Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / dd058d8a50b95b12c65b28d56b2f16f86c562b1d / . / clang / lib / StaticAnalyzer / Checkers / BasicObjCFoundationChecks.cpp
blob: 2aad77020719a124dda70423b32c8df326c5de2c [file] [log] [blame]
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]1//== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines BasicObjCFoundationChecks, a class that encapsulates
11// a set of simple checks to run on Objective-C code using Apple's Foundation
12// classes.
13//
14//===----------------------------------------------------------------------===//
15
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]16#include "BasicObjCFoundationChecks.h"
17
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]18#include "ClangSACheckers.h"
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]19#include "clang/StaticAnalyzer/Core/CheckerV2.h"
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]20#include "clang/StaticAnalyzer/Core/CheckerManager.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]21#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerVisitor.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/GRState.h"
25#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerVisitor.h"
Ted Kremenekd99bd552010-12-23 19:38:26 +0000[diff] [blame]28#include "clang/StaticAnalyzer/Checkers/LocalCheckers.h"
Daniel Dunbar6e8aa532008-08-11 05:35:13 +0000[diff] [blame]29#include "clang/AST/DeclObjC.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]30#include "clang/AST/Expr.h"
Steve Naroff021ca182008-05-29 21:12:08 +0000[diff] [blame]31#include "clang/AST/ExprObjC.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]32#include "clang/AST/ASTContext.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]33
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]34using namespace clang;
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]35using namespace ento;
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]36
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]37namespace {
38class APIMisuse : public BugType {
39public:
40 APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {}
41};
42} // end anonymous namespace
43
44//===----------------------------------------------------------------------===//
45// Utility functions.
46//===----------------------------------------------------------------------===//
47
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]48static const ObjCInterfaceType* GetReceiverType(const ObjCMessage &msg) {
49 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
Argyrios Kyrtzidis8e169a52011-01-25 00:03:45 +0000[diff] [blame]50 return ID->getTypeForDecl()->getAs<ObjCInterfaceType>();
Ted Kremenekf20e2282008-04-30 22:48:21 +0000[diff] [blame]51 return NULL;
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]52}
53
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]54static const char* GetReceiverNameType(const ObjCMessage &msg) {
55 if (const ObjCInterfaceType *ReceiverType = GetReceiverType(msg))
Daniel Dunbar2c422dc92009-10-18 20:26:12 +0000[diff] [blame]56 return ReceiverType->getDecl()->getIdentifier()->getNameStart();
57 return NULL;
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]58}
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]59
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]60static bool isNSString(llvm::StringRef ClassName) {
61 return ClassName == "NSString" || ClassName == "NSMutableString";
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]62}
63
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]64static inline bool isNil(SVal X) {
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]65 return isa<loc::ConcreteInt>(X);
Ted Kremenek27156c82008-03-27 21:15:17 +0000[diff] [blame]66}
67
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]68//===----------------------------------------------------------------------===//
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]69// NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]70//===----------------------------------------------------------------------===//
71
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]72namespace {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]73 class NilArgChecker : public CheckerV2<check::PreObjCMessage> {
74 mutable llvm::OwningPtr<APIMisuse> BT;
75
76 void WarnNilArg(CheckerContext &C,
77 const ObjCMessage &msg, unsigned Arg) const;
78
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]79 public:
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]80 void checkPreObjCMessage(ObjCMessage msg, CheckerContext &C) const;
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]81 };
82}
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]83
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]84void NilArgChecker::WarnNilArg(CheckerContext &C,
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]85 const ObjCMessage &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]86 unsigned int Arg) const
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]87{
88 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]89 BT.reset(new APIMisuse("nil argument"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]90
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]91 if (ExplodedNode *N = C.generateSink()) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]92 llvm::SmallString<128> sbuf;
93 llvm::raw_svector_ostream os(sbuf);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]94 os << "Argument to '" << GetReceiverNameType(msg) << "' method '"
95 << msg.getSelector().getAsString() << "' cannot be nil";
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]96
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]97 RangedBugReport *R = new RangedBugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]98 R->addRange(msg.getArgSourceRange(Arg));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]99 C.EmitReport(R);
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]100 }
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]101}
102
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]103void NilArgChecker::checkPreObjCMessage(ObjCMessage msg,
104 CheckerContext &C) const {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]105 const ObjCInterfaceType *ReceiverType = GetReceiverType(msg);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]106 if (!ReceiverType)
107 return;
108
109 if (isNSString(ReceiverType->getDecl()->getIdentifier()->getName())) {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]110 Selector S = msg.getSelector();
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]111
112 if (S.isUnarySelector())
113 return;
114
115 // FIXME: This is going to be really slow doing these checks with
116 // lexical comparisons.
117
118 std::string NameStr = S.getAsString();
119 llvm::StringRef Name(NameStr);
120 assert(!Name.empty());
121
122 // FIXME: Checking for initWithFormat: will not work in most cases
123 // yet because [NSString alloc] returns id, not NSString*. We will
124 // need support for tracking expected-type information in the analyzer
125 // to find these errors.
126 if (Name == "caseInsensitiveCompare:" ||
127 Name == "compare:" ||
128 Name == "compare:options:" ||
129 Name == "compare:options:range:" ||
130 Name == "compare:options:range:locale:" ||
131 Name == "componentsSeparatedByCharactersInSet:" ||
132 Name == "initWithFormat:") {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]133 if (isNil(msg.getArgSVal(0, C.getState())))
134 WarnNilArg(C, msg, 0);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]135 }
136 }
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]137}
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]138
139//===----------------------------------------------------------------------===//
140// Error reporting.
141//===----------------------------------------------------------------------===//
142
143namespace {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]144class CFNumberCreateChecker : public CheckerV2< check::PreStmt<CallExpr> > {
145 mutable llvm::OwningPtr<APIMisuse> BT;
146 mutable IdentifierInfo* II;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]147public:
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]148 CFNumberCreateChecker() : II(0) {}
149
150 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
151
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]152private:
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]153 void EmitError(const TypedRegion* R, const Expr* Ex,
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]154 uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]155};
156} // end anonymous namespace
157
158enum CFNumberType {
159 kCFNumberSInt8Type = 1,
160 kCFNumberSInt16Type = 2,
161 kCFNumberSInt32Type = 3,
162 kCFNumberSInt64Type = 4,
163 kCFNumberFloat32Type = 5,
164 kCFNumberFloat64Type = 6,
165 kCFNumberCharType = 7,
166 kCFNumberShortType = 8,
167 kCFNumberIntType = 9,
168 kCFNumberLongType = 10,
169 kCFNumberLongLongType = 11,
170 kCFNumberFloatType = 12,
171 kCFNumberDoubleType = 13,
172 kCFNumberCFIndexType = 14,
173 kCFNumberNSIntegerType = 15,
174 kCFNumberCGFloatType = 16
175};
176
177namespace {
178 template<typename T>
179 class Optional {
180 bool IsKnown;
181 T Val;
182 public:
183 Optional() : IsKnown(false), Val(0) {}
184 Optional(const T& val) : IsKnown(true), Val(val) {}
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]185
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]186 bool isKnown() const { return IsKnown; }
187
188 const T& getValue() const {
189 assert (isKnown());
190 return Val;
191 }
192
193 operator const T&() const {
194 return getValue();
195 }
196 };
197}
198
199static Optional<uint64_t> GetCFNumberSize(ASTContext& Ctx, uint64_t i) {
Nuno Lopescfca1f02009-12-23 17:49:57 +0000[diff] [blame]200 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]201
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]202 if (i < kCFNumberCharType)
203 return FixedSize[i-1];
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]204
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]205 QualType T;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]206
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]207 switch (i) {
208 case kCFNumberCharType: T = Ctx.CharTy; break;
209 case kCFNumberShortType: T = Ctx.ShortTy; break;
210 case kCFNumberIntType: T = Ctx.IntTy; break;
211 case kCFNumberLongType: T = Ctx.LongTy; break;
212 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
213 case kCFNumberFloatType: T = Ctx.FloatTy; break;
214 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
215 case kCFNumberCFIndexType:
216 case kCFNumberNSIntegerType:
217 case kCFNumberCGFloatType:
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]218 // FIXME: We need a way to map from names to Type*.
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]219 default:
220 return Optional<uint64_t>();
221 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]222
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]223 return Ctx.getTypeSize(T);
224}
225
226#if 0
227static const char* GetCFNumberTypeStr(uint64_t i) {
228 static const char* Names[] = {
229 "kCFNumberSInt8Type",
230 "kCFNumberSInt16Type",
231 "kCFNumberSInt32Type",
232 "kCFNumberSInt64Type",
233 "kCFNumberFloat32Type",
234 "kCFNumberFloat64Type",
235 "kCFNumberCharType",
236 "kCFNumberShortType",
237 "kCFNumberIntType",
238 "kCFNumberLongType",
239 "kCFNumberLongLongType",
240 "kCFNumberFloatType",
241 "kCFNumberDoubleType",
242 "kCFNumberCFIndexType",
243 "kCFNumberNSIntegerType",
244 "kCFNumberCGFloatType"
245 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]246
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]247 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
248}
249#endif
250
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]251void CFNumberCreateChecker::checkPreStmt(const CallExpr *CE,
252 CheckerContext &C) const {
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]253 const Expr* Callee = CE->getCallee();
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]254 const GRState *state = C.getState();
255 SVal CallV = state->getSVal(Callee);
Zhongxing Xuac129432009-04-20 05:24:46 +0000[diff] [blame]256 const FunctionDecl* FD = CallV.getAsFunctionDecl();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]257
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]258 if (!FD)
259 return;
260
261 ASTContext &Ctx = C.getASTContext();
262 if (!II)
263 II = &Ctx.Idents.get("CFNumberCreate");
264
265 if (FD->getIdentifier() != II || CE->getNumArgs() != 3)
266 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]267
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]268 // Get the value of the "theType" argument.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]269 SVal TheTypeVal = state->getSVal(CE->getArg(1));
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]270
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]271 // FIXME: We really should allow ranges of valid theType values, and
272 // bifurcate the state appropriately.
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]273 nonloc::ConcreteInt* V = dyn_cast<nonloc::ConcreteInt>(&TheTypeVal);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]274 if (!V)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]275 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]276
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]277 uint64_t NumberKind = V->getValue().getLimitedValue();
278 Optional<uint64_t> TargetSize = GetCFNumberSize(Ctx, NumberKind);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]279
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]280 // FIXME: In some cases we can emit an error.
281 if (!TargetSize.isKnown())
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]282 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]283
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]284 // Look at the value of the integer being passed by reference. Essentially
285 // we want to catch cases where the value passed in is not equal to the
286 // size of the type being created.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]287 SVal TheValueExpr = state->getSVal(CE->getArg(2));
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]288
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]289 // FIXME: Eventually we should handle arbitrary locations. We can do this
290 // by having an enhanced memory model that does low-level typing.
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]291 loc::MemRegionVal* LV = dyn_cast<loc::MemRegionVal>(&TheValueExpr);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]292 if (!LV)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]293 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]294
Zhanyong Wan85a203e2011-02-16 21:13:32 +0000[diff] [blame]295 const TypedRegion* R = dyn_cast<TypedRegion>(LV->stripCasts());
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]296 if (!R)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]297 return;
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]298
Zhongxing Xu8de0a3d2010-08-11 06:10:55 +0000[diff] [blame]299 QualType T = Ctx.getCanonicalType(R->getValueType());
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]300
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]301 // FIXME: If the pointee isn't an integer type, should we flag a warning?
302 // People can do weird stuff with pointers.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]303
304 if (!T->isIntegerType())
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]305 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]306
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]307 uint64_t SourceSize = Ctx.getTypeSize(T);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]308
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]309 // CHECK: is SourceSize == TargetSize
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]310 if (SourceSize == TargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]311 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]312
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]313 // Generate an error. Only generate a sink if 'SourceSize < TargetSize';
314 // otherwise generate a regular node.
315 //
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]316 // FIXME: We can actually create an abstract "CFNumber" object that has
317 // the bits initialized to the provided values.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]318 //
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]319 if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
320 : C.generateNode()) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]321 llvm::SmallString<128> sbuf;
322 llvm::raw_svector_ostream os(sbuf);
323
324 os << (SourceSize == 8 ? "An " : "A ")
325 << SourceSize << " bit integer is used to initialize a CFNumber "
326 "object that represents "
327 << (TargetSize == 8 ? "an " : "a ")
328 << TargetSize << " bit integer. ";
329
330 if (SourceSize < TargetSize)
331 os << (TargetSize - SourceSize)
332 << " bits of the CFNumber value will be garbage." ;
333 else
334 os << (SourceSize - TargetSize)
335 << " bits of the input integer will be lost.";
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]336
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]337 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]338 BT.reset(new APIMisuse("Bad use of CFNumberCreate"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]339
340 RangedBugReport *report = new RangedBugReport(*BT, os.str(), N);
341 report->addRange(CE->getArg(2)->getSourceRange());
342 C.EmitReport(report);
343 }
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]344}
345
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]346//===----------------------------------------------------------------------===//
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]347// CFRetain/CFRelease checking for null arguments.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]348//===----------------------------------------------------------------------===//
349
350namespace {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]351class CFRetainReleaseChecker : public CheckerV2< check::PreStmt<CallExpr> > {
352 mutable llvm::OwningPtr<APIMisuse> BT;
353 mutable IdentifierInfo *Retain, *Release;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]354public:
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]355 CFRetainReleaseChecker(): Retain(0), Release(0) {}
356 void checkPreStmt(const CallExpr* CE, CheckerContext& C) const;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]357};
358} // end anonymous namespace
359
360
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]361void CFRetainReleaseChecker::checkPreStmt(const CallExpr* CE,
362 CheckerContext& C) const {
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]363 // If the CallExpr doesn't have exactly 1 argument just give up checking.
364 if (CE->getNumArgs() != 1)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]365 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]366
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]367 // Get the function declaration of the callee.
368 const GRState* state = C.getState();
Ted Kremenek57f09892010-02-08 16:18:51 +0000[diff] [blame]369 SVal X = state->getSVal(CE->getCallee());
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]370 const FunctionDecl* FD = X.getAsFunctionDecl();
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]371
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]372 if (!FD)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]373 return;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]374
375 if (!BT) {
376 ASTContext &Ctx = C.getASTContext();
377 Retain = &Ctx.Idents.get("CFRetain");
378 Release = &Ctx.Idents.get("CFRelease");
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]379 BT.reset(new APIMisuse("null passed to CFRetain/CFRelease"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]380 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]381
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]382 // Check if we called CFRetain/CFRelease.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]383 const IdentifierInfo *FuncII = FD->getIdentifier();
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]384 if (!(FuncII == Retain || FuncII == Release))
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]385 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]386
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]387 // FIXME: The rest of this just checks that the argument is non-null.
388 // It should probably be refactored and combined with AttrNonNullChecker.
389
390 // Get the argument's value.
391 const Expr *Arg = CE->getArg(0);
392 SVal ArgVal = state->getSVal(Arg);
393 DefinedSVal *DefArgVal = dyn_cast<DefinedSVal>(&ArgVal);
394 if (!DefArgVal)
395 return;
396
397 // Get a NULL value.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]398 SValBuilder &svalBuilder = C.getSValBuilder();
399 DefinedSVal zero = cast<DefinedSVal>(svalBuilder.makeZeroVal(Arg->getType()));
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]400
401 // Make an expression asserting that they're equal.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]402 DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]403
404 // Are they equal?
405 const GRState *stateTrue, *stateFalse;
Ted Kremenekc5bea1e2010-12-01 22:16:56 +0000[diff] [blame]406 llvm::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]407
408 if (stateTrue && !stateFalse) {
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]409 ExplodedNode *N = C.generateSink(stateTrue);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]410 if (!N)
411 return;
412
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]413 const char *description = (FuncII == Retain)
414 ? "Null pointer argument in call to CFRetain"
415 : "Null pointer argument in call to CFRelease";
416
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]417 EnhancedBugReport *report = new EnhancedBugReport(*BT, description, N);
418 report->addRange(Arg->getSourceRange());
419 report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Arg);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]420 C.EmitReport(report);
421 return;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]422 }
423
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]424 // From here on, we know the argument is non-null.
425 C.addTransition(stateFalse);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]426}
427
428//===----------------------------------------------------------------------===//
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]429// Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
430//===----------------------------------------------------------------------===//
431
432namespace {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]433class ClassReleaseChecker : public CheckerV2<check::PreObjCMessage> {
434 mutable Selector releaseS;
435 mutable Selector retainS;
436 mutable Selector autoreleaseS;
437 mutable Selector drainS;
438 mutable llvm::OwningPtr<BugType> BT;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]439
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]440public:
441 void checkPreObjCMessage(ObjCMessage msg, CheckerContext &C) const;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]442};
443}
444
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]445void ClassReleaseChecker::checkPreObjCMessage(ObjCMessage msg,
446 CheckerContext &C) const {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]447
448 if (!BT) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]449 BT.reset(new APIMisuse("message incorrectly sent to class instead of class "
450 "instance"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]451
452 ASTContext &Ctx = C.getASTContext();
453 releaseS = GetNullarySelector("release", Ctx);
454 retainS = GetNullarySelector("retain", Ctx);
455 autoreleaseS = GetNullarySelector("autorelease", Ctx);
456 drainS = GetNullarySelector("drain", Ctx);
457 }
458
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]459 if (msg.isInstanceMessage())
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]460 return;
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]461 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
462 assert(Class);
Douglas Gregor9a129192010-04-21 00:45:42 +0000[diff] [blame]463
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]464 Selector S = msg.getSelector();
Benjamin Kramer7d875c72009-11-20 10:03:00 +0000[diff] [blame]465 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]466 return;
467
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]468 if (ExplodedNode *N = C.generateNode()) {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]469 llvm::SmallString<200> buf;
470 llvm::raw_svector_ostream os(buf);
Ted Kremenekf5735152009-11-23 22:22:01 +0000[diff] [blame]471
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]472 os << "The '" << S.getAsString() << "' message should be sent to instances "
473 "of class '" << Class->getName()
474 << "' and not the class directly";
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]475
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]476 RangedBugReport *report = new RangedBugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]477 report->addRange(msg.getSourceRange());
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]478 C.EmitReport(report);
479 }
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]480}
481
482//===----------------------------------------------------------------------===//
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]483// Check registration.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]484//===----------------------------------------------------------------------===//
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]485
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]486void ento::registerNilArgChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]487 mgr.registerChecker<NilArgChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]488}
489
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]490void ento::registerCFNumberCreateChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]491 mgr.registerChecker<CFNumberCreateChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]492}
493
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]494void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]495 mgr.registerChecker<CFRetainReleaseChecker>();
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]496}
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]497
498void ento::registerClassReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame^]499 mgr.registerChecker<ClassReleaseChecker>();
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]500}