Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / 6457ad233504a2af01fd859f363539180e9c73c5 / . / clang / lib / StaticAnalyzer / Checkers / BasicObjCFoundationChecks.cpp
blob: a6bcb6930a544aae41675bd4e56110fab4cb1ced [file] [log] [blame]
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]1//== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines BasicObjCFoundationChecks, a class that encapsulates
11// a set of simple checks to run on Objective-C code using Apple's Foundation
12// classes.
13//
14//===----------------------------------------------------------------------===//
15
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]16#include "ClangSACheckers.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]17#include "clang/AST/ASTContext.h"
18#include "clang/AST/DeclObjC.h"
19#include "clang/AST/Expr.h"
20#include "clang/AST/ExprObjC.h"
21#include "clang/AST/StmtObjC.h"
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]22#include "clang/Analysis/DomainSpecific/CocoaConventions.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]23#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]24#include "clang/StaticAnalyzer/Core/Checker.h"
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]25#include "clang/StaticAnalyzer/Core/CheckerManager.h"
Jordan Rose4f7df9b2012-07-26 21:39:41 +0000[diff] [blame]26#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
Argyrios Kyrtzidisdff865d2011-02-23 01:05:36 +0000[diff] [blame]27#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]28#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]29#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]30#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]31#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
Benjamin Kramer49038022012-02-04 13:45:25 +0000[diff] [blame]32#include "llvm/ADT/SmallString.h"
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]33#include "llvm/ADT/StringMap.h"
Benjamin Kramer444a1302012-12-01 17:12:56 +0000[diff] [blame]34#include "llvm/Support/raw_ostream.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]35
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]36using namespace clang;
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]37using namespace ento;
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]38
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]39namespace {
40class APIMisuse : public BugType {
41public:
42 APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {}
43};
44} // end anonymous namespace
45
46//===----------------------------------------------------------------------===//
47// Utility functions.
48//===----------------------------------------------------------------------===//
49
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]50static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) {
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]51 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]52 return ID->getIdentifier()->getName();
53 return StringRef();
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]54}
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]55
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]56enum FoundationClass {
57 FC_None,
58 FC_NSArray,
59 FC_NSDictionary,
60 FC_NSEnumerator,
61 FC_NSOrderedSet,
62 FC_NSSet,
63 FC_NSString
64};
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]65
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]66static FoundationClass findKnownClass(const ObjCInterfaceDecl *ID) {
67 static llvm::StringMap<FoundationClass> Classes;
68 if (Classes.empty()) {
69 Classes["NSArray"] = FC_NSArray;
70 Classes["NSDictionary"] = FC_NSDictionary;
71 Classes["NSEnumerator"] = FC_NSEnumerator;
72 Classes["NSOrderedSet"] = FC_NSOrderedSet;
73 Classes["NSSet"] = FC_NSSet;
74 Classes["NSString"] = FC_NSString;
75 }
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]76
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]77 // FIXME: Should we cache this at all?
78 FoundationClass result = Classes.lookup(ID->getIdentifier()->getName());
79 if (result == FC_None)
80 if (const ObjCInterfaceDecl *Super = ID->getSuperClass())
81 return findKnownClass(Super);
82
83 return result;
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]84}
85
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]86static inline bool isNil(SVal X) {
David Blaikie3a3c4e02013-02-21 06:05:05 +0000[diff] [blame]87 return X.getAs<loc::ConcreteInt>().hasValue();
Ted Kremenek27156c82008-03-27 21:15:17 +0000[diff] [blame]88}
89
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]90//===----------------------------------------------------------------------===//
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]91// NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]92//===----------------------------------------------------------------------===//
93
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]94namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]95 class NilArgChecker : public Checker<check::PreObjCMessage> {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]96 mutable OwningPtr<APIMisuse> BT;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]97
98 void WarnNilArg(CheckerContext &C,
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]99 const ObjCMethodCall &msg, unsigned Arg) const;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]100
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]101 public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]102 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]103 };
104}
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]105
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]106void NilArgChecker::WarnNilArg(CheckerContext &C,
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]107 const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]108 unsigned int Arg) const
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]109{
110 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]111 BT.reset(new APIMisuse("nil argument"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]112
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]113 if (ExplodedNode *N = C.generateSink()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]114 SmallString<128> sbuf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]115 llvm::raw_svector_ostream os(sbuf);
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]116 os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '"
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]117 << msg.getSelector().getAsString() << "' cannot be nil";
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]118
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]119 BugReport *R = new BugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]120 R->addRange(msg.getArgSourceRange(Arg));
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]121 C.emitReport(R);
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]122 }
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]123}
124
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]125void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]126 CheckerContext &C) const {
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]127 const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
128 if (!ID)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]129 return;
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame^]130
131 FoundationClass Class = findKnownClass(ID);
132
133 static const unsigned InvalidArgIndex = UINT_MAX;
134 unsigned Arg = InvalidArgIndex;
135
136 if (Class == FC_NSString) {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]137 Selector S = msg.getSelector();
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]138
139 if (S.isUnarySelector())
140 return;
141
142 // FIXME: This is going to be really slow doing these checks with
143 // lexical comparisons.
144
145 std::string NameStr = S.getAsString();
Chris Lattner0e62c1c2011-07-23 10:55:15 +0000[diff] [blame]146 StringRef Name(NameStr);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]147 assert(!Name.empty());
148
149 // FIXME: Checking for initWithFormat: will not work in most cases
150 // yet because [NSString alloc] returns id, not NSString*. We will
151 // need support for tracking expected-type information in the analyzer
152 // to find these errors.
153 if (Name == "caseInsensitiveCompare:" ||
154 Name == "compare:" ||
155 Name == "compare:options:" ||
156 Name == "compare:options:range:" ||
157 Name == "compare:options:range:locale:" ||
158 Name == "componentsSeparatedByCharactersInSet:" ||
159 Name == "initWithFormat:") {
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame^]160 Arg = 0;
161 }
162 } else if (Class == FC_NSArray) {
163 Selector S = msg.getSelector();
164
165 if (S.isUnarySelector())
166 return;
167
168 if (S.getNameForSlot(0).equals("addObject")) {
169 Arg = 0;
170 } else if (S.getNameForSlot(0).equals("insertObject") &&
171 S.getNameForSlot(1).equals("atIndex")) {
172 Arg = 0;
173 } else if (S.getNameForSlot(0).equals("replaceObjectAtIndex") &&
174 S.getNameForSlot(1).equals("withObject")) {
175 Arg = 1;
176 } else if (S.getNameForSlot(0).equals("setObject") &&
177 S.getNameForSlot(1).equals("atIndexedSubscript")) {
178 Arg = 0;
179 } else if (S.getNameForSlot(0).equals("arrayByAddingObject")) {
180 Arg = 0;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]181 }
182 }
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame^]183
184 // If argument is '0', report a warning.
185 if ((Arg != InvalidArgIndex) && isNil(msg.getArgSVal(Arg)))
186 WarnNilArg(C, msg, Arg);
187
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]188}
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]189
190//===----------------------------------------------------------------------===//
191// Error reporting.
192//===----------------------------------------------------------------------===//
193
194namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]195class CFNumberCreateChecker : public Checker< check::PreStmt<CallExpr> > {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]196 mutable OwningPtr<APIMisuse> BT;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]197 mutable IdentifierInfo* II;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]198public:
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]199 CFNumberCreateChecker() : II(0) {}
200
201 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
202
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]203private:
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]204 void EmitError(const TypedRegion* R, const Expr *Ex,
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]205 uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]206};
207} // end anonymous namespace
208
209enum CFNumberType {
210 kCFNumberSInt8Type = 1,
211 kCFNumberSInt16Type = 2,
212 kCFNumberSInt32Type = 3,
213 kCFNumberSInt64Type = 4,
214 kCFNumberFloat32Type = 5,
215 kCFNumberFloat64Type = 6,
216 kCFNumberCharType = 7,
217 kCFNumberShortType = 8,
218 kCFNumberIntType = 9,
219 kCFNumberLongType = 10,
220 kCFNumberLongLongType = 11,
221 kCFNumberFloatType = 12,
222 kCFNumberDoubleType = 13,
223 kCFNumberCFIndexType = 14,
224 kCFNumberNSIntegerType = 15,
225 kCFNumberCGFloatType = 16
226};
227
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]228static Optional<uint64_t> GetCFNumberSize(ASTContext &Ctx, uint64_t i) {
Nuno Lopescfca1f02009-12-23 17:49:57 +0000[diff] [blame]229 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]230
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]231 if (i < kCFNumberCharType)
232 return FixedSize[i-1];
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]233
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]234 QualType T;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]235
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]236 switch (i) {
237 case kCFNumberCharType: T = Ctx.CharTy; break;
238 case kCFNumberShortType: T = Ctx.ShortTy; break;
239 case kCFNumberIntType: T = Ctx.IntTy; break;
240 case kCFNumberLongType: T = Ctx.LongTy; break;
241 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
242 case kCFNumberFloatType: T = Ctx.FloatTy; break;
243 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
244 case kCFNumberCFIndexType:
245 case kCFNumberNSIntegerType:
246 case kCFNumberCGFloatType:
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]247 // FIXME: We need a way to map from names to Type*.
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]248 default:
David Blaikie7a30dc52013-02-21 01:47:18 +0000[diff] [blame]249 return None;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]250 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]251
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]252 return Ctx.getTypeSize(T);
253}
254
255#if 0
256static const char* GetCFNumberTypeStr(uint64_t i) {
257 static const char* Names[] = {
258 "kCFNumberSInt8Type",
259 "kCFNumberSInt16Type",
260 "kCFNumberSInt32Type",
261 "kCFNumberSInt64Type",
262 "kCFNumberFloat32Type",
263 "kCFNumberFloat64Type",
264 "kCFNumberCharType",
265 "kCFNumberShortType",
266 "kCFNumberIntType",
267 "kCFNumberLongType",
268 "kCFNumberLongLongType",
269 "kCFNumberFloatType",
270 "kCFNumberDoubleType",
271 "kCFNumberCFIndexType",
272 "kCFNumberNSIntegerType",
273 "kCFNumberCGFloatType"
274 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]275
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]276 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
277}
278#endif
279
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]280void CFNumberCreateChecker::checkPreStmt(const CallExpr *CE,
281 CheckerContext &C) const {
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]282 ProgramStateRef state = C.getState();
Anna Zaksc6aa5312011-12-01 05:57:37 +0000[diff] [blame]283 const FunctionDecl *FD = C.getCalleeDecl(CE);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]284 if (!FD)
285 return;
286
287 ASTContext &Ctx = C.getASTContext();
288 if (!II)
289 II = &Ctx.Idents.get("CFNumberCreate");
290
291 if (FD->getIdentifier() != II || CE->getNumArgs() != 3)
292 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]293
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]294 // Get the value of the "theType" argument.
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]295 const LocationContext *LCtx = C.getLocationContext();
296 SVal TheTypeVal = state->getSVal(CE->getArg(1), LCtx);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]297
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]298 // FIXME: We really should allow ranges of valid theType values, and
299 // bifurcate the state appropriately.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]300 Optional<nonloc::ConcreteInt> V = TheTypeVal.getAs<nonloc::ConcreteInt>();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]301 if (!V)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]302 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]303
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]304 uint64_t NumberKind = V->getValue().getLimitedValue();
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]305 Optional<uint64_t> OptTargetSize = GetCFNumberSize(Ctx, NumberKind);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]306
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]307 // FIXME: In some cases we can emit an error.
David Blaikiee359f3c2013-02-20 22:23:03 +0000[diff] [blame]308 if (!OptTargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]309 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]310
David Blaikiee359f3c2013-02-20 22:23:03 +0000[diff] [blame]311 uint64_t TargetSize = *OptTargetSize;
312
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]313 // Look at the value of the integer being passed by reference. Essentially
314 // we want to catch cases where the value passed in is not equal to the
315 // size of the type being created.
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]316 SVal TheValueExpr = state->getSVal(CE->getArg(2), LCtx);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]317
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]318 // FIXME: Eventually we should handle arbitrary locations. We can do this
319 // by having an enhanced memory model that does low-level typing.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]320 Optional<loc::MemRegionVal> LV = TheValueExpr.getAs<loc::MemRegionVal>();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]321 if (!LV)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]322 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]323
Ted Kremenek8df44b262011-08-12 20:02:48 +0000[diff] [blame]324 const TypedValueRegion* R = dyn_cast<TypedValueRegion>(LV->stripCasts());
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]325 if (!R)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]326 return;
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]327
Zhongxing Xu8de0a3d2010-08-11 06:10:55 +0000[diff] [blame]328 QualType T = Ctx.getCanonicalType(R->getValueType());
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]329
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]330 // FIXME: If the pointee isn't an integer type, should we flag a warning?
331 // People can do weird stuff with pointers.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]332
333 if (!T->isIntegerType())
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]334 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]335
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]336 uint64_t SourceSize = Ctx.getTypeSize(T);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]337
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]338 // CHECK: is SourceSize == TargetSize
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]339 if (SourceSize == TargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]340 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]341
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]342 // Generate an error. Only generate a sink if 'SourceSize < TargetSize';
343 // otherwise generate a regular node.
344 //
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]345 // FIXME: We can actually create an abstract "CFNumber" object that has
346 // the bits initialized to the provided values.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]347 //
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]348 if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]349 : C.addTransition()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]350 SmallString<128> sbuf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]351 llvm::raw_svector_ostream os(sbuf);
352
353 os << (SourceSize == 8 ? "An " : "A ")
354 << SourceSize << " bit integer is used to initialize a CFNumber "
355 "object that represents "
356 << (TargetSize == 8 ? "an " : "a ")
357 << TargetSize << " bit integer. ";
358
359 if (SourceSize < TargetSize)
360 os << (TargetSize - SourceSize)
361 << " bits of the CFNumber value will be garbage." ;
362 else
363 os << (SourceSize - TargetSize)
364 << " bits of the input integer will be lost.";
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]365
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]366 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]367 BT.reset(new APIMisuse("Bad use of CFNumberCreate"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]368
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]369 BugReport *report = new BugReport(*BT, os.str(), N);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]370 report->addRange(CE->getArg(2)->getSourceRange());
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]371 C.emitReport(report);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]372 }
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]373}
374
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]375//===----------------------------------------------------------------------===//
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]376// CFRetain/CFRelease/CFMakeCollectable checking for null arguments.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]377//===----------------------------------------------------------------------===//
378
379namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]380class CFRetainReleaseChecker : public Checker< check::PreStmt<CallExpr> > {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]381 mutable OwningPtr<APIMisuse> BT;
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]382 mutable IdentifierInfo *Retain, *Release, *MakeCollectable;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]383public:
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]384 CFRetainReleaseChecker(): Retain(0), Release(0), MakeCollectable(0) {}
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]385 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]386};
387} // end anonymous namespace
388
389
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]390void CFRetainReleaseChecker::checkPreStmt(const CallExpr *CE,
391 CheckerContext &C) const {
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]392 // If the CallExpr doesn't have exactly 1 argument just give up checking.
393 if (CE->getNumArgs() != 1)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]394 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]395
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]396 ProgramStateRef state = C.getState();
Anna Zaksc6aa5312011-12-01 05:57:37 +0000[diff] [blame]397 const FunctionDecl *FD = C.getCalleeDecl(CE);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]398 if (!FD)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]399 return;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]400
401 if (!BT) {
402 ASTContext &Ctx = C.getASTContext();
403 Retain = &Ctx.Idents.get("CFRetain");
404 Release = &Ctx.Idents.get("CFRelease");
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]405 MakeCollectable = &Ctx.Idents.get("CFMakeCollectable");
406 BT.reset(
407 new APIMisuse("null passed to CFRetain/CFRelease/CFMakeCollectable"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]408 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]409
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]410 // Check if we called CFRetain/CFRelease/CFMakeCollectable.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]411 const IdentifierInfo *FuncII = FD->getIdentifier();
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]412 if (!(FuncII == Retain || FuncII == Release || FuncII == MakeCollectable))
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]413 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]414
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]415 // FIXME: The rest of this just checks that the argument is non-null.
Anna Zaksef893392013-03-09 03:23:14 +0000[diff] [blame]416 // It should probably be refactored and combined with NonNullParamChecker.
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]417
418 // Get the argument's value.
419 const Expr *Arg = CE->getArg(0);
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]420 SVal ArgVal = state->getSVal(Arg, C.getLocationContext());
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]421 Optional<DefinedSVal> DefArgVal = ArgVal.getAs<DefinedSVal>();
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]422 if (!DefArgVal)
423 return;
424
425 // Get a NULL value.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]426 SValBuilder &svalBuilder = C.getSValBuilder();
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]427 DefinedSVal zero =
428 svalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]429
430 // Make an expression asserting that they're equal.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]431 DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]432
433 // Are they equal?
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]434 ProgramStateRef stateTrue, stateFalse;
Ted Kremenekc5bea1e2010-12-01 22:16:56 +0000[diff] [blame]435 llvm::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]436
437 if (stateTrue && !stateFalse) {
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]438 ExplodedNode *N = C.generateSink(stateTrue);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]439 if (!N)
440 return;
441
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]442 const char *description;
443 if (FuncII == Retain)
444 description = "Null pointer argument in call to CFRetain";
445 else if (FuncII == Release)
446 description = "Null pointer argument in call to CFRelease";
447 else if (FuncII == MakeCollectable)
448 description = "Null pointer argument in call to CFMakeCollectable";
449 else
450 llvm_unreachable("impossible case");
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]451
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]452 BugReport *report = new BugReport(*BT, description, N);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]453 report->addRange(Arg->getSourceRange());
Jordan Rosea0f7d352012-08-28 00:50:51 +0000[diff] [blame]454 bugreporter::trackNullOrUndefValue(N, Arg, *report);
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]455 C.emitReport(report);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]456 return;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]457 }
458
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]459 // From here on, we know the argument is non-null.
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]460 C.addTransition(stateFalse);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]461}
462
463//===----------------------------------------------------------------------===//
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]464// Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
465//===----------------------------------------------------------------------===//
466
467namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]468class ClassReleaseChecker : public Checker<check::PreObjCMessage> {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]469 mutable Selector releaseS;
470 mutable Selector retainS;
471 mutable Selector autoreleaseS;
472 mutable Selector drainS;
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]473 mutable OwningPtr<BugType> BT;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]474
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]475public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]476 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]477};
478}
479
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]480void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]481 CheckerContext &C) const {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]482
483 if (!BT) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]484 BT.reset(new APIMisuse("message incorrectly sent to class instead of class "
485 "instance"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]486
487 ASTContext &Ctx = C.getASTContext();
488 releaseS = GetNullarySelector("release", Ctx);
489 retainS = GetNullarySelector("retain", Ctx);
490 autoreleaseS = GetNullarySelector("autorelease", Ctx);
491 drainS = GetNullarySelector("drain", Ctx);
492 }
493
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]494 if (msg.isInstanceMessage())
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]495 return;
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]496 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
497 assert(Class);
Douglas Gregor9a129192010-04-21 00:45:42 +0000[diff] [blame]498
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]499 Selector S = msg.getSelector();
Benjamin Kramer7d875c72009-11-20 10:03:00 +0000[diff] [blame]500 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]501 return;
502
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]503 if (ExplodedNode *N = C.addTransition()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]504 SmallString<200> buf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]505 llvm::raw_svector_ostream os(buf);
Ted Kremenekf5735152009-11-23 22:22:01 +0000[diff] [blame]506
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]507 os << "The '" << S.getAsString() << "' message should be sent to instances "
508 "of class '" << Class->getName()
509 << "' and not the class directly";
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]510
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]511 BugReport *report = new BugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]512 report->addRange(msg.getSourceRange());
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]513 C.emitReport(report);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]514 }
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]515}
516
517//===----------------------------------------------------------------------===//
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]518// Check for passing non-Objective-C types to variadic methods that expect
519// only Objective-C types.
520//===----------------------------------------------------------------------===//
521
522namespace {
523class VariadicMethodTypeChecker : public Checker<check::PreObjCMessage> {
524 mutable Selector arrayWithObjectsS;
525 mutable Selector dictionaryWithObjectsAndKeysS;
526 mutable Selector setWithObjectsS;
Jordy Rosec0230d72012-04-06 19:06:01 +0000[diff] [blame]527 mutable Selector orderedSetWithObjectsS;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]528 mutable Selector initWithObjectsS;
529 mutable Selector initWithObjectsAndKeysS;
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]530 mutable OwningPtr<BugType> BT;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]531
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]532 bool isVariadicMessage(const ObjCMethodCall &msg) const;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]533
534public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]535 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]536};
537}
538
539/// isVariadicMessage - Returns whether the given message is a variadic message,
540/// where all arguments must be Objective-C types.
541bool
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]542VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const {
543 const ObjCMethodDecl *MD = msg.getDecl();
Ted Kremenekced5fea2011-04-12 21:47:05 +0000[diff] [blame]544
545 if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext()))
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]546 return false;
547
548 Selector S = msg.getSelector();
549
550 if (msg.isInstanceMessage()) {
551 // FIXME: Ideally we'd look at the receiver interface here, but that's not
552 // useful for init, because alloc returns 'id'. In theory, this could lead
553 // to false positives, for example if there existed a class that had an
554 // initWithObjects: implementation that does accept non-Objective-C pointer
555 // types, but the chance of that happening is pretty small compared to the
556 // gains that this analysis gives.
557 const ObjCInterfaceDecl *Class = MD->getClassInterface();
558
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]559 switch (findKnownClass(Class)) {
560 case FC_NSArray:
561 case FC_NSOrderedSet:
562 case FC_NSSet:
563 return S == initWithObjectsS;
564 case FC_NSDictionary:
565 return S == initWithObjectsAndKeysS;
566 default:
567 return false;
568 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]569 } else {
570 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
571
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]572 switch (findKnownClass(Class)) {
573 case FC_NSArray:
574 return S == arrayWithObjectsS;
575 case FC_NSOrderedSet:
576 return S == orderedSetWithObjectsS;
577 case FC_NSSet:
578 return S == setWithObjectsS;
579 case FC_NSDictionary:
580 return S == dictionaryWithObjectsAndKeysS;
581 default:
582 return false;
583 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]584 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]585}
586
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]587void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]588 CheckerContext &C) const {
589 if (!BT) {
590 BT.reset(new APIMisuse("Arguments passed to variadic method aren't all "
591 "Objective-C pointer types"));
592
593 ASTContext &Ctx = C.getASTContext();
594 arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx);
595 dictionaryWithObjectsAndKeysS =
596 GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx);
597 setWithObjectsS = GetUnarySelector("setWithObjects", Ctx);
Jordy Rosec0230d72012-04-06 19:06:01 +0000[diff] [blame]598 orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx);
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]599
600 initWithObjectsS = GetUnarySelector("initWithObjects", Ctx);
601 initWithObjectsAndKeysS = GetUnarySelector("initWithObjectsAndKeys", Ctx);
602 }
603
604 if (!isVariadicMessage(msg))
605 return;
606
607 // We are not interested in the selector arguments since they have
608 // well-defined types, so the compiler will issue a warning for them.
609 unsigned variadicArgsBegin = msg.getSelector().getNumArgs();
610
611 // We're not interested in the last argument since it has to be nil or the
612 // compiler would have issued a warning for it elsewhere.
613 unsigned variadicArgsEnd = msg.getNumArgs() - 1;
614
615 if (variadicArgsEnd <= variadicArgsBegin)
616 return;
617
618 // Verify that all arguments have Objective-C types.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]619 Optional<ExplodedNode*> errorNode;
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]620 ProgramStateRef state = C.getState();
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]621
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]622 for (unsigned I = variadicArgsBegin; I != variadicArgsEnd; ++I) {
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]623 QualType ArgTy = msg.getArgExpr(I)->getType();
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]624 if (ArgTy->isObjCObjectPointerType())
625 continue;
626
Anders Carlssond1f65f62011-04-19 01:16:46 +0000[diff] [blame]627 // Block pointers are treaded as Objective-C pointers.
628 if (ArgTy->isBlockPointerType())
629 continue;
630
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]631 // Ignore pointer constants.
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]632 if (msg.getArgSVal(I).getAs<loc::ConcreteInt>())
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]633 continue;
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]634
Ted Kremenek70727342011-03-17 04:10:25 +0000[diff] [blame]635 // Ignore pointer types annotated with 'NSObject' attribute.
636 if (C.getASTContext().isObjCNSObjectType(ArgTy))
637 continue;
638
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]639 // Ignore CF references, which can be toll-free bridged.
Ted Kremenekc85964e2011-07-16 19:50:32 +0000[diff] [blame]640 if (coreFoundation::isCFObjectRef(ArgTy))
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]641 continue;
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]642
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]643 // Generate only one error node to use for all bug reports.
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]644 if (!errorNode.hasValue())
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]645 errorNode = C.addTransition();
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]646
647 if (!errorNode.getValue())
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]648 continue;
649
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]650 SmallString<128> sbuf;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]651 llvm::raw_svector_ostream os(sbuf);
652
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]653 StringRef TypeName = GetReceiverInterfaceName(msg);
654 if (!TypeName.empty())
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]655 os << "Argument to '" << TypeName << "' method '";
656 else
657 os << "Argument to method '";
658
659 os << msg.getSelector().getAsString()
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]660 << "' should be an Objective-C pointer type, not '";
661 ArgTy.print(os, C.getLangOpts());
662 os << "'";
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]663
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]664 BugReport *R = new BugReport(*BT, os.str(), errorNode.getValue());
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]665 R->addRange(msg.getArgSourceRange(I));
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]666 C.emitReport(R);
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]667 }
668}
669
670//===----------------------------------------------------------------------===//
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]671// Improves the modeling of loops over Cocoa collections.
672//===----------------------------------------------------------------------===//
673
674namespace {
675class ObjCLoopChecker
676 : public Checker<check::PostStmt<ObjCForCollectionStmt> > {
677
678public:
679 void checkPostStmt(const ObjCForCollectionStmt *FCS, CheckerContext &C) const;
680};
681}
682
683static bool isKnownNonNilCollectionType(QualType T) {
684 const ObjCObjectPointerType *PT = T->getAs<ObjCObjectPointerType>();
685 if (!PT)
686 return false;
687
688 const ObjCInterfaceDecl *ID = PT->getInterfaceDecl();
689 if (!ID)
690 return false;
691
692 switch (findKnownClass(ID)) {
693 case FC_NSArray:
694 case FC_NSDictionary:
695 case FC_NSEnumerator:
696 case FC_NSOrderedSet:
697 case FC_NSSet:
698 return true;
699 default:
700 return false;
701 }
702}
703
704void ObjCLoopChecker::checkPostStmt(const ObjCForCollectionStmt *FCS,
705 CheckerContext &C) const {
706 ProgramStateRef State = C.getState();
707
708 // Check if this is the branch for the end of the loop.
709 SVal CollectionSentinel = State->getSVal(FCS, C.getLocationContext());
710 if (CollectionSentinel.isZeroConstant())
711 return;
712
713 // See if the collection is one where we /know/ the elements are non-nil.
714 const Expr *Collection = FCS->getCollection();
715 if (!isKnownNonNilCollectionType(Collection->getType()))
716 return;
717
718 // FIXME: Copied from ExprEngineObjC.
719 const Stmt *Element = FCS->getElement();
720 SVal ElementVar;
721 if (const DeclStmt *DS = dyn_cast<DeclStmt>(Element)) {
722 const VarDecl *ElemDecl = cast<VarDecl>(DS->getSingleDecl());
723 assert(ElemDecl->getInit() == 0);
724 ElementVar = State->getLValue(ElemDecl, C.getLocationContext());
725 } else {
726 ElementVar = State->getSVal(Element, C.getLocationContext());
727 }
728
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]729 if (!ElementVar.getAs<Loc>())
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]730 return;
731
732 // Go ahead and assume the value is non-nil.
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]733 SVal Val = State->getSVal(ElementVar.castAs<Loc>());
734 State = State->assume(Val.castAs<DefinedOrUnknownSVal>(), true);
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]735 C.addTransition(State);
736}
737
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]738namespace {
739/// \class ObjCNonNilReturnValueChecker
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]740/// \brief The checker restricts the return values of APIs known to
741/// never (or almost never) return 'nil'.
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]742class ObjCNonNilReturnValueChecker
743 : public Checker<check::PostObjCMessage> {
744 mutable bool Initialized;
745 mutable Selector ObjectAtIndex;
746 mutable Selector ObjectAtIndexedSubscript;
Anna Zaks9159e162012-08-22 22:47:58 +0000[diff] [blame]747
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]748public:
Anna Zaks9159e162012-08-22 22:47:58 +0000[diff] [blame]749 ObjCNonNilReturnValueChecker() : Initialized(false) {}
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]750 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
751};
752}
753
Benjamin Kramer199f8da2012-09-10 11:57:16 +0000[diff] [blame]754static ProgramStateRef assumeExprIsNonNull(const Expr *NonNullExpr,
755 ProgramStateRef State,
756 CheckerContext &C) {
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]757 SVal Val = State->getSVal(NonNullExpr, C.getLocationContext());
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]758 if (Optional<DefinedOrUnknownSVal> DV = Val.getAs<DefinedOrUnknownSVal>())
Anna Zaks830c48e2012-08-30 22:55:32 +0000[diff] [blame]759 return State->assume(*DV, true);
Anna Zaksb504f442012-08-30 22:42:41 +0000[diff] [blame]760 return State;
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]761}
762
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]763void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M,
764 CheckerContext &C)
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]765 const {
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]766 ProgramStateRef State = C.getState();
767
768 if (!Initialized) {
769 ASTContext &Ctx = C.getASTContext();
770 ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx);
771 ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx);
772 }
773
774 // Check the receiver type.
775 if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) {
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]776
777 // Assume that object returned from '[self init]' or '[super init]' is not
778 // 'nil' if we are processing an inlined function/method.
779 //
780 // A defensive callee will (and should) check if the object returned by
781 // '[super init]' is 'nil' before doing it's own initialization. However,
782 // since 'nil' is rarely returned in practice, we should not warn when the
783 // caller to the defensive constructor uses the object in contexts where
784 // 'nil' is not accepted.
Anna Zaks49bb6502012-11-06 04:20:54 +0000[diff] [blame]785 if (!C.inTopFrame() && M.getDecl() &&
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]786 M.getDecl()->getMethodFamily() == OMF_init &&
787 M.isReceiverSelfOrSuper()) {
788 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
789 }
790
791 // Objects returned from
792 // [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript]
793 // are never 'nil'.
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]794 FoundationClass Cl = findKnownClass(Interface);
795 if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) {
796 Selector Sel = M.getSelector();
797 if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) {
798 // Go ahead and assume the value is non-nil.
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]799 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]800 }
801 }
802 }
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]803 C.addTransition(State);
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]804}
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]805
806//===----------------------------------------------------------------------===//
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]807// Check registration.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]808//===----------------------------------------------------------------------===//
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]809
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]810void ento::registerNilArgChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]811 mgr.registerChecker<NilArgChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]812}
813
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]814void ento::registerCFNumberCreateChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]815 mgr.registerChecker<CFNumberCreateChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]816}
817
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]818void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]819 mgr.registerChecker<CFRetainReleaseChecker>();
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]820}
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]821
822void ento::registerClassReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]823 mgr.registerChecker<ClassReleaseChecker>();
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]824}
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]825
826void ento::registerVariadicMethodTypeChecker(CheckerManager &mgr) {
827 mgr.registerChecker<VariadicMethodTypeChecker>();
828}
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]829
830void ento::registerObjCLoopChecker(CheckerManager &mgr) {
831 mgr.registerChecker<ObjCLoopChecker>();
832}
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]833
834void ento::registerObjCNonNilReturnValueChecker(CheckerManager &mgr) {
835 mgr.registerChecker<ObjCNonNilReturnValueChecker>();
836}