Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / 37ab726d63b282300499a5f7d603a888a8e84381 / . / clang / lib / StaticAnalyzer / Checkers / BasicObjCFoundationChecks.cpp
blob: 8fa7e24cab006c477d4a034b28cd26276e70c7ea [file] [log] [blame]
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]1//== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines BasicObjCFoundationChecks, a class that encapsulates
11// a set of simple checks to run on Objective-C code using Apple's Foundation
12// classes.
13//
14//===----------------------------------------------------------------------===//
15
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]16#include "BasicObjCFoundationChecks.h"
17
Ted Kremenekd99bd552010-12-23 19:38:26 +0000[diff] [blame]18#include "clang/StaticAnalyzer/PathSensitive/ExplodedGraph.h"
19#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
20#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
21#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
22#include "clang/StaticAnalyzer/BugReporter/BugType.h"
23#include "clang/StaticAnalyzer/PathSensitive/MemRegion.h"
24#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
25#include "clang/StaticAnalyzer/Checkers/LocalCheckers.h"
Daniel Dunbar6e8aa532008-08-11 05:35:13 +0000[diff] [blame]26#include "clang/AST/DeclObjC.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]27#include "clang/AST/Expr.h"
Steve Naroff021ca182008-05-29 21:12:08 +0000[diff] [blame]28#include "clang/AST/ExprObjC.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]29#include "clang/AST/ASTContext.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]30
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]31using namespace clang;
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]32using namespace ento;
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]33
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]34namespace {
35class APIMisuse : public BugType {
36public:
37 APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {}
38};
39} // end anonymous namespace
40
41//===----------------------------------------------------------------------===//
42// Utility functions.
43//===----------------------------------------------------------------------===//
44
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]45static const ObjCInterfaceType* GetReceiverType(const ObjCMessage &msg) {
46 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
Argyrios Kyrtzidis8e169a52011-01-25 00:03:45 +0000[diff] [blame]47 return ID->getTypeForDecl()->getAs<ObjCInterfaceType>();
Ted Kremenekf20e2282008-04-30 22:48:21 +0000[diff] [blame]48 return NULL;
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]49}
50
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]51static const char* GetReceiverNameType(const ObjCMessage &msg) {
52 if (const ObjCInterfaceType *ReceiverType = GetReceiverType(msg))
Daniel Dunbar2c422dc92009-10-18 20:26:12 +0000[diff] [blame]53 return ReceiverType->getDecl()->getIdentifier()->getNameStart();
54 return NULL;
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]55}
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]56
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]57static bool isNSString(llvm::StringRef ClassName) {
58 return ClassName == "NSString" || ClassName == "NSMutableString";
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]59}
60
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]61static inline bool isNil(SVal X) {
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]62 return isa<loc::ConcreteInt>(X);
Ted Kremenek27156c82008-03-27 21:15:17 +0000[diff] [blame]63}
64
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]65//===----------------------------------------------------------------------===//
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]66// NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]67//===----------------------------------------------------------------------===//
68
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]69namespace {
70 class NilArgChecker : public CheckerVisitor<NilArgChecker> {
71 APIMisuse *BT;
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]72 void WarnNilArg(CheckerContext &C, const ObjCMessage &msg, unsigned Arg);
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]73 public:
74 NilArgChecker() : BT(0) {}
75 static void *getTag() { static int x = 0; return &x; }
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]76 void preVisitObjCMessage(CheckerContext &C, ObjCMessage msg);
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]77 };
78}
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]79
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]80void NilArgChecker::WarnNilArg(CheckerContext &C,
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]81 const ObjCMessage &msg,
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]82 unsigned int Arg)
83{
84 if (!BT)
85 BT = new APIMisuse("nil argument");
86
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]87 if (ExplodedNode *N = C.generateSink()) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]88 llvm::SmallString<128> sbuf;
89 llvm::raw_svector_ostream os(sbuf);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]90 os << "Argument to '" << GetReceiverNameType(msg) << "' method '"
91 << msg.getSelector().getAsString() << "' cannot be nil";
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]92
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]93 RangedBugReport *R = new RangedBugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]94 R->addRange(msg.getArgSourceRange(Arg));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]95 C.EmitReport(R);
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]96 }
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]97}
98
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]99void NilArgChecker::preVisitObjCMessage(CheckerContext &C,
100 ObjCMessage msg)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]101{
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]102 const ObjCInterfaceType *ReceiverType = GetReceiverType(msg);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]103 if (!ReceiverType)
104 return;
105
106 if (isNSString(ReceiverType->getDecl()->getIdentifier()->getName())) {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]107 Selector S = msg.getSelector();
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]108
109 if (S.isUnarySelector())
110 return;
111
112 // FIXME: This is going to be really slow doing these checks with
113 // lexical comparisons.
114
115 std::string NameStr = S.getAsString();
116 llvm::StringRef Name(NameStr);
117 assert(!Name.empty());
118
119 // FIXME: Checking for initWithFormat: will not work in most cases
120 // yet because [NSString alloc] returns id, not NSString*. We will
121 // need support for tracking expected-type information in the analyzer
122 // to find these errors.
123 if (Name == "caseInsensitiveCompare:" ||
124 Name == "compare:" ||
125 Name == "compare:options:" ||
126 Name == "compare:options:range:" ||
127 Name == "compare:options:range:locale:" ||
128 Name == "componentsSeparatedByCharactersInSet:" ||
129 Name == "initWithFormat:") {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]130 if (isNil(msg.getArgSVal(0, C.getState())))
131 WarnNilArg(C, msg, 0);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]132 }
133 }
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]134}
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]135
136//===----------------------------------------------------------------------===//
137// Error reporting.
138//===----------------------------------------------------------------------===//
139
140namespace {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]141class CFNumberCreateChecker : public CheckerVisitor<CFNumberCreateChecker> {
Ted Kremenekfc5d0672009-02-04 23:49:09 +0000[diff] [blame]142 APIMisuse* BT;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]143 IdentifierInfo* II;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]144public:
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]145 CFNumberCreateChecker() : BT(0), II(0) {}
146 ~CFNumberCreateChecker() {}
147 static void *getTag() { static int x = 0; return &x; }
148 void PreVisitCallExpr(CheckerContext &C, const CallExpr *CE);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]149private:
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]150 void EmitError(const TypedRegion* R, const Expr* Ex,
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]151 uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]152};
153} // end anonymous namespace
154
155enum CFNumberType {
156 kCFNumberSInt8Type = 1,
157 kCFNumberSInt16Type = 2,
158 kCFNumberSInt32Type = 3,
159 kCFNumberSInt64Type = 4,
160 kCFNumberFloat32Type = 5,
161 kCFNumberFloat64Type = 6,
162 kCFNumberCharType = 7,
163 kCFNumberShortType = 8,
164 kCFNumberIntType = 9,
165 kCFNumberLongType = 10,
166 kCFNumberLongLongType = 11,
167 kCFNumberFloatType = 12,
168 kCFNumberDoubleType = 13,
169 kCFNumberCFIndexType = 14,
170 kCFNumberNSIntegerType = 15,
171 kCFNumberCGFloatType = 16
172};
173
174namespace {
175 template<typename T>
176 class Optional {
177 bool IsKnown;
178 T Val;
179 public:
180 Optional() : IsKnown(false), Val(0) {}
181 Optional(const T& val) : IsKnown(true), Val(val) {}
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]182
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]183 bool isKnown() const { return IsKnown; }
184
185 const T& getValue() const {
186 assert (isKnown());
187 return Val;
188 }
189
190 operator const T&() const {
191 return getValue();
192 }
193 };
194}
195
196static Optional<uint64_t> GetCFNumberSize(ASTContext& Ctx, uint64_t i) {
Nuno Lopescfca1f02009-12-23 17:49:57 +0000[diff] [blame]197 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]198
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]199 if (i < kCFNumberCharType)
200 return FixedSize[i-1];
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]201
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]202 QualType T;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]203
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]204 switch (i) {
205 case kCFNumberCharType: T = Ctx.CharTy; break;
206 case kCFNumberShortType: T = Ctx.ShortTy; break;
207 case kCFNumberIntType: T = Ctx.IntTy; break;
208 case kCFNumberLongType: T = Ctx.LongTy; break;
209 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
210 case kCFNumberFloatType: T = Ctx.FloatTy; break;
211 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
212 case kCFNumberCFIndexType:
213 case kCFNumberNSIntegerType:
214 case kCFNumberCGFloatType:
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]215 // FIXME: We need a way to map from names to Type*.
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]216 default:
217 return Optional<uint64_t>();
218 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]219
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]220 return Ctx.getTypeSize(T);
221}
222
223#if 0
224static const char* GetCFNumberTypeStr(uint64_t i) {
225 static const char* Names[] = {
226 "kCFNumberSInt8Type",
227 "kCFNumberSInt16Type",
228 "kCFNumberSInt32Type",
229 "kCFNumberSInt64Type",
230 "kCFNumberFloat32Type",
231 "kCFNumberFloat64Type",
232 "kCFNumberCharType",
233 "kCFNumberShortType",
234 "kCFNumberIntType",
235 "kCFNumberLongType",
236 "kCFNumberLongLongType",
237 "kCFNumberFloatType",
238 "kCFNumberDoubleType",
239 "kCFNumberCFIndexType",
240 "kCFNumberNSIntegerType",
241 "kCFNumberCGFloatType"
242 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]243
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]244 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
245}
246#endif
247
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]248void CFNumberCreateChecker::PreVisitCallExpr(CheckerContext &C,
249 const CallExpr *CE)
250{
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]251 const Expr* Callee = CE->getCallee();
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]252 const GRState *state = C.getState();
253 SVal CallV = state->getSVal(Callee);
Zhongxing Xuac129432009-04-20 05:24:46 +0000[diff] [blame]254 const FunctionDecl* FD = CallV.getAsFunctionDecl();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]255
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]256 if (!FD)
257 return;
258
259 ASTContext &Ctx = C.getASTContext();
260 if (!II)
261 II = &Ctx.Idents.get("CFNumberCreate");
262
263 if (FD->getIdentifier() != II || CE->getNumArgs() != 3)
264 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]265
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]266 // Get the value of the "theType" argument.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]267 SVal TheTypeVal = state->getSVal(CE->getArg(1));
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]268
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]269 // FIXME: We really should allow ranges of valid theType values, and
270 // bifurcate the state appropriately.
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]271 nonloc::ConcreteInt* V = dyn_cast<nonloc::ConcreteInt>(&TheTypeVal);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]272 if (!V)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]273 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]274
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]275 uint64_t NumberKind = V->getValue().getLimitedValue();
276 Optional<uint64_t> TargetSize = GetCFNumberSize(Ctx, NumberKind);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]277
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]278 // FIXME: In some cases we can emit an error.
279 if (!TargetSize.isKnown())
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]280 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]281
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]282 // Look at the value of the integer being passed by reference. Essentially
283 // we want to catch cases where the value passed in is not equal to the
284 // size of the type being created.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]285 SVal TheValueExpr = state->getSVal(CE->getArg(2));
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]286
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]287 // FIXME: Eventually we should handle arbitrary locations. We can do this
288 // by having an enhanced memory model that does low-level typing.
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]289 loc::MemRegionVal* LV = dyn_cast<loc::MemRegionVal>(&TheValueExpr);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]290 if (!LV)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]291 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]292
Zhongxing Xuf8f3f9d2009-11-10 02:17:20 +0000[diff] [blame]293 const TypedRegion* R = dyn_cast<TypedRegion>(LV->StripCasts());
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]294 if (!R)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]295 return;
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]296
Zhongxing Xu8de0a3d2010-08-11 06:10:55 +0000[diff] [blame]297 QualType T = Ctx.getCanonicalType(R->getValueType());
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]298
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]299 // FIXME: If the pointee isn't an integer type, should we flag a warning?
300 // People can do weird stuff with pointers.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]301
302 if (!T->isIntegerType())
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]303 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]304
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]305 uint64_t SourceSize = Ctx.getTypeSize(T);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]306
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]307 // CHECK: is SourceSize == TargetSize
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]308 if (SourceSize == TargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]309 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]310
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]311 // Generate an error. Only generate a sink if 'SourceSize < TargetSize';
312 // otherwise generate a regular node.
313 //
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]314 // FIXME: We can actually create an abstract "CFNumber" object that has
315 // the bits initialized to the provided values.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]316 //
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]317 if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
318 : C.generateNode()) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]319 llvm::SmallString<128> sbuf;
320 llvm::raw_svector_ostream os(sbuf);
321
322 os << (SourceSize == 8 ? "An " : "A ")
323 << SourceSize << " bit integer is used to initialize a CFNumber "
324 "object that represents "
325 << (TargetSize == 8 ? "an " : "a ")
326 << TargetSize << " bit integer. ";
327
328 if (SourceSize < TargetSize)
329 os << (TargetSize - SourceSize)
330 << " bits of the CFNumber value will be garbage." ;
331 else
332 os << (SourceSize - TargetSize)
333 << " bits of the input integer will be lost.";
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]334
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]335 if (!BT)
336 BT = new APIMisuse("Bad use of CFNumberCreate");
337
338 RangedBugReport *report = new RangedBugReport(*BT, os.str(), N);
339 report->addRange(CE->getArg(2)->getSourceRange());
340 C.EmitReport(report);
341 }
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]342}
343
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]344//===----------------------------------------------------------------------===//
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]345// CFRetain/CFRelease checking for null arguments.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]346//===----------------------------------------------------------------------===//
347
348namespace {
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]349class CFRetainReleaseChecker : public CheckerVisitor<CFRetainReleaseChecker> {
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]350 APIMisuse *BT;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]351 IdentifierInfo *Retain, *Release;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]352public:
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]353 CFRetainReleaseChecker(): BT(0), Retain(0), Release(0) {}
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]354 static void *getTag() { static int x = 0; return &x; }
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]355 void PreVisitCallExpr(CheckerContext& C, const CallExpr* CE);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]356};
357} // end anonymous namespace
358
359
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]360void CFRetainReleaseChecker::PreVisitCallExpr(CheckerContext& C,
361 const CallExpr* CE) {
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]362 // If the CallExpr doesn't have exactly 1 argument just give up checking.
363 if (CE->getNumArgs() != 1)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]364 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]365
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]366 // Get the function declaration of the callee.
367 const GRState* state = C.getState();
Ted Kremenek57f09892010-02-08 16:18:51 +0000[diff] [blame]368 SVal X = state->getSVal(CE->getCallee());
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]369 const FunctionDecl* FD = X.getAsFunctionDecl();
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]370
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]371 if (!FD)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]372 return;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]373
374 if (!BT) {
375 ASTContext &Ctx = C.getASTContext();
376 Retain = &Ctx.Idents.get("CFRetain");
377 Release = &Ctx.Idents.get("CFRelease");
378 BT = new APIMisuse("null passed to CFRetain/CFRelease");
379 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]380
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]381 // Check if we called CFRetain/CFRelease.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]382 const IdentifierInfo *FuncII = FD->getIdentifier();
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]383 if (!(FuncII == Retain || FuncII == Release))
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]384 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]385
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]386 // FIXME: The rest of this just checks that the argument is non-null.
387 // It should probably be refactored and combined with AttrNonNullChecker.
388
389 // Get the argument's value.
390 const Expr *Arg = CE->getArg(0);
391 SVal ArgVal = state->getSVal(Arg);
392 DefinedSVal *DefArgVal = dyn_cast<DefinedSVal>(&ArgVal);
393 if (!DefArgVal)
394 return;
395
396 // Get a NULL value.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]397 SValBuilder &svalBuilder = C.getSValBuilder();
398 DefinedSVal zero = cast<DefinedSVal>(svalBuilder.makeZeroVal(Arg->getType()));
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]399
400 // Make an expression asserting that they're equal.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]401 DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]402
403 // Are they equal?
404 const GRState *stateTrue, *stateFalse;
Ted Kremenekc5bea1e2010-12-01 22:16:56 +0000[diff] [blame]405 llvm::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]406
407 if (stateTrue && !stateFalse) {
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]408 ExplodedNode *N = C.generateSink(stateTrue);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]409 if (!N)
410 return;
411
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]412 const char *description = (FuncII == Retain)
413 ? "Null pointer argument in call to CFRetain"
414 : "Null pointer argument in call to CFRelease";
415
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]416 EnhancedBugReport *report = new EnhancedBugReport(*BT, description, N);
417 report->addRange(Arg->getSourceRange());
418 report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Arg);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]419 C.EmitReport(report);
420 return;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]421 }
422
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]423 // From here on, we know the argument is non-null.
424 C.addTransition(stateFalse);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]425}
426
427//===----------------------------------------------------------------------===//
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]428// Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
429//===----------------------------------------------------------------------===//
430
431namespace {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]432class ClassReleaseChecker : public CheckerVisitor<ClassReleaseChecker> {
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]433 Selector releaseS;
434 Selector retainS;
435 Selector autoreleaseS;
436 Selector drainS;
437 BugType *BT;
438public:
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]439 ClassReleaseChecker()
440 : BT(0) {}
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]441
442 static void *getTag() { static int x = 0; return &x; }
443
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]444 void preVisitObjCMessage(CheckerContext &C, ObjCMessage msg);
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]445};
446}
447
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]448void ClassReleaseChecker::preVisitObjCMessage(CheckerContext &C,
449 ObjCMessage msg) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]450
451 if (!BT) {
452 BT = new APIMisuse("message incorrectly sent to class instead of class "
453 "instance");
454
455 ASTContext &Ctx = C.getASTContext();
456 releaseS = GetNullarySelector("release", Ctx);
457 retainS = GetNullarySelector("retain", Ctx);
458 autoreleaseS = GetNullarySelector("autorelease", Ctx);
459 drainS = GetNullarySelector("drain", Ctx);
460 }
461
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]462 if (msg.isInstanceMessage())
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]463 return;
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]464 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
465 assert(Class);
Douglas Gregor9a129192010-04-21 00:45:42 +0000[diff] [blame]466
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]467 Selector S = msg.getSelector();
Benjamin Kramer7d875c72009-11-20 10:03:00 +0000[diff] [blame]468 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]469 return;
470
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]471 if (ExplodedNode *N = C.generateNode()) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]472 llvm::SmallString<200> buf;
473 llvm::raw_svector_ostream os(buf);
Ted Kremenekf5735152009-11-23 22:22:01 +0000[diff] [blame]474
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]475 os << "The '" << S.getAsString() << "' message should be sent to instances "
476 "of class '" << Class->getName()
477 << "' and not the class directly";
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]478
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]479 RangedBugReport *report = new RangedBugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame^]480 report->addRange(msg.getSourceRange());
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]481 C.EmitReport(report);
482 }
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]483}
484
485//===----------------------------------------------------------------------===//
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]486// Check registration.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]487//===----------------------------------------------------------------------===//
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]488
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]489void ento::RegisterAppleChecks(ExprEngine& Eng, const Decl &D) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]490 Eng.registerCheck(new NilArgChecker());
491 Eng.registerCheck(new CFNumberCreateChecker());
492 RegisterNSErrorChecks(Eng.getBugReporter(), Eng, D);
Ted Kremenek18c7cee2009-11-03 08:03:59 +0000[diff] [blame]493 RegisterNSAutoreleasePoolChecks(Eng);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]494 Eng.registerCheck(new CFRetainReleaseChecker());
495 Eng.registerCheck(new ClassReleaseChecker());
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]496}