make an expression asserting that they're equal.
Ted Kremenekc8413fd2010-12-02 07:49:45 +0000[diff] [blame]402 DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]403
404 // Are they equal?
405 const GRState *stateTrue, *stateFalse;
Ted Kremenek28f47b92010-12-01 22:16:56 +0000[diff] [blame]406 llvm::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]407
408 if (stateTrue && !stateFalse) {
Ted Kremenekd048c6e2010-12-20 21:19:09 +0000[diff] [blame]409 ExplodedNode *N = C.generateSink(stateTrue);
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]410 if (!N)
411 return;
412
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]413 const char *description = (FuncII == Retain)
414 ? "Null pointer argument in call to CFRetain"
415 : "Null pointer argument in call to CFRelease";
416
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]417 EnhancedBugReport *report = new EnhancedBugReport(*BT, description, N);
418 report->addRange(Arg->getSourceRange());
419 report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Arg);
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]420 C.EmitReport(report);
421 return;
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]422 }
423
Jordy Rose61fb55c2010-07-06 02:34:42 +0000[diff] [blame]424 // From here on, we know the argument is non-null.
425 C.addTransition(stateFalse);
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]426}
427
428//===----------------------------------------------------------------------===//
Ted Kremenek50e837b2009-11-20 05:27:05 +0000[diff] [blame]429// Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
430//===----------------------------------------------------------------------===//
431
432namespace {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]433class ClassReleaseChecker : public CheckerV2<check::PreObjCMessage> {
434 mutable Selector releaseS;
435 mutable Selector retainS;
436 mutable Selector autoreleaseS;
437 mutable Selector drainS;
438 mutable llvm::OwningPtr<BugType> BT;
Ted Kremenek50e837b2009-11-20 05:27:05 +0000[diff] [blame]439
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]440public:
441 void checkPreObjCMessage(ObjCMessage msg, CheckerContext &C) const;
Ted Kremenek50e837b2009-11-20 05:27:05 +0000[diff] [blame]442};
443}
444
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]445void ClassReleaseChecker::checkPreObjCMessage(ObjCMessage msg,
446 CheckerContext &C) const {
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]447
448 if (!BT) {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]449 BT.reset(new APIMisuse("message incorrectly sent to class instead of class "
450 "instance"));
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]451
452 ASTContext &Ctx = C.getASTContext();
453 releaseS = GetNullarySelector("release", Ctx);
454 retainS = GetNullarySelector("retain", Ctx);
455 autoreleaseS = GetNullarySelector("autorelease", Ctx);
456 drainS = GetNullarySelector("drain", Ctx);
457 }
458
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]459 if (msg.isInstanceMessage())
Ted Kremenek50e837b2009-11-20 05:27:05 +0000[diff] [blame]460 return;
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]461 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
462 assert(Class);
Douglas Gregor04badcf2010-04-21 00:45:42 +0000[diff] [blame]463
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]464 Selector S = msg.getSelector();
Benjamin Kramer921ddc42009-11-20 10:03:00 +0000[diff] [blame]465 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
Ted Kremenek50e837b2009-11-20 05:27:05 +0000[diff] [blame]466 return;
467
Ted Kremenekd048c6e2010-12-20 21:19:09 +0000[diff] [blame]468 if (ExplodedNode *N = C.generateNode()) {
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]469 llvm::SmallString<200> buf;
470 llvm::raw_svector_ostream os(buf);
Ted Kremenek19d67b52009-11-23 22:22:01 +0000[diff] [blame]471
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]472 os << "The '" << S.getAsString() << "' message should be sent to instances "
473 "of class '" << Class->getName()
474 << "' and not the class directly";
Ted Kremenek50e837b2009-11-20 05:27:05 +0000[diff] [blame]475
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]476 RangedBugReport *report = new RangedBugReport(*BT, os.str(), N);
Argyrios Kyrtzidis432424d2011-01-25 00:03:53 +0000[diff] [blame]477 report->addRange(msg.getSourceRange());
Ted Kremenek2ce2baa2010-10-20 23:38:56 +0000[diff] [blame]478 C.EmitReport(report);
479 }
Ted Kremenek50e837b2009-11-20 05:27:05 +0000[diff] [blame]480}
481
482//===----------------------------------------------------------------------===//
Ted Kremenek78d46242008-07-22 16:21:24 +0000[diff] [blame]483// Check registration.
Ted Kremenek79b4f7d2009-07-14 00:43:42 +0000[diff] [blame]484//===----------------------------------------------------------------------===//
Argyrios Kyrtzidis0b1ba622011-02-16 01:40:52 +0000[diff] [blame]485
Argyrios Kyrtzidis695fb502011-02-17 21:39:17 +0000[diff] [blame]486void ento::registerNilArgChecker(CheckerManager &mgr) {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]487 mgr.registerChecker<NilArgChecker>();
Argyrios Kyrtzidis0b1ba622011-02-16 01:40:52 +0000[diff] [blame]488}
489
Argyrios Kyrtzidis695fb502011-02-17 21:39:17 +0000[diff] [blame]490void ento::registerCFNumberCreateChecker(CheckerManager &mgr) {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]491 mgr.registerChecker<CFNumberCreateChecker>();
Argyrios Kyrtzidis0b1ba622011-02-16 01:40:52 +0000[diff] [blame]492}
493
Argyrios Kyrtzidis695fb502011-02-17 21:39:17 +0000[diff] [blame]494void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]495 mgr.registerChecker<CFRetainReleaseChecker>();
Ted Kremenek78d46242008-07-22 16:21:24 +0000[diff] [blame]496}
Argyrios Kyrtzidis695fb502011-02-17 21:39:17 +0000[diff] [blame]497
498void ento::registerClassReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidis74eed0e2011-02-23 00:16:10 +0000[diff] [blame^]499 mgr.registerChecker<ClassReleaseChecker>();
Argyrios Kyrtzidis695fb502011-02-17 21:39:17 +0000[diff] [blame]500}