blob: 50b872bd8682ff2fe35d68c36a35282215f67008 [file] [log] [blame]
//==- CheckObjCDealloc.cpp - Check ObjC -dealloc implementation --*- C++ -*-==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This checker analyzes Objective-C -dealloc methods and their callees
// to warn about improper releasing of instance variables that back synthesized
// properties. It warns about missing releases in the following cases:
// - When a class has a synthesized instance variable for a 'retain' or 'copy'
// property and lacks a -dealloc method in its implementation.
// - When a class has a synthesized instance variable for a 'retain'/'copy'
// property but the ivar is not released in -dealloc by either -release
// or by nilling out the property.
//
// It warns about extra releases in -dealloc (but not in callees) when a
// synthesized instance variable is released in the following cases:
// - When the property is 'assign' and is not 'readonly'.
// - When the property is 'weak'.
//
// This checker only warns for instance variables synthesized to back
// properties. Handling the more general case would require inferring whether
// an instance variable is stored retained or not. For synthesized properties,
// this is specified in the property declaration itself.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/Analysis/PathDiagnostic.h"
#include "clang/AST/Attr.h"
#include "clang/AST/DeclObjC.h"
#include "clang/AST/Expr.h"
#include "clang/AST/ExprObjC.h"
#include "clang/Basic/LangOptions.h"
#include "clang/Basic/TargetInfo.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/Support/raw_ostream.h"
using namespace clang;
using namespace ento;
/// Indicates whether an instance variable is required to be released in
/// -dealloc.
enum class ReleaseRequirement {
/// The instance variable must be released, either by calling
/// -release on it directly or by nilling it out with a property setter.
MustRelease,
/// The instance variable must not be directly released with -release.
MustNotReleaseDirectly,
/// The requirement for the instance variable could not be determined.
Unknown
};
/// Returns true if the property implementation is synthesized and the
/// type of the property is retainable.
static bool isSynthesizedRetainableProperty(const ObjCPropertyImplDecl *I,
const ObjCIvarDecl **ID,
const ObjCPropertyDecl **PD) {
if (I->getPropertyImplementation() != ObjCPropertyImplDecl::Synthesize)
return false;
(*ID) = I->getPropertyIvarDecl();
if (!(*ID))
return false;
QualType T = (*ID)->getType();
if (!T->isObjCRetainableType())
return false;
(*PD) = I->getPropertyDecl();
// Shouldn't be able to synthesize a property that doesn't exist.
assert(*PD);
return true;
}
namespace {
class ObjCDeallocChecker
: public Checker<check::ASTDecl<ObjCImplementationDecl>,
check::PreObjCMessage, check::PostObjCMessage,
check::PreCall,
check::BeginFunction, check::EndFunction,
eval::Assume,
check::PointerEscape,
check::PreStmt<ReturnStmt>> {
mutable IdentifierInfo *NSObjectII, *SenTestCaseII, *XCTestCaseII,
*Block_releaseII, *CIFilterII;
mutable Selector DeallocSel, ReleaseSel;
std::unique_ptr<BugType> MissingReleaseBugType;
std::unique_ptr<BugType> ExtraReleaseBugType;
std::unique_ptr<BugType> MistakenDeallocBugType;
public:
ObjCDeallocChecker();
void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& Mgr,
BugReporter &BR) const;
void checkBeginFunction(CheckerContext &Ctx) const;
void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
bool Assumption) const;
ProgramStateRef checkPointerEscape(ProgramStateRef State,
const InvalidatedSymbols &Escaped,
const CallEvent *Call,
PointerEscapeKind Kind) const;
void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
private:
void diagnoseMissingReleases(CheckerContext &C) const;
bool diagnoseExtraRelease(SymbolRef ReleasedValue, const ObjCMethodCall &M,
CheckerContext &C) const;
bool diagnoseMistakenDealloc(SymbolRef DeallocedValue,
const ObjCMethodCall &M,
CheckerContext &C) const;
SymbolRef getValueReleasedByNillingOut(const ObjCMethodCall &M,
CheckerContext &C) const;
const ObjCIvarRegion *getIvarRegionForIvarSymbol(SymbolRef IvarSym) const;
SymbolRef getInstanceSymbolFromIvarSymbol(SymbolRef IvarSym) const;
const ObjCPropertyImplDecl*
findPropertyOnDeallocatingInstance(SymbolRef IvarSym,
CheckerContext &C) const;
ReleaseRequirement
getDeallocReleaseRequirement(const ObjCPropertyImplDecl *PropImpl) const;
bool isInInstanceDealloc(const CheckerContext &C, SVal &SelfValOut) const;
bool isInInstanceDealloc(const CheckerContext &C, const LocationContext *LCtx,
SVal &SelfValOut) const;
bool instanceDeallocIsOnStack(const CheckerContext &C,
SVal &InstanceValOut) const;
bool isSuperDeallocMessage(const ObjCMethodCall &M) const;
const ObjCImplDecl *getContainingObjCImpl(const LocationContext *LCtx) const;
const ObjCPropertyDecl *
findShadowedPropertyDecl(const ObjCPropertyImplDecl *PropImpl) const;
void transitionToReleaseValue(CheckerContext &C, SymbolRef Value) const;
ProgramStateRef removeValueRequiringRelease(ProgramStateRef State,
SymbolRef InstanceSym,
SymbolRef ValueSym) const;
void initIdentifierInfoAndSelectors(ASTContext &Ctx) const;
bool classHasSeparateTeardown(const ObjCInterfaceDecl *ID) const;
bool isReleasedByCIFilterDealloc(const ObjCPropertyImplDecl *PropImpl) const;
bool isNibLoadedIvarWithoutRetain(const ObjCPropertyImplDecl *PropImpl) const;
};
} // End anonymous namespace.
/// Maps from the symbol for a class instance to the set of
/// symbols remaining that must be released in -dealloc.
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(SymbolSet, SymbolRef)
REGISTER_MAP_WITH_PROGRAMSTATE(UnreleasedIvarMap, SymbolRef, SymbolSet)
/// An AST check that diagnose when the class requires a -dealloc method and
/// is missing one.
void ObjCDeallocChecker::checkASTDecl(const ObjCImplementationDecl *D,
AnalysisManager &Mgr,
BugReporter &BR) const {
assert(Mgr.getLangOpts().getGC() != LangOptions::GCOnly);
assert(!Mgr.getLangOpts().ObjCAutoRefCount);
initIdentifierInfoAndSelectors(Mgr.getASTContext());
const ObjCInterfaceDecl *ID = D->getClassInterface();
// If the class is known to have a lifecycle with a separate teardown method
// then it may not require a -dealloc method.
if (classHasSeparateTeardown(ID))
return;
// Does the class contain any synthesized properties that are retainable?
// If not, skip the check entirely.
const ObjCPropertyImplDecl *PropImplRequiringRelease = nullptr;
bool HasOthers = false;
for (const auto *I : D->property_impls()) {
if (getDeallocReleaseRequirement(I) == ReleaseRequirement::MustRelease) {
if (!PropImplRequiringRelease)
PropImplRequiringRelease = I;
else {
HasOthers = true;
break;
}
}
}
if (!PropImplRequiringRelease)
return;
const ObjCMethodDecl *MD = nullptr;
// Scan the instance methods for "dealloc".
for (const auto *I : D->instance_methods()) {
if (I->getSelector() == DeallocSel) {
MD = I;
break;
}
}
if (!MD) { // No dealloc found.
const char* Name = "Missing -dealloc";
std::string Buf;
llvm::raw_string_ostream OS(Buf);
OS << "'" << *D << "' lacks a 'dealloc' instance method but "
<< "must release '" << *PropImplRequiringRelease->getPropertyIvarDecl()
<< "'";
if (HasOthers)
OS << " and others";
PathDiagnosticLocation DLoc =
PathDiagnosticLocation::createBegin(D, BR.getSourceManager());
BR.EmitBasicReport(D, this, Name, categories::CoreFoundationObjectiveC,
OS.str(), DLoc);
return;
}
}
/// If this is the beginning of -dealloc, mark the values initially stored in
/// instance variables that must be released by the end of -dealloc
/// as unreleased in the state.
void ObjCDeallocChecker::checkBeginFunction(
CheckerContext &C) const {
initIdentifierInfoAndSelectors(C.getASTContext());
// Only do this if the current method is -dealloc.
SVal SelfVal;
if (!isInInstanceDealloc(C, SelfVal))
return;
SymbolRef SelfSymbol = SelfVal.getAsSymbol();
const LocationContext *LCtx = C.getLocationContext();
ProgramStateRef InitialState = C.getState();
ProgramStateRef State = InitialState;
SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
// Symbols that must be released by the end of the -dealloc;
SymbolSet RequiredReleases = F.getEmptySet();
// If we're an inlined -dealloc, we should add our symbols to the existing
// set from our subclass.
if (const SymbolSet *CurrSet = State->get<UnreleasedIvarMap>(SelfSymbol))
RequiredReleases = *CurrSet;
for (auto *PropImpl : getContainingObjCImpl(LCtx)->property_impls()) {
ReleaseRequirement Requirement = getDeallocReleaseRequirement(PropImpl);
if (Requirement != ReleaseRequirement::MustRelease)
continue;
SVal LVal = State->getLValue(PropImpl->getPropertyIvarDecl(), SelfVal);
Optional<Loc> LValLoc = LVal.getAs<Loc>();
if (!LValLoc)
continue;
SVal InitialVal = State->getSVal(LValLoc.getValue());
SymbolRef Symbol = InitialVal.getAsSymbol();
if (!Symbol || !isa<SymbolRegionValue>(Symbol))
continue;
// Mark the value as requiring a release.
RequiredReleases = F.add(RequiredReleases, Symbol);
}
if (!RequiredReleases.isEmpty()) {
State = State->set<UnreleasedIvarMap>(SelfSymbol, RequiredReleases);
}
if (State != InitialState) {
C.addTransition(State);
}
}
/// Given a symbol for an ivar, return the ivar region it was loaded from.
/// Returns nullptr if the instance symbol cannot be found.
const ObjCIvarRegion *
ObjCDeallocChecker::getIvarRegionForIvarSymbol(SymbolRef IvarSym) const {
return dyn_cast_or_null<ObjCIvarRegion>(IvarSym->getOriginRegion());
}
/// Given a symbol for an ivar, return a symbol for the instance containing
/// the ivar. Returns nullptr if the instance symbol cannot be found.
SymbolRef
ObjCDeallocChecker::getInstanceSymbolFromIvarSymbol(SymbolRef IvarSym) const {
const ObjCIvarRegion *IvarRegion = getIvarRegionForIvarSymbol(IvarSym);
if (!IvarRegion)
return nullptr;
return IvarRegion->getSymbolicBase()->getSymbol();
}
/// If we are in -dealloc or -dealloc is on the stack, handle the call if it is
/// a release or a nilling-out property setter.
void ObjCDeallocChecker::checkPreObjCMessage(
const ObjCMethodCall &M, CheckerContext &C) const {
// Only run if -dealloc is on the stack.
SVal DeallocedInstance;
if (!instanceDeallocIsOnStack(C, DeallocedInstance))
return;
SymbolRef ReleasedValue = nullptr;
if (M.getSelector() == ReleaseSel) {
ReleasedValue = M.getReceiverSVal().getAsSymbol();
} else if (M.getSelector() == DeallocSel && !M.isReceiverSelfOrSuper()) {
if (diagnoseMistakenDealloc(M.getReceiverSVal().getAsSymbol(), M, C))
return;
}
if (ReleasedValue) {
// An instance variable symbol was released with -release:
// [_property release];
if (diagnoseExtraRelease(ReleasedValue,M, C))
return;
} else {
// An instance variable symbol was released nilling out its property:
// self.property = nil;
ReleasedValue = getValueReleasedByNillingOut(M, C);
}
if (!ReleasedValue)
return;
transitionToReleaseValue(C, ReleasedValue);
}
/// If we are in -dealloc or -dealloc is on the stack, handle the call if it is
/// call to Block_release().
void ObjCDeallocChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
const IdentifierInfo *II = Call.getCalleeIdentifier();
if (II != Block_releaseII)
return;
if (Call.getNumArgs() != 1)
return;
SymbolRef ReleasedValue = Call.getArgSVal(0).getAsSymbol();
if (!ReleasedValue)
return;
transitionToReleaseValue(C, ReleasedValue);
}
/// If the message was a call to '[super dealloc]', diagnose any missing
/// releases.
void ObjCDeallocChecker::checkPostObjCMessage(
const ObjCMethodCall &M, CheckerContext &C) const {
// We perform this check post-message so that if the super -dealloc
// calls a helper method and that this class overrides, any ivars released in
// the helper method will be recorded before checking.
if (isSuperDeallocMessage(M))
diagnoseMissingReleases(C);
}
/// Check for missing releases even when -dealloc does not call
/// '[super dealloc]'.
void ObjCDeallocChecker::checkEndFunction(
const ReturnStmt *RS, CheckerContext &C) const {
diagnoseMissingReleases(C);
}
/// Check for missing releases on early return.
void ObjCDeallocChecker::checkPreStmt(
const ReturnStmt *RS, CheckerContext &C) const {
diagnoseMissingReleases(C);
}
/// When a symbol is assumed to be nil, remove it from the set of symbols
/// require to be nil.
ProgramStateRef ObjCDeallocChecker::evalAssume(ProgramStateRef State, SVal Cond,
bool Assumption) const {
if (State->get<UnreleasedIvarMap>().isEmpty())
return State;
auto *CondBSE = dyn_cast_or_null<BinarySymExpr>(Cond.getAsSymExpr());
if (!CondBSE)
return State;
BinaryOperator::Opcode OpCode = CondBSE->getOpcode();
if (Assumption) {
if (OpCode != BO_EQ)
return State;
} else {
if (OpCode != BO_NE)
return State;
}
SymbolRef NullSymbol = nullptr;
if (auto *SIE = dyn_cast<SymIntExpr>(CondBSE)) {
const llvm::APInt &RHS = SIE->getRHS();
if (RHS != 0)
return State;
NullSymbol = SIE->getLHS();
} else if (auto *SIE = dyn_cast<IntSymExpr>(CondBSE)) {
const llvm::APInt &LHS = SIE->getLHS();
if (LHS != 0)
return State;
NullSymbol = SIE->getRHS();
} else {
return State;
}
SymbolRef InstanceSymbol = getInstanceSymbolFromIvarSymbol(NullSymbol);
if (!InstanceSymbol)
return State;
State = removeValueRequiringRelease(State, InstanceSymbol, NullSymbol);
return State;
}
/// If a symbol escapes conservatively assume unseen code released it.
ProgramStateRef ObjCDeallocChecker::checkPointerEscape(
ProgramStateRef State, const InvalidatedSymbols &Escaped,
const CallEvent *Call, PointerEscapeKind Kind) const {
if (State->get<UnreleasedIvarMap>().isEmpty())
return State;
// Don't treat calls to '[super dealloc]' as escaping for the purposes
// of this checker. Because the checker diagnoses missing releases in the
// post-message handler for '[super dealloc], escaping here would cause
// the checker to never warn.
auto *OMC = dyn_cast_or_null<ObjCMethodCall>(Call);
if (OMC && isSuperDeallocMessage(*OMC))
return State;
for (const auto &Sym : Escaped) {
if (!Call || (Call && !Call->isInSystemHeader())) {
// If Sym is a symbol for an object with instance variables that
// must be released, remove these obligations when the object escapes
// unless via a call to a system function. System functions are
// very unlikely to release instance variables on objects passed to them,
// and are frequently called on 'self' in -dealloc (e.g., to remove
// observers) -- we want to avoid false negatives from escaping on
// them.
State = State->remove<UnreleasedIvarMap>(Sym);
}
SymbolRef InstanceSymbol = getInstanceSymbolFromIvarSymbol(Sym);
if (!InstanceSymbol)
continue;
State = removeValueRequiringRelease(State, InstanceSymbol, Sym);
}
return State;
}
/// Report any unreleased instance variables for the current instance being
/// dealloced.
void ObjCDeallocChecker::diagnoseMissingReleases(CheckerContext &C) const {
ProgramStateRef State = C.getState();
SVal SelfVal;
if (!isInInstanceDealloc(C, SelfVal))
return;
const MemRegion *SelfRegion = SelfVal.castAs<loc::MemRegionVal>().getRegion();
const LocationContext *LCtx = C.getLocationContext();
ExplodedNode *ErrNode = nullptr;
SymbolRef SelfSym = SelfVal.getAsSymbol();
if (!SelfSym)
return;
const SymbolSet *OldUnreleased = State->get<UnreleasedIvarMap>(SelfSym);
if (!OldUnreleased)
return;
SymbolSet NewUnreleased = *OldUnreleased;
SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
ProgramStateRef InitialState = State;
for (auto *IvarSymbol : *OldUnreleased) {
const TypedValueRegion *TVR =
cast<SymbolRegionValue>(IvarSymbol)->getRegion();
const ObjCIvarRegion *IvarRegion = cast<ObjCIvarRegion>(TVR);
// Don't warn if the ivar is not for this instance.
if (SelfRegion != IvarRegion->getSuperRegion())
continue;
const ObjCIvarDecl *IvarDecl = IvarRegion->getDecl();
// Prevent an inlined call to -dealloc in a super class from warning
// about the values the subclass's -dealloc should release.
if (IvarDecl->getContainingInterface() !=
cast<ObjCMethodDecl>(LCtx->getDecl())->getClassInterface())
continue;
// Prevents diagnosing multiple times for the same instance variable
// at, for example, both a return and at the end of the function.
NewUnreleased = F.remove(NewUnreleased, IvarSymbol);
if (State->getStateManager()
.getConstraintManager()
.isNull(State, IvarSymbol)
.isConstrainedTrue()) {
continue;
}
// A missing release manifests as a leak, so treat as a non-fatal error.
if (!ErrNode)
ErrNode = C.generateNonFatalErrorNode();
// If we've already reached this node on another path, return without
// diagnosing.
if (!ErrNode)
return;
std::string Buf;
llvm::raw_string_ostream OS(Buf);
const ObjCInterfaceDecl *Interface = IvarDecl->getContainingInterface();
// If the class is known to have a lifecycle with teardown that is
// separate from -dealloc, do not warn about missing releases. We
// suppress here (rather than not tracking for instance variables in
// such classes) because these classes are rare.
if (classHasSeparateTeardown(Interface))
return;
ObjCImplDecl *ImplDecl = Interface->getImplementation();
const ObjCPropertyImplDecl *PropImpl =
ImplDecl->FindPropertyImplIvarDecl(IvarDecl->getIdentifier());
const ObjCPropertyDecl *PropDecl = PropImpl->getPropertyDecl();
assert(PropDecl->getSetterKind() == ObjCPropertyDecl::Copy ||
PropDecl->getSetterKind() == ObjCPropertyDecl::Retain);
OS << "The '" << *IvarDecl << "' ivar in '" << *ImplDecl
<< "' was ";
if (PropDecl->getSetterKind() == ObjCPropertyDecl::Retain)
OS << "retained";
else
OS << "copied";
OS << " by a synthesized property but not released"
" before '[super dealloc]'";
auto BR = std::make_unique<PathSensitiveBugReport>(*MissingReleaseBugType,
OS.str(), ErrNode);
C.emitReport(std::move(BR));
}
if (NewUnreleased.isEmpty()) {
State = State->remove<UnreleasedIvarMap>(SelfSym);
} else {
State = State->set<UnreleasedIvarMap>(SelfSym, NewUnreleased);
}
if (ErrNode) {
C.addTransition(State, ErrNode);
} else if (State != InitialState) {
C.addTransition(State);
}
// Make sure that after checking in the top-most frame the list of
// tracked ivars is empty. This is intended to detect accidental leaks in
// the UnreleasedIvarMap program state.
assert(!LCtx->inTopFrame() || State->get<UnreleasedIvarMap>().isEmpty());
}
/// Given a symbol, determine whether the symbol refers to an ivar on
/// the top-most deallocating instance. If so, find the property for that
/// ivar, if one exists. Otherwise return null.
const ObjCPropertyImplDecl *
ObjCDeallocChecker::findPropertyOnDeallocatingInstance(
SymbolRef IvarSym, CheckerContext &C) const {
SVal DeallocedInstance;
if (!isInInstanceDealloc(C, DeallocedInstance))
return nullptr;
// Try to get the region from which the ivar value was loaded.
auto *IvarRegion = getIvarRegionForIvarSymbol(IvarSym);
if (!IvarRegion)
return nullptr;
// Don't try to find the property if the ivar was not loaded from the
// given instance.
if (DeallocedInstance.castAs<loc::MemRegionVal>().getRegion() !=
IvarRegion->getSuperRegion())
return nullptr;
const LocationContext *LCtx = C.getLocationContext();
const ObjCIvarDecl *IvarDecl = IvarRegion->getDecl();
const ObjCImplDecl *Container = getContainingObjCImpl(LCtx);
const ObjCPropertyImplDecl *PropImpl =
Container->FindPropertyImplIvarDecl(IvarDecl->getIdentifier());
return PropImpl;
}
/// Emits a warning if the current context is -dealloc and ReleasedValue
/// must not be directly released in a -dealloc. Returns true if a diagnostic
/// was emitted.
bool ObjCDeallocChecker::diagnoseExtraRelease(SymbolRef ReleasedValue,
const ObjCMethodCall &M,
CheckerContext &C) const {
// Try to get the region from which the released value was loaded.
// Note that, unlike diagnosing for missing releases, here we don't track
// values that must not be released in the state. This is because even if
// these values escape, it is still an error under the rules of MRR to
// release them in -dealloc.
const ObjCPropertyImplDecl *PropImpl =
findPropertyOnDeallocatingInstance(ReleasedValue, C);
if (!PropImpl)
return false;
// If the ivar belongs to a property that must not be released directly
// in dealloc, emit a warning.
if (getDeallocReleaseRequirement(PropImpl) !=
ReleaseRequirement::MustNotReleaseDirectly) {
return false;
}
// If the property is readwrite but it shadows a read-only property in its
// external interface, treat the property a read-only. If the outside
// world cannot write to a property then the internal implementation is free
// to make its own convention about whether the value is stored retained
// or not. We look up the shadow here rather than in
// getDeallocReleaseRequirement() because doing so can be expensive.
const ObjCPropertyDecl *PropDecl = findShadowedPropertyDecl(PropImpl);
if (PropDecl) {
if (PropDecl->isReadOnly())
return false;
} else {
PropDecl = PropImpl->getPropertyDecl();
}
ExplodedNode *ErrNode = C.generateNonFatalErrorNode();
if (!ErrNode)
return false;
std::string Buf;
llvm::raw_string_ostream OS(Buf);
assert(PropDecl->getSetterKind() == ObjCPropertyDecl::Weak ||
(PropDecl->getSetterKind() == ObjCPropertyDecl::Assign &&
!PropDecl->isReadOnly()) ||
isReleasedByCIFilterDealloc(PropImpl)
);
const ObjCImplDecl *Container = getContainingObjCImpl(C.getLocationContext());
OS << "The '" << *PropImpl->getPropertyIvarDecl()
<< "' ivar in '" << *Container;
if (isReleasedByCIFilterDealloc(PropImpl)) {
OS << "' will be released by '-[CIFilter dealloc]' but also released here";
} else {
OS << "' was synthesized for ";
if (PropDecl->getSetterKind() == ObjCPropertyDecl::Weak)
OS << "a weak";
else
OS << "an assign, readwrite";
OS << " property but was released in 'dealloc'";
}
auto BR = std::make_unique<PathSensitiveBugReport>(*ExtraReleaseBugType,
OS.str(), ErrNode);
BR->addRange(M.getOriginExpr()->getSourceRange());
C.emitReport(std::move(BR));
return true;
}
/// Emits a warning if the current context is -dealloc and DeallocedValue
/// must not be directly dealloced in a -dealloc. Returns true if a diagnostic
/// was emitted.
bool ObjCDeallocChecker::diagnoseMistakenDealloc(SymbolRef DeallocedValue,
const ObjCMethodCall &M,
CheckerContext &C) const {
// TODO: Apart from unknown/undefined receivers, this may happen when
// dealloc is called as a class method. Should we warn?
if (!DeallocedValue)
return false;
// Find the property backing the instance variable that M
// is dealloc'ing.
const ObjCPropertyImplDecl *PropImpl =
findPropertyOnDeallocatingInstance(DeallocedValue, C);
if (!PropImpl)
return false;
if (getDeallocReleaseRequirement(PropImpl) !=
ReleaseRequirement::MustRelease) {
return false;
}
ExplodedNode *ErrNode = C.generateErrorNode();
if (!ErrNode)
return false;
std::string Buf;
llvm::raw_string_ostream OS(Buf);
OS << "'" << *PropImpl->getPropertyIvarDecl()
<< "' should be released rather than deallocated";
auto BR = std::make_unique<PathSensitiveBugReport>(*MistakenDeallocBugType,
OS.str(), ErrNode);
BR->addRange(M.getOriginExpr()->getSourceRange());
C.emitReport(std::move(BR));
return true;
}
ObjCDeallocChecker::ObjCDeallocChecker()
: NSObjectII(nullptr), SenTestCaseII(nullptr), XCTestCaseII(nullptr),
CIFilterII(nullptr) {
MissingReleaseBugType.reset(
new BugType(this, "Missing ivar release (leak)",
categories::MemoryRefCount));
ExtraReleaseBugType.reset(
new BugType(this, "Extra ivar release",
categories::MemoryRefCount));
MistakenDeallocBugType.reset(
new BugType(this, "Mistaken dealloc",
categories::MemoryRefCount));
}
void ObjCDeallocChecker::initIdentifierInfoAndSelectors(
ASTContext &Ctx) const {
if (NSObjectII)
return;
NSObjectII = &Ctx.Idents.get("NSObject");
SenTestCaseII = &Ctx.Idents.get("SenTestCase");
XCTestCaseII = &Ctx.Idents.get("XCTestCase");
Block_releaseII = &Ctx.Idents.get("_Block_release");
CIFilterII = &Ctx.Idents.get("CIFilter");
IdentifierInfo *DeallocII = &Ctx.Idents.get("dealloc");
IdentifierInfo *ReleaseII = &Ctx.Idents.get("release");
DeallocSel = Ctx.Selectors.getSelector(0, &DeallocII);
ReleaseSel = Ctx.Selectors.getSelector(0, &ReleaseII);
}
/// Returns true if M is a call to '[super dealloc]'.
bool ObjCDeallocChecker::isSuperDeallocMessage(
const ObjCMethodCall &M) const {
if (M.getOriginExpr()->getReceiverKind() != ObjCMessageExpr::SuperInstance)
return false;
return M.getSelector() == DeallocSel;
}
/// Returns the ObjCImplDecl containing the method declaration in LCtx.
const ObjCImplDecl *
ObjCDeallocChecker::getContainingObjCImpl(const LocationContext *LCtx) const {
auto *MD = cast<ObjCMethodDecl>(LCtx->getDecl());
return cast<ObjCImplDecl>(MD->getDeclContext());
}
/// Returns the property that shadowed by PropImpl if one exists and
/// nullptr otherwise.
const ObjCPropertyDecl *ObjCDeallocChecker::findShadowedPropertyDecl(
const ObjCPropertyImplDecl *PropImpl) const {
const ObjCPropertyDecl *PropDecl = PropImpl->getPropertyDecl();
// Only readwrite properties can shadow.
if (PropDecl->isReadOnly())
return nullptr;
auto *CatDecl = dyn_cast<ObjCCategoryDecl>(PropDecl->getDeclContext());
// Only class extensions can contain shadowing properties.
if (!CatDecl || !CatDecl->IsClassExtension())
return nullptr;
IdentifierInfo *ID = PropDecl->getIdentifier();
DeclContext::lookup_result R = CatDecl->getClassInterface()->lookup(ID);
for (DeclContext::lookup_iterator I = R.begin(), E = R.end(); I != E; ++I) {
auto *ShadowedPropDecl = dyn_cast<ObjCPropertyDecl>(*I);
if (!ShadowedPropDecl)
continue;
if (ShadowedPropDecl->isInstanceProperty()) {
assert(ShadowedPropDecl->isReadOnly());
return ShadowedPropDecl;
}
}
return nullptr;
}
/// Add a transition noting the release of the given value.
void ObjCDeallocChecker::transitionToReleaseValue(CheckerContext &C,
SymbolRef Value) const {
assert(Value);
SymbolRef InstanceSym = getInstanceSymbolFromIvarSymbol(Value);
if (!InstanceSym)
return;
ProgramStateRef InitialState = C.getState();
ProgramStateRef ReleasedState =
removeValueRequiringRelease(InitialState, InstanceSym, Value);
if (ReleasedState != InitialState) {
C.addTransition(ReleasedState);
}
}
/// Remove the Value requiring a release from the tracked set for
/// Instance and return the resultant state.
ProgramStateRef ObjCDeallocChecker::removeValueRequiringRelease(
ProgramStateRef State, SymbolRef Instance, SymbolRef Value) const {
assert(Instance);
assert(Value);
const ObjCIvarRegion *RemovedRegion = getIvarRegionForIvarSymbol(Value);
if (!RemovedRegion)
return State;
const SymbolSet *Unreleased = State->get<UnreleasedIvarMap>(Instance);
if (!Unreleased)
return State;
// Mark the value as no longer requiring a release.
SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
SymbolSet NewUnreleased = *Unreleased;
for (auto &Sym : *Unreleased) {
const ObjCIvarRegion *UnreleasedRegion = getIvarRegionForIvarSymbol(Sym);
assert(UnreleasedRegion);
if (RemovedRegion->getDecl() == UnreleasedRegion->getDecl()) {
NewUnreleased = F.remove(NewUnreleased, Sym);
}
}
if (NewUnreleased.isEmpty()) {
return State->remove<UnreleasedIvarMap>(Instance);
}
return State->set<UnreleasedIvarMap>(Instance, NewUnreleased);
}
/// Determines whether the instance variable for \p PropImpl must or must not be
/// released in -dealloc or whether it cannot be determined.
ReleaseRequirement ObjCDeallocChecker::getDeallocReleaseRequirement(
const ObjCPropertyImplDecl *PropImpl) const {
const ObjCIvarDecl *IvarDecl;
const ObjCPropertyDecl *PropDecl;
if (!isSynthesizedRetainableProperty(PropImpl, &IvarDecl, &PropDecl))
return ReleaseRequirement::Unknown;
ObjCPropertyDecl::SetterKind SK = PropDecl->getSetterKind();
switch (SK) {
// Retain and copy setters retain/copy their values before storing and so
// the value in their instance variables must be released in -dealloc.
case ObjCPropertyDecl::Retain:
case ObjCPropertyDecl::Copy:
if (isReleasedByCIFilterDealloc(PropImpl))
return ReleaseRequirement::MustNotReleaseDirectly;
if (isNibLoadedIvarWithoutRetain(PropImpl))
return ReleaseRequirement::Unknown;
return ReleaseRequirement::MustRelease;
case ObjCPropertyDecl::Weak:
return ReleaseRequirement::MustNotReleaseDirectly;
case ObjCPropertyDecl::Assign:
// It is common for the ivars for read-only assign properties to
// always be stored retained, so their release requirement cannot be
// be determined.
if (PropDecl->isReadOnly())
return ReleaseRequirement::Unknown;
return ReleaseRequirement::MustNotReleaseDirectly;
}
llvm_unreachable("Unrecognized setter kind");
}
/// Returns the released value if M is a call a setter that releases
/// and nils out its underlying instance variable.
SymbolRef
ObjCDeallocChecker::getValueReleasedByNillingOut(const ObjCMethodCall &M,
CheckerContext &C) const {
SVal ReceiverVal = M.getReceiverSVal();
if (!ReceiverVal.isValid())
return nullptr;
if (M.getNumArgs() == 0)
return nullptr;
if (!M.getArgExpr(0)->getType()->isObjCRetainableType())
return nullptr;
// Is the first argument nil?
SVal Arg = M.getArgSVal(0);
ProgramStateRef notNilState, nilState;
std::tie(notNilState, nilState) =
M.getState()->assume(Arg.castAs<DefinedOrUnknownSVal>());
if (!(nilState && !notNilState))
return nullptr;
const ObjCPropertyDecl *Prop = M.getAccessedProperty();
if (!Prop)
return nullptr;
ObjCIvarDecl *PropIvarDecl = Prop->getPropertyIvarDecl();
if (!PropIvarDecl)
return nullptr;
ProgramStateRef State = C.getState();
SVal LVal = State->getLValue(PropIvarDecl, ReceiverVal);
Optional<Loc> LValLoc = LVal.getAs<Loc>();
if (!LValLoc)
return nullptr;
SVal CurrentValInIvar = State->getSVal(LValLoc.getValue());
return CurrentValInIvar.getAsSymbol();
}
/// Returns true if the current context is a call to -dealloc and false
/// otherwise. If true, it also sets SelfValOut to the value of
/// 'self'.
bool ObjCDeallocChecker::isInInstanceDealloc(const CheckerContext &C,
SVal &SelfValOut) const {
return isInInstanceDealloc(C, C.getLocationContext(), SelfValOut);
}
/// Returns true if LCtx is a call to -dealloc and false
/// otherwise. If true, it also sets SelfValOut to the value of
/// 'self'.
bool ObjCDeallocChecker::isInInstanceDealloc(const CheckerContext &C,
const LocationContext *LCtx,
SVal &SelfValOut) const {
auto *MD = dyn_cast<ObjCMethodDecl>(LCtx->getDecl());
if (!MD || !MD->isInstanceMethod() || MD->getSelector() != DeallocSel)
return false;
const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
assert(SelfDecl && "No self in -dealloc?");
ProgramStateRef State = C.getState();
SelfValOut = State->getSVal(State->getRegion(SelfDecl, LCtx));
return true;
}
/// Returns true if there is a call to -dealloc anywhere on the stack and false
/// otherwise. If true, it also sets InstanceValOut to the value of
/// 'self' in the frame for -dealloc.
bool ObjCDeallocChecker::instanceDeallocIsOnStack(const CheckerContext &C,
SVal &InstanceValOut) const {
const LocationContext *LCtx = C.getLocationContext();
while (LCtx) {
if (isInInstanceDealloc(C, LCtx, InstanceValOut))
return true;
LCtx = LCtx->getParent();
}
return false;
}
/// Returns true if the ID is a class in which which is known to have
/// a separate teardown lifecycle. In this case, -dealloc warnings
/// about missing releases should be suppressed.
bool ObjCDeallocChecker::classHasSeparateTeardown(
const ObjCInterfaceDecl *ID) const {
// Suppress if the class is not a subclass of NSObject.
for ( ; ID ; ID = ID->getSuperClass()) {
IdentifierInfo *II = ID->getIdentifier();
if (II == NSObjectII)
return false;
// FIXME: For now, ignore classes that subclass SenTestCase and XCTestCase,
// as these don't need to implement -dealloc. They implement tear down in
// another way, which we should try and catch later.
// http://llvm.org/bugs/show_bug.cgi?id=3187
if (II == XCTestCaseII || II == SenTestCaseII)
return true;
}
return true;
}
/// The -dealloc method in CIFilter highly unusual in that is will release
/// instance variables belonging to its *subclasses* if the variable name
/// starts with "input" or backs a property whose name starts with "input".
/// Subclasses should not release these ivars in their own -dealloc method --
/// doing so could result in an over release.
///
/// This method returns true if the property will be released by
/// -[CIFilter dealloc].
bool ObjCDeallocChecker::isReleasedByCIFilterDealloc(
const ObjCPropertyImplDecl *PropImpl) const {
assert(PropImpl->getPropertyIvarDecl());
StringRef PropName = PropImpl->getPropertyDecl()->getName();
StringRef IvarName = PropImpl->getPropertyIvarDecl()->getName();
const char *ReleasePrefix = "input";
if (!(PropName.startswith(ReleasePrefix) ||
IvarName.startswith(ReleasePrefix))) {
return false;
}
const ObjCInterfaceDecl *ID =
PropImpl->getPropertyIvarDecl()->getContainingInterface();
for ( ; ID ; ID = ID->getSuperClass()) {
IdentifierInfo *II = ID->getIdentifier();
if (II == CIFilterII)
return true;
}
return false;
}
/// Returns whether the ivar backing the property is an IBOutlet that
/// has its value set by nib loading code without retaining the value.
///
/// On macOS, if there is no setter, the nib-loading code sets the ivar
/// directly, without retaining the value,
///
/// On iOS and its derivatives, the nib-loading code will call
/// -setValue:forKey:, which retains the value before directly setting the ivar.
bool ObjCDeallocChecker::isNibLoadedIvarWithoutRetain(
const ObjCPropertyImplDecl *PropImpl) const {
const ObjCIvarDecl *IvarDecl = PropImpl->getPropertyIvarDecl();
if (!IvarDecl->hasAttr<IBOutletAttr>())
return false;
const llvm::Triple &Target =
IvarDecl->getASTContext().getTargetInfo().getTriple();
if (!Target.isMacOSX())
return false;
if (PropImpl->getPropertyDecl()->getSetterMethodDecl())
return false;
return true;
}
void ento::registerObjCDeallocChecker(CheckerManager &Mgr) {
Mgr.registerChecker<ObjCDeallocChecker>();
}
bool ento::shouldRegisterObjCDeallocChecker(const LangOptions &LO) {
// These checker only makes sense under MRR.
return LO.getGC() != LangOptions::GCOnly && !LO.ObjCAutoRefCount;
}