Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / bd8f60d6d117eb782c61a559533a180d1b777e1e / . / clang / lib / StaticAnalyzer / Checkers / BasicObjCFoundationChecks.cpp
blob: 533a324e7507925f988529bed66dbf74e6123cbd [file] [log] [blame]
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]1//== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines BasicObjCFoundationChecks, a class that encapsulates
11// a set of simple checks to run on Objective-C code using Apple's Foundation
12// classes.
13//
14//===----------------------------------------------------------------------===//
15
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]16#include "ClangSACheckers.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]17#include "clang/AST/ASTContext.h"
18#include "clang/AST/DeclObjC.h"
19#include "clang/AST/Expr.h"
20#include "clang/AST/ExprObjC.h"
21#include "clang/AST/StmtObjC.h"
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]22#include "clang/Analysis/DomainSpecific/CocoaConventions.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]23#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]24#include "clang/StaticAnalyzer/Core/Checker.h"
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]25#include "clang/StaticAnalyzer/Core/CheckerManager.h"
Jordan Rose4f7df9b2012-07-26 21:39:41 +0000[diff] [blame]26#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
Argyrios Kyrtzidisdff865d2011-02-23 01:05:36 +0000[diff] [blame]27#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]28#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]29#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]30#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]31#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
Benjamin Kramer49038022012-02-04 13:45:25 +0000[diff] [blame]32#include "llvm/ADT/SmallString.h"
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]33#include "llvm/ADT/StringMap.h"
Benjamin Kramer444a1302012-12-01 17:12:56 +0000[diff] [blame]34#include "llvm/Support/raw_ostream.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]35
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]36using namespace clang;
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]37using namespace ento;
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]38
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]39namespace {
40class APIMisuse : public BugType {
41public:
42 APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {}
43};
44} // end anonymous namespace
45
46//===----------------------------------------------------------------------===//
47// Utility functions.
48//===----------------------------------------------------------------------===//
49
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]50static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) {
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]51 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]52 return ID->getIdentifier()->getName();
53 return StringRef();
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]54}
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]55
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]56enum FoundationClass {
57 FC_None,
58 FC_NSArray,
59 FC_NSDictionary,
60 FC_NSEnumerator,
61 FC_NSOrderedSet,
62 FC_NSSet,
63 FC_NSString
64};
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]65
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]66static FoundationClass findKnownClass(const ObjCInterfaceDecl *ID) {
67 static llvm::StringMap<FoundationClass> Classes;
68 if (Classes.empty()) {
69 Classes["NSArray"] = FC_NSArray;
70 Classes["NSDictionary"] = FC_NSDictionary;
71 Classes["NSEnumerator"] = FC_NSEnumerator;
72 Classes["NSOrderedSet"] = FC_NSOrderedSet;
73 Classes["NSSet"] = FC_NSSet;
74 Classes["NSString"] = FC_NSString;
75 }
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]76
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]77 // FIXME: Should we cache this at all?
78 FoundationClass result = Classes.lookup(ID->getIdentifier()->getName());
79 if (result == FC_None)
80 if (const ObjCInterfaceDecl *Super = ID->getSuperClass())
81 return findKnownClass(Super);
82
83 return result;
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]84}
85
86//===----------------------------------------------------------------------===//
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]87// NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]88//===----------------------------------------------------------------------===//
89
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]90namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]91 class NilArgChecker : public Checker<check::PreObjCMessage> {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]92 mutable OwningPtr<APIMisuse> BT;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]93
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]94 void WarnIfNilArg(CheckerContext &C,
95 const ObjCMethodCall &msg, unsigned Arg,
96 FoundationClass Class,
97 bool CanBeSubscript = false) const;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]98
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]99 public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]100 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]101 };
102}
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]103
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]104void NilArgChecker::WarnIfNilArg(CheckerContext &C,
105 const ObjCMethodCall &msg,
106 unsigned int Arg,
107 FoundationClass Class,
108 bool CanBeSubscript) const {
109 // Check if the argument is nil.
110 ProgramStateRef State = C.getState();
111 if (!State->isNull(msg.getArgSVal(Arg)).isConstrainedTrue())
112 return;
113
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]114 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]115 BT.reset(new APIMisuse("nil argument"));
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]116
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]117 if (ExplodedNode *N = C.generateSink()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]118 SmallString<128> sbuf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]119 llvm::raw_svector_ostream os(sbuf);
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]120
121 if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
122
123 if (Class == FC_NSArray) {
124 os << "Array element cannot be nil";
125 } else if (Class == FC_NSDictionary) {
126 if (Arg == 0)
127 os << "Dictionary object cannot be nil";
128 else {
129 assert(Arg == 1);
130 os << "Dictionary key cannot be nil";
131 }
132 } else
133 llvm_unreachable("Missing foundation class for the subscript expr");
134
135 } else {
136 os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '"
137 << msg.getSelector().getAsString() << "' cannot be nil";
138 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]139
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]140 BugReport *R = new BugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]141 R->addRange(msg.getArgSourceRange(Arg));
Anna Zaksbd8f60d2013-03-26 23:58:49 +0000[diff] [blame^]142 bugreporter::trackNullOrUndefValue(N, msg.getArgExpr(Arg), *R);
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]143 C.emitReport(R);
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]144 }
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]145}
146
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]147void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]148 CheckerContext &C) const {
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]149 const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
150 if (!ID)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]151 return;
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame]152
153 FoundationClass Class = findKnownClass(ID);
154
155 static const unsigned InvalidArgIndex = UINT_MAX;
156 unsigned Arg = InvalidArgIndex;
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]157 bool CanBeSubscript = false;
158
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame]159 if (Class == FC_NSString) {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]160 Selector S = msg.getSelector();
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]161
162 if (S.isUnarySelector())
163 return;
164
165 // FIXME: This is going to be really slow doing these checks with
166 // lexical comparisons.
167
168 std::string NameStr = S.getAsString();
Chris Lattner0e62c1c2011-07-23 10:55:15 +0000[diff] [blame]169 StringRef Name(NameStr);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]170 assert(!Name.empty());
171
172 // FIXME: Checking for initWithFormat: will not work in most cases
173 // yet because [NSString alloc] returns id, not NSString*. We will
174 // need support for tracking expected-type information in the analyzer
175 // to find these errors.
176 if (Name == "caseInsensitiveCompare:" ||
177 Name == "compare:" ||
178 Name == "compare:options:" ||
179 Name == "compare:options:range:" ||
180 Name == "compare:options:range:locale:" ||
181 Name == "componentsSeparatedByCharactersInSet:" ||
182 Name == "initWithFormat:") {
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame]183 Arg = 0;
184 }
185 } else if (Class == FC_NSArray) {
186 Selector S = msg.getSelector();
187
188 if (S.isUnarySelector())
189 return;
190
191 if (S.getNameForSlot(0).equals("addObject")) {
192 Arg = 0;
193 } else if (S.getNameForSlot(0).equals("insertObject") &&
194 S.getNameForSlot(1).equals("atIndex")) {
195 Arg = 0;
196 } else if (S.getNameForSlot(0).equals("replaceObjectAtIndex") &&
197 S.getNameForSlot(1).equals("withObject")) {
198 Arg = 1;
199 } else if (S.getNameForSlot(0).equals("setObject") &&
200 S.getNameForSlot(1).equals("atIndexedSubscript")) {
201 Arg = 0;
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]202 CanBeSubscript = true;
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame]203 } else if (S.getNameForSlot(0).equals("arrayByAddingObject")) {
204 Arg = 0;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]205 }
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]206 } else if (Class == FC_NSDictionary) {
207 Selector S = msg.getSelector();
208
209 if (S.isUnarySelector())
210 return;
211
212 if (S.getNameForSlot(0).equals("dictionaryWithObject") &&
213 S.getNameForSlot(1).equals("forKey")) {
214 Arg = 0;
215 WarnIfNilArg(C, msg, /* Arg */1, Class);
216 } else if (S.getNameForSlot(0).equals("setObject") &&
217 S.getNameForSlot(1).equals("forKey")) {
218 Arg = 0;
219 WarnIfNilArg(C, msg, /* Arg */1, Class);
220 } else if (S.getNameForSlot(0).equals("setObject") &&
221 S.getNameForSlot(1).equals("forKeyedSubscript")) {
222 CanBeSubscript = true;
223 Arg = 0;
224 WarnIfNilArg(C, msg, /* Arg */1, Class, CanBeSubscript);
225 } else if (S.getNameForSlot(0).equals("removeObjectForKey")) {
226 Arg = 0;
227 }
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]228 }
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame]229
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]230
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame]231 // If argument is '0', report a warning.
Anna Zaks130df4b2013-03-23 00:39:21 +0000[diff] [blame]232 if ((Arg != InvalidArgIndex))
233 WarnIfNilArg(C, msg, Arg, Class, CanBeSubscript);
Anna Zaks6457ad22013-03-18 20:46:56 +0000[diff] [blame]234
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]235}
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]236
237//===----------------------------------------------------------------------===//
238// Error reporting.
239//===----------------------------------------------------------------------===//
240
241namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]242class CFNumberCreateChecker : public Checker< check::PreStmt<CallExpr> > {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]243 mutable OwningPtr<APIMisuse> BT;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]244 mutable IdentifierInfo* II;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]245public:
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]246 CFNumberCreateChecker() : II(0) {}
247
248 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
249
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]250private:
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]251 void EmitError(const TypedRegion* R, const Expr *Ex,
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]252 uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]253};
254} // end anonymous namespace
255
256enum CFNumberType {
257 kCFNumberSInt8Type = 1,
258 kCFNumberSInt16Type = 2,
259 kCFNumberSInt32Type = 3,
260 kCFNumberSInt64Type = 4,
261 kCFNumberFloat32Type = 5,
262 kCFNumberFloat64Type = 6,
263 kCFNumberCharType = 7,
264 kCFNumberShortType = 8,
265 kCFNumberIntType = 9,
266 kCFNumberLongType = 10,
267 kCFNumberLongLongType = 11,
268 kCFNumberFloatType = 12,
269 kCFNumberDoubleType = 13,
270 kCFNumberCFIndexType = 14,
271 kCFNumberNSIntegerType = 15,
272 kCFNumberCGFloatType = 16
273};
274
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]275static Optional<uint64_t> GetCFNumberSize(ASTContext &Ctx, uint64_t i) {
Nuno Lopescfca1f02009-12-23 17:49:57 +0000[diff] [blame]276 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]277
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]278 if (i < kCFNumberCharType)
279 return FixedSize[i-1];
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]280
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]281 QualType T;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]282
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]283 switch (i) {
284 case kCFNumberCharType: T = Ctx.CharTy; break;
285 case kCFNumberShortType: T = Ctx.ShortTy; break;
286 case kCFNumberIntType: T = Ctx.IntTy; break;
287 case kCFNumberLongType: T = Ctx.LongTy; break;
288 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
289 case kCFNumberFloatType: T = Ctx.FloatTy; break;
290 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
291 case kCFNumberCFIndexType:
292 case kCFNumberNSIntegerType:
293 case kCFNumberCGFloatType:
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]294 // FIXME: We need a way to map from names to Type*.
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]295 default:
David Blaikie7a30dc52013-02-21 01:47:18 +0000[diff] [blame]296 return None;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]297 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]298
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]299 return Ctx.getTypeSize(T);
300}
301
302#if 0
303static const char* GetCFNumberTypeStr(uint64_t i) {
304 static const char* Names[] = {
305 "kCFNumberSInt8Type",
306 "kCFNumberSInt16Type",
307 "kCFNumberSInt32Type",
308 "kCFNumberSInt64Type",
309 "kCFNumberFloat32Type",
310 "kCFNumberFloat64Type",
311 "kCFNumberCharType",
312 "kCFNumberShortType",
313 "kCFNumberIntType",
314 "kCFNumberLongType",
315 "kCFNumberLongLongType",
316 "kCFNumberFloatType",
317 "kCFNumberDoubleType",
318 "kCFNumberCFIndexType",
319 "kCFNumberNSIntegerType",
320 "kCFNumberCGFloatType"
321 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]322
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]323 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
324}
325#endif
326
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]327void CFNumberCreateChecker::checkPreStmt(const CallExpr *CE,
328 CheckerContext &C) const {
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]329 ProgramStateRef state = C.getState();
Anna Zaksc6aa5312011-12-01 05:57:37 +0000[diff] [blame]330 const FunctionDecl *FD = C.getCalleeDecl(CE);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]331 if (!FD)
332 return;
333
334 ASTContext &Ctx = C.getASTContext();
335 if (!II)
336 II = &Ctx.Idents.get("CFNumberCreate");
337
338 if (FD->getIdentifier() != II || CE->getNumArgs() != 3)
339 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]340
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]341 // Get the value of the "theType" argument.
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]342 const LocationContext *LCtx = C.getLocationContext();
343 SVal TheTypeVal = state->getSVal(CE->getArg(1), LCtx);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]344
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]345 // FIXME: We really should allow ranges of valid theType values, and
346 // bifurcate the state appropriately.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]347 Optional<nonloc::ConcreteInt> V = TheTypeVal.getAs<nonloc::ConcreteInt>();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]348 if (!V)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]349 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]350
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]351 uint64_t NumberKind = V->getValue().getLimitedValue();
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]352 Optional<uint64_t> OptTargetSize = GetCFNumberSize(Ctx, NumberKind);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]353
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]354 // FIXME: In some cases we can emit an error.
David Blaikiee359f3c2013-02-20 22:23:03 +0000[diff] [blame]355 if (!OptTargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]356 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]357
David Blaikiee359f3c2013-02-20 22:23:03 +0000[diff] [blame]358 uint64_t TargetSize = *OptTargetSize;
359
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]360 // Look at the value of the integer being passed by reference. Essentially
361 // we want to catch cases where the value passed in is not equal to the
362 // size of the type being created.
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]363 SVal TheValueExpr = state->getSVal(CE->getArg(2), LCtx);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]364
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]365 // FIXME: Eventually we should handle arbitrary locations. We can do this
366 // by having an enhanced memory model that does low-level typing.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]367 Optional<loc::MemRegionVal> LV = TheValueExpr.getAs<loc::MemRegionVal>();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]368 if (!LV)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]369 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]370
Ted Kremenek8df44b262011-08-12 20:02:48 +0000[diff] [blame]371 const TypedValueRegion* R = dyn_cast<TypedValueRegion>(LV->stripCasts());
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]372 if (!R)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]373 return;
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]374
Zhongxing Xu8de0a3d2010-08-11 06:10:55 +0000[diff] [blame]375 QualType T = Ctx.getCanonicalType(R->getValueType());
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]376
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]377 // FIXME: If the pointee isn't an integer type, should we flag a warning?
378 // People can do weird stuff with pointers.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]379
380 if (!T->isIntegerType())
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]381 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]382
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]383 uint64_t SourceSize = Ctx.getTypeSize(T);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]384
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]385 // CHECK: is SourceSize == TargetSize
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]386 if (SourceSize == TargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]387 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]388
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]389 // Generate an error. Only generate a sink if 'SourceSize < TargetSize';
390 // otherwise generate a regular node.
391 //
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]392 // FIXME: We can actually create an abstract "CFNumber" object that has
393 // the bits initialized to the provided values.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]394 //
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]395 if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]396 : C.addTransition()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]397 SmallString<128> sbuf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]398 llvm::raw_svector_ostream os(sbuf);
399
400 os << (SourceSize == 8 ? "An " : "A ")
401 << SourceSize << " bit integer is used to initialize a CFNumber "
402 "object that represents "
403 << (TargetSize == 8 ? "an " : "a ")
404 << TargetSize << " bit integer. ";
405
406 if (SourceSize < TargetSize)
407 os << (TargetSize - SourceSize)
408 << " bits of the CFNumber value will be garbage." ;
409 else
410 os << (SourceSize - TargetSize)
411 << " bits of the input integer will be lost.";
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]412
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]413 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]414 BT.reset(new APIMisuse("Bad use of CFNumberCreate"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]415
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]416 BugReport *report = new BugReport(*BT, os.str(), N);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]417 report->addRange(CE->getArg(2)->getSourceRange());
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]418 C.emitReport(report);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]419 }
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]420}
421
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]422//===----------------------------------------------------------------------===//
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]423// CFRetain/CFRelease/CFMakeCollectable checking for null arguments.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]424//===----------------------------------------------------------------------===//
425
426namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]427class CFRetainReleaseChecker : public Checker< check::PreStmt<CallExpr> > {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]428 mutable OwningPtr<APIMisuse> BT;
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]429 mutable IdentifierInfo *Retain, *Release, *MakeCollectable;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]430public:
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]431 CFRetainReleaseChecker(): Retain(0), Release(0), MakeCollectable(0) {}
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]432 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]433};
434} // end anonymous namespace
435
436
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]437void CFRetainReleaseChecker::checkPreStmt(const CallExpr *CE,
438 CheckerContext &C) const {
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]439 // If the CallExpr doesn't have exactly 1 argument just give up checking.
440 if (CE->getNumArgs() != 1)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]441 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]442
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]443 ProgramStateRef state = C.getState();
Anna Zaksc6aa5312011-12-01 05:57:37 +0000[diff] [blame]444 const FunctionDecl *FD = C.getCalleeDecl(CE);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]445 if (!FD)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]446 return;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]447
448 if (!BT) {
449 ASTContext &Ctx = C.getASTContext();
450 Retain = &Ctx.Idents.get("CFRetain");
451 Release = &Ctx.Idents.get("CFRelease");
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]452 MakeCollectable = &Ctx.Idents.get("CFMakeCollectable");
453 BT.reset(
454 new APIMisuse("null passed to CFRetain/CFRelease/CFMakeCollectable"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]455 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]456
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]457 // Check if we called CFRetain/CFRelease/CFMakeCollectable.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]458 const IdentifierInfo *FuncII = FD->getIdentifier();
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]459 if (!(FuncII == Retain || FuncII == Release || FuncII == MakeCollectable))
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]460 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]461
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]462 // FIXME: The rest of this just checks that the argument is non-null.
Anna Zaksef893392013-03-09 03:23:14 +0000[diff] [blame]463 // It should probably be refactored and combined with NonNullParamChecker.
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]464
465 // Get the argument's value.
466 const Expr *Arg = CE->getArg(0);
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]467 SVal ArgVal = state->getSVal(Arg, C.getLocationContext());
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]468 Optional<DefinedSVal> DefArgVal = ArgVal.getAs<DefinedSVal>();
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]469 if (!DefArgVal)
470 return;
471
472 // Get a NULL value.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]473 SValBuilder &svalBuilder = C.getSValBuilder();
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]474 DefinedSVal zero =
475 svalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]476
477 // Make an expression asserting that they're equal.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]478 DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]479
480 // Are they equal?
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]481 ProgramStateRef stateTrue, stateFalse;
Ted Kremenekc5bea1e2010-12-01 22:16:56 +0000[diff] [blame]482 llvm::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]483
484 if (stateTrue && !stateFalse) {
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]485 ExplodedNode *N = C.generateSink(stateTrue);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]486 if (!N)
487 return;
488
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]489 const char *description;
490 if (FuncII == Retain)
491 description = "Null pointer argument in call to CFRetain";
492 else if (FuncII == Release)
493 description = "Null pointer argument in call to CFRelease";
494 else if (FuncII == MakeCollectable)
495 description = "Null pointer argument in call to CFMakeCollectable";
496 else
497 llvm_unreachable("impossible case");
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]498
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]499 BugReport *report = new BugReport(*BT, description, N);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]500 report->addRange(Arg->getSourceRange());
Jordan Rosea0f7d352012-08-28 00:50:51 +0000[diff] [blame]501 bugreporter::trackNullOrUndefValue(N, Arg, *report);
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]502 C.emitReport(report);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]503 return;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]504 }
505
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]506 // From here on, we know the argument is non-null.
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]507 C.addTransition(stateFalse);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]508}
509
510//===----------------------------------------------------------------------===//
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]511// Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
512//===----------------------------------------------------------------------===//
513
514namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]515class ClassReleaseChecker : public Checker<check::PreObjCMessage> {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]516 mutable Selector releaseS;
517 mutable Selector retainS;
518 mutable Selector autoreleaseS;
519 mutable Selector drainS;
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]520 mutable OwningPtr<BugType> BT;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]521
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]522public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]523 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]524};
525}
526
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]527void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]528 CheckerContext &C) const {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]529
530 if (!BT) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]531 BT.reset(new APIMisuse("message incorrectly sent to class instead of class "
532 "instance"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]533
534 ASTContext &Ctx = C.getASTContext();
535 releaseS = GetNullarySelector("release", Ctx);
536 retainS = GetNullarySelector("retain", Ctx);
537 autoreleaseS = GetNullarySelector("autorelease", Ctx);
538 drainS = GetNullarySelector("drain", Ctx);
539 }
540
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]541 if (msg.isInstanceMessage())
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]542 return;
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]543 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
544 assert(Class);
Douglas Gregor9a129192010-04-21 00:45:42 +0000[diff] [blame]545
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]546 Selector S = msg.getSelector();
Benjamin Kramer7d875c72009-11-20 10:03:00 +0000[diff] [blame]547 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]548 return;
549
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]550 if (ExplodedNode *N = C.addTransition()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]551 SmallString<200> buf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]552 llvm::raw_svector_ostream os(buf);
Ted Kremenekf5735152009-11-23 22:22:01 +0000[diff] [blame]553
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]554 os << "The '" << S.getAsString() << "' message should be sent to instances "
555 "of class '" << Class->getName()
556 << "' and not the class directly";
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]557
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]558 BugReport *report = new BugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]559 report->addRange(msg.getSourceRange());
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]560 C.emitReport(report);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]561 }
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]562}
563
564//===----------------------------------------------------------------------===//
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]565// Check for passing non-Objective-C types to variadic methods that expect
566// only Objective-C types.
567//===----------------------------------------------------------------------===//
568
569namespace {
570class VariadicMethodTypeChecker : public Checker<check::PreObjCMessage> {
571 mutable Selector arrayWithObjectsS;
572 mutable Selector dictionaryWithObjectsAndKeysS;
573 mutable Selector setWithObjectsS;
Jordy Rosec0230d72012-04-06 19:06:01 +0000[diff] [blame]574 mutable Selector orderedSetWithObjectsS;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]575 mutable Selector initWithObjectsS;
576 mutable Selector initWithObjectsAndKeysS;
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]577 mutable OwningPtr<BugType> BT;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]578
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]579 bool isVariadicMessage(const ObjCMethodCall &msg) const;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]580
581public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]582 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]583};
584}
585
586/// isVariadicMessage - Returns whether the given message is a variadic message,
587/// where all arguments must be Objective-C types.
588bool
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]589VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const {
590 const ObjCMethodDecl *MD = msg.getDecl();
Ted Kremenekced5fea2011-04-12 21:47:05 +0000[diff] [blame]591
592 if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext()))
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]593 return false;
594
595 Selector S = msg.getSelector();
596
597 if (msg.isInstanceMessage()) {
598 // FIXME: Ideally we'd look at the receiver interface here, but that's not
599 // useful for init, because alloc returns 'id'. In theory, this could lead
600 // to false positives, for example if there existed a class that had an
601 // initWithObjects: implementation that does accept non-Objective-C pointer
602 // types, but the chance of that happening is pretty small compared to the
603 // gains that this analysis gives.
604 const ObjCInterfaceDecl *Class = MD->getClassInterface();
605
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]606 switch (findKnownClass(Class)) {
607 case FC_NSArray:
608 case FC_NSOrderedSet:
609 case FC_NSSet:
610 return S == initWithObjectsS;
611 case FC_NSDictionary:
612 return S == initWithObjectsAndKeysS;
613 default:
614 return false;
615 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]616 } else {
617 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
618
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]619 switch (findKnownClass(Class)) {
620 case FC_NSArray:
621 return S == arrayWithObjectsS;
622 case FC_NSOrderedSet:
623 return S == orderedSetWithObjectsS;
624 case FC_NSSet:
625 return S == setWithObjectsS;
626 case FC_NSDictionary:
627 return S == dictionaryWithObjectsAndKeysS;
628 default:
629 return false;
630 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]631 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]632}
633
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]634void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]635 CheckerContext &C) const {
636 if (!BT) {
637 BT.reset(new APIMisuse("Arguments passed to variadic method aren't all "
638 "Objective-C pointer types"));
639
640 ASTContext &Ctx = C.getASTContext();
641 arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx);
642 dictionaryWithObjectsAndKeysS =
643 GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx);
644 setWithObjectsS = GetUnarySelector("setWithObjects", Ctx);
Jordy Rosec0230d72012-04-06 19:06:01 +0000[diff] [blame]645 orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx);
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]646
647 initWithObjectsS = GetUnarySelector("initWithObjects", Ctx);
648 initWithObjectsAndKeysS = GetUnarySelector("initWithObjectsAndKeys", Ctx);
649 }
650
651 if (!isVariadicMessage(msg))
652 return;
653
654 // We are not interested in the selector arguments since they have
655 // well-defined types, so the compiler will issue a warning for them.
656 unsigned variadicArgsBegin = msg.getSelector().getNumArgs();
657
658 // We're not interested in the last argument since it has to be nil or the
659 // compiler would have issued a warning for it elsewhere.
660 unsigned variadicArgsEnd = msg.getNumArgs() - 1;
661
662 if (variadicArgsEnd <= variadicArgsBegin)
663 return;
664
665 // Verify that all arguments have Objective-C types.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]666 Optional<ExplodedNode*> errorNode;
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]667 ProgramStateRef state = C.getState();
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]668
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]669 for (unsigned I = variadicArgsBegin; I != variadicArgsEnd; ++I) {
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]670 QualType ArgTy = msg.getArgExpr(I)->getType();
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]671 if (ArgTy->isObjCObjectPointerType())
672 continue;
673
Anders Carlssond1f65f62011-04-19 01:16:46 +0000[diff] [blame]674 // Block pointers are treaded as Objective-C pointers.
675 if (ArgTy->isBlockPointerType())
676 continue;
677
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]678 // Ignore pointer constants.
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]679 if (msg.getArgSVal(I).getAs<loc::ConcreteInt>())
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]680 continue;
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]681
Ted Kremenek70727342011-03-17 04:10:25 +0000[diff] [blame]682 // Ignore pointer types annotated with 'NSObject' attribute.
683 if (C.getASTContext().isObjCNSObjectType(ArgTy))
684 continue;
685
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]686 // Ignore CF references, which can be toll-free bridged.
Ted Kremenekc85964e2011-07-16 19:50:32 +0000[diff] [blame]687 if (coreFoundation::isCFObjectRef(ArgTy))
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]688 continue;
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]689
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]690 // Generate only one error node to use for all bug reports.
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]691 if (!errorNode.hasValue())
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]692 errorNode = C.addTransition();
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]693
694 if (!errorNode.getValue())
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]695 continue;
696
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]697 SmallString<128> sbuf;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]698 llvm::raw_svector_ostream os(sbuf);
699
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]700 StringRef TypeName = GetReceiverInterfaceName(msg);
701 if (!TypeName.empty())
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]702 os << "Argument to '" << TypeName << "' method '";
703 else
704 os << "Argument to method '";
705
706 os << msg.getSelector().getAsString()
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]707 << "' should be an Objective-C pointer type, not '";
708 ArgTy.print(os, C.getLangOpts());
709 os << "'";
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]710
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]711 BugReport *R = new BugReport(*BT, os.str(), errorNode.getValue());
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]712 R->addRange(msg.getArgSourceRange(I));
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]713 C.emitReport(R);
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]714 }
715}
716
717//===----------------------------------------------------------------------===//
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]718// Improves the modeling of loops over Cocoa collections.
719//===----------------------------------------------------------------------===//
720
721namespace {
722class ObjCLoopChecker
723 : public Checker<check::PostStmt<ObjCForCollectionStmt> > {
724
725public:
726 void checkPostStmt(const ObjCForCollectionStmt *FCS, CheckerContext &C) const;
727};
728}
729
730static bool isKnownNonNilCollectionType(QualType T) {
731 const ObjCObjectPointerType *PT = T->getAs<ObjCObjectPointerType>();
732 if (!PT)
733 return false;
734
735 const ObjCInterfaceDecl *ID = PT->getInterfaceDecl();
736 if (!ID)
737 return false;
738
739 switch (findKnownClass(ID)) {
740 case FC_NSArray:
741 case FC_NSDictionary:
742 case FC_NSEnumerator:
743 case FC_NSOrderedSet:
744 case FC_NSSet:
745 return true;
746 default:
747 return false;
748 }
749}
750
751void ObjCLoopChecker::checkPostStmt(const ObjCForCollectionStmt *FCS,
752 CheckerContext &C) const {
753 ProgramStateRef State = C.getState();
754
755 // Check if this is the branch for the end of the loop.
756 SVal CollectionSentinel = State->getSVal(FCS, C.getLocationContext());
757 if (CollectionSentinel.isZeroConstant())
758 return;
759
760 // See if the collection is one where we /know/ the elements are non-nil.
761 const Expr *Collection = FCS->getCollection();
762 if (!isKnownNonNilCollectionType(Collection->getType()))
763 return;
764
765 // FIXME: Copied from ExprEngineObjC.
766 const Stmt *Element = FCS->getElement();
767 SVal ElementVar;
768 if (const DeclStmt *DS = dyn_cast<DeclStmt>(Element)) {
769 const VarDecl *ElemDecl = cast<VarDecl>(DS->getSingleDecl());
770 assert(ElemDecl->getInit() == 0);
771 ElementVar = State->getLValue(ElemDecl, C.getLocationContext());
772 } else {
773 ElementVar = State->getSVal(Element, C.getLocationContext());
774 }
775
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]776 if (!ElementVar.getAs<Loc>())
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]777 return;
778
779 // Go ahead and assume the value is non-nil.
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]780 SVal Val = State->getSVal(ElementVar.castAs<Loc>());
781 State = State->assume(Val.castAs<DefinedOrUnknownSVal>(), true);
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]782 C.addTransition(State);
783}
784
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]785namespace {
786/// \class ObjCNonNilReturnValueChecker
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]787/// \brief The checker restricts the return values of APIs known to
788/// never (or almost never) return 'nil'.
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]789class ObjCNonNilReturnValueChecker
790 : public Checker<check::PostObjCMessage> {
791 mutable bool Initialized;
792 mutable Selector ObjectAtIndex;
793 mutable Selector ObjectAtIndexedSubscript;
Anna Zaks9159e162012-08-22 22:47:58 +0000[diff] [blame]794
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]795public:
Anna Zaks9159e162012-08-22 22:47:58 +0000[diff] [blame]796 ObjCNonNilReturnValueChecker() : Initialized(false) {}
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]797 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
798};
799}
800
Benjamin Kramer199f8da2012-09-10 11:57:16 +0000[diff] [blame]801static ProgramStateRef assumeExprIsNonNull(const Expr *NonNullExpr,
802 ProgramStateRef State,
803 CheckerContext &C) {
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]804 SVal Val = State->getSVal(NonNullExpr, C.getLocationContext());
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]805 if (Optional<DefinedOrUnknownSVal> DV = Val.getAs<DefinedOrUnknownSVal>())
Anna Zaks830c48e2012-08-30 22:55:32 +0000[diff] [blame]806 return State->assume(*DV, true);
Anna Zaksb504f442012-08-30 22:42:41 +0000[diff] [blame]807 return State;
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]808}
809
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]810void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M,
811 CheckerContext &C)
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]812 const {
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]813 ProgramStateRef State = C.getState();
814
815 if (!Initialized) {
816 ASTContext &Ctx = C.getASTContext();
817 ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx);
818 ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx);
819 }
820
821 // Check the receiver type.
822 if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) {
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]823
824 // Assume that object returned from '[self init]' or '[super init]' is not
825 // 'nil' if we are processing an inlined function/method.
826 //
827 // A defensive callee will (and should) check if the object returned by
828 // '[super init]' is 'nil' before doing it's own initialization. However,
829 // since 'nil' is rarely returned in practice, we should not warn when the
830 // caller to the defensive constructor uses the object in contexts where
831 // 'nil' is not accepted.
Anna Zaks49bb6502012-11-06 04:20:54 +0000[diff] [blame]832 if (!C.inTopFrame() && M.getDecl() &&
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]833 M.getDecl()->getMethodFamily() == OMF_init &&
834 M.isReceiverSelfOrSuper()) {
835 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
836 }
837
838 // Objects returned from
839 // [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript]
840 // are never 'nil'.
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]841 FoundationClass Cl = findKnownClass(Interface);
842 if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) {
843 Selector Sel = M.getSelector();
844 if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) {
845 // Go ahead and assume the value is non-nil.
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]846 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]847 }
848 }
849 }
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]850 C.addTransition(State);
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]851}
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]852
853//===----------------------------------------------------------------------===//
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]854// Check registration.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]855//===----------------------------------------------------------------------===//
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]856
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]857void ento::registerNilArgChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]858 mgr.registerChecker<NilArgChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]859}
860
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]861void ento::registerCFNumberCreateChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]862 mgr.registerChecker<CFNumberCreateChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]863}
864
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]865void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]866 mgr.registerChecker<CFRetainReleaseChecker>();
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]867}
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]868
869void ento::registerClassReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]870 mgr.registerChecker<ClassReleaseChecker>();
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]871}
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]872
873void ento::registerVariadicMethodTypeChecker(CheckerManager &mgr) {
874 mgr.registerChecker<VariadicMethodTypeChecker>();
875}
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]876
877void ento::registerObjCLoopChecker(CheckerManager &mgr) {
878 mgr.registerChecker<ObjCLoopChecker>();
879}
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]880
881void ento::registerObjCNonNilReturnValueChecker(CheckerManager &mgr) {
882 mgr.registerChecker<ObjCNonNilReturnValueChecker>();
883}