10b57cec5SDimitry Andric //==-- RetainCountChecker.cpp - Checks for leaks and other issues -*- C++ -*--//
20b57cec5SDimitry Andric //
30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information.
50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
60b57cec5SDimitry Andric //
70b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
80b57cec5SDimitry Andric //
90b57cec5SDimitry Andric // This file defines the methods for RetainCountChecker, which implements
100b57cec5SDimitry Andric // a reference count checker for Core Foundation and Cocoa on (Mac OS X).
110b57cec5SDimitry Andric //
120b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
130b57cec5SDimitry Andric
140b57cec5SDimitry Andric #include "RetainCountChecker.h"
155ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
160b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
17bdd1243dSDimitry Andric #include <optional>
180b57cec5SDimitry Andric
190b57cec5SDimitry Andric using namespace clang;
200b57cec5SDimitry Andric using namespace ento;
210b57cec5SDimitry Andric using namespace retaincountchecker;
220b57cec5SDimitry Andric
230b57cec5SDimitry Andric REGISTER_MAP_WITH_PROGRAMSTATE(RefBindings, SymbolRef, RefVal)
240b57cec5SDimitry Andric
250b57cec5SDimitry Andric namespace clang {
260b57cec5SDimitry Andric namespace ento {
270b57cec5SDimitry Andric namespace retaincountchecker {
280b57cec5SDimitry Andric
getRefBinding(ProgramStateRef State,SymbolRef Sym)290b57cec5SDimitry Andric const RefVal *getRefBinding(ProgramStateRef State, SymbolRef Sym) {
300b57cec5SDimitry Andric return State->get<RefBindings>(Sym);
310b57cec5SDimitry Andric }
320b57cec5SDimitry Andric
330b57cec5SDimitry Andric } // end namespace retaincountchecker
340b57cec5SDimitry Andric } // end namespace ento
350b57cec5SDimitry Andric } // end namespace clang
360b57cec5SDimitry Andric
setRefBinding(ProgramStateRef State,SymbolRef Sym,RefVal Val)370b57cec5SDimitry Andric static ProgramStateRef setRefBinding(ProgramStateRef State, SymbolRef Sym,
380b57cec5SDimitry Andric RefVal Val) {
390b57cec5SDimitry Andric assert(Sym != nullptr);
400b57cec5SDimitry Andric return State->set<RefBindings>(Sym, Val);
410b57cec5SDimitry Andric }
420b57cec5SDimitry Andric
removeRefBinding(ProgramStateRef State,SymbolRef Sym)430b57cec5SDimitry Andric static ProgramStateRef removeRefBinding(ProgramStateRef State, SymbolRef Sym) {
440b57cec5SDimitry Andric return State->remove<RefBindings>(Sym);
450b57cec5SDimitry Andric }
460b57cec5SDimitry Andric
print(raw_ostream & Out) const470b57cec5SDimitry Andric void RefVal::print(raw_ostream &Out) const {
480b57cec5SDimitry Andric if (!T.isNull())
4981ad6265SDimitry Andric Out << "Tracked " << T << " | ";
500b57cec5SDimitry Andric
510b57cec5SDimitry Andric switch (getKind()) {
520b57cec5SDimitry Andric default: llvm_unreachable("Invalid RefVal kind");
530b57cec5SDimitry Andric case Owned: {
540b57cec5SDimitry Andric Out << "Owned";
550b57cec5SDimitry Andric unsigned cnt = getCount();
560b57cec5SDimitry Andric if (cnt) Out << " (+ " << cnt << ")";
570b57cec5SDimitry Andric break;
580b57cec5SDimitry Andric }
590b57cec5SDimitry Andric
600b57cec5SDimitry Andric case NotOwned: {
610b57cec5SDimitry Andric Out << "NotOwned";
620b57cec5SDimitry Andric unsigned cnt = getCount();
630b57cec5SDimitry Andric if (cnt) Out << " (+ " << cnt << ")";
640b57cec5SDimitry Andric break;
650b57cec5SDimitry Andric }
660b57cec5SDimitry Andric
670b57cec5SDimitry Andric case ReturnedOwned: {
680b57cec5SDimitry Andric Out << "ReturnedOwned";
690b57cec5SDimitry Andric unsigned cnt = getCount();
700b57cec5SDimitry Andric if (cnt) Out << " (+ " << cnt << ")";
710b57cec5SDimitry Andric break;
720b57cec5SDimitry Andric }
730b57cec5SDimitry Andric
740b57cec5SDimitry Andric case ReturnedNotOwned: {
750b57cec5SDimitry Andric Out << "ReturnedNotOwned";
760b57cec5SDimitry Andric unsigned cnt = getCount();
770b57cec5SDimitry Andric if (cnt) Out << " (+ " << cnt << ")";
780b57cec5SDimitry Andric break;
790b57cec5SDimitry Andric }
800b57cec5SDimitry Andric
810b57cec5SDimitry Andric case Released:
820b57cec5SDimitry Andric Out << "Released";
830b57cec5SDimitry Andric break;
840b57cec5SDimitry Andric
850b57cec5SDimitry Andric case ErrorDeallocNotOwned:
860b57cec5SDimitry Andric Out << "-dealloc (not-owned)";
870b57cec5SDimitry Andric break;
880b57cec5SDimitry Andric
890b57cec5SDimitry Andric case ErrorLeak:
900b57cec5SDimitry Andric Out << "Leaked";
910b57cec5SDimitry Andric break;
920b57cec5SDimitry Andric
930b57cec5SDimitry Andric case ErrorLeakReturned:
940b57cec5SDimitry Andric Out << "Leaked (Bad naming)";
950b57cec5SDimitry Andric break;
960b57cec5SDimitry Andric
970b57cec5SDimitry Andric case ErrorUseAfterRelease:
980b57cec5SDimitry Andric Out << "Use-After-Release [ERROR]";
990b57cec5SDimitry Andric break;
1000b57cec5SDimitry Andric
1010b57cec5SDimitry Andric case ErrorReleaseNotOwned:
1020b57cec5SDimitry Andric Out << "Release of Not-Owned [ERROR]";
1030b57cec5SDimitry Andric break;
1040b57cec5SDimitry Andric
1050b57cec5SDimitry Andric case RefVal::ErrorOverAutorelease:
1060b57cec5SDimitry Andric Out << "Over-autoreleased";
1070b57cec5SDimitry Andric break;
1080b57cec5SDimitry Andric
1090b57cec5SDimitry Andric case RefVal::ErrorReturnedNotOwned:
1100b57cec5SDimitry Andric Out << "Non-owned object returned instead of owned";
1110b57cec5SDimitry Andric break;
1120b57cec5SDimitry Andric }
1130b57cec5SDimitry Andric
1140b57cec5SDimitry Andric switch (getIvarAccessHistory()) {
1150b57cec5SDimitry Andric case IvarAccessHistory::None:
1160b57cec5SDimitry Andric break;
1170b57cec5SDimitry Andric case IvarAccessHistory::AccessedDirectly:
1180b57cec5SDimitry Andric Out << " [direct ivar access]";
1190b57cec5SDimitry Andric break;
1200b57cec5SDimitry Andric case IvarAccessHistory::ReleasedAfterDirectAccess:
1210b57cec5SDimitry Andric Out << " [released after direct ivar access]";
1220b57cec5SDimitry Andric }
1230b57cec5SDimitry Andric
1240b57cec5SDimitry Andric if (ACnt) {
1250b57cec5SDimitry Andric Out << " [autorelease -" << ACnt << ']';
1260b57cec5SDimitry Andric }
1270b57cec5SDimitry Andric }
1280b57cec5SDimitry Andric
1290b57cec5SDimitry Andric namespace {
1300b57cec5SDimitry Andric class StopTrackingCallback final : public SymbolVisitor {
1310b57cec5SDimitry Andric ProgramStateRef state;
1320b57cec5SDimitry Andric public:
StopTrackingCallback(ProgramStateRef st)1330b57cec5SDimitry Andric StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
getState() const1340b57cec5SDimitry Andric ProgramStateRef getState() const { return state; }
1350b57cec5SDimitry Andric
VisitSymbol(SymbolRef sym)1360b57cec5SDimitry Andric bool VisitSymbol(SymbolRef sym) override {
1370b57cec5SDimitry Andric state = removeRefBinding(state, sym);
1380b57cec5SDimitry Andric return true;
1390b57cec5SDimitry Andric }
1400b57cec5SDimitry Andric };
1410b57cec5SDimitry Andric } // end anonymous namespace
1420b57cec5SDimitry Andric
1430b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
1440b57cec5SDimitry Andric // Handle statements that may have an effect on refcounts.
1450b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
1460b57cec5SDimitry Andric
checkPostStmt(const BlockExpr * BE,CheckerContext & C) const1470b57cec5SDimitry Andric void RetainCountChecker::checkPostStmt(const BlockExpr *BE,
1480b57cec5SDimitry Andric CheckerContext &C) const {
1490b57cec5SDimitry Andric
1500b57cec5SDimitry Andric // Scan the BlockDecRefExprs for any object the retain count checker
1510b57cec5SDimitry Andric // may be tracking.
1520b57cec5SDimitry Andric if (!BE->getBlockDecl()->hasCaptures())
1530b57cec5SDimitry Andric return;
1540b57cec5SDimitry Andric
1550b57cec5SDimitry Andric ProgramStateRef state = C.getState();
1560b57cec5SDimitry Andric auto *R = cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
1570b57cec5SDimitry Andric
15806c3fb27SDimitry Andric auto ReferencedVars = R->referenced_vars();
15906c3fb27SDimitry Andric if (ReferencedVars.empty())
1600b57cec5SDimitry Andric return;
1610b57cec5SDimitry Andric
1620b57cec5SDimitry Andric // FIXME: For now we invalidate the tracking of all symbols passed to blocks
1630b57cec5SDimitry Andric // via captured variables, even though captured variables result in a copy
1640b57cec5SDimitry Andric // and in implicit increment/decrement of a retain count.
1650b57cec5SDimitry Andric SmallVector<const MemRegion*, 10> Regions;
1660b57cec5SDimitry Andric const LocationContext *LC = C.getLocationContext();
1670b57cec5SDimitry Andric MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
1680b57cec5SDimitry Andric
16906c3fb27SDimitry Andric for (auto Var : ReferencedVars) {
17006c3fb27SDimitry Andric const VarRegion *VR = Var.getCapturedRegion();
1710b57cec5SDimitry Andric if (VR->getSuperRegion() == R) {
1720b57cec5SDimitry Andric VR = MemMgr.getVarRegion(VR->getDecl(), LC);
1730b57cec5SDimitry Andric }
1740b57cec5SDimitry Andric Regions.push_back(VR);
1750b57cec5SDimitry Andric }
1760b57cec5SDimitry Andric
1770b57cec5SDimitry Andric state = state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
1780b57cec5SDimitry Andric C.addTransition(state);
1790b57cec5SDimitry Andric }
1800b57cec5SDimitry Andric
checkPostStmt(const CastExpr * CE,CheckerContext & C) const1810b57cec5SDimitry Andric void RetainCountChecker::checkPostStmt(const CastExpr *CE,
1820b57cec5SDimitry Andric CheckerContext &C) const {
1830b57cec5SDimitry Andric const ObjCBridgedCastExpr *BE = dyn_cast<ObjCBridgedCastExpr>(CE);
1840b57cec5SDimitry Andric if (!BE)
1850b57cec5SDimitry Andric return;
1860b57cec5SDimitry Andric
1870b57cec5SDimitry Andric QualType QT = CE->getType();
1880b57cec5SDimitry Andric ObjKind K;
1890b57cec5SDimitry Andric if (QT->isObjCObjectPointerType()) {
1900b57cec5SDimitry Andric K = ObjKind::ObjC;
1910b57cec5SDimitry Andric } else {
1920b57cec5SDimitry Andric K = ObjKind::CF;
1930b57cec5SDimitry Andric }
1940b57cec5SDimitry Andric
1950b57cec5SDimitry Andric ArgEffect AE = ArgEffect(IncRef, K);
1960b57cec5SDimitry Andric
1970b57cec5SDimitry Andric switch (BE->getBridgeKind()) {
1980b57cec5SDimitry Andric case OBC_Bridge:
1990b57cec5SDimitry Andric // Do nothing.
2000b57cec5SDimitry Andric return;
2010b57cec5SDimitry Andric case OBC_BridgeRetained:
2020b57cec5SDimitry Andric AE = AE.withKind(IncRef);
2030b57cec5SDimitry Andric break;
2040b57cec5SDimitry Andric case OBC_BridgeTransfer:
2050b57cec5SDimitry Andric AE = AE.withKind(DecRefBridgedTransferred);
2060b57cec5SDimitry Andric break;
2070b57cec5SDimitry Andric }
2080b57cec5SDimitry Andric
2090b57cec5SDimitry Andric ProgramStateRef state = C.getState();
2100b57cec5SDimitry Andric SymbolRef Sym = C.getSVal(CE).getAsLocSymbol();
2110b57cec5SDimitry Andric if (!Sym)
2120b57cec5SDimitry Andric return;
2130b57cec5SDimitry Andric const RefVal* T = getRefBinding(state, Sym);
2140b57cec5SDimitry Andric if (!T)
2150b57cec5SDimitry Andric return;
2160b57cec5SDimitry Andric
2170b57cec5SDimitry Andric RefVal::Kind hasErr = (RefVal::Kind) 0;
2180b57cec5SDimitry Andric state = updateSymbol(state, Sym, *T, AE, hasErr, C);
2190b57cec5SDimitry Andric
2200b57cec5SDimitry Andric if (hasErr) {
2210b57cec5SDimitry Andric // FIXME: If we get an error during a bridge cast, should we report it?
2220b57cec5SDimitry Andric return;
2230b57cec5SDimitry Andric }
2240b57cec5SDimitry Andric
2250b57cec5SDimitry Andric C.addTransition(state);
2260b57cec5SDimitry Andric }
2270b57cec5SDimitry Andric
processObjCLiterals(CheckerContext & C,const Expr * Ex) const2280b57cec5SDimitry Andric void RetainCountChecker::processObjCLiterals(CheckerContext &C,
2290b57cec5SDimitry Andric const Expr *Ex) const {
2300b57cec5SDimitry Andric ProgramStateRef state = C.getState();
2310b57cec5SDimitry Andric const ExplodedNode *pred = C.getPredecessor();
2320b57cec5SDimitry Andric for (const Stmt *Child : Ex->children()) {
2330b57cec5SDimitry Andric SVal V = pred->getSVal(Child);
2340b57cec5SDimitry Andric if (SymbolRef sym = V.getAsSymbol())
2350b57cec5SDimitry Andric if (const RefVal* T = getRefBinding(state, sym)) {
2360b57cec5SDimitry Andric RefVal::Kind hasErr = (RefVal::Kind) 0;
2370b57cec5SDimitry Andric state = updateSymbol(state, sym, *T,
2380b57cec5SDimitry Andric ArgEffect(MayEscape, ObjKind::ObjC), hasErr, C);
2390b57cec5SDimitry Andric if (hasErr) {
2400b57cec5SDimitry Andric processNonLeakError(state, Child->getSourceRange(), hasErr, sym, C);
2410b57cec5SDimitry Andric return;
2420b57cec5SDimitry Andric }
2430b57cec5SDimitry Andric }
2440b57cec5SDimitry Andric }
2450b57cec5SDimitry Andric
2460b57cec5SDimitry Andric // Return the object as autoreleased.
2470b57cec5SDimitry Andric // RetEffect RE = RetEffect::MakeNotOwned(ObjKind::ObjC);
2480b57cec5SDimitry Andric if (SymbolRef sym =
2490b57cec5SDimitry Andric state->getSVal(Ex, pred->getLocationContext()).getAsSymbol()) {
2500b57cec5SDimitry Andric QualType ResultTy = Ex->getType();
2510b57cec5SDimitry Andric state = setRefBinding(state, sym,
2520b57cec5SDimitry Andric RefVal::makeNotOwned(ObjKind::ObjC, ResultTy));
2530b57cec5SDimitry Andric }
2540b57cec5SDimitry Andric
2550b57cec5SDimitry Andric C.addTransition(state);
2560b57cec5SDimitry Andric }
2570b57cec5SDimitry Andric
checkPostStmt(const ObjCArrayLiteral * AL,CheckerContext & C) const2580b57cec5SDimitry Andric void RetainCountChecker::checkPostStmt(const ObjCArrayLiteral *AL,
2590b57cec5SDimitry Andric CheckerContext &C) const {
2600b57cec5SDimitry Andric // Apply the 'MayEscape' to all values.
2610b57cec5SDimitry Andric processObjCLiterals(C, AL);
2620b57cec5SDimitry Andric }
2630b57cec5SDimitry Andric
checkPostStmt(const ObjCDictionaryLiteral * DL,CheckerContext & C) const2640b57cec5SDimitry Andric void RetainCountChecker::checkPostStmt(const ObjCDictionaryLiteral *DL,
2650b57cec5SDimitry Andric CheckerContext &C) const {
2660b57cec5SDimitry Andric // Apply the 'MayEscape' to all keys and values.
2670b57cec5SDimitry Andric processObjCLiterals(C, DL);
2680b57cec5SDimitry Andric }
2690b57cec5SDimitry Andric
checkPostStmt(const ObjCBoxedExpr * Ex,CheckerContext & C) const2700b57cec5SDimitry Andric void RetainCountChecker::checkPostStmt(const ObjCBoxedExpr *Ex,
2710b57cec5SDimitry Andric CheckerContext &C) const {
2720b57cec5SDimitry Andric const ExplodedNode *Pred = C.getPredecessor();
2730b57cec5SDimitry Andric ProgramStateRef State = Pred->getState();
2740b57cec5SDimitry Andric
2750b57cec5SDimitry Andric if (SymbolRef Sym = Pred->getSVal(Ex).getAsSymbol()) {
2760b57cec5SDimitry Andric QualType ResultTy = Ex->getType();
2770b57cec5SDimitry Andric State = setRefBinding(State, Sym,
2780b57cec5SDimitry Andric RefVal::makeNotOwned(ObjKind::ObjC, ResultTy));
2790b57cec5SDimitry Andric }
2800b57cec5SDimitry Andric
2810b57cec5SDimitry Andric C.addTransition(State);
2820b57cec5SDimitry Andric }
2830b57cec5SDimitry Andric
checkPostStmt(const ObjCIvarRefExpr * IRE,CheckerContext & C) const2840b57cec5SDimitry Andric void RetainCountChecker::checkPostStmt(const ObjCIvarRefExpr *IRE,
2850b57cec5SDimitry Andric CheckerContext &C) const {
286bdd1243dSDimitry Andric std::optional<Loc> IVarLoc = C.getSVal(IRE).getAs<Loc>();
2870b57cec5SDimitry Andric if (!IVarLoc)
2880b57cec5SDimitry Andric return;
2890b57cec5SDimitry Andric
2900b57cec5SDimitry Andric ProgramStateRef State = C.getState();
2910b57cec5SDimitry Andric SymbolRef Sym = State->getSVal(*IVarLoc).getAsSymbol();
292349cc55cSDimitry Andric if (!Sym || !isa_and_nonnull<ObjCIvarRegion>(Sym->getOriginRegion()))
2930b57cec5SDimitry Andric return;
2940b57cec5SDimitry Andric
2950b57cec5SDimitry Andric // Accessing an ivar directly is unusual. If we've done that, be more
2960b57cec5SDimitry Andric // forgiving about what the surrounding code is allowed to do.
2970b57cec5SDimitry Andric
2980b57cec5SDimitry Andric QualType Ty = Sym->getType();
2990b57cec5SDimitry Andric ObjKind Kind;
3000b57cec5SDimitry Andric if (Ty->isObjCRetainableType())
3010b57cec5SDimitry Andric Kind = ObjKind::ObjC;
3020b57cec5SDimitry Andric else if (coreFoundation::isCFObjectRef(Ty))
3030b57cec5SDimitry Andric Kind = ObjKind::CF;
3040b57cec5SDimitry Andric else
3050b57cec5SDimitry Andric return;
3060b57cec5SDimitry Andric
3070b57cec5SDimitry Andric // If the value is already known to be nil, don't bother tracking it.
3080b57cec5SDimitry Andric ConstraintManager &CMgr = State->getConstraintManager();
3090b57cec5SDimitry Andric if (CMgr.isNull(State, Sym).isConstrainedTrue())
3100b57cec5SDimitry Andric return;
3110b57cec5SDimitry Andric
3120b57cec5SDimitry Andric if (const RefVal *RV = getRefBinding(State, Sym)) {
3130b57cec5SDimitry Andric // If we've seen this symbol before, or we're only seeing it now because
3140b57cec5SDimitry Andric // of something the analyzer has synthesized, don't do anything.
3150b57cec5SDimitry Andric if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None ||
3160b57cec5SDimitry Andric isSynthesizedAccessor(C.getStackFrame())) {
3170b57cec5SDimitry Andric return;
3180b57cec5SDimitry Andric }
3190b57cec5SDimitry Andric
3200b57cec5SDimitry Andric // Note that this value has been loaded from an ivar.
3210b57cec5SDimitry Andric C.addTransition(setRefBinding(State, Sym, RV->withIvarAccess()));
3220b57cec5SDimitry Andric return;
3230b57cec5SDimitry Andric }
3240b57cec5SDimitry Andric
3250b57cec5SDimitry Andric RefVal PlusZero = RefVal::makeNotOwned(Kind, Ty);
3260b57cec5SDimitry Andric
3270b57cec5SDimitry Andric // In a synthesized accessor, the effective retain count is +0.
3280b57cec5SDimitry Andric if (isSynthesizedAccessor(C.getStackFrame())) {
3290b57cec5SDimitry Andric C.addTransition(setRefBinding(State, Sym, PlusZero));
3300b57cec5SDimitry Andric return;
3310b57cec5SDimitry Andric }
3320b57cec5SDimitry Andric
3330b57cec5SDimitry Andric State = setRefBinding(State, Sym, PlusZero.withIvarAccess());
3340b57cec5SDimitry Andric C.addTransition(State);
3350b57cec5SDimitry Andric }
3360b57cec5SDimitry Andric
isReceiverUnconsumedSelf(const CallEvent & Call)3370b57cec5SDimitry Andric static bool isReceiverUnconsumedSelf(const CallEvent &Call) {
3380b57cec5SDimitry Andric if (const auto *MC = dyn_cast<ObjCMethodCall>(&Call)) {
3390b57cec5SDimitry Andric
3400b57cec5SDimitry Andric // Check if the message is not consumed, we know it will not be used in
3410b57cec5SDimitry Andric // an assignment, ex: "self = [super init]".
3420b57cec5SDimitry Andric return MC->getMethodFamily() == OMF_init && MC->isReceiverSelfOrSuper() &&
3430b57cec5SDimitry Andric !Call.getLocationContext()
3440b57cec5SDimitry Andric ->getAnalysisDeclContext()
3450b57cec5SDimitry Andric ->getParentMap()
3460b57cec5SDimitry Andric .isConsumedExpr(Call.getOriginExpr());
3470b57cec5SDimitry Andric }
3480b57cec5SDimitry Andric return false;
3490b57cec5SDimitry Andric }
3500b57cec5SDimitry Andric
getSummary(RetainSummaryManager & Summaries,const CallEvent & Call,QualType ReceiverType)3510b57cec5SDimitry Andric const static RetainSummary *getSummary(RetainSummaryManager &Summaries,
3520b57cec5SDimitry Andric const CallEvent &Call,
3530b57cec5SDimitry Andric QualType ReceiverType) {
3540b57cec5SDimitry Andric const Expr *CE = Call.getOriginExpr();
3550b57cec5SDimitry Andric AnyCall C =
3560b57cec5SDimitry Andric CE ? *AnyCall::forExpr(CE)
3570b57cec5SDimitry Andric : AnyCall(cast<CXXDestructorDecl>(Call.getDecl()));
3580b57cec5SDimitry Andric return Summaries.getSummary(C, Call.hasNonZeroCallbackArg(),
3590b57cec5SDimitry Andric isReceiverUnconsumedSelf(Call), ReceiverType);
3600b57cec5SDimitry Andric }
3610b57cec5SDimitry Andric
checkPostCall(const CallEvent & Call,CheckerContext & C) const3620b57cec5SDimitry Andric void RetainCountChecker::checkPostCall(const CallEvent &Call,
3630b57cec5SDimitry Andric CheckerContext &C) const {
3640b57cec5SDimitry Andric RetainSummaryManager &Summaries = getSummaryManager(C);
3650b57cec5SDimitry Andric
3660b57cec5SDimitry Andric // Leave null if no receiver.
3670b57cec5SDimitry Andric QualType ReceiverType;
3680b57cec5SDimitry Andric if (const auto *MC = dyn_cast<ObjCMethodCall>(&Call)) {
3690b57cec5SDimitry Andric if (MC->isInstanceMessage()) {
3700b57cec5SDimitry Andric SVal ReceiverV = MC->getReceiverSVal();
3710b57cec5SDimitry Andric if (SymbolRef Sym = ReceiverV.getAsLocSymbol())
3720b57cec5SDimitry Andric if (const RefVal *T = getRefBinding(C.getState(), Sym))
3730b57cec5SDimitry Andric ReceiverType = T->getType();
3740b57cec5SDimitry Andric }
3750b57cec5SDimitry Andric }
3760b57cec5SDimitry Andric
3770b57cec5SDimitry Andric const RetainSummary *Summ = getSummary(Summaries, Call, ReceiverType);
3780b57cec5SDimitry Andric
3790b57cec5SDimitry Andric if (C.wasInlined) {
3800b57cec5SDimitry Andric processSummaryOfInlined(*Summ, Call, C);
3810b57cec5SDimitry Andric return;
3820b57cec5SDimitry Andric }
3830b57cec5SDimitry Andric checkSummary(*Summ, Call, C);
3840b57cec5SDimitry Andric }
3850b57cec5SDimitry Andric
3860b57cec5SDimitry Andric /// GetReturnType - Used to get the return type of a message expression or
3870b57cec5SDimitry Andric /// function call with the intention of affixing that type to a tracked symbol.
3880b57cec5SDimitry Andric /// While the return type can be queried directly from RetEx, when
3890b57cec5SDimitry Andric /// invoking class methods we augment to the return type to be that of
3900b57cec5SDimitry Andric /// a pointer to the class (as opposed it just being id).
3910b57cec5SDimitry Andric // FIXME: We may be able to do this with related result types instead.
3920b57cec5SDimitry Andric // This function is probably overestimating.
GetReturnType(const Expr * RetE,ASTContext & Ctx)3930b57cec5SDimitry Andric static QualType GetReturnType(const Expr *RetE, ASTContext &Ctx) {
3940b57cec5SDimitry Andric QualType RetTy = RetE->getType();
3950b57cec5SDimitry Andric // If RetE is not a message expression just return its type.
3960b57cec5SDimitry Andric // If RetE is a message expression, return its types if it is something
3970b57cec5SDimitry Andric /// more specific than id.
3980b57cec5SDimitry Andric if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(RetE))
3990b57cec5SDimitry Andric if (const ObjCObjectPointerType *PT = RetTy->getAs<ObjCObjectPointerType>())
4000b57cec5SDimitry Andric if (PT->isObjCQualifiedIdType() || PT->isObjCIdType() ||
4010b57cec5SDimitry Andric PT->isObjCClassType()) {
4020b57cec5SDimitry Andric // At this point we know the return type of the message expression is
4030b57cec5SDimitry Andric // id, id<...>, or Class. If we have an ObjCInterfaceDecl, we know this
4040b57cec5SDimitry Andric // is a call to a class method whose type we can resolve. In such
4050b57cec5SDimitry Andric // cases, promote the return type to XXX* (where XXX is the class).
4060b57cec5SDimitry Andric const ObjCInterfaceDecl *D = ME->getReceiverInterface();
4070b57cec5SDimitry Andric return !D ? RetTy :
4080b57cec5SDimitry Andric Ctx.getObjCObjectPointerType(Ctx.getObjCInterfaceType(D));
4090b57cec5SDimitry Andric }
4100b57cec5SDimitry Andric
4110b57cec5SDimitry Andric return RetTy;
4120b57cec5SDimitry Andric }
4130b57cec5SDimitry Andric
refValFromRetEffect(RetEffect RE,QualType ResultTy)414bdd1243dSDimitry Andric static std::optional<RefVal> refValFromRetEffect(RetEffect RE,
4150b57cec5SDimitry Andric QualType ResultTy) {
4160b57cec5SDimitry Andric if (RE.isOwned()) {
4170b57cec5SDimitry Andric return RefVal::makeOwned(RE.getObjKind(), ResultTy);
4180b57cec5SDimitry Andric } else if (RE.notOwned()) {
4190b57cec5SDimitry Andric return RefVal::makeNotOwned(RE.getObjKind(), ResultTy);
4200b57cec5SDimitry Andric }
4210b57cec5SDimitry Andric
422bdd1243dSDimitry Andric return std::nullopt;
4230b57cec5SDimitry Andric }
4240b57cec5SDimitry Andric
isPointerToObject(QualType QT)4250b57cec5SDimitry Andric static bool isPointerToObject(QualType QT) {
4260b57cec5SDimitry Andric QualType PT = QT->getPointeeType();
4270b57cec5SDimitry Andric if (!PT.isNull())
4280b57cec5SDimitry Andric if (PT->getAsCXXRecordDecl())
4290b57cec5SDimitry Andric return true;
4300b57cec5SDimitry Andric return false;
4310b57cec5SDimitry Andric }
4320b57cec5SDimitry Andric
4330b57cec5SDimitry Andric /// Whether the tracked value should be escaped on a given call.
4340b57cec5SDimitry Andric /// OSObjects are escaped when passed to void * / etc.
shouldEscapeOSArgumentOnCall(const CallEvent & CE,unsigned ArgIdx,const RefVal * TrackedValue)4350b57cec5SDimitry Andric static bool shouldEscapeOSArgumentOnCall(const CallEvent &CE, unsigned ArgIdx,
4360b57cec5SDimitry Andric const RefVal *TrackedValue) {
4370b57cec5SDimitry Andric if (TrackedValue->getObjKind() != ObjKind::OS)
4380b57cec5SDimitry Andric return false;
4390b57cec5SDimitry Andric if (ArgIdx >= CE.parameters().size())
4400b57cec5SDimitry Andric return false;
4410b57cec5SDimitry Andric return !isPointerToObject(CE.parameters()[ArgIdx]->getType());
4420b57cec5SDimitry Andric }
4430b57cec5SDimitry Andric
4440b57cec5SDimitry Andric // We don't always get the exact modeling of the function with regards to the
4450b57cec5SDimitry Andric // retain count checker even when the function is inlined. For example, we need
4460b57cec5SDimitry Andric // to stop tracking the symbols which were marked with StopTrackingHard.
processSummaryOfInlined(const RetainSummary & Summ,const CallEvent & CallOrMsg,CheckerContext & C) const4470b57cec5SDimitry Andric void RetainCountChecker::processSummaryOfInlined(const RetainSummary &Summ,
4480b57cec5SDimitry Andric const CallEvent &CallOrMsg,
4490b57cec5SDimitry Andric CheckerContext &C) const {
4500b57cec5SDimitry Andric ProgramStateRef state = C.getState();
4510b57cec5SDimitry Andric
4520b57cec5SDimitry Andric // Evaluate the effect of the arguments.
4530b57cec5SDimitry Andric for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) {
4540b57cec5SDimitry Andric SVal V = CallOrMsg.getArgSVal(idx);
4550b57cec5SDimitry Andric
4560b57cec5SDimitry Andric if (SymbolRef Sym = V.getAsLocSymbol()) {
4570b57cec5SDimitry Andric bool ShouldRemoveBinding = Summ.getArg(idx).getKind() == StopTrackingHard;
4580b57cec5SDimitry Andric if (const RefVal *T = getRefBinding(state, Sym))
4590b57cec5SDimitry Andric if (shouldEscapeOSArgumentOnCall(CallOrMsg, idx, T))
4600b57cec5SDimitry Andric ShouldRemoveBinding = true;
4610b57cec5SDimitry Andric
4620b57cec5SDimitry Andric if (ShouldRemoveBinding)
4630b57cec5SDimitry Andric state = removeRefBinding(state, Sym);
4640b57cec5SDimitry Andric }
4650b57cec5SDimitry Andric }
4660b57cec5SDimitry Andric
4670b57cec5SDimitry Andric // Evaluate the effect on the message receiver.
4680b57cec5SDimitry Andric if (const auto *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg)) {
4690b57cec5SDimitry Andric if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) {
4700b57cec5SDimitry Andric if (Summ.getReceiverEffect().getKind() == StopTrackingHard) {
4710b57cec5SDimitry Andric state = removeRefBinding(state, Sym);
4720b57cec5SDimitry Andric }
4730b57cec5SDimitry Andric }
4740b57cec5SDimitry Andric }
4750b57cec5SDimitry Andric
4760b57cec5SDimitry Andric // Consult the summary for the return value.
4770b57cec5SDimitry Andric RetEffect RE = Summ.getRetEffect();
4780b57cec5SDimitry Andric
4790b57cec5SDimitry Andric if (SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol()) {
4800b57cec5SDimitry Andric if (RE.getKind() == RetEffect::NoRetHard)
4810b57cec5SDimitry Andric state = removeRefBinding(state, Sym);
4820b57cec5SDimitry Andric }
4830b57cec5SDimitry Andric
4840b57cec5SDimitry Andric C.addTransition(state);
4850b57cec5SDimitry Andric }
4860b57cec5SDimitry Andric
isSmartPtrField(const MemRegion * MR)4870b57cec5SDimitry Andric static bool isSmartPtrField(const MemRegion *MR) {
4880b57cec5SDimitry Andric const auto *TR = dyn_cast<TypedValueRegion>(
4890b57cec5SDimitry Andric cast<SubRegion>(MR)->getSuperRegion());
4900b57cec5SDimitry Andric return TR && RetainSummaryManager::isKnownSmartPointer(TR->getValueType());
4910b57cec5SDimitry Andric }
4920b57cec5SDimitry Andric
4930b57cec5SDimitry Andric
4940b57cec5SDimitry Andric /// A value escapes in these possible cases:
4950b57cec5SDimitry Andric ///
4960b57cec5SDimitry Andric /// - binding to something that is not a memory region.
4970b57cec5SDimitry Andric /// - binding to a memregion that does not have stack storage
4980b57cec5SDimitry Andric /// - binding to a variable that has a destructor attached using CleanupAttr
4990b57cec5SDimitry Andric ///
5000b57cec5SDimitry Andric /// We do not currently model what happens when a symbol is
5010b57cec5SDimitry Andric /// assigned to a struct field, unless it is a known smart pointer
5020b57cec5SDimitry Andric /// implementation, about which we know that it is inlined.
5030b57cec5SDimitry Andric /// FIXME: This could definitely be improved upon.
shouldEscapeRegion(const MemRegion * R)5040b57cec5SDimitry Andric static bool shouldEscapeRegion(const MemRegion *R) {
5050b57cec5SDimitry Andric if (isSmartPtrField(R))
5060b57cec5SDimitry Andric return false;
5070b57cec5SDimitry Andric
5080b57cec5SDimitry Andric const auto *VR = dyn_cast<VarRegion>(R);
5090b57cec5SDimitry Andric
5100b57cec5SDimitry Andric if (!R->hasStackStorage() || !VR)
5110b57cec5SDimitry Andric return true;
5120b57cec5SDimitry Andric
5130b57cec5SDimitry Andric const VarDecl *VD = VR->getDecl();
5140b57cec5SDimitry Andric if (!VD->hasAttr<CleanupAttr>())
5150b57cec5SDimitry Andric return false; // CleanupAttr attaches destructors, which cause escaping.
5160b57cec5SDimitry Andric return true;
5170b57cec5SDimitry Andric }
5180b57cec5SDimitry Andric
5190b57cec5SDimitry Andric static SmallVector<ProgramStateRef, 2>
updateOutParameters(ProgramStateRef State,const RetainSummary & Summ,const CallEvent & CE)5200b57cec5SDimitry Andric updateOutParameters(ProgramStateRef State, const RetainSummary &Summ,
5210b57cec5SDimitry Andric const CallEvent &CE) {
5220b57cec5SDimitry Andric
5230b57cec5SDimitry Andric SVal L = CE.getReturnValue();
5240b57cec5SDimitry Andric
5250b57cec5SDimitry Andric // Splitting is required to support out parameters,
5260b57cec5SDimitry Andric // as out parameters might be created only on the "success" branch.
5270b57cec5SDimitry Andric // We want to avoid eagerly splitting unless out parameters are actually
5280b57cec5SDimitry Andric // needed.
5290b57cec5SDimitry Andric bool SplitNecessary = false;
5300b57cec5SDimitry Andric for (auto &P : Summ.getArgEffects())
5310b57cec5SDimitry Andric if (P.second.getKind() == RetainedOutParameterOnNonZero ||
5320b57cec5SDimitry Andric P.second.getKind() == RetainedOutParameterOnZero)
5330b57cec5SDimitry Andric SplitNecessary = true;
5340b57cec5SDimitry Andric
5350b57cec5SDimitry Andric ProgramStateRef AssumeNonZeroReturn = State;
5360b57cec5SDimitry Andric ProgramStateRef AssumeZeroReturn = State;
5370b57cec5SDimitry Andric
5380b57cec5SDimitry Andric if (SplitNecessary) {
5390b57cec5SDimitry Andric if (!CE.getResultType()->isScalarType()) {
5400b57cec5SDimitry Andric // Structures cannot be assumed. This probably deserves
5410b57cec5SDimitry Andric // a compiler warning for invalid annotations.
5420b57cec5SDimitry Andric return {State};
5430b57cec5SDimitry Andric }
5440b57cec5SDimitry Andric if (auto DL = L.getAs<DefinedOrUnknownSVal>()) {
5450b57cec5SDimitry Andric AssumeNonZeroReturn = AssumeNonZeroReturn->assume(*DL, true);
5460b57cec5SDimitry Andric AssumeZeroReturn = AssumeZeroReturn->assume(*DL, false);
5470b57cec5SDimitry Andric }
5480b57cec5SDimitry Andric }
5490b57cec5SDimitry Andric
5500b57cec5SDimitry Andric for (unsigned idx = 0, e = CE.getNumArgs(); idx != e; ++idx) {
5510b57cec5SDimitry Andric SVal ArgVal = CE.getArgSVal(idx);
5520b57cec5SDimitry Andric ArgEffect AE = Summ.getArg(idx);
5530b57cec5SDimitry Andric
5540b57cec5SDimitry Andric auto *ArgRegion = dyn_cast_or_null<TypedValueRegion>(ArgVal.getAsRegion());
5550b57cec5SDimitry Andric if (!ArgRegion)
5560b57cec5SDimitry Andric continue;
5570b57cec5SDimitry Andric
5580b57cec5SDimitry Andric QualType PointeeTy = ArgRegion->getValueType();
5590b57cec5SDimitry Andric SVal PointeeVal = State->getSVal(ArgRegion);
5600b57cec5SDimitry Andric SymbolRef Pointee = PointeeVal.getAsLocSymbol();
5610b57cec5SDimitry Andric if (!Pointee)
5620b57cec5SDimitry Andric continue;
5630b57cec5SDimitry Andric
5640b57cec5SDimitry Andric if (shouldEscapeRegion(ArgRegion))
5650b57cec5SDimitry Andric continue;
5660b57cec5SDimitry Andric
5670b57cec5SDimitry Andric auto makeNotOwnedParameter = [&](ProgramStateRef St) {
5680b57cec5SDimitry Andric return setRefBinding(St, Pointee,
5690b57cec5SDimitry Andric RefVal::makeNotOwned(AE.getObjKind(), PointeeTy));
5700b57cec5SDimitry Andric };
5710b57cec5SDimitry Andric auto makeOwnedParameter = [&](ProgramStateRef St) {
5720b57cec5SDimitry Andric return setRefBinding(St, Pointee,
5730b57cec5SDimitry Andric RefVal::makeOwned(ObjKind::OS, PointeeTy));
5740b57cec5SDimitry Andric };
5750b57cec5SDimitry Andric
5760b57cec5SDimitry Andric switch (AE.getKind()) {
5770b57cec5SDimitry Andric case UnretainedOutParameter:
5780b57cec5SDimitry Andric AssumeNonZeroReturn = makeNotOwnedParameter(AssumeNonZeroReturn);
5790b57cec5SDimitry Andric AssumeZeroReturn = makeNotOwnedParameter(AssumeZeroReturn);
5800b57cec5SDimitry Andric break;
5810b57cec5SDimitry Andric case RetainedOutParameter:
5820b57cec5SDimitry Andric AssumeNonZeroReturn = makeOwnedParameter(AssumeNonZeroReturn);
5830b57cec5SDimitry Andric AssumeZeroReturn = makeOwnedParameter(AssumeZeroReturn);
5840b57cec5SDimitry Andric break;
5850b57cec5SDimitry Andric case RetainedOutParameterOnNonZero:
5860b57cec5SDimitry Andric AssumeNonZeroReturn = makeOwnedParameter(AssumeNonZeroReturn);
5870b57cec5SDimitry Andric break;
5880b57cec5SDimitry Andric case RetainedOutParameterOnZero:
5890b57cec5SDimitry Andric AssumeZeroReturn = makeOwnedParameter(AssumeZeroReturn);
5900b57cec5SDimitry Andric break;
5910b57cec5SDimitry Andric default:
5920b57cec5SDimitry Andric break;
5930b57cec5SDimitry Andric }
5940b57cec5SDimitry Andric }
5950b57cec5SDimitry Andric
5960b57cec5SDimitry Andric if (SplitNecessary) {
5970b57cec5SDimitry Andric return {AssumeNonZeroReturn, AssumeZeroReturn};
5980b57cec5SDimitry Andric } else {
5990b57cec5SDimitry Andric assert(AssumeZeroReturn == AssumeNonZeroReturn);
6000b57cec5SDimitry Andric return {AssumeZeroReturn};
6010b57cec5SDimitry Andric }
6020b57cec5SDimitry Andric }
6030b57cec5SDimitry Andric
checkSummary(const RetainSummary & Summ,const CallEvent & CallOrMsg,CheckerContext & C) const6040b57cec5SDimitry Andric void RetainCountChecker::checkSummary(const RetainSummary &Summ,
6050b57cec5SDimitry Andric const CallEvent &CallOrMsg,
6060b57cec5SDimitry Andric CheckerContext &C) const {
6070b57cec5SDimitry Andric ProgramStateRef state = C.getState();
6080b57cec5SDimitry Andric
6090b57cec5SDimitry Andric // Evaluate the effect of the arguments.
6100b57cec5SDimitry Andric RefVal::Kind hasErr = (RefVal::Kind) 0;
6110b57cec5SDimitry Andric SourceRange ErrorRange;
6120b57cec5SDimitry Andric SymbolRef ErrorSym = nullptr;
6130b57cec5SDimitry Andric
6140b57cec5SDimitry Andric // Helper tag for providing diagnostics: indicate whether dealloc was sent
6150b57cec5SDimitry Andric // at this location.
6160b57cec5SDimitry Andric bool DeallocSent = false;
6170b57cec5SDimitry Andric
6180b57cec5SDimitry Andric for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) {
6190b57cec5SDimitry Andric SVal V = CallOrMsg.getArgSVal(idx);
6200b57cec5SDimitry Andric
6210b57cec5SDimitry Andric ArgEffect Effect = Summ.getArg(idx);
6220b57cec5SDimitry Andric if (SymbolRef Sym = V.getAsLocSymbol()) {
6230b57cec5SDimitry Andric if (const RefVal *T = getRefBinding(state, Sym)) {
6240b57cec5SDimitry Andric
6250b57cec5SDimitry Andric if (shouldEscapeOSArgumentOnCall(CallOrMsg, idx, T))
6260b57cec5SDimitry Andric Effect = ArgEffect(StopTrackingHard, ObjKind::OS);
6270b57cec5SDimitry Andric
6280b57cec5SDimitry Andric state = updateSymbol(state, Sym, *T, Effect, hasErr, C);
6290b57cec5SDimitry Andric if (hasErr) {
6300b57cec5SDimitry Andric ErrorRange = CallOrMsg.getArgSourceRange(idx);
6310b57cec5SDimitry Andric ErrorSym = Sym;
6320b57cec5SDimitry Andric break;
6330b57cec5SDimitry Andric } else if (Effect.getKind() == Dealloc) {
6340b57cec5SDimitry Andric DeallocSent = true;
6350b57cec5SDimitry Andric }
6360b57cec5SDimitry Andric }
6370b57cec5SDimitry Andric }
6380b57cec5SDimitry Andric }
6390b57cec5SDimitry Andric
6400b57cec5SDimitry Andric // Evaluate the effect on the message receiver / `this` argument.
6410b57cec5SDimitry Andric bool ReceiverIsTracked = false;
6420b57cec5SDimitry Andric if (!hasErr) {
6430b57cec5SDimitry Andric if (const auto *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg)) {
6440b57cec5SDimitry Andric if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) {
6450b57cec5SDimitry Andric if (const RefVal *T = getRefBinding(state, Sym)) {
6460b57cec5SDimitry Andric ReceiverIsTracked = true;
6470b57cec5SDimitry Andric state = updateSymbol(state, Sym, *T,
6480b57cec5SDimitry Andric Summ.getReceiverEffect(), hasErr, C);
6490b57cec5SDimitry Andric if (hasErr) {
6500b57cec5SDimitry Andric ErrorRange = MsgInvocation->getOriginExpr()->getReceiverRange();
6510b57cec5SDimitry Andric ErrorSym = Sym;
6520b57cec5SDimitry Andric } else if (Summ.getReceiverEffect().getKind() == Dealloc) {
6530b57cec5SDimitry Andric DeallocSent = true;
6540b57cec5SDimitry Andric }
6550b57cec5SDimitry Andric }
6560b57cec5SDimitry Andric }
6570b57cec5SDimitry Andric } else if (const auto *MCall = dyn_cast<CXXMemberCall>(&CallOrMsg)) {
6580b57cec5SDimitry Andric if (SymbolRef Sym = MCall->getCXXThisVal().getAsLocSymbol()) {
6590b57cec5SDimitry Andric if (const RefVal *T = getRefBinding(state, Sym)) {
6600b57cec5SDimitry Andric state = updateSymbol(state, Sym, *T, Summ.getThisEffect(),
6610b57cec5SDimitry Andric hasErr, C);
6620b57cec5SDimitry Andric if (hasErr) {
6630b57cec5SDimitry Andric ErrorRange = MCall->getOriginExpr()->getSourceRange();
6640b57cec5SDimitry Andric ErrorSym = Sym;
6650b57cec5SDimitry Andric }
6660b57cec5SDimitry Andric }
6670b57cec5SDimitry Andric }
6680b57cec5SDimitry Andric }
6690b57cec5SDimitry Andric }
6700b57cec5SDimitry Andric
6710b57cec5SDimitry Andric // Process any errors.
6720b57cec5SDimitry Andric if (hasErr) {
6730b57cec5SDimitry Andric processNonLeakError(state, ErrorRange, hasErr, ErrorSym, C);
6740b57cec5SDimitry Andric return;
6750b57cec5SDimitry Andric }
6760b57cec5SDimitry Andric
6770b57cec5SDimitry Andric // Consult the summary for the return value.
6780b57cec5SDimitry Andric RetEffect RE = Summ.getRetEffect();
6790b57cec5SDimitry Andric
6800b57cec5SDimitry Andric if (RE.getKind() == RetEffect::OwnedWhenTrackedReceiver) {
6810b57cec5SDimitry Andric if (ReceiverIsTracked)
6820b57cec5SDimitry Andric RE = getSummaryManager(C).getObjAllocRetEffect();
6830b57cec5SDimitry Andric else
6840b57cec5SDimitry Andric RE = RetEffect::MakeNoRet();
6850b57cec5SDimitry Andric }
6860b57cec5SDimitry Andric
6870b57cec5SDimitry Andric if (SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol()) {
6880b57cec5SDimitry Andric QualType ResultTy = CallOrMsg.getResultType();
6890b57cec5SDimitry Andric if (RE.notOwned()) {
6900b57cec5SDimitry Andric const Expr *Ex = CallOrMsg.getOriginExpr();
6910b57cec5SDimitry Andric assert(Ex);
6920b57cec5SDimitry Andric ResultTy = GetReturnType(Ex, C.getASTContext());
6930b57cec5SDimitry Andric }
694bdd1243dSDimitry Andric if (std::optional<RefVal> updatedRefVal = refValFromRetEffect(RE, ResultTy))
6950b57cec5SDimitry Andric state = setRefBinding(state, Sym, *updatedRefVal);
6960b57cec5SDimitry Andric }
6970b57cec5SDimitry Andric
6980b57cec5SDimitry Andric SmallVector<ProgramStateRef, 2> Out =
6990b57cec5SDimitry Andric updateOutParameters(state, Summ, CallOrMsg);
7000b57cec5SDimitry Andric
7010b57cec5SDimitry Andric for (ProgramStateRef St : Out) {
7020b57cec5SDimitry Andric if (DeallocSent) {
7035ffd83dbSDimitry Andric C.addTransition(St, C.getPredecessor(), &getDeallocSentTag());
7040b57cec5SDimitry Andric } else {
7050b57cec5SDimitry Andric C.addTransition(St);
7060b57cec5SDimitry Andric }
7070b57cec5SDimitry Andric }
7080b57cec5SDimitry Andric }
7090b57cec5SDimitry Andric
updateSymbol(ProgramStateRef state,SymbolRef sym,RefVal V,ArgEffect AE,RefVal::Kind & hasErr,CheckerContext & C) const7100b57cec5SDimitry Andric ProgramStateRef RetainCountChecker::updateSymbol(ProgramStateRef state,
7110b57cec5SDimitry Andric SymbolRef sym, RefVal V,
7120b57cec5SDimitry Andric ArgEffect AE,
7130b57cec5SDimitry Andric RefVal::Kind &hasErr,
7140b57cec5SDimitry Andric CheckerContext &C) const {
7150b57cec5SDimitry Andric bool IgnoreRetainMsg = (bool)C.getASTContext().getLangOpts().ObjCAutoRefCount;
7160b57cec5SDimitry Andric if (AE.getObjKind() == ObjKind::ObjC && IgnoreRetainMsg) {
7170b57cec5SDimitry Andric switch (AE.getKind()) {
7180b57cec5SDimitry Andric default:
7190b57cec5SDimitry Andric break;
7200b57cec5SDimitry Andric case IncRef:
7210b57cec5SDimitry Andric AE = AE.withKind(DoNothing);
7220b57cec5SDimitry Andric break;
7230b57cec5SDimitry Andric case DecRef:
7240b57cec5SDimitry Andric AE = AE.withKind(DoNothing);
7250b57cec5SDimitry Andric break;
7260b57cec5SDimitry Andric case DecRefAndStopTrackingHard:
7270b57cec5SDimitry Andric AE = AE.withKind(StopTracking);
7280b57cec5SDimitry Andric break;
7290b57cec5SDimitry Andric }
7300b57cec5SDimitry Andric }
7310b57cec5SDimitry Andric
7320b57cec5SDimitry Andric // Handle all use-after-releases.
7330b57cec5SDimitry Andric if (V.getKind() == RefVal::Released) {
7340b57cec5SDimitry Andric V = V ^ RefVal::ErrorUseAfterRelease;
7350b57cec5SDimitry Andric hasErr = V.getKind();
7360b57cec5SDimitry Andric return setRefBinding(state, sym, V);
7370b57cec5SDimitry Andric }
7380b57cec5SDimitry Andric
7390b57cec5SDimitry Andric switch (AE.getKind()) {
7400b57cec5SDimitry Andric case UnretainedOutParameter:
7410b57cec5SDimitry Andric case RetainedOutParameter:
7420b57cec5SDimitry Andric case RetainedOutParameterOnZero:
7430b57cec5SDimitry Andric case RetainedOutParameterOnNonZero:
7440b57cec5SDimitry Andric llvm_unreachable("Applies to pointer-to-pointer parameters, which should "
7450b57cec5SDimitry Andric "not have ref state.");
7460b57cec5SDimitry Andric
7470b57cec5SDimitry Andric case Dealloc: // NB. we only need to add a note in a non-error case.
7480b57cec5SDimitry Andric switch (V.getKind()) {
7490b57cec5SDimitry Andric default:
7500b57cec5SDimitry Andric llvm_unreachable("Invalid RefVal state for an explicit dealloc.");
7510b57cec5SDimitry Andric case RefVal::Owned:
7520b57cec5SDimitry Andric // The object immediately transitions to the released state.
7530b57cec5SDimitry Andric V = V ^ RefVal::Released;
7540b57cec5SDimitry Andric V.clearCounts();
7550b57cec5SDimitry Andric return setRefBinding(state, sym, V);
7560b57cec5SDimitry Andric case RefVal::NotOwned:
7570b57cec5SDimitry Andric V = V ^ RefVal::ErrorDeallocNotOwned;
7580b57cec5SDimitry Andric hasErr = V.getKind();
7590b57cec5SDimitry Andric break;
7600b57cec5SDimitry Andric }
7610b57cec5SDimitry Andric break;
7620b57cec5SDimitry Andric
7630b57cec5SDimitry Andric case MayEscape:
7640b57cec5SDimitry Andric if (V.getKind() == RefVal::Owned) {
7650b57cec5SDimitry Andric V = V ^ RefVal::NotOwned;
7660b57cec5SDimitry Andric break;
7670b57cec5SDimitry Andric }
7680b57cec5SDimitry Andric
769bdd1243dSDimitry Andric [[fallthrough]];
7700b57cec5SDimitry Andric
7710b57cec5SDimitry Andric case DoNothing:
7720b57cec5SDimitry Andric return state;
7730b57cec5SDimitry Andric
7740b57cec5SDimitry Andric case Autorelease:
7750b57cec5SDimitry Andric // Update the autorelease counts.
7760b57cec5SDimitry Andric V = V.autorelease();
7770b57cec5SDimitry Andric break;
7780b57cec5SDimitry Andric
7790b57cec5SDimitry Andric case StopTracking:
7800b57cec5SDimitry Andric case StopTrackingHard:
7810b57cec5SDimitry Andric return removeRefBinding(state, sym);
7820b57cec5SDimitry Andric
7830b57cec5SDimitry Andric case IncRef:
7840b57cec5SDimitry Andric switch (V.getKind()) {
7850b57cec5SDimitry Andric default:
7860b57cec5SDimitry Andric llvm_unreachable("Invalid RefVal state for a retain.");
7870b57cec5SDimitry Andric case RefVal::Owned:
7880b57cec5SDimitry Andric case RefVal::NotOwned:
7890b57cec5SDimitry Andric V = V + 1;
7900b57cec5SDimitry Andric break;
7910b57cec5SDimitry Andric }
7920b57cec5SDimitry Andric break;
7930b57cec5SDimitry Andric
7940b57cec5SDimitry Andric case DecRef:
7950b57cec5SDimitry Andric case DecRefBridgedTransferred:
7960b57cec5SDimitry Andric case DecRefAndStopTrackingHard:
7970b57cec5SDimitry Andric switch (V.getKind()) {
7980b57cec5SDimitry Andric default:
7990b57cec5SDimitry Andric // case 'RefVal::Released' handled above.
8000b57cec5SDimitry Andric llvm_unreachable("Invalid RefVal state for a release.");
8010b57cec5SDimitry Andric
8020b57cec5SDimitry Andric case RefVal::Owned:
8030b57cec5SDimitry Andric assert(V.getCount() > 0);
8040b57cec5SDimitry Andric if (V.getCount() == 1) {
8050b57cec5SDimitry Andric if (AE.getKind() == DecRefBridgedTransferred ||
8060b57cec5SDimitry Andric V.getIvarAccessHistory() ==
8070b57cec5SDimitry Andric RefVal::IvarAccessHistory::AccessedDirectly)
8080b57cec5SDimitry Andric V = V ^ RefVal::NotOwned;
8090b57cec5SDimitry Andric else
8100b57cec5SDimitry Andric V = V ^ RefVal::Released;
8110b57cec5SDimitry Andric } else if (AE.getKind() == DecRefAndStopTrackingHard) {
8120b57cec5SDimitry Andric return removeRefBinding(state, sym);
8130b57cec5SDimitry Andric }
8140b57cec5SDimitry Andric
8150b57cec5SDimitry Andric V = V - 1;
8160b57cec5SDimitry Andric break;
8170b57cec5SDimitry Andric
8180b57cec5SDimitry Andric case RefVal::NotOwned:
8190b57cec5SDimitry Andric if (V.getCount() > 0) {
8200b57cec5SDimitry Andric if (AE.getKind() == DecRefAndStopTrackingHard)
8210b57cec5SDimitry Andric return removeRefBinding(state, sym);
8220b57cec5SDimitry Andric V = V - 1;
8230b57cec5SDimitry Andric } else if (V.getIvarAccessHistory() ==
8240b57cec5SDimitry Andric RefVal::IvarAccessHistory::AccessedDirectly) {
8250b57cec5SDimitry Andric // Assume that the instance variable was holding on the object at
8260b57cec5SDimitry Andric // +1, and we just didn't know.
8270b57cec5SDimitry Andric if (AE.getKind() == DecRefAndStopTrackingHard)
8280b57cec5SDimitry Andric return removeRefBinding(state, sym);
8290b57cec5SDimitry Andric V = V.releaseViaIvar() ^ RefVal::Released;
8300b57cec5SDimitry Andric } else {
8310b57cec5SDimitry Andric V = V ^ RefVal::ErrorReleaseNotOwned;
8320b57cec5SDimitry Andric hasErr = V.getKind();
8330b57cec5SDimitry Andric }
8340b57cec5SDimitry Andric break;
8350b57cec5SDimitry Andric }
8360b57cec5SDimitry Andric break;
8370b57cec5SDimitry Andric }
8380b57cec5SDimitry Andric return setRefBinding(state, sym, V);
8390b57cec5SDimitry Andric }
8400b57cec5SDimitry Andric
8410b57cec5SDimitry Andric const RefCountBug &
errorKindToBugKind(RefVal::Kind ErrorKind,SymbolRef Sym) const8420b57cec5SDimitry Andric RetainCountChecker::errorKindToBugKind(RefVal::Kind ErrorKind,
8430b57cec5SDimitry Andric SymbolRef Sym) const {
8440b57cec5SDimitry Andric switch (ErrorKind) {
8450b57cec5SDimitry Andric case RefVal::ErrorUseAfterRelease:
8465ffd83dbSDimitry Andric return *UseAfterRelease;
8470b57cec5SDimitry Andric case RefVal::ErrorReleaseNotOwned:
8485ffd83dbSDimitry Andric return *ReleaseNotOwned;
8490b57cec5SDimitry Andric case RefVal::ErrorDeallocNotOwned:
8500b57cec5SDimitry Andric if (Sym->getType()->getPointeeCXXRecordDecl())
8515ffd83dbSDimitry Andric return *FreeNotOwned;
8525ffd83dbSDimitry Andric return *DeallocNotOwned;
8530b57cec5SDimitry Andric default:
8540b57cec5SDimitry Andric llvm_unreachable("Unhandled error.");
8550b57cec5SDimitry Andric }
8560b57cec5SDimitry Andric }
8570b57cec5SDimitry Andric
processNonLeakError(ProgramStateRef St,SourceRange ErrorRange,RefVal::Kind ErrorKind,SymbolRef Sym,CheckerContext & C) const8580b57cec5SDimitry Andric void RetainCountChecker::processNonLeakError(ProgramStateRef St,
8590b57cec5SDimitry Andric SourceRange ErrorRange,
8600b57cec5SDimitry Andric RefVal::Kind ErrorKind,
8610b57cec5SDimitry Andric SymbolRef Sym,
8620b57cec5SDimitry Andric CheckerContext &C) const {
8630b57cec5SDimitry Andric // HACK: Ignore retain-count issues on values accessed through ivars,
8640b57cec5SDimitry Andric // because of cases like this:
8650b57cec5SDimitry Andric // [_contentView retain];
8660b57cec5SDimitry Andric // [_contentView removeFromSuperview];
8670b57cec5SDimitry Andric // [self addSubview:_contentView]; // invalidates 'self'
8680b57cec5SDimitry Andric // [_contentView release];
8690b57cec5SDimitry Andric if (const RefVal *RV = getRefBinding(St, Sym))
8700b57cec5SDimitry Andric if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
8710b57cec5SDimitry Andric return;
8720b57cec5SDimitry Andric
8730b57cec5SDimitry Andric ExplodedNode *N = C.generateErrorNode(St);
8740b57cec5SDimitry Andric if (!N)
8750b57cec5SDimitry Andric return;
8760b57cec5SDimitry Andric
877a7dea167SDimitry Andric auto report = std::make_unique<RefCountReport>(
8780b57cec5SDimitry Andric errorKindToBugKind(ErrorKind, Sym),
8790b57cec5SDimitry Andric C.getASTContext().getLangOpts(), N, Sym);
8800b57cec5SDimitry Andric report->addRange(ErrorRange);
8810b57cec5SDimitry Andric C.emitReport(std::move(report));
8820b57cec5SDimitry Andric }
8830b57cec5SDimitry Andric
8840b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
8850b57cec5SDimitry Andric // Handle the return values of retain-count-related functions.
8860b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
8870b57cec5SDimitry Andric
evalCall(const CallEvent & Call,CheckerContext & C) const8880b57cec5SDimitry Andric bool RetainCountChecker::evalCall(const CallEvent &Call,
8890b57cec5SDimitry Andric CheckerContext &C) const {
8900b57cec5SDimitry Andric ProgramStateRef state = C.getState();
8910b57cec5SDimitry Andric const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
8920b57cec5SDimitry Andric if (!FD)
8930b57cec5SDimitry Andric return false;
8940b57cec5SDimitry Andric
8950b57cec5SDimitry Andric const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
8960b57cec5SDimitry Andric if (!CE)
8970b57cec5SDimitry Andric return false;
8980b57cec5SDimitry Andric
8990b57cec5SDimitry Andric RetainSummaryManager &SmrMgr = getSummaryManager(C);
9000b57cec5SDimitry Andric QualType ResultTy = Call.getResultType();
9010b57cec5SDimitry Andric
9020b57cec5SDimitry Andric // See if the function has 'rc_ownership_trusted_implementation'
9030b57cec5SDimitry Andric // annotate attribute. If it does, we will not inline it.
9040b57cec5SDimitry Andric bool hasTrustedImplementationAnnotation = false;
9050b57cec5SDimitry Andric
9060b57cec5SDimitry Andric const LocationContext *LCtx = C.getLocationContext();
9070b57cec5SDimitry Andric
9080b57cec5SDimitry Andric using BehaviorSummary = RetainSummaryManager::BehaviorSummary;
909bdd1243dSDimitry Andric std::optional<BehaviorSummary> BSmr =
9100b57cec5SDimitry Andric SmrMgr.canEval(CE, FD, hasTrustedImplementationAnnotation);
9110b57cec5SDimitry Andric
9120b57cec5SDimitry Andric // See if it's one of the specific functions we know how to eval.
9130b57cec5SDimitry Andric if (!BSmr)
9140b57cec5SDimitry Andric return false;
9150b57cec5SDimitry Andric
9160b57cec5SDimitry Andric // Bind the return value.
9170b57cec5SDimitry Andric if (BSmr == BehaviorSummary::Identity ||
9180b57cec5SDimitry Andric BSmr == BehaviorSummary::IdentityOrZero ||
9190b57cec5SDimitry Andric BSmr == BehaviorSummary::IdentityThis) {
9200b57cec5SDimitry Andric
9210b57cec5SDimitry Andric const Expr *BindReturnTo =
9220b57cec5SDimitry Andric (BSmr == BehaviorSummary::IdentityThis)
9230b57cec5SDimitry Andric ? cast<CXXMemberCallExpr>(CE)->getImplicitObjectArgument()
9240b57cec5SDimitry Andric : CE->getArg(0);
9250b57cec5SDimitry Andric SVal RetVal = state->getSVal(BindReturnTo, LCtx);
9260b57cec5SDimitry Andric
9270b57cec5SDimitry Andric // If the receiver is unknown or the function has
9280b57cec5SDimitry Andric // 'rc_ownership_trusted_implementation' annotate attribute, conjure a
9290b57cec5SDimitry Andric // return value.
9300b57cec5SDimitry Andric // FIXME: this branch is very strange.
9310b57cec5SDimitry Andric if (RetVal.isUnknown() ||
9320b57cec5SDimitry Andric (hasTrustedImplementationAnnotation && !ResultTy.isNull())) {
9330b57cec5SDimitry Andric SValBuilder &SVB = C.getSValBuilder();
9340b57cec5SDimitry Andric RetVal =
9350b57cec5SDimitry Andric SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount());
9360b57cec5SDimitry Andric }
9370b57cec5SDimitry Andric
9380b57cec5SDimitry Andric // Bind the value.
9390b57cec5SDimitry Andric state = state->BindExpr(CE, LCtx, RetVal, /*Invalidate=*/false);
9400b57cec5SDimitry Andric
9410b57cec5SDimitry Andric if (BSmr == BehaviorSummary::IdentityOrZero) {
9420b57cec5SDimitry Andric // Add a branch where the output is zero.
9430b57cec5SDimitry Andric ProgramStateRef NullOutputState = C.getState();
9440b57cec5SDimitry Andric
9450b57cec5SDimitry Andric // Assume that output is zero on the other branch.
9460b57cec5SDimitry Andric NullOutputState = NullOutputState->BindExpr(
94781ad6265SDimitry Andric CE, LCtx, C.getSValBuilder().makeNullWithType(ResultTy),
94881ad6265SDimitry Andric /*Invalidate=*/false);
9495ffd83dbSDimitry Andric C.addTransition(NullOutputState, &getCastFailTag());
9500b57cec5SDimitry Andric
9510b57cec5SDimitry Andric // And on the original branch assume that both input and
9520b57cec5SDimitry Andric // output are non-zero.
9530b57cec5SDimitry Andric if (auto L = RetVal.getAs<DefinedOrUnknownSVal>())
9540b57cec5SDimitry Andric state = state->assume(*L, /*assumption=*/true);
9550b57cec5SDimitry Andric
9560b57cec5SDimitry Andric }
9570b57cec5SDimitry Andric }
9580b57cec5SDimitry Andric
9590b57cec5SDimitry Andric C.addTransition(state);
9600b57cec5SDimitry Andric return true;
9610b57cec5SDimitry Andric }
9620b57cec5SDimitry Andric
processReturn(const ReturnStmt * S,CheckerContext & C) const9630b57cec5SDimitry Andric ExplodedNode * RetainCountChecker::processReturn(const ReturnStmt *S,
9640b57cec5SDimitry Andric CheckerContext &C) const {
9650b57cec5SDimitry Andric ExplodedNode *Pred = C.getPredecessor();
9660b57cec5SDimitry Andric
9670b57cec5SDimitry Andric // Only adjust the reference count if this is the top-level call frame,
9680b57cec5SDimitry Andric // and not the result of inlining. In the future, we should do
9690b57cec5SDimitry Andric // better checking even for inlined calls, and see if they match
9700b57cec5SDimitry Andric // with their expected semantics (e.g., the method should return a retained
9710b57cec5SDimitry Andric // object, etc.).
9720b57cec5SDimitry Andric if (!C.inTopFrame())
9730b57cec5SDimitry Andric return Pred;
9740b57cec5SDimitry Andric
9750b57cec5SDimitry Andric if (!S)
9760b57cec5SDimitry Andric return Pred;
9770b57cec5SDimitry Andric
9780b57cec5SDimitry Andric const Expr *RetE = S->getRetValue();
9790b57cec5SDimitry Andric if (!RetE)
9800b57cec5SDimitry Andric return Pred;
9810b57cec5SDimitry Andric
9820b57cec5SDimitry Andric ProgramStateRef state = C.getState();
9830b57cec5SDimitry Andric // We need to dig down to the symbolic base here because various
9840b57cec5SDimitry Andric // custom allocators do sometimes return the symbol with an offset.
9850b57cec5SDimitry Andric SymbolRef Sym = state->getSValAsScalarOrLoc(RetE, C.getLocationContext())
9860b57cec5SDimitry Andric .getAsLocSymbol(/*IncludeBaseRegions=*/true);
9870b57cec5SDimitry Andric if (!Sym)
9880b57cec5SDimitry Andric return Pred;
9890b57cec5SDimitry Andric
9900b57cec5SDimitry Andric // Get the reference count binding (if any).
9910b57cec5SDimitry Andric const RefVal *T = getRefBinding(state, Sym);
9920b57cec5SDimitry Andric if (!T)
9930b57cec5SDimitry Andric return Pred;
9940b57cec5SDimitry Andric
9950b57cec5SDimitry Andric // Change the reference count.
9960b57cec5SDimitry Andric RefVal X = *T;
9970b57cec5SDimitry Andric
9980b57cec5SDimitry Andric switch (X.getKind()) {
9990b57cec5SDimitry Andric case RefVal::Owned: {
10000b57cec5SDimitry Andric unsigned cnt = X.getCount();
10010b57cec5SDimitry Andric assert(cnt > 0);
10020b57cec5SDimitry Andric X.setCount(cnt - 1);
10030b57cec5SDimitry Andric X = X ^ RefVal::ReturnedOwned;
10040b57cec5SDimitry Andric break;
10050b57cec5SDimitry Andric }
10060b57cec5SDimitry Andric
10070b57cec5SDimitry Andric case RefVal::NotOwned: {
10080b57cec5SDimitry Andric unsigned cnt = X.getCount();
10090b57cec5SDimitry Andric if (cnt) {
10100b57cec5SDimitry Andric X.setCount(cnt - 1);
10110b57cec5SDimitry Andric X = X ^ RefVal::ReturnedOwned;
10120b57cec5SDimitry Andric } else {
10130b57cec5SDimitry Andric X = X ^ RefVal::ReturnedNotOwned;
10140b57cec5SDimitry Andric }
10150b57cec5SDimitry Andric break;
10160b57cec5SDimitry Andric }
10170b57cec5SDimitry Andric
10180b57cec5SDimitry Andric default:
10190b57cec5SDimitry Andric return Pred;
10200b57cec5SDimitry Andric }
10210b57cec5SDimitry Andric
10220b57cec5SDimitry Andric // Update the binding.
10230b57cec5SDimitry Andric state = setRefBinding(state, Sym, X);
10240b57cec5SDimitry Andric Pred = C.addTransition(state);
10250b57cec5SDimitry Andric
10260b57cec5SDimitry Andric // At this point we have updated the state properly.
10270b57cec5SDimitry Andric // Everything after this is merely checking to see if the return value has
10280b57cec5SDimitry Andric // been over- or under-retained.
10290b57cec5SDimitry Andric
10300b57cec5SDimitry Andric // Did we cache out?
10310b57cec5SDimitry Andric if (!Pred)
10320b57cec5SDimitry Andric return nullptr;
10330b57cec5SDimitry Andric
10340b57cec5SDimitry Andric // Update the autorelease counts.
10350b57cec5SDimitry Andric static CheckerProgramPointTag AutoreleaseTag(this, "Autorelease");
10360b57cec5SDimitry Andric state = handleAutoreleaseCounts(state, Pred, &AutoreleaseTag, C, Sym, X, S);
10370b57cec5SDimitry Andric
10380b57cec5SDimitry Andric // Have we generated a sink node?
10390b57cec5SDimitry Andric if (!state)
10400b57cec5SDimitry Andric return nullptr;
10410b57cec5SDimitry Andric
10420b57cec5SDimitry Andric // Get the updated binding.
10430b57cec5SDimitry Andric T = getRefBinding(state, Sym);
10440b57cec5SDimitry Andric assert(T);
10450b57cec5SDimitry Andric X = *T;
10460b57cec5SDimitry Andric
10470b57cec5SDimitry Andric // Consult the summary of the enclosing method.
10480b57cec5SDimitry Andric RetainSummaryManager &Summaries = getSummaryManager(C);
10490b57cec5SDimitry Andric const Decl *CD = &Pred->getCodeDecl();
10500b57cec5SDimitry Andric RetEffect RE = RetEffect::MakeNoRet();
10510b57cec5SDimitry Andric
10520b57cec5SDimitry Andric // FIXME: What is the convention for blocks? Is there one?
10530b57cec5SDimitry Andric if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(CD)) {
10540b57cec5SDimitry Andric const RetainSummary *Summ = Summaries.getSummary(AnyCall(MD));
10550b57cec5SDimitry Andric RE = Summ->getRetEffect();
10560b57cec5SDimitry Andric } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CD)) {
10570b57cec5SDimitry Andric if (!isa<CXXMethodDecl>(FD)) {
10580b57cec5SDimitry Andric const RetainSummary *Summ = Summaries.getSummary(AnyCall(FD));
10590b57cec5SDimitry Andric RE = Summ->getRetEffect();
10600b57cec5SDimitry Andric }
10610b57cec5SDimitry Andric }
10620b57cec5SDimitry Andric
10630b57cec5SDimitry Andric return checkReturnWithRetEffect(S, C, Pred, RE, X, Sym, state);
10640b57cec5SDimitry Andric }
10650b57cec5SDimitry Andric
checkReturnWithRetEffect(const ReturnStmt * S,CheckerContext & C,ExplodedNode * Pred,RetEffect RE,RefVal X,SymbolRef Sym,ProgramStateRef state) const10660b57cec5SDimitry Andric ExplodedNode * RetainCountChecker::checkReturnWithRetEffect(const ReturnStmt *S,
10670b57cec5SDimitry Andric CheckerContext &C,
10680b57cec5SDimitry Andric ExplodedNode *Pred,
10690b57cec5SDimitry Andric RetEffect RE, RefVal X,
10700b57cec5SDimitry Andric SymbolRef Sym,
10710b57cec5SDimitry Andric ProgramStateRef state) const {
10720b57cec5SDimitry Andric // HACK: Ignore retain-count issues on values accessed through ivars,
10730b57cec5SDimitry Andric // because of cases like this:
10740b57cec5SDimitry Andric // [_contentView retain];
10750b57cec5SDimitry Andric // [_contentView removeFromSuperview];
10760b57cec5SDimitry Andric // [self addSubview:_contentView]; // invalidates 'self'
10770b57cec5SDimitry Andric // [_contentView release];
10780b57cec5SDimitry Andric if (X.getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
10790b57cec5SDimitry Andric return Pred;
10800b57cec5SDimitry Andric
10810b57cec5SDimitry Andric // Any leaks or other errors?
10820b57cec5SDimitry Andric if (X.isReturnedOwned() && X.getCount() == 0) {
10830b57cec5SDimitry Andric if (RE.getKind() != RetEffect::NoRet) {
10840b57cec5SDimitry Andric if (!RE.isOwned()) {
10850b57cec5SDimitry Andric
10860b57cec5SDimitry Andric // The returning type is a CF, we expect the enclosing method should
10870b57cec5SDimitry Andric // return ownership.
10880b57cec5SDimitry Andric X = X ^ RefVal::ErrorLeakReturned;
10890b57cec5SDimitry Andric
10900b57cec5SDimitry Andric // Generate an error node.
10910b57cec5SDimitry Andric state = setRefBinding(state, Sym, X);
10920b57cec5SDimitry Andric
10930b57cec5SDimitry Andric static CheckerProgramPointTag ReturnOwnLeakTag(this, "ReturnsOwnLeak");
10940b57cec5SDimitry Andric ExplodedNode *N = C.addTransition(state, Pred, &ReturnOwnLeakTag);
10950b57cec5SDimitry Andric if (N) {
10960b57cec5SDimitry Andric const LangOptions &LOpts = C.getASTContext().getLangOpts();
10970b57cec5SDimitry Andric auto R =
10985ffd83dbSDimitry Andric std::make_unique<RefLeakReport>(*LeakAtReturn, LOpts, N, Sym, C);
10990b57cec5SDimitry Andric C.emitReport(std::move(R));
11000b57cec5SDimitry Andric }
11010b57cec5SDimitry Andric return N;
11020b57cec5SDimitry Andric }
11030b57cec5SDimitry Andric }
11040b57cec5SDimitry Andric } else if (X.isReturnedNotOwned()) {
11050b57cec5SDimitry Andric if (RE.isOwned()) {
11060b57cec5SDimitry Andric if (X.getIvarAccessHistory() ==
11070b57cec5SDimitry Andric RefVal::IvarAccessHistory::AccessedDirectly) {
11080b57cec5SDimitry Andric // Assume the method was trying to transfer a +1 reference from a
11090b57cec5SDimitry Andric // strong ivar to the caller.
11100b57cec5SDimitry Andric state = setRefBinding(state, Sym,
11110b57cec5SDimitry Andric X.releaseViaIvar() ^ RefVal::ReturnedOwned);
11120b57cec5SDimitry Andric } else {
11130b57cec5SDimitry Andric // Trying to return a not owned object to a caller expecting an
11140b57cec5SDimitry Andric // owned object.
11150b57cec5SDimitry Andric state = setRefBinding(state, Sym, X ^ RefVal::ErrorReturnedNotOwned);
11160b57cec5SDimitry Andric
11170b57cec5SDimitry Andric static CheckerProgramPointTag
11180b57cec5SDimitry Andric ReturnNotOwnedTag(this, "ReturnNotOwnedForOwned");
11190b57cec5SDimitry Andric
11200b57cec5SDimitry Andric ExplodedNode *N = C.addTransition(state, Pred, &ReturnNotOwnedTag);
11210b57cec5SDimitry Andric if (N) {
1122a7dea167SDimitry Andric auto R = std::make_unique<RefCountReport>(
11235ffd83dbSDimitry Andric *ReturnNotOwnedForOwned, C.getASTContext().getLangOpts(), N, Sym);
11240b57cec5SDimitry Andric C.emitReport(std::move(R));
11250b57cec5SDimitry Andric }
11260b57cec5SDimitry Andric return N;
11270b57cec5SDimitry Andric }
11280b57cec5SDimitry Andric }
11290b57cec5SDimitry Andric }
11300b57cec5SDimitry Andric return Pred;
11310b57cec5SDimitry Andric }
11320b57cec5SDimitry Andric
11330b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
11340b57cec5SDimitry Andric // Check various ways a symbol can be invalidated.
11350b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
11360b57cec5SDimitry Andric
checkBind(SVal loc,SVal val,const Stmt * S,CheckerContext & C) const11370b57cec5SDimitry Andric void RetainCountChecker::checkBind(SVal loc, SVal val, const Stmt *S,
11380b57cec5SDimitry Andric CheckerContext &C) const {
11390b57cec5SDimitry Andric ProgramStateRef state = C.getState();
11400b57cec5SDimitry Andric const MemRegion *MR = loc.getAsRegion();
11410b57cec5SDimitry Andric
11420b57cec5SDimitry Andric // Find all symbols referenced by 'val' that we are tracking
11430b57cec5SDimitry Andric // and stop tracking them.
11440b57cec5SDimitry Andric if (MR && shouldEscapeRegion(MR)) {
11450b57cec5SDimitry Andric state = state->scanReachableSymbols<StopTrackingCallback>(val).getState();
11460b57cec5SDimitry Andric C.addTransition(state);
11470b57cec5SDimitry Andric }
11480b57cec5SDimitry Andric }
11490b57cec5SDimitry Andric
evalAssume(ProgramStateRef state,SVal Cond,bool Assumption) const11500b57cec5SDimitry Andric ProgramStateRef RetainCountChecker::evalAssume(ProgramStateRef state,
11510b57cec5SDimitry Andric SVal Cond,
11520b57cec5SDimitry Andric bool Assumption) const {
11530b57cec5SDimitry Andric // FIXME: We may add to the interface of evalAssume the list of symbols
11540b57cec5SDimitry Andric // whose assumptions have changed. For now we just iterate through the
11550b57cec5SDimitry Andric // bindings and check if any of the tracked symbols are NULL. This isn't
11560b57cec5SDimitry Andric // too bad since the number of symbols we will track in practice are
11570b57cec5SDimitry Andric // probably small and evalAssume is only called at branches and a few
11580b57cec5SDimitry Andric // other places.
11590b57cec5SDimitry Andric RefBindingsTy B = state->get<RefBindings>();
11600b57cec5SDimitry Andric
11610b57cec5SDimitry Andric if (B.isEmpty())
11620b57cec5SDimitry Andric return state;
11630b57cec5SDimitry Andric
11640b57cec5SDimitry Andric bool changed = false;
11650b57cec5SDimitry Andric RefBindingsTy::Factory &RefBFactory = state->get_context<RefBindings>();
11660b57cec5SDimitry Andric ConstraintManager &CMgr = state->getConstraintManager();
11670b57cec5SDimitry Andric
11680b57cec5SDimitry Andric for (auto &I : B) {
11690b57cec5SDimitry Andric // Check if the symbol is null stop tracking the symbol.
11700b57cec5SDimitry Andric ConditionTruthVal AllocFailed = CMgr.isNull(state, I.first);
11710b57cec5SDimitry Andric if (AllocFailed.isConstrainedTrue()) {
11720b57cec5SDimitry Andric changed = true;
11730b57cec5SDimitry Andric B = RefBFactory.remove(B, I.first);
11740b57cec5SDimitry Andric }
11750b57cec5SDimitry Andric }
11760b57cec5SDimitry Andric
11770b57cec5SDimitry Andric if (changed)
11780b57cec5SDimitry Andric state = state->set<RefBindings>(B);
11790b57cec5SDimitry Andric
11800b57cec5SDimitry Andric return state;
11810b57cec5SDimitry Andric }
11820b57cec5SDimitry Andric
checkRegionChanges(ProgramStateRef state,const InvalidatedSymbols * invalidated,ArrayRef<const MemRegion * > ExplicitRegions,ArrayRef<const MemRegion * > Regions,const LocationContext * LCtx,const CallEvent * Call) const11830b57cec5SDimitry Andric ProgramStateRef RetainCountChecker::checkRegionChanges(
11840b57cec5SDimitry Andric ProgramStateRef state, const InvalidatedSymbols *invalidated,
11850b57cec5SDimitry Andric ArrayRef<const MemRegion *> ExplicitRegions,
11860b57cec5SDimitry Andric ArrayRef<const MemRegion *> Regions, const LocationContext *LCtx,
11870b57cec5SDimitry Andric const CallEvent *Call) const {
11880b57cec5SDimitry Andric if (!invalidated)
11890b57cec5SDimitry Andric return state;
11900b57cec5SDimitry Andric
1191349cc55cSDimitry Andric llvm::SmallPtrSet<SymbolRef, 8> AllowedSymbols;
11920b57cec5SDimitry Andric
11930b57cec5SDimitry Andric for (const MemRegion *I : ExplicitRegions)
11940b57cec5SDimitry Andric if (const SymbolicRegion *SR = I->StripCasts()->getAs<SymbolicRegion>())
1195349cc55cSDimitry Andric AllowedSymbols.insert(SR->getSymbol());
11960b57cec5SDimitry Andric
11970b57cec5SDimitry Andric for (SymbolRef sym : *invalidated) {
1198349cc55cSDimitry Andric if (AllowedSymbols.count(sym))
11990b57cec5SDimitry Andric continue;
12000b57cec5SDimitry Andric // Remove any existing reference-count binding.
12010b57cec5SDimitry Andric state = removeRefBinding(state, sym);
12020b57cec5SDimitry Andric }
12030b57cec5SDimitry Andric return state;
12040b57cec5SDimitry Andric }
12050b57cec5SDimitry Andric
12060b57cec5SDimitry Andric ProgramStateRef
handleAutoreleaseCounts(ProgramStateRef state,ExplodedNode * Pred,const ProgramPointTag * Tag,CheckerContext & Ctx,SymbolRef Sym,RefVal V,const ReturnStmt * S) const12070b57cec5SDimitry Andric RetainCountChecker::handleAutoreleaseCounts(ProgramStateRef state,
12080b57cec5SDimitry Andric ExplodedNode *Pred,
12090b57cec5SDimitry Andric const ProgramPointTag *Tag,
12100b57cec5SDimitry Andric CheckerContext &Ctx,
12110b57cec5SDimitry Andric SymbolRef Sym,
12120b57cec5SDimitry Andric RefVal V,
12130b57cec5SDimitry Andric const ReturnStmt *S) const {
12140b57cec5SDimitry Andric unsigned ACnt = V.getAutoreleaseCount();
12150b57cec5SDimitry Andric
12160b57cec5SDimitry Andric // No autorelease counts? Nothing to be done.
12170b57cec5SDimitry Andric if (!ACnt)
12180b57cec5SDimitry Andric return state;
12190b57cec5SDimitry Andric
12200b57cec5SDimitry Andric unsigned Cnt = V.getCount();
12210b57cec5SDimitry Andric
12220b57cec5SDimitry Andric // FIXME: Handle sending 'autorelease' to already released object.
12230b57cec5SDimitry Andric
12240b57cec5SDimitry Andric if (V.getKind() == RefVal::ReturnedOwned)
12250b57cec5SDimitry Andric ++Cnt;
12260b57cec5SDimitry Andric
12270b57cec5SDimitry Andric // If we would over-release here, but we know the value came from an ivar,
12280b57cec5SDimitry Andric // assume it was a strong ivar that's just been relinquished.
12290b57cec5SDimitry Andric if (ACnt > Cnt &&
12300b57cec5SDimitry Andric V.getIvarAccessHistory() == RefVal::IvarAccessHistory::AccessedDirectly) {
12310b57cec5SDimitry Andric V = V.releaseViaIvar();
12320b57cec5SDimitry Andric --ACnt;
12330b57cec5SDimitry Andric }
12340b57cec5SDimitry Andric
12350b57cec5SDimitry Andric if (ACnt <= Cnt) {
12360b57cec5SDimitry Andric if (ACnt == Cnt) {
12370b57cec5SDimitry Andric V.clearCounts();
12380b57cec5SDimitry Andric if (V.getKind() == RefVal::ReturnedOwned) {
12390b57cec5SDimitry Andric V = V ^ RefVal::ReturnedNotOwned;
12400b57cec5SDimitry Andric } else {
12410b57cec5SDimitry Andric V = V ^ RefVal::NotOwned;
12420b57cec5SDimitry Andric }
12430b57cec5SDimitry Andric } else {
12440b57cec5SDimitry Andric V.setCount(V.getCount() - ACnt);
12450b57cec5SDimitry Andric V.setAutoreleaseCount(0);
12460b57cec5SDimitry Andric }
12470b57cec5SDimitry Andric return setRefBinding(state, Sym, V);
12480b57cec5SDimitry Andric }
12490b57cec5SDimitry Andric
12500b57cec5SDimitry Andric // HACK: Ignore retain-count issues on values accessed through ivars,
12510b57cec5SDimitry Andric // because of cases like this:
12520b57cec5SDimitry Andric // [_contentView retain];
12530b57cec5SDimitry Andric // [_contentView removeFromSuperview];
12540b57cec5SDimitry Andric // [self addSubview:_contentView]; // invalidates 'self'
12550b57cec5SDimitry Andric // [_contentView release];
12560b57cec5SDimitry Andric if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
12570b57cec5SDimitry Andric return state;
12580b57cec5SDimitry Andric
12590b57cec5SDimitry Andric // Woah! More autorelease counts then retain counts left.
12600b57cec5SDimitry Andric // Emit hard error.
12610b57cec5SDimitry Andric V = V ^ RefVal::ErrorOverAutorelease;
12620b57cec5SDimitry Andric state = setRefBinding(state, Sym, V);
12630b57cec5SDimitry Andric
12640b57cec5SDimitry Andric ExplodedNode *N = Ctx.generateSink(state, Pred, Tag);
12650b57cec5SDimitry Andric if (N) {
12660b57cec5SDimitry Andric SmallString<128> sbuf;
12670b57cec5SDimitry Andric llvm::raw_svector_ostream os(sbuf);
12680b57cec5SDimitry Andric os << "Object was autoreleased ";
12690b57cec5SDimitry Andric if (V.getAutoreleaseCount() > 1)
12700b57cec5SDimitry Andric os << V.getAutoreleaseCount() << " times but the object ";
12710b57cec5SDimitry Andric else
12720b57cec5SDimitry Andric os << "but ";
12730b57cec5SDimitry Andric os << "has a +" << V.getCount() << " retain count";
12740b57cec5SDimitry Andric
12750b57cec5SDimitry Andric const LangOptions &LOpts = Ctx.getASTContext().getLangOpts();
12765ffd83dbSDimitry Andric auto R = std::make_unique<RefCountReport>(*OverAutorelease, LOpts, N, Sym,
12770b57cec5SDimitry Andric os.str());
12780b57cec5SDimitry Andric Ctx.emitReport(std::move(R));
12790b57cec5SDimitry Andric }
12800b57cec5SDimitry Andric
12810b57cec5SDimitry Andric return nullptr;
12820b57cec5SDimitry Andric }
12830b57cec5SDimitry Andric
12840b57cec5SDimitry Andric ProgramStateRef
handleSymbolDeath(ProgramStateRef state,SymbolRef sid,RefVal V,SmallVectorImpl<SymbolRef> & Leaked) const12850b57cec5SDimitry Andric RetainCountChecker::handleSymbolDeath(ProgramStateRef state,
12860b57cec5SDimitry Andric SymbolRef sid, RefVal V,
12870b57cec5SDimitry Andric SmallVectorImpl<SymbolRef> &Leaked) const {
12880b57cec5SDimitry Andric bool hasLeak;
12890b57cec5SDimitry Andric
12900b57cec5SDimitry Andric // HACK: Ignore retain-count issues on values accessed through ivars,
12910b57cec5SDimitry Andric // because of cases like this:
12920b57cec5SDimitry Andric // [_contentView retain];
12930b57cec5SDimitry Andric // [_contentView removeFromSuperview];
12940b57cec5SDimitry Andric // [self addSubview:_contentView]; // invalidates 'self'
12950b57cec5SDimitry Andric // [_contentView release];
12960b57cec5SDimitry Andric if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
12970b57cec5SDimitry Andric hasLeak = false;
12980b57cec5SDimitry Andric else if (V.isOwned())
12990b57cec5SDimitry Andric hasLeak = true;
13000b57cec5SDimitry Andric else if (V.isNotOwned() || V.isReturnedOwned())
13010b57cec5SDimitry Andric hasLeak = (V.getCount() > 0);
13020b57cec5SDimitry Andric else
13030b57cec5SDimitry Andric hasLeak = false;
13040b57cec5SDimitry Andric
13050b57cec5SDimitry Andric if (!hasLeak)
13060b57cec5SDimitry Andric return removeRefBinding(state, sid);
13070b57cec5SDimitry Andric
13080b57cec5SDimitry Andric Leaked.push_back(sid);
13090b57cec5SDimitry Andric return setRefBinding(state, sid, V ^ RefVal::ErrorLeak);
13100b57cec5SDimitry Andric }
13110b57cec5SDimitry Andric
13120b57cec5SDimitry Andric ExplodedNode *
processLeaks(ProgramStateRef state,SmallVectorImpl<SymbolRef> & Leaked,CheckerContext & Ctx,ExplodedNode * Pred) const13130b57cec5SDimitry Andric RetainCountChecker::processLeaks(ProgramStateRef state,
13140b57cec5SDimitry Andric SmallVectorImpl<SymbolRef> &Leaked,
13150b57cec5SDimitry Andric CheckerContext &Ctx,
13160b57cec5SDimitry Andric ExplodedNode *Pred) const {
13170b57cec5SDimitry Andric // Generate an intermediate node representing the leak point.
13180b57cec5SDimitry Andric ExplodedNode *N = Ctx.addTransition(state, Pred);
13190b57cec5SDimitry Andric const LangOptions &LOpts = Ctx.getASTContext().getLangOpts();
13200b57cec5SDimitry Andric
13210b57cec5SDimitry Andric if (N) {
13220b57cec5SDimitry Andric for (SymbolRef L : Leaked) {
13235ffd83dbSDimitry Andric const RefCountBug &BT = Pred ? *LeakWithinFunction : *LeakAtReturn;
1324a7dea167SDimitry Andric Ctx.emitReport(std::make_unique<RefLeakReport>(BT, LOpts, N, L, Ctx));
13250b57cec5SDimitry Andric }
13260b57cec5SDimitry Andric }
13270b57cec5SDimitry Andric
13280b57cec5SDimitry Andric return N;
13290b57cec5SDimitry Andric }
13300b57cec5SDimitry Andric
checkBeginFunction(CheckerContext & Ctx) const13310b57cec5SDimitry Andric void RetainCountChecker::checkBeginFunction(CheckerContext &Ctx) const {
13320b57cec5SDimitry Andric if (!Ctx.inTopFrame())
13330b57cec5SDimitry Andric return;
13340b57cec5SDimitry Andric
13350b57cec5SDimitry Andric RetainSummaryManager &SmrMgr = getSummaryManager(Ctx);
13360b57cec5SDimitry Andric const LocationContext *LCtx = Ctx.getLocationContext();
13370b57cec5SDimitry Andric const Decl *D = LCtx->getDecl();
1338bdd1243dSDimitry Andric std::optional<AnyCall> C = AnyCall::forDecl(D);
13390b57cec5SDimitry Andric
13400b57cec5SDimitry Andric if (!C || SmrMgr.isTrustedReferenceCountImplementation(D))
13410b57cec5SDimitry Andric return;
13420b57cec5SDimitry Andric
13430b57cec5SDimitry Andric ProgramStateRef state = Ctx.getState();
13440b57cec5SDimitry Andric const RetainSummary *FunctionSummary = SmrMgr.getSummary(*C);
13450b57cec5SDimitry Andric ArgEffects CalleeSideArgEffects = FunctionSummary->getArgEffects();
13460b57cec5SDimitry Andric
13470b57cec5SDimitry Andric for (unsigned idx = 0, e = C->param_size(); idx != e; ++idx) {
13480b57cec5SDimitry Andric const ParmVarDecl *Param = C->parameters()[idx];
13490b57cec5SDimitry Andric SymbolRef Sym = state->getSVal(state->getRegion(Param, LCtx)).getAsSymbol();
13500b57cec5SDimitry Andric
13510b57cec5SDimitry Andric QualType Ty = Param->getType();
13520b57cec5SDimitry Andric const ArgEffect *AE = CalleeSideArgEffects.lookup(idx);
13530b57cec5SDimitry Andric if (AE) {
13540b57cec5SDimitry Andric ObjKind K = AE->getObjKind();
13550b57cec5SDimitry Andric if (K == ObjKind::Generalized || K == ObjKind::OS ||
13560b57cec5SDimitry Andric (TrackNSCFStartParam && (K == ObjKind::ObjC || K == ObjKind::CF))) {
13570b57cec5SDimitry Andric RefVal NewVal = AE->getKind() == DecRef ? RefVal::makeOwned(K, Ty)
13580b57cec5SDimitry Andric : RefVal::makeNotOwned(K, Ty);
13590b57cec5SDimitry Andric state = setRefBinding(state, Sym, NewVal);
13600b57cec5SDimitry Andric }
13610b57cec5SDimitry Andric }
13620b57cec5SDimitry Andric }
13630b57cec5SDimitry Andric
13640b57cec5SDimitry Andric Ctx.addTransition(state);
13650b57cec5SDimitry Andric }
13660b57cec5SDimitry Andric
checkEndFunction(const ReturnStmt * RS,CheckerContext & Ctx) const13670b57cec5SDimitry Andric void RetainCountChecker::checkEndFunction(const ReturnStmt *RS,
13680b57cec5SDimitry Andric CheckerContext &Ctx) const {
13690b57cec5SDimitry Andric ExplodedNode *Pred = processReturn(RS, Ctx);
13700b57cec5SDimitry Andric
13710b57cec5SDimitry Andric // Created state cached out.
13720b57cec5SDimitry Andric if (!Pred) {
13730b57cec5SDimitry Andric return;
13740b57cec5SDimitry Andric }
13750b57cec5SDimitry Andric
13760b57cec5SDimitry Andric ProgramStateRef state = Pred->getState();
13770b57cec5SDimitry Andric RefBindingsTy B = state->get<RefBindings>();
13780b57cec5SDimitry Andric
13790b57cec5SDimitry Andric // Don't process anything within synthesized bodies.
13800b57cec5SDimitry Andric const LocationContext *LCtx = Pred->getLocationContext();
13810b57cec5SDimitry Andric if (LCtx->getAnalysisDeclContext()->isBodyAutosynthesized()) {
13820b57cec5SDimitry Andric assert(!LCtx->inTopFrame());
13830b57cec5SDimitry Andric return;
13840b57cec5SDimitry Andric }
13850b57cec5SDimitry Andric
13860b57cec5SDimitry Andric for (auto &I : B) {
13870b57cec5SDimitry Andric state = handleAutoreleaseCounts(state, Pred, /*Tag=*/nullptr, Ctx,
13880b57cec5SDimitry Andric I.first, I.second);
13890b57cec5SDimitry Andric if (!state)
13900b57cec5SDimitry Andric return;
13910b57cec5SDimitry Andric }
13920b57cec5SDimitry Andric
13930b57cec5SDimitry Andric // If the current LocationContext has a parent, don't check for leaks.
13940b57cec5SDimitry Andric // We will do that later.
13950b57cec5SDimitry Andric // FIXME: we should instead check for imbalances of the retain/releases,
13960b57cec5SDimitry Andric // and suggest annotations.
13970b57cec5SDimitry Andric if (LCtx->getParent())
13980b57cec5SDimitry Andric return;
13990b57cec5SDimitry Andric
14000b57cec5SDimitry Andric B = state->get<RefBindings>();
14010b57cec5SDimitry Andric SmallVector<SymbolRef, 10> Leaked;
14020b57cec5SDimitry Andric
14030b57cec5SDimitry Andric for (auto &I : B)
14040b57cec5SDimitry Andric state = handleSymbolDeath(state, I.first, I.second, Leaked);
14050b57cec5SDimitry Andric
14060b57cec5SDimitry Andric processLeaks(state, Leaked, Ctx, Pred);
14070b57cec5SDimitry Andric }
14080b57cec5SDimitry Andric
checkDeadSymbols(SymbolReaper & SymReaper,CheckerContext & C) const14090b57cec5SDimitry Andric void RetainCountChecker::checkDeadSymbols(SymbolReaper &SymReaper,
14100b57cec5SDimitry Andric CheckerContext &C) const {
14110b57cec5SDimitry Andric ExplodedNode *Pred = C.getPredecessor();
14120b57cec5SDimitry Andric
14130b57cec5SDimitry Andric ProgramStateRef state = C.getState();
14140b57cec5SDimitry Andric SmallVector<SymbolRef, 10> Leaked;
14150b57cec5SDimitry Andric
14160b57cec5SDimitry Andric // Update counts from autorelease pools
14170b57cec5SDimitry Andric for (const auto &I: state->get<RefBindings>()) {
14180b57cec5SDimitry Andric SymbolRef Sym = I.first;
14190b57cec5SDimitry Andric if (SymReaper.isDead(Sym)) {
14200b57cec5SDimitry Andric static CheckerProgramPointTag Tag(this, "DeadSymbolAutorelease");
14210b57cec5SDimitry Andric const RefVal &V = I.second;
14220b57cec5SDimitry Andric state = handleAutoreleaseCounts(state, Pred, &Tag, C, Sym, V);
14230b57cec5SDimitry Andric if (!state)
14240b57cec5SDimitry Andric return;
14250b57cec5SDimitry Andric
14260b57cec5SDimitry Andric // Fetch the new reference count from the state, and use it to handle
14270b57cec5SDimitry Andric // this symbol.
14280b57cec5SDimitry Andric state = handleSymbolDeath(state, Sym, *getRefBinding(state, Sym), Leaked);
14290b57cec5SDimitry Andric }
14300b57cec5SDimitry Andric }
14310b57cec5SDimitry Andric
14320b57cec5SDimitry Andric if (Leaked.empty()) {
14330b57cec5SDimitry Andric C.addTransition(state);
14340b57cec5SDimitry Andric return;
14350b57cec5SDimitry Andric }
14360b57cec5SDimitry Andric
14370b57cec5SDimitry Andric Pred = processLeaks(state, Leaked, C, Pred);
14380b57cec5SDimitry Andric
14390b57cec5SDimitry Andric // Did we cache out?
14400b57cec5SDimitry Andric if (!Pred)
14410b57cec5SDimitry Andric return;
14420b57cec5SDimitry Andric
14430b57cec5SDimitry Andric // Now generate a new node that nukes the old bindings.
14440b57cec5SDimitry Andric // The only bindings left at this point are the leaked symbols.
14450b57cec5SDimitry Andric RefBindingsTy::Factory &F = state->get_context<RefBindings>();
14460b57cec5SDimitry Andric RefBindingsTy B = state->get<RefBindings>();
14470b57cec5SDimitry Andric
14480b57cec5SDimitry Andric for (SymbolRef L : Leaked)
14490b57cec5SDimitry Andric B = F.remove(B, L);
14500b57cec5SDimitry Andric
14510b57cec5SDimitry Andric state = state->set<RefBindings>(B);
14520b57cec5SDimitry Andric C.addTransition(state, Pred);
14530b57cec5SDimitry Andric }
14540b57cec5SDimitry Andric
printState(raw_ostream & Out,ProgramStateRef State,const char * NL,const char * Sep) const14550b57cec5SDimitry Andric void RetainCountChecker::printState(raw_ostream &Out, ProgramStateRef State,
14560b57cec5SDimitry Andric const char *NL, const char *Sep) const {
14570b57cec5SDimitry Andric
14580b57cec5SDimitry Andric RefBindingsTy B = State->get<RefBindings>();
14590b57cec5SDimitry Andric
14600b57cec5SDimitry Andric if (B.isEmpty())
14610b57cec5SDimitry Andric return;
14620b57cec5SDimitry Andric
14630b57cec5SDimitry Andric Out << Sep << NL;
14640b57cec5SDimitry Andric
14650b57cec5SDimitry Andric for (auto &I : B) {
14660b57cec5SDimitry Andric Out << I.first << " : ";
14670b57cec5SDimitry Andric I.second.print(Out);
14680b57cec5SDimitry Andric Out << NL;
14690b57cec5SDimitry Andric }
14700b57cec5SDimitry Andric }
14710b57cec5SDimitry Andric
14720b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
14730b57cec5SDimitry Andric // Checker registration.
14740b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
14750b57cec5SDimitry Andric
14765ffd83dbSDimitry Andric std::unique_ptr<CheckerProgramPointTag> RetainCountChecker::DeallocSentTag;
14775ffd83dbSDimitry Andric std::unique_ptr<CheckerProgramPointTag> RetainCountChecker::CastFailTag;
14785ffd83dbSDimitry Andric
registerRetainCountBase(CheckerManager & Mgr)14790b57cec5SDimitry Andric void ento::registerRetainCountBase(CheckerManager &Mgr) {
14805ffd83dbSDimitry Andric auto *Chk = Mgr.registerChecker<RetainCountChecker>();
14815ffd83dbSDimitry Andric Chk->DeallocSentTag =
14825ffd83dbSDimitry Andric std::make_unique<CheckerProgramPointTag>(Chk, "DeallocSent");
14835ffd83dbSDimitry Andric Chk->CastFailTag =
14845ffd83dbSDimitry Andric std::make_unique<CheckerProgramPointTag>(Chk, "DynamicCastFail");
14850b57cec5SDimitry Andric }
14860b57cec5SDimitry Andric
shouldRegisterRetainCountBase(const CheckerManager & mgr)14875ffd83dbSDimitry Andric bool ento::shouldRegisterRetainCountBase(const CheckerManager &mgr) {
14880b57cec5SDimitry Andric return true;
14890b57cec5SDimitry Andric }
registerRetainCountChecker(CheckerManager & Mgr)14900b57cec5SDimitry Andric void ento::registerRetainCountChecker(CheckerManager &Mgr) {
14910b57cec5SDimitry Andric auto *Chk = Mgr.getChecker<RetainCountChecker>();
14920b57cec5SDimitry Andric Chk->TrackObjCAndCFObjects = true;
14935ffd83dbSDimitry Andric Chk->TrackNSCFStartParam = Mgr.getAnalyzerOptions().getCheckerBooleanOption(
14945ffd83dbSDimitry Andric Mgr.getCurrentCheckerName(), "TrackNSCFStartParam");
14955ffd83dbSDimitry Andric
14965ffd83dbSDimitry Andric #define INIT_BUGTYPE(KIND) \
14975ffd83dbSDimitry Andric Chk->KIND = std::make_unique<RefCountBug>(Mgr.getCurrentCheckerName(), \
14985ffd83dbSDimitry Andric RefCountBug::KIND);
14995ffd83dbSDimitry Andric // TODO: Ideally, we should have a checker for each of these bug types.
15005ffd83dbSDimitry Andric INIT_BUGTYPE(UseAfterRelease)
15015ffd83dbSDimitry Andric INIT_BUGTYPE(ReleaseNotOwned)
15025ffd83dbSDimitry Andric INIT_BUGTYPE(DeallocNotOwned)
15035ffd83dbSDimitry Andric INIT_BUGTYPE(FreeNotOwned)
15045ffd83dbSDimitry Andric INIT_BUGTYPE(OverAutorelease)
15055ffd83dbSDimitry Andric INIT_BUGTYPE(ReturnNotOwnedForOwned)
15065ffd83dbSDimitry Andric INIT_BUGTYPE(LeakWithinFunction)
15075ffd83dbSDimitry Andric INIT_BUGTYPE(LeakAtReturn)
15085ffd83dbSDimitry Andric #undef INIT_BUGTYPE
15090b57cec5SDimitry Andric }
15100b57cec5SDimitry Andric
shouldRegisterRetainCountChecker(const CheckerManager & mgr)15115ffd83dbSDimitry Andric bool ento::shouldRegisterRetainCountChecker(const CheckerManager &mgr) {
15120b57cec5SDimitry Andric return true;
15130b57cec5SDimitry Andric }
15140b57cec5SDimitry Andric
registerOSObjectRetainCountChecker(CheckerManager & Mgr)15150b57cec5SDimitry Andric void ento::registerOSObjectRetainCountChecker(CheckerManager &Mgr) {
15160b57cec5SDimitry Andric auto *Chk = Mgr.getChecker<RetainCountChecker>();
15170b57cec5SDimitry Andric Chk->TrackOSObjects = true;
15185ffd83dbSDimitry Andric
15195ffd83dbSDimitry Andric // FIXME: We want bug reports to always have the same checker name associated
15205ffd83dbSDimitry Andric // with them, yet here, if RetainCountChecker is disabled but
15215ffd83dbSDimitry Andric // OSObjectRetainCountChecker is enabled, the checker names will be different.
15225ffd83dbSDimitry Andric // This hack will make it so that the checker name depends on which checker is
15235ffd83dbSDimitry Andric // enabled rather than on the registration order.
15245ffd83dbSDimitry Andric // For the most part, we want **non-hidden checkers** to be associated with
15255ffd83dbSDimitry Andric // diagnostics, and **hidden checker options** with the fine-tuning of
15265ffd83dbSDimitry Andric // modeling. Following this logic, OSObjectRetainCountChecker should be the
15275ffd83dbSDimitry Andric // latter, but we can't just remove it for backward compatibility reasons.
15285ffd83dbSDimitry Andric #define LAZY_INIT_BUGTYPE(KIND) \
15295ffd83dbSDimitry Andric if (!Chk->KIND) \
15305ffd83dbSDimitry Andric Chk->KIND = std::make_unique<RefCountBug>(Mgr.getCurrentCheckerName(), \
15315ffd83dbSDimitry Andric RefCountBug::KIND);
15325ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(UseAfterRelease)
15335ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(ReleaseNotOwned)
15345ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(DeallocNotOwned)
15355ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(FreeNotOwned)
15365ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(OverAutorelease)
15375ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(ReturnNotOwnedForOwned)
15385ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(LeakWithinFunction)
15395ffd83dbSDimitry Andric LAZY_INIT_BUGTYPE(LeakAtReturn)
15405ffd83dbSDimitry Andric #undef LAZY_INIT_BUGTYPE
15410b57cec5SDimitry Andric }
15420b57cec5SDimitry Andric
shouldRegisterOSObjectRetainCountChecker(const CheckerManager & mgr)15435ffd83dbSDimitry Andric bool ento::shouldRegisterOSObjectRetainCountChecker(const CheckerManager &mgr) {
15440b57cec5SDimitry Andric return true;
15450b57cec5SDimitry Andric }
1546