Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / ef893399868c99b2edac6831d957d74d0d3a782c / . / clang / lib / StaticAnalyzer / Checkers / BasicObjCFoundationChecks.cpp
blob: fdb6bbbe52268eeeadb6a9bc6a41d802357e8174 [file] [log] [blame]
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]1//== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines BasicObjCFoundationChecks, a class that encapsulates
11// a set of simple checks to run on Objective-C code using Apple's Foundation
12// classes.
13//
14//===----------------------------------------------------------------------===//
15
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]16#include "ClangSACheckers.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]17#include "clang/AST/ASTContext.h"
18#include "clang/AST/DeclObjC.h"
19#include "clang/AST/Expr.h"
20#include "clang/AST/ExprObjC.h"
21#include "clang/AST/StmtObjC.h"
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]22#include "clang/Analysis/DomainSpecific/CocoaConventions.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]23#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]24#include "clang/StaticAnalyzer/Core/Checker.h"
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]25#include "clang/StaticAnalyzer/Core/CheckerManager.h"
Jordan Rose4f7df9b2012-07-26 21:39:41 +0000[diff] [blame]26#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
Argyrios Kyrtzidisdff865d2011-02-23 01:05:36 +0000[diff] [blame]27#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]28#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]29#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]30#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]31#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
Benjamin Kramer49038022012-02-04 13:45:25 +0000[diff] [blame]32#include "llvm/ADT/SmallString.h"
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]33#include "llvm/ADT/StringMap.h"
Benjamin Kramer444a1302012-12-01 17:12:56 +0000[diff] [blame]34#include "llvm/Support/raw_ostream.h"
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]35
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]36using namespace clang;
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]37using namespace ento;
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]38
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]39namespace {
40class APIMisuse : public BugType {
41public:
42 APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {}
43};
44} // end anonymous namespace
45
46//===----------------------------------------------------------------------===//
47// Utility functions.
48//===----------------------------------------------------------------------===//
49
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]50static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) {
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]51 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]52 return ID->getIdentifier()->getName();
53 return StringRef();
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]54}
Ted Kremeneka4d60b62008-03-27 17:17:22 +0000[diff] [blame]55
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]56enum FoundationClass {
57 FC_None,
58 FC_NSArray,
59 FC_NSDictionary,
60 FC_NSEnumerator,
61 FC_NSOrderedSet,
62 FC_NSSet,
63 FC_NSString
64};
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]65
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]66static FoundationClass findKnownClass(const ObjCInterfaceDecl *ID) {
67 static llvm::StringMap<FoundationClass> Classes;
68 if (Classes.empty()) {
69 Classes["NSArray"] = FC_NSArray;
70 Classes["NSDictionary"] = FC_NSDictionary;
71 Classes["NSEnumerator"] = FC_NSEnumerator;
72 Classes["NSOrderedSet"] = FC_NSOrderedSet;
73 Classes["NSSet"] = FC_NSSet;
74 Classes["NSString"] = FC_NSString;
75 }
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]76
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]77 // FIXME: Should we cache this at all?
78 FoundationClass result = Classes.lookup(ID->getIdentifier()->getName());
79 if (result == FC_None)
80 if (const ObjCInterfaceDecl *Super = ID->getSuperClass())
81 return findKnownClass(Super);
82
83 return result;
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]84}
85
Zhongxing Xu27f17422008-10-17 05:57:07 +0000[diff] [blame]86static inline bool isNil(SVal X) {
David Blaikie3a3c4e02013-02-21 06:05:05 +0000[diff] [blame]87 return X.getAs<loc::ConcreteInt>().hasValue();
Ted Kremenek27156c82008-03-27 21:15:17 +0000[diff] [blame]88}
89
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]90//===----------------------------------------------------------------------===//
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]91// NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]92//===----------------------------------------------------------------------===//
93
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]94namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]95 class NilArgChecker : public Checker<check::PreObjCMessage> {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]96 mutable OwningPtr<APIMisuse> BT;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]97
98 void WarnNilArg(CheckerContext &C,
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]99 const ObjCMethodCall &msg, unsigned Arg) const;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]100
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]101 public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]102 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
Benjamin Kramer2fc373e2010-10-22 16:33:16 +0000[diff] [blame]103 };
104}
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]105
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]106void NilArgChecker::WarnNilArg(CheckerContext &C,
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]107 const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]108 unsigned int Arg) const
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]109{
110 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]111 BT.reset(new APIMisuse("nil argument"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]112
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]113 if (ExplodedNode *N = C.generateSink()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]114 SmallString<128> sbuf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]115 llvm::raw_svector_ostream os(sbuf);
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]116 os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '"
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]117 << msg.getSelector().getAsString() << "' cannot be nil";
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]118
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]119 BugReport *R = new BugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]120 R->addRange(msg.getArgSourceRange(Arg));
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]121 C.emitReport(R);
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]122 }
Ted Kremenek276278e2008-03-27 22:05:32 +0000[diff] [blame]123}
124
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]125void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]126 CheckerContext &C) const {
Anders Carlsson3c50aea2011-03-08 20:05:26 +0000[diff] [blame]127 const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
128 if (!ID)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]129 return;
130
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]131 if (findKnownClass(ID) == FC_NSString) {
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]132 Selector S = msg.getSelector();
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]133
134 if (S.isUnarySelector())
135 return;
136
137 // FIXME: This is going to be really slow doing these checks with
138 // lexical comparisons.
139
140 std::string NameStr = S.getAsString();
Chris Lattner0e62c1c2011-07-23 10:55:15 +0000[diff] [blame]141 StringRef Name(NameStr);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]142 assert(!Name.empty());
143
144 // FIXME: Checking for initWithFormat: will not work in most cases
145 // yet because [NSString alloc] returns id, not NSString*. We will
146 // need support for tracking expected-type information in the analyzer
147 // to find these errors.
148 if (Name == "caseInsensitiveCompare:" ||
149 Name == "compare:" ||
150 Name == "compare:options:" ||
151 Name == "compare:options:range:" ||
152 Name == "compare:options:range:locale:" ||
153 Name == "componentsSeparatedByCharactersInSet:" ||
154 Name == "initWithFormat:") {
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]155 if (isNil(msg.getArgSVal(0)))
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]156 WarnNilArg(C, msg, 0);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]157 }
158 }
Ted Kremenekc0414922008-03-27 07:25:52 +0000[diff] [blame]159}
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]160
161//===----------------------------------------------------------------------===//
162// Error reporting.
163//===----------------------------------------------------------------------===//
164
165namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]166class CFNumberCreateChecker : public Checker< check::PreStmt<CallExpr> > {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]167 mutable OwningPtr<APIMisuse> BT;
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]168 mutable IdentifierInfo* II;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]169public:
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]170 CFNumberCreateChecker() : II(0) {}
171
172 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
173
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]174private:
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]175 void EmitError(const TypedRegion* R, const Expr *Ex,
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]176 uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]177};
178} // end anonymous namespace
179
180enum CFNumberType {
181 kCFNumberSInt8Type = 1,
182 kCFNumberSInt16Type = 2,
183 kCFNumberSInt32Type = 3,
184 kCFNumberSInt64Type = 4,
185 kCFNumberFloat32Type = 5,
186 kCFNumberFloat64Type = 6,
187 kCFNumberCharType = 7,
188 kCFNumberShortType = 8,
189 kCFNumberIntType = 9,
190 kCFNumberLongType = 10,
191 kCFNumberLongLongType = 11,
192 kCFNumberFloatType = 12,
193 kCFNumberDoubleType = 13,
194 kCFNumberCFIndexType = 14,
195 kCFNumberNSIntegerType = 15,
196 kCFNumberCGFloatType = 16
197};
198
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]199static Optional<uint64_t> GetCFNumberSize(ASTContext &Ctx, uint64_t i) {
Nuno Lopescfca1f02009-12-23 17:49:57 +0000[diff] [blame]200 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]201
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]202 if (i < kCFNumberCharType)
203 return FixedSize[i-1];
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]204
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]205 QualType T;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]206
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]207 switch (i) {
208 case kCFNumberCharType: T = Ctx.CharTy; break;
209 case kCFNumberShortType: T = Ctx.ShortTy; break;
210 case kCFNumberIntType: T = Ctx.IntTy; break;
211 case kCFNumberLongType: T = Ctx.LongTy; break;
212 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
213 case kCFNumberFloatType: T = Ctx.FloatTy; break;
214 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
215 case kCFNumberCFIndexType:
216 case kCFNumberNSIntegerType:
217 case kCFNumberCGFloatType:
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]218 // FIXME: We need a way to map from names to Type*.
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]219 default:
David Blaikie7a30dc52013-02-21 01:47:18 +0000[diff] [blame]220 return None;
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]221 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]222
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]223 return Ctx.getTypeSize(T);
224}
225
226#if 0
227static const char* GetCFNumberTypeStr(uint64_t i) {
228 static const char* Names[] = {
229 "kCFNumberSInt8Type",
230 "kCFNumberSInt16Type",
231 "kCFNumberSInt32Type",
232 "kCFNumberSInt64Type",
233 "kCFNumberFloat32Type",
234 "kCFNumberFloat64Type",
235 "kCFNumberCharType",
236 "kCFNumberShortType",
237 "kCFNumberIntType",
238 "kCFNumberLongType",
239 "kCFNumberLongLongType",
240 "kCFNumberFloatType",
241 "kCFNumberDoubleType",
242 "kCFNumberCFIndexType",
243 "kCFNumberNSIntegerType",
244 "kCFNumberCGFloatType"
245 };
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]246
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]247 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
248}
249#endif
250
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]251void CFNumberCreateChecker::checkPreStmt(const CallExpr *CE,
252 CheckerContext &C) const {
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]253 ProgramStateRef state = C.getState();
Anna Zaksc6aa5312011-12-01 05:57:37 +0000[diff] [blame]254 const FunctionDecl *FD = C.getCalleeDecl(CE);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]255 if (!FD)
256 return;
257
258 ASTContext &Ctx = C.getASTContext();
259 if (!II)
260 II = &Ctx.Idents.get("CFNumberCreate");
261
262 if (FD->getIdentifier() != II || CE->getNumArgs() != 3)
263 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]264
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]265 // Get the value of the "theType" argument.
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]266 const LocationContext *LCtx = C.getLocationContext();
267 SVal TheTypeVal = state->getSVal(CE->getArg(1), LCtx);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]268
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]269 // FIXME: We really should allow ranges of valid theType values, and
270 // bifurcate the state appropriately.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]271 Optional<nonloc::ConcreteInt> V = TheTypeVal.getAs<nonloc::ConcreteInt>();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]272 if (!V)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]273 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]274
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]275 uint64_t NumberKind = V->getValue().getLimitedValue();
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]276 Optional<uint64_t> OptTargetSize = GetCFNumberSize(Ctx, NumberKind);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]277
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]278 // FIXME: In some cases we can emit an error.
David Blaikiee359f3c2013-02-20 22:23:03 +0000[diff] [blame]279 if (!OptTargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]280 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]281
David Blaikiee359f3c2013-02-20 22:23:03 +0000[diff] [blame]282 uint64_t TargetSize = *OptTargetSize;
283
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]284 // Look at the value of the integer being passed by reference. Essentially
285 // we want to catch cases where the value passed in is not equal to the
286 // size of the type being created.
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]287 SVal TheValueExpr = state->getSVal(CE->getArg(2), LCtx);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]288
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]289 // FIXME: Eventually we should handle arbitrary locations. We can do this
290 // by having an enhanced memory model that does low-level typing.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]291 Optional<loc::MemRegionVal> LV = TheValueExpr.getAs<loc::MemRegionVal>();
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]292 if (!LV)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]293 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]294
Ted Kremenek8df44b262011-08-12 20:02:48 +0000[diff] [blame]295 const TypedValueRegion* R = dyn_cast<TypedValueRegion>(LV->stripCasts());
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]296 if (!R)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]297 return;
Ted Kremenek87a7a452009-07-29 18:17:40 +0000[diff] [blame]298
Zhongxing Xu8de0a3d2010-08-11 06:10:55 +0000[diff] [blame]299 QualType T = Ctx.getCanonicalType(R->getValueType());
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]300
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]301 // FIXME: If the pointee isn't an integer type, should we flag a warning?
302 // People can do weird stuff with pointers.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]303
304 if (!T->isIntegerType())
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]305 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]306
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]307 uint64_t SourceSize = Ctx.getTypeSize(T);
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]308
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]309 // CHECK: is SourceSize == TargetSize
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]310 if (SourceSize == TargetSize)
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]311 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]312
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]313 // Generate an error. Only generate a sink if 'SourceSize < TargetSize';
314 // otherwise generate a regular node.
315 //
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]316 // FIXME: We can actually create an abstract "CFNumber" object that has
317 // the bits initialized to the provided values.
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]318 //
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]319 if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]320 : C.addTransition()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]321 SmallString<128> sbuf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]322 llvm::raw_svector_ostream os(sbuf);
323
324 os << (SourceSize == 8 ? "An " : "A ")
325 << SourceSize << " bit integer is used to initialize a CFNumber "
326 "object that represents "
327 << (TargetSize == 8 ? "an " : "a ")
328 << TargetSize << " bit integer. ";
329
330 if (SourceSize < TargetSize)
331 os << (TargetSize - SourceSize)
332 << " bits of the CFNumber value will be garbage." ;
333 else
334 os << (SourceSize - TargetSize)
335 << " bits of the input integer will be lost.";
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]336
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]337 if (!BT)
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]338 BT.reset(new APIMisuse("Bad use of CFNumberCreate"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]339
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]340 BugReport *report = new BugReport(*BT, os.str(), N);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]341 report->addRange(CE->getArg(2)->getSourceRange());
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]342 C.emitReport(report);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]343 }
Ted Kremenekcf1ab192008-06-26 23:59:48 +0000[diff] [blame]344}
345
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]346//===----------------------------------------------------------------------===//
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]347// CFRetain/CFRelease/CFMakeCollectable checking for null arguments.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]348//===----------------------------------------------------------------------===//
349
350namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]351class CFRetainReleaseChecker : public Checker< check::PreStmt<CallExpr> > {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]352 mutable OwningPtr<APIMisuse> BT;
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]353 mutable IdentifierInfo *Retain, *Release, *MakeCollectable;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]354public:
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]355 CFRetainReleaseChecker(): Retain(0), Release(0), MakeCollectable(0) {}
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]356 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]357};
358} // end anonymous namespace
359
360
Ted Kremenek5ef32db2011-08-12 23:37:29 +0000[diff] [blame]361void CFRetainReleaseChecker::checkPreStmt(const CallExpr *CE,
362 CheckerContext &C) const {
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]363 // If the CallExpr doesn't have exactly 1 argument just give up checking.
364 if (CE->getNumArgs() != 1)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]365 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]366
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]367 ProgramStateRef state = C.getState();
Anna Zaksc6aa5312011-12-01 05:57:37 +0000[diff] [blame]368 const FunctionDecl *FD = C.getCalleeDecl(CE);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]369 if (!FD)
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]370 return;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]371
372 if (!BT) {
373 ASTContext &Ctx = C.getASTContext();
374 Retain = &Ctx.Idents.get("CFRetain");
375 Release = &Ctx.Idents.get("CFRelease");
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]376 MakeCollectable = &Ctx.Idents.get("CFMakeCollectable");
377 BT.reset(
378 new APIMisuse("null passed to CFRetain/CFRelease/CFMakeCollectable"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]379 }
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]380
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]381 // Check if we called CFRetain/CFRelease/CFMakeCollectable.
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]382 const IdentifierInfo *FuncII = FD->getIdentifier();
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]383 if (!(FuncII == Retain || FuncII == Release || FuncII == MakeCollectable))
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]384 return;
Mike Stump11289f42009-09-09 15:08:12 +0000[diff] [blame]385
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]386 // FIXME: The rest of this just checks that the argument is non-null.
Anna Zaksef893392013-03-09 03:23:14 +0000[diff] [blame^]387 // It should probably be refactored and combined with NonNullParamChecker.
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]388
389 // Get the argument's value.
390 const Expr *Arg = CE->getArg(0);
Ted Kremenek632e3b72012-01-06 22:09:28 +0000[diff] [blame]391 SVal ArgVal = state->getSVal(Arg, C.getLocationContext());
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]392 Optional<DefinedSVal> DefArgVal = ArgVal.getAs<DefinedSVal>();
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]393 if (!DefArgVal)
394 return;
395
396 // Get a NULL value.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]397 SValBuilder &svalBuilder = C.getSValBuilder();
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]398 DefinedSVal zero =
399 svalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]400
401 // Make an expression asserting that they're equal.
Ted Kremenek90af9092010-12-02 07:49:45 +0000[diff] [blame]402 DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]403
404 // Are they equal?
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]405 ProgramStateRef stateTrue, stateFalse;
Ted Kremenekc5bea1e2010-12-01 22:16:56 +0000[diff] [blame]406 llvm::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]407
408 if (stateTrue && !stateFalse) {
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]409 ExplodedNode *N = C.generateSink(stateTrue);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]410 if (!N)
411 return;
412
Jordan Rose721567a2012-11-07 17:12:37 +0000[diff] [blame]413 const char *description;
414 if (FuncII == Retain)
415 description = "Null pointer argument in call to CFRetain";
416 else if (FuncII == Release)
417 description = "Null pointer argument in call to CFRelease";
418 else if (FuncII == MakeCollectable)
419 description = "Null pointer argument in call to CFMakeCollectable";
420 else
421 llvm_unreachable("impossible case");
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]422
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]423 BugReport *report = new BugReport(*BT, description, N);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]424 report->addRange(Arg->getSourceRange());
Jordan Rosea0f7d352012-08-28 00:50:51 +0000[diff] [blame]425 bugreporter::trackNullOrUndefValue(N, Arg, *report);
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]426 C.emitReport(report);
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]427 return;
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]428 }
429
Jordy Rose40c5c242010-07-06 02:34:42 +0000[diff] [blame]430 // From here on, we know the argument is non-null.
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]431 C.addTransition(stateFalse);
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]432}
433
434//===----------------------------------------------------------------------===//
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]435// Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
436//===----------------------------------------------------------------------===//
437
438namespace {
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]439class ClassReleaseChecker : public Checker<check::PreObjCMessage> {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]440 mutable Selector releaseS;
441 mutable Selector retainS;
442 mutable Selector autoreleaseS;
443 mutable Selector drainS;
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]444 mutable OwningPtr<BugType> BT;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]445
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]446public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]447 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]448};
449}
450
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]451void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]452 CheckerContext &C) const {
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]453
454 if (!BT) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]455 BT.reset(new APIMisuse("message incorrectly sent to class instead of class "
456 "instance"));
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]457
458 ASTContext &Ctx = C.getASTContext();
459 releaseS = GetNullarySelector("release", Ctx);
460 retainS = GetNullarySelector("retain", Ctx);
461 autoreleaseS = GetNullarySelector("autorelease", Ctx);
462 drainS = GetNullarySelector("drain", Ctx);
463 }
464
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]465 if (msg.isInstanceMessage())
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]466 return;
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]467 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
468 assert(Class);
Douglas Gregor9a129192010-04-21 00:45:42 +0000[diff] [blame]469
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]470 Selector S = msg.getSelector();
Benjamin Kramer7d875c72009-11-20 10:03:00 +0000[diff] [blame]471 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]472 return;
473
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]474 if (ExplodedNode *N = C.addTransition()) {
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]475 SmallString<200> buf;
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]476 llvm::raw_svector_ostream os(buf);
Ted Kremenekf5735152009-11-23 22:22:01 +0000[diff] [blame]477
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]478 os << "The '" << S.getAsString() << "' message should be sent to instances "
479 "of class '" << Class->getName()
480 << "' and not the class directly";
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]481
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]482 BugReport *report = new BugReport(*BT, os.str(), N);
Argyrios Kyrtzidis37ab7262011-01-25 00:03:53 +0000[diff] [blame]483 report->addRange(msg.getSourceRange());
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]484 C.emitReport(report);
Ted Kremenekbd2c8002010-10-20 23:38:56 +0000[diff] [blame]485 }
Ted Kremeneka4f7c182009-11-20 05:27:05 +0000[diff] [blame]486}
487
488//===----------------------------------------------------------------------===//
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]489// Check for passing non-Objective-C types to variadic methods that expect
490// only Objective-C types.
491//===----------------------------------------------------------------------===//
492
493namespace {
494class VariadicMethodTypeChecker : public Checker<check::PreObjCMessage> {
495 mutable Selector arrayWithObjectsS;
496 mutable Selector dictionaryWithObjectsAndKeysS;
497 mutable Selector setWithObjectsS;
Jordy Rosec0230d72012-04-06 19:06:01 +0000[diff] [blame]498 mutable Selector orderedSetWithObjectsS;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]499 mutable Selector initWithObjectsS;
500 mutable Selector initWithObjectsAndKeysS;
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]501 mutable OwningPtr<BugType> BT;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]502
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]503 bool isVariadicMessage(const ObjCMethodCall &msg) const;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]504
505public:
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]506 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]507};
508}
509
510/// isVariadicMessage - Returns whether the given message is a variadic message,
511/// where all arguments must be Objective-C types.
512bool
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]513VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const {
514 const ObjCMethodDecl *MD = msg.getDecl();
Ted Kremenekced5fea2011-04-12 21:47:05 +0000[diff] [blame]515
516 if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext()))
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]517 return false;
518
519 Selector S = msg.getSelector();
520
521 if (msg.isInstanceMessage()) {
522 // FIXME: Ideally we'd look at the receiver interface here, but that's not
523 // useful for init, because alloc returns 'id'. In theory, this could lead
524 // to false positives, for example if there existed a class that had an
525 // initWithObjects: implementation that does accept non-Objective-C pointer
526 // types, but the chance of that happening is pretty small compared to the
527 // gains that this analysis gives.
528 const ObjCInterfaceDecl *Class = MD->getClassInterface();
529
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]530 switch (findKnownClass(Class)) {
531 case FC_NSArray:
532 case FC_NSOrderedSet:
533 case FC_NSSet:
534 return S == initWithObjectsS;
535 case FC_NSDictionary:
536 return S == initWithObjectsAndKeysS;
537 default:
538 return false;
539 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]540 } else {
541 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
542
Jordan Rose3ba8ae32012-06-11 16:40:37 +0000[diff] [blame]543 switch (findKnownClass(Class)) {
544 case FC_NSArray:
545 return S == arrayWithObjectsS;
546 case FC_NSOrderedSet:
547 return S == orderedSetWithObjectsS;
548 case FC_NSSet:
549 return S == setWithObjectsS;
550 case FC_NSDictionary:
551 return S == dictionaryWithObjectsAndKeysS;
552 default:
553 return false;
554 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]555 }
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]556}
557
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]558void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]559 CheckerContext &C) const {
560 if (!BT) {
561 BT.reset(new APIMisuse("Arguments passed to variadic method aren't all "
562 "Objective-C pointer types"));
563
564 ASTContext &Ctx = C.getASTContext();
565 arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx);
566 dictionaryWithObjectsAndKeysS =
567 GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx);
568 setWithObjectsS = GetUnarySelector("setWithObjects", Ctx);
Jordy Rosec0230d72012-04-06 19:06:01 +0000[diff] [blame]569 orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx);
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]570
571 initWithObjectsS = GetUnarySelector("initWithObjects", Ctx);
572 initWithObjectsAndKeysS = GetUnarySelector("initWithObjectsAndKeys", Ctx);
573 }
574
575 if (!isVariadicMessage(msg))
576 return;
577
578 // We are not interested in the selector arguments since they have
579 // well-defined types, so the compiler will issue a warning for them.
580 unsigned variadicArgsBegin = msg.getSelector().getNumArgs();
581
582 // We're not interested in the last argument since it has to be nil or the
583 // compiler would have issued a warning for it elsewhere.
584 unsigned variadicArgsEnd = msg.getNumArgs() - 1;
585
586 if (variadicArgsEnd <= variadicArgsBegin)
587 return;
588
589 // Verify that all arguments have Objective-C types.
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]590 Optional<ExplodedNode*> errorNode;
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]591 ProgramStateRef state = C.getState();
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]592
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]593 for (unsigned I = variadicArgsBegin; I != variadicArgsEnd; ++I) {
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]594 QualType ArgTy = msg.getArgExpr(I)->getType();
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]595 if (ArgTy->isObjCObjectPointerType())
596 continue;
597
Anders Carlssond1f65f62011-04-19 01:16:46 +0000[diff] [blame]598 // Block pointers are treaded as Objective-C pointers.
599 if (ArgTy->isBlockPointerType())
600 continue;
601
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]602 // Ignore pointer constants.
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]603 if (msg.getArgSVal(I).getAs<loc::ConcreteInt>())
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]604 continue;
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]605
Ted Kremenek70727342011-03-17 04:10:25 +0000[diff] [blame]606 // Ignore pointer types annotated with 'NSObject' attribute.
607 if (C.getASTContext().isObjCNSObjectType(ArgTy))
608 continue;
609
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]610 // Ignore CF references, which can be toll-free bridged.
Ted Kremenekc85964e2011-07-16 19:50:32 +0000[diff] [blame]611 if (coreFoundation::isCFObjectRef(ArgTy))
Ted Kremenek6fa1dae2011-03-17 04:01:35 +0000[diff] [blame]612 continue;
Ted Kremenek4ceebbf2011-03-16 00:22:51 +0000[diff] [blame]613
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]614 // Generate only one error node to use for all bug reports.
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]615 if (!errorNode.hasValue())
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]616 errorNode = C.addTransition();
Ted Kremenek066b2262011-03-14 19:50:37 +0000[diff] [blame]617
618 if (!errorNode.getValue())
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]619 continue;
620
Dylan Noblesmith2c1dd272012-02-05 02:13:05 +0000[diff] [blame]621 SmallString<128> sbuf;
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]622 llvm::raw_svector_ostream os(sbuf);
623
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]624 StringRef TypeName = GetReceiverInterfaceName(msg);
625 if (!TypeName.empty())
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]626 os << "Argument to '" << TypeName << "' method '";
627 else
628 os << "Argument to method '";
629
630 os << msg.getSelector().getAsString()
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]631 << "' should be an Objective-C pointer type, not '";
632 ArgTy.print(os, C.getLangOpts());
633 os << "'";
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]634
Jordan Rose547060b2012-07-02 19:28:04 +0000[diff] [blame]635 BugReport *R = new BugReport(*BT, os.str(), errorNode.getValue());
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]636 R->addRange(msg.getArgSourceRange(I));
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame]637 C.emitReport(R);
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]638 }
639}
640
641//===----------------------------------------------------------------------===//
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]642// Improves the modeling of loops over Cocoa collections.
643//===----------------------------------------------------------------------===//
644
645namespace {
646class ObjCLoopChecker
647 : public Checker<check::PostStmt<ObjCForCollectionStmt> > {
648
649public:
650 void checkPostStmt(const ObjCForCollectionStmt *FCS, CheckerContext &C) const;
651};
652}
653
654static bool isKnownNonNilCollectionType(QualType T) {
655 const ObjCObjectPointerType *PT = T->getAs<ObjCObjectPointerType>();
656 if (!PT)
657 return false;
658
659 const ObjCInterfaceDecl *ID = PT->getInterfaceDecl();
660 if (!ID)
661 return false;
662
663 switch (findKnownClass(ID)) {
664 case FC_NSArray:
665 case FC_NSDictionary:
666 case FC_NSEnumerator:
667 case FC_NSOrderedSet:
668 case FC_NSSet:
669 return true;
670 default:
671 return false;
672 }
673}
674
675void ObjCLoopChecker::checkPostStmt(const ObjCForCollectionStmt *FCS,
676 CheckerContext &C) const {
677 ProgramStateRef State = C.getState();
678
679 // Check if this is the branch for the end of the loop.
680 SVal CollectionSentinel = State->getSVal(FCS, C.getLocationContext());
681 if (CollectionSentinel.isZeroConstant())
682 return;
683
684 // See if the collection is one where we /know/ the elements are non-nil.
685 const Expr *Collection = FCS->getCollection();
686 if (!isKnownNonNilCollectionType(Collection->getType()))
687 return;
688
689 // FIXME: Copied from ExprEngineObjC.
690 const Stmt *Element = FCS->getElement();
691 SVal ElementVar;
692 if (const DeclStmt *DS = dyn_cast<DeclStmt>(Element)) {
693 const VarDecl *ElemDecl = cast<VarDecl>(DS->getSingleDecl());
694 assert(ElemDecl->getInit() == 0);
695 ElementVar = State->getLValue(ElemDecl, C.getLocationContext());
696 } else {
697 ElementVar = State->getSVal(Element, C.getLocationContext());
698 }
699
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]700 if (!ElementVar.getAs<Loc>())
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]701 return;
702
703 // Go ahead and assume the value is non-nil.
David Blaikie2fdacbc2013-02-20 05:52:05 +0000[diff] [blame]704 SVal Val = State->getSVal(ElementVar.castAs<Loc>());
705 State = State->assume(Val.castAs<DefinedOrUnknownSVal>(), true);
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]706 C.addTransition(State);
707}
708
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]709namespace {
710/// \class ObjCNonNilReturnValueChecker
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]711/// \brief The checker restricts the return values of APIs known to
712/// never (or almost never) return 'nil'.
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]713class ObjCNonNilReturnValueChecker
714 : public Checker<check::PostObjCMessage> {
715 mutable bool Initialized;
716 mutable Selector ObjectAtIndex;
717 mutable Selector ObjectAtIndexedSubscript;
Anna Zaks9159e162012-08-22 22:47:58 +0000[diff] [blame]718
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]719public:
Anna Zaks9159e162012-08-22 22:47:58 +0000[diff] [blame]720 ObjCNonNilReturnValueChecker() : Initialized(false) {}
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]721 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
722};
723}
724
Benjamin Kramer199f8da2012-09-10 11:57:16 +0000[diff] [blame]725static ProgramStateRef assumeExprIsNonNull(const Expr *NonNullExpr,
726 ProgramStateRef State,
727 CheckerContext &C) {
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]728 SVal Val = State->getSVal(NonNullExpr, C.getLocationContext());
David Blaikie05785d12013-02-20 22:23:23 +0000[diff] [blame]729 if (Optional<DefinedOrUnknownSVal> DV = Val.getAs<DefinedOrUnknownSVal>())
Anna Zaks830c48e2012-08-30 22:55:32 +0000[diff] [blame]730 return State->assume(*DV, true);
Anna Zaksb504f442012-08-30 22:42:41 +0000[diff] [blame]731 return State;
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]732}
733
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]734void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M,
735 CheckerContext &C)
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]736 const {
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]737 ProgramStateRef State = C.getState();
738
739 if (!Initialized) {
740 ASTContext &Ctx = C.getASTContext();
741 ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx);
742 ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx);
743 }
744
745 // Check the receiver type.
746 if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) {
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]747
748 // Assume that object returned from '[self init]' or '[super init]' is not
749 // 'nil' if we are processing an inlined function/method.
750 //
751 // A defensive callee will (and should) check if the object returned by
752 // '[super init]' is 'nil' before doing it's own initialization. However,
753 // since 'nil' is rarely returned in practice, we should not warn when the
754 // caller to the defensive constructor uses the object in contexts where
755 // 'nil' is not accepted.
Anna Zaks49bb6502012-11-06 04:20:54 +0000[diff] [blame]756 if (!C.inTopFrame() && M.getDecl() &&
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]757 M.getDecl()->getMethodFamily() == OMF_init &&
758 M.isReceiverSelfOrSuper()) {
759 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
760 }
761
762 // Objects returned from
763 // [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript]
764 // are never 'nil'.
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]765 FoundationClass Cl = findKnownClass(Interface);
766 if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) {
767 Selector Sel = M.getSelector();
768 if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) {
769 // Go ahead and assume the value is non-nil.
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]770 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]771 }
772 }
773 }
Anna Zaks4818bbe2012-08-30 19:40:52 +0000[diff] [blame]774 C.addTransition(State);
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]775}
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]776
777//===----------------------------------------------------------------------===//
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]778// Check registration.
Ted Kremenekc057f412009-07-14 00:43:42 +0000[diff] [blame]779//===----------------------------------------------------------------------===//
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]780
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]781void ento::registerNilArgChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]782 mgr.registerChecker<NilArgChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]783}
784
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]785void ento::registerCFNumberCreateChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]786 mgr.registerChecker<CFNumberCreateChecker>();
Argyrios Kyrtzidis9d4d4f92011-02-16 01:40:52 +0000[diff] [blame]787}
788
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]789void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]790 mgr.registerChecker<CFRetainReleaseChecker>();
Ted Kremenek1f352db2008-07-22 16:21:24 +0000[diff] [blame]791}
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]792
793void ento::registerClassReleaseChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdd058d82011-02-23 00:16:10 +0000[diff] [blame]794 mgr.registerChecker<ClassReleaseChecker>();
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]795}
Anders Carlssond91d5f12011-03-13 20:35:21 +0000[diff] [blame]796
797void ento::registerVariadicMethodTypeChecker(CheckerManager &mgr) {
798 mgr.registerChecker<VariadicMethodTypeChecker>();
799}
Jordan Roseefef7602012-06-11 16:40:41 +0000[diff] [blame]800
801void ento::registerObjCLoopChecker(CheckerManager &mgr) {
802 mgr.registerChecker<ObjCLoopChecker>();
803}
Anna Zaks5a5a1752012-08-22 21:19:56 +0000[diff] [blame]804
805void ento::registerObjCNonNilReturnValueChecker(CheckerManager &mgr) {
806 mgr.registerChecker<ObjCNonNilReturnValueChecker>();
807}