clang 17.0.0git
BasicObjCFoundationChecks.cpp
Go to the documentation of this file.
1//== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines BasicObjCFoundationChecks, a class that encapsulates
10// a set of simple checks to run on Objective-C code using Apple's Foundation
11// classes.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/AST/ASTContext.h"
16#include "clang/AST/DeclObjC.h"
17#include "clang/AST/Expr.h"
18#include "clang/AST/ExprObjC.h"
19#include "clang/AST/StmtObjC.h"
20#include "clang/Analysis/DomainSpecific/CocoaConventions.h"
21#include "clang/Analysis/SelectorExtras.h"
22#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
23#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
24#include "clang/StaticAnalyzer/Core/Checker.h"
25#include "clang/StaticAnalyzer/Core/CheckerManager.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
28#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
29#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
30#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
31#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
32#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
33#include "llvm/ADT/SmallString.h"
34#include "llvm/ADT/StringMap.h"
35#include "llvm/Support/raw_ostream.h"
36#include <optional>
37
38using namespace clang;
39using namespace ento;
40using namespace llvm;
41
42namespace {
43class APIMisuse : public BugType {
44public:
45 APIMisuse(const CheckerBase *checker, const char *name)
46 : BugType(checker, name, "API Misuse (Apple)") {}
47};
48} // end anonymous namespace
49
50//===----------------------------------------------------------------------===//
51// Utility functions.
52//===----------------------------------------------------------------------===//
53
54static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) {
55 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
56 return ID->getIdentifier()->getName();
57 return StringRef();
58}
59
60enum FoundationClass {
61 FC_None,
62 FC_NSArray,
63 FC_NSDictionary,
64 FC_NSEnumerator,
65 FC_NSNull,
66 FC_NSOrderedSet,
67 FC_NSSet,
68 FC_NSString
69};
70
71static FoundationClass findKnownClass(const ObjCInterfaceDecl *ID,
72 bool IncludeSuperclasses = true) {
73 static llvm::StringMap<FoundationClass> Classes;
74 if (Classes.empty()) {
75 Classes["NSArray"] = FC_NSArray;
76 Classes["NSDictionary"] = FC_NSDictionary;
77 Classes["NSEnumerator"] = FC_NSEnumerator;
78 Classes["NSNull"] = FC_NSNull;
79 Classes["NSOrderedSet"] = FC_NSOrderedSet;
80 Classes["NSSet"] = FC_NSSet;
81 Classes["NSString"] = FC_NSString;
82 }
83
84 // FIXME: Should we cache this at all?
85 FoundationClass result = Classes.lookup(ID->getIdentifier()->getName());
86 if (result == FC_None && IncludeSuperclasses)
87 if (const ObjCInterfaceDecl *Super = ID->getSuperClass())
88 return findKnownClass(Super);
89
90 return result;
91}
92
93//===----------------------------------------------------------------------===//
94// NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
95//===----------------------------------------------------------------------===//
96
97namespace {
98 class NilArgChecker : public Checker<check::PreObjCMessage,
99 check::PostStmt<ObjCDictionaryLiteral>,
100 check::PostStmt<ObjCArrayLiteral> > {
101 mutable std::unique_ptr<APIMisuse> BT;
102
103 mutable llvm::SmallDenseMap<Selector, unsigned, 16> StringSelectors;
104 mutable Selector ArrayWithObjectSel;
105 mutable Selector AddObjectSel;
106 mutable Selector InsertObjectAtIndexSel;
107 mutable Selector ReplaceObjectAtIndexWithObjectSel;
108 mutable Selector SetObjectAtIndexedSubscriptSel;
109 mutable Selector ArrayByAddingObjectSel;
110 mutable Selector DictionaryWithObjectForKeySel;
111 mutable Selector SetObjectForKeySel;
112 mutable Selector SetObjectForKeyedSubscriptSel;
113 mutable Selector RemoveObjectForKeySel;
114
115 void warnIfNilExpr(const Expr *E,
116 const char *Msg,
117 CheckerContext &C) const;
118
119 void warnIfNilArg(CheckerContext &C,
120 const ObjCMethodCall &msg, unsigned Arg,
121 FoundationClass Class,
122 bool CanBeSubscript = false) const;
123
124 void generateBugReport(ExplodedNode *N,
125 StringRef Msg,
126 SourceRange Range,
127 const Expr *Expr,
128 CheckerContext &C) const;
129
130 public:
131 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
132 void checkPostStmt(const ObjCDictionaryLiteral *DL,
133 CheckerContext &C) const;
134 void checkPostStmt(const ObjCArrayLiteral *AL,
135 CheckerContext &C) const;
136 };
137} // end anonymous namespace
138
139void NilArgChecker::warnIfNilExpr(const Expr *E,
140 const char *Msg,
141 CheckerContext &C) const {
142 ProgramStateRef State = C.getState();
143 if (State->isNull(C.getSVal(E)).isConstrainedTrue()) {
144
145 if (ExplodedNode *N = C.generateErrorNode()) {
146 generateBugReport(N, Msg, E->getSourceRange(), E, C);
147 }
148 }
149}
150
151void NilArgChecker::warnIfNilArg(CheckerContext &C,
152 const ObjCMethodCall &msg,
153 unsigned int Arg,
154 FoundationClass Class,
155 bool CanBeSubscript) const {
156 // Check if the argument is nil.
157 ProgramStateRef State = C.getState();
158 if (!State->isNull(msg.getArgSVal(Arg)).isConstrainedTrue())
159 return;
160
161 // NOTE: We cannot throw non-fatal errors from warnIfNilExpr,
162 // because it's called multiple times from some callers, so it'd cause
163 // an unwanted state split if two or more non-fatal errors are thrown
164 // within the same checker callback. For now we don't want to, but
165 // it'll need to be fixed if we ever want to.
166 if (ExplodedNode *N = C.generateErrorNode()) {
167 SmallString<128> sbuf;
168 llvm::raw_svector_ostream os(sbuf);
169
170 if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
171
172 if (Class == FC_NSArray) {
173 os << "Array element cannot be nil";
174 } else if (Class == FC_NSDictionary) {
175 if (Arg == 0) {
176 os << "Value stored into '";
177 os << GetReceiverInterfaceName(msg) << "' cannot be nil";
178 } else {
179 assert(Arg == 1);
180 os << "'"<< GetReceiverInterfaceName(msg) << "' key cannot be nil";
181 }
182 } else
183 llvm_unreachable("Missing foundation class for the subscript expr");
184
185 } else {
186 if (Class == FC_NSDictionary) {
187 if (Arg == 0)
188 os << "Value argument ";
189 else {
190 assert(Arg == 1);
191 os << "Key argument ";
192 }
193 os << "to '";
194 msg.getSelector().print(os);
195 os << "' cannot be nil";
196 } else {
197 os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '";
198 msg.getSelector().print(os);
199 os << "' cannot be nil";
200 }
201 }
202
203 generateBugReport(N, os.str(), msg.getArgSourceRange(Arg),
204 msg.getArgExpr(Arg), C);
205 }
206}
207
208void NilArgChecker::generateBugReport(ExplodedNode *N,
209 StringRef Msg,
210 SourceRange Range,
211 const Expr *E,
212 CheckerContext &C) const {
213 if (!BT)
214 BT.reset(new APIMisuse(this, "nil argument"));
215
216 auto R = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N);
217 R->addRange(Range);
218 bugreporter::trackExpressionValue(N, E, *R);
219 C.emitReport(std::move(R));
220}
221
222void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
223 CheckerContext &C) const {
224 const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
225 if (!ID)
226 return;
227
228 FoundationClass Class = findKnownClass(ID);
229
230 static const unsigned InvalidArgIndex = UINT_MAX;
231 unsigned Arg = InvalidArgIndex;
232 bool CanBeSubscript = false;
233
234 if (Class == FC_NSString) {
235 Selector S = msg.getSelector();
236
237 if (S.isUnarySelector())
238 return;
239
240 if (StringSelectors.empty()) {
241 ASTContext &Ctx = C.getASTContext();
242 Selector Sels[] = {
243 getKeywordSelector(Ctx, "caseInsensitiveCompare"),
244 getKeywordSelector(Ctx, "compare"),
245 getKeywordSelector(Ctx, "compare", "options"),
246 getKeywordSelector(Ctx, "compare", "options", "range"),
247 getKeywordSelector(Ctx, "compare", "options", "range", "locale"),
248 getKeywordSelector(Ctx, "componentsSeparatedByCharactersInSet"),
249 getKeywordSelector(Ctx, "initWithFormat"),
250 getKeywordSelector(Ctx, "localizedCaseInsensitiveCompare"),
251 getKeywordSelector(Ctx, "localizedCompare"),
252 getKeywordSelector(Ctx, "localizedStandardCompare"),
253 };
254 for (Selector KnownSel : Sels)
255 StringSelectors[KnownSel] = 0;
256 }
257 auto I = StringSelectors.find(S);
258 if (I == StringSelectors.end())
259 return;
260 Arg = I->second;
261 } else if (Class == FC_NSArray) {
262 Selector S = msg.getSelector();
263
264 if (S.isUnarySelector())
265 return;
266
267 if (ArrayWithObjectSel.isNull()) {
268 ASTContext &Ctx = C.getASTContext();
269 ArrayWithObjectSel = getKeywordSelector(Ctx, "arrayWithObject");
270 AddObjectSel = getKeywordSelector(Ctx, "addObject");
271 InsertObjectAtIndexSel =
272 getKeywordSelector(Ctx, "insertObject", "atIndex");
273 ReplaceObjectAtIndexWithObjectSel =
274 getKeywordSelector(Ctx, "replaceObjectAtIndex", "withObject");
275 SetObjectAtIndexedSubscriptSel =
276 getKeywordSelector(Ctx, "setObject", "atIndexedSubscript");
277 ArrayByAddingObjectSel = getKeywordSelector(Ctx, "arrayByAddingObject");
278 }
279
280 if (S == ArrayWithObjectSel || S == AddObjectSel ||
281 S == InsertObjectAtIndexSel || S == ArrayByAddingObjectSel) {
282 Arg = 0;
283 } else if (S == SetObjectAtIndexedSubscriptSel) {
284 Arg = 0;
285 CanBeSubscript = true;
286 } else if (S == ReplaceObjectAtIndexWithObjectSel) {
287 Arg = 1;
288 }
289 } else if (Class == FC_NSDictionary) {
290 Selector S = msg.getSelector();
291
292 if (S.isUnarySelector())
293 return;
294
295 if (DictionaryWithObjectForKeySel.isNull()) {
296 ASTContext &Ctx = C.getASTContext();
297 DictionaryWithObjectForKeySel =
298 getKeywordSelector(Ctx, "dictionaryWithObject", "forKey");
299 SetObjectForKeySel = getKeywordSelector(Ctx, "setObject", "forKey");
300 SetObjectForKeyedSubscriptSel =
301 getKeywordSelector(Ctx, "setObject", "forKeyedSubscript");
302 RemoveObjectForKeySel = getKeywordSelector(Ctx, "removeObjectForKey");
303 }
304
305 if (S == DictionaryWithObjectForKeySel || S == SetObjectForKeySel) {
306 Arg = 0;
307 warnIfNilArg(C, msg, /* Arg */1, Class);
308 } else if (S == SetObjectForKeyedSubscriptSel) {
309 CanBeSubscript = true;
310 Arg = 1;
311 } else if (S == RemoveObjectForKeySel) {
312 Arg = 0;
313 }
314 }
315
316 // If argument is '0', report a warning.
317 if ((Arg != InvalidArgIndex))
318 warnIfNilArg(C, msg, Arg, Class, CanBeSubscript);
319}
320
321void NilArgChecker::checkPostStmt(const ObjCArrayLiteral *AL,
322 CheckerContext &C) const {
323 unsigned NumOfElements = AL->getNumElements();
324 for (unsigned i = 0; i < NumOfElements; ++i) {
325 warnIfNilExpr(AL->getElement(i), "Array element cannot be nil", C);
326 }
327}
328
329void NilArgChecker::checkPostStmt(const ObjCDictionaryLiteral *DL,
330 CheckerContext &C) const {
331 unsigned NumOfElements = DL->getNumElements();
332 for (unsigned i = 0; i < NumOfElements; ++i) {
333 ObjCDictionaryElement Element = DL->getKeyValueElement(i);
334 warnIfNilExpr(Element.Key, "Dictionary key cannot be nil", C);
335 warnIfNilExpr(Element.Value, "Dictionary value cannot be nil", C);
336 }
337}
338
339//===----------------------------------------------------------------------===//
340// Checking for mismatched types passed to CFNumberCreate/CFNumberGetValue.
341//===----------------------------------------------------------------------===//
342
343namespace {
344class CFNumberChecker : public Checker< check::PreStmt<CallExpr> > {
345 mutable std::unique_ptr<APIMisuse> BT;
346 mutable IdentifierInfo *ICreate, *IGetValue;
347public:
348 CFNumberChecker() : ICreate(nullptr), IGetValue(nullptr) {}
349
350 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
351};
352} // end anonymous namespace
353
354enum CFNumberType {
355 kCFNumberSInt8Type = 1,
356 kCFNumberSInt16Type = 2,
357 kCFNumberSInt32Type = 3,
358 kCFNumberSInt64Type = 4,
359 kCFNumberFloat32Type = 5,
360 kCFNumberFloat64Type = 6,
361 kCFNumberCharType = 7,
362 kCFNumberShortType = 8,
363 kCFNumberIntType = 9,
364 kCFNumberLongType = 10,
365 kCFNumberLongLongType = 11,
366 kCFNumberFloatType = 12,
367 kCFNumberDoubleType = 13,
368 kCFNumberCFIndexType = 14,
369 kCFNumberNSIntegerType = 15,
370 kCFNumberCGFloatType = 16
371};
372
373static std::optional<uint64_t> GetCFNumberSize(ASTContext &Ctx, uint64_t i) {
374 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
375
376 if (i < kCFNumberCharType)
377 return FixedSize[i-1];
378
379 QualType T;
380
381 switch (i) {
382 case kCFNumberCharType: T = Ctx.CharTy; break;
383 case kCFNumberShortType: T = Ctx.ShortTy; break;
384 case kCFNumberIntType: T = Ctx.IntTy; break;
385 case kCFNumberLongType: T = Ctx.LongTy; break;
386 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
387 case kCFNumberFloatType: T = Ctx.FloatTy; break;
388 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
389 case kCFNumberCFIndexType:
390 case kCFNumberNSIntegerType:
391 case kCFNumberCGFloatType:
392 // FIXME: We need a way to map from names to Type*.
393 default:
394 return std::nullopt;
395 }
396
397 return Ctx.getTypeSize(T);
398}
399
400#if 0
401static const char* GetCFNumberTypeStr(uint64_t i) {
402 static const char* Names[] = {
403 "kCFNumberSInt8Type",
404 "kCFNumberSInt16Type",
405 "kCFNumberSInt32Type",
406 "kCFNumberSInt64Type",
407 "kCFNumberFloat32Type",
408 "kCFNumberFloat64Type",
409 "kCFNumberCharType",
410 "kCFNumberShortType",
411 "kCFNumberIntType",
412 "kCFNumberLongType",
413 "kCFNumberLongLongType",
414 "kCFNumberFloatType",
415 "kCFNumberDoubleType",
416 "kCFNumberCFIndexType",
417 "kCFNumberNSIntegerType",
418 "kCFNumberCGFloatType"
419 };
420
421 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
422}
423#endif
424
425void CFNumberChecker::checkPreStmt(const CallExpr *CE,
426 CheckerContext &C) const {
427 ProgramStateRef state = C.getState();
428 const FunctionDecl *FD = C.getCalleeDecl(CE);
429 if (!FD)
430 return;
431
432 ASTContext &Ctx = C.getASTContext();
433 if (!ICreate) {
434 ICreate = &Ctx.Idents.get("CFNumberCreate");
435 IGetValue = &Ctx.Idents.get("CFNumberGetValue");
436 }
437 if (!(FD->getIdentifier() == ICreate || FD->getIdentifier() == IGetValue) ||
438 CE->getNumArgs() != 3)
439 return;
440
441 // Get the value of the "theType" argument.
442 SVal TheTypeVal = C.getSVal(CE->getArg(1));
443
444 // FIXME: We really should allow ranges of valid theType values, and
445 // bifurcate the state appropriately.
446 std::optional<nonloc::ConcreteInt> V =
447 dyn_cast<nonloc::ConcreteInt>(TheTypeVal);
448 if (!V)
449 return;
450
451 uint64_t NumberKind = V->getValue().getLimitedValue();
452 std::optional<uint64_t> OptCFNumberSize = GetCFNumberSize(Ctx, NumberKind);
453
454 // FIXME: In some cases we can emit an error.
455 if (!OptCFNumberSize)
456 return;
457
458 uint64_t CFNumberSize = *OptCFNumberSize;
459
460 // Look at the value of the integer being passed by reference. Essentially
461 // we want to catch cases where the value passed in is not equal to the
462 // size of the type being created.
463 SVal TheValueExpr = C.getSVal(CE->getArg(2));
464
465 // FIXME: Eventually we should handle arbitrary locations. We can do this
466 // by having an enhanced memory model that does low-level typing.
467 std::optional<loc::MemRegionVal> LV = TheValueExpr.getAs<loc::MemRegionVal>();
468 if (!LV)
469 return;
470
471 const TypedValueRegion* R = dyn_cast<TypedValueRegion>(LV->stripCasts());
472 if (!R)
473 return;
474
475 QualType T = Ctx.getCanonicalType(R->getValueType());
476
477 // FIXME: If the pointee isn't an integer type, should we flag a warning?
478 // People can do weird stuff with pointers.
479
480 if (!T->isIntegralOrEnumerationType())
481 return;
482
483 uint64_t PrimitiveTypeSize = Ctx.getTypeSize(T);
484
485 if (PrimitiveTypeSize == CFNumberSize)
486 return;
487
488 // FIXME: We can actually create an abstract "CFNumber" object that has
489 // the bits initialized to the provided values.
490 ExplodedNode *N = C.generateNonFatalErrorNode();
491 if (N) {
492 SmallString<128> sbuf;
493 llvm::raw_svector_ostream os(sbuf);
494 bool isCreate = (FD->getIdentifier() == ICreate);
495
496 if (isCreate) {
497 os << (PrimitiveTypeSize == 8 ? "An " : "A ")
498 << PrimitiveTypeSize << "-bit integer is used to initialize a "
499 << "CFNumber object that represents "
500 << (CFNumberSize == 8 ? "an " : "a ")
501 << CFNumberSize << "-bit integer; ";
502 } else {
503 os << "A CFNumber object that represents "
504 << (CFNumberSize == 8 ? "an " : "a ")
505 << CFNumberSize << "-bit integer is used to initialize "
506 << (PrimitiveTypeSize == 8 ? "an " : "a ")
507 << PrimitiveTypeSize << "-bit integer; ";
508 }
509
510 if (PrimitiveTypeSize < CFNumberSize)
511 os << (CFNumberSize - PrimitiveTypeSize)
512 << " bits of the CFNumber value will "
513 << (isCreate ? "be garbage." : "overwrite adjacent storage.");
514 else
515 os << (PrimitiveTypeSize - CFNumberSize)
516 << " bits of the integer value will be "
517 << (isCreate ? "lost." : "garbage.");
518
519 if (!BT)
520 BT.reset(new APIMisuse(this, "Bad use of CFNumber APIs"));
521
522 auto report = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), N);
523 report->addRange(CE->getArg(2)->getSourceRange());
524 C.emitReport(std::move(report));
525 }
526}
527
528//===----------------------------------------------------------------------===//
529// CFRetain/CFRelease/CFMakeCollectable/CFAutorelease checking for null arguments.
530//===----------------------------------------------------------------------===//
531
532namespace {
533class CFRetainReleaseChecker : public Checker<check::PreCall> {
534 mutable APIMisuse BT{this, "null passed to CF memory management function"};
535 const CallDescriptionSet ModelledCalls = {
536 {{"CFRetain"}, 1},
537 {{"CFRelease"}, 1},
538 {{"CFMakeCollectable"}, 1},
539 {{"CFAutorelease"}, 1},
540 };
541
542public:
543 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
544};
545} // end anonymous namespace
546
547void CFRetainReleaseChecker::checkPreCall(const CallEvent &Call,
548 CheckerContext &C) const {
549 // TODO: Make this check part of CallDescription.
550 if (!Call.isGlobalCFunction())
551 return;
552
553 // Check if we called CFRetain/CFRelease/CFMakeCollectable/CFAutorelease.
554 if (!ModelledCalls.contains(Call))
555 return;
556
557 // Get the argument's value.
558 SVal ArgVal = Call.getArgSVal(0);
559 std::optional<DefinedSVal> DefArgVal = ArgVal.getAs<DefinedSVal>();
560 if (!DefArgVal)
561 return;
562
563 // Is it null?
564 ProgramStateRef state = C.getState();
565 ProgramStateRef stateNonNull, stateNull;
566 std::tie(stateNonNull, stateNull) = state->assume(*DefArgVal);
567
568 if (!stateNonNull) {
569 ExplodedNode *N = C.generateErrorNode(stateNull);
570 if (!N)
571 return;
572
573 SmallString<64> Str;
574 raw_svector_ostream OS(Str);
575 OS << "Null pointer argument in call to "
576 << cast<FunctionDecl>(Call.getDecl())->getName();
577
578 auto report = std::make_unique<PathSensitiveBugReport>(BT, OS.str(), N);
579 report->addRange(Call.getArgSourceRange(0));
580 bugreporter::trackExpressionValue(N, Call.getArgExpr(0), *report);
581 C.emitReport(std::move(report));
582 return;
583 }
584
585 // From here on, we know the argument is non-null.
586 C.addTransition(stateNonNull);
587}
588
589//===----------------------------------------------------------------------===//
590// Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
591//===----------------------------------------------------------------------===//
592
593namespace {
594class ClassReleaseChecker : public Checker<check::PreObjCMessage> {
595 mutable Selector releaseS;
596 mutable Selector retainS;
597 mutable Selector autoreleaseS;
598 mutable Selector drainS;
599 mutable std::unique_ptr<BugType> BT;
600
601public:
602 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
603};
604} // end anonymous namespace
605
606void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
607 CheckerContext &C) const {
608 if (!BT) {
609 BT.reset(new APIMisuse(
610 this, "message incorrectly sent to class instead of class instance"));
611
612 ASTContext &Ctx = C.getASTContext();
613 releaseS = GetNullarySelector("release", Ctx);
614 retainS = GetNullarySelector("retain", Ctx);
615 autoreleaseS = GetNullarySelector("autorelease", Ctx);
616 drainS = GetNullarySelector("drain", Ctx);
617 }
618
619 if (msg.isInstanceMessage())
620 return;
621 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
622 assert(Class);
623
624 Selector S = msg.getSelector();
625 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
626 return;
627
628 if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
629 SmallString<200> buf;
630 llvm::raw_svector_ostream os(buf);
631
632 os << "The '";
633 S.print(os);
634 os << "' message should be sent to instances "
635 "of class '" << Class->getName()
636 << "' and not the class directly";
637
638 auto report = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), N);
639 report->addRange(msg.getSourceRange());
640 C.emitReport(std::move(report));
641 }
642}
643
644//===----------------------------------------------------------------------===//
645// Check for passing non-Objective-C types to variadic methods that expect
646// only Objective-C types.
647//===----------------------------------------------------------------------===//
648
649namespace {
650class VariadicMethodTypeChecker : public Checker<check::PreObjCMessage> {
651 mutable Selector arrayWithObjectsS;
652 mutable Selector dictionaryWithObjectsAndKeysS;
653 mutable Selector setWithObjectsS;
654 mutable Selector orderedSetWithObjectsS;
655 mutable Selector initWithObjectsS;
656 mutable Selector initWithObjectsAndKeysS;
657 mutable std::unique_ptr<BugType> BT;
658
659 bool isVariadicMessage(const ObjCMethodCall &msg) const;
660
661public:
662 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
663};
664} // end anonymous namespace
665
666/// isVariadicMessage - Returns whether the given message is a variadic message,
667/// where all arguments must be Objective-C types.
668bool
669VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const {
670 const ObjCMethodDecl *MD = msg.getDecl();
671
672 if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext()))
673 return false;
674
675 Selector S = msg.getSelector();
676
677 if (msg.isInstanceMessage()) {
678 // FIXME: Ideally we'd look at the receiver interface here, but that's not
679 // useful for init, because alloc returns 'id'. In theory, this could lead
680 // to false positives, for example if there existed a class that had an
681 // initWithObjects: implementation that does accept non-Objective-C pointer
682 // types, but the chance of that happening is pretty small compared to the
683 // gains that this analysis gives.
684 const ObjCInterfaceDecl *Class = MD->getClassInterface();
685
686 switch (findKnownClass(Class)) {
687 case FC_NSArray:
688 case FC_NSOrderedSet:
689 case FC_NSSet:
690 return S == initWithObjectsS;
691 case FC_NSDictionary:
692 return S == initWithObjectsAndKeysS;
693 default:
694 return false;
695 }
696 } else {
697 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
698
699 switch (findKnownClass(Class)) {
700 case FC_NSArray:
701 return S == arrayWithObjectsS;
702 case FC_NSOrderedSet:
703 return S == orderedSetWithObjectsS;
704 case FC_NSSet:
705 return S == setWithObjectsS;
706 case FC_NSDictionary:
707 return S == dictionaryWithObjectsAndKeysS;
708 default:
709 return false;
710 }
711 }
712}
713
714void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
715 CheckerContext &C) const {
716 if (!BT) {
717 BT.reset(new APIMisuse(this,
718 "Arguments passed to variadic method aren't all "
719 "Objective-C pointer types"));
720
721 ASTContext &Ctx = C.getASTContext();
722 arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx);
723 dictionaryWithObjectsAndKeysS =
724 GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx);
725 setWithObjectsS = GetUnarySelector("setWithObjects", Ctx);
726 orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx);
727
728 initWithObjectsS = GetUnarySelector("initWithObjects", Ctx);
729 initWithObjectsAndKeysS = GetUnarySelector("initWithObjectsAndKeys", Ctx);
730 }
731
732 if (!isVariadicMessage(msg))
733 return;
734
735 // We are not interested in the selector arguments since they have
736 // well-defined types, so the compiler will issue a warning for them.
737 unsigned variadicArgsBegin = msg.getSelector().getNumArgs();
738
739 // We're not interested in the last argument since it has to be nil or the
740 // compiler would have issued a warning for it elsewhere.
741 unsigned variadicArgsEnd = msg.getNumArgs() - 1;
742
743 if (variadicArgsEnd <= variadicArgsBegin)
744 return;
745
746 // Verify that all arguments have Objective-C types.
747 std::optional<ExplodedNode *> errorNode;
748
749 for (unsigned I = variadicArgsBegin; I != variadicArgsEnd; ++I) {
750 QualType ArgTy = msg.getArgExpr(I)->getType();
751 if (ArgTy->isObjCObjectPointerType())
752 continue;
753
754 // Block pointers are treaded as Objective-C pointers.
755 if (ArgTy->isBlockPointerType())
756 continue;
757
758 // Ignore pointer constants.
759 if (isa<loc::ConcreteInt>(msg.getArgSVal(I)))
760 continue;
761
762 // Ignore pointer types annotated with 'NSObject' attribute.
763 if (C.getASTContext().isObjCNSObjectType(ArgTy))
764 continue;
765
766 // Ignore CF references, which can be toll-free bridged.
767 if (coreFoundation::isCFObjectRef(ArgTy))
768 continue;
769
770 // Generate only one error node to use for all bug reports.
771 if (!errorNode)
772 errorNode = C.generateNonFatalErrorNode();
773
774 if (!*errorNode)
775 continue;
776
777 SmallString<128> sbuf;
778 llvm::raw_svector_ostream os(sbuf);
779
780 StringRef TypeName = GetReceiverInterfaceName(msg);
781 if (!TypeName.empty())
782 os << "Argument to '" << TypeName << "' method '";
783 else
784 os << "Argument to method '";
785
786 msg.getSelector().print(os);
787 os << "' should be an Objective-C pointer type, not '";
788 ArgTy.print(os, C.getLangOpts());
789 os << "'";
790
791 auto R =
792 std::make_unique<PathSensitiveBugReport>(*BT, os.str(), *errorNode);
793 R->addRange(msg.getArgSourceRange(I));
794 C.emitReport(std::move(R));
795 }
796}
797
798//===----------------------------------------------------------------------===//
799// Improves the modeling of loops over Cocoa collections.
800//===----------------------------------------------------------------------===//
801
802// The map from container symbol to the container count symbol.
803// We currently will remember the last container count symbol encountered.
804REGISTER_MAP_WITH_PROGRAMSTATE(ContainerCountMap, SymbolRef, SymbolRef)
805REGISTER_MAP_WITH_PROGRAMSTATE(ContainerNonEmptyMap, SymbolRef, bool)
806
807namespace {
808class ObjCLoopChecker
809 : public Checker<check::PostStmt<ObjCForCollectionStmt>,
810 check::PostObjCMessage,
811 check::DeadSymbols,
812 check::PointerEscape > {
813 mutable IdentifierInfo *CountSelectorII;
814
815 bool isCollectionCountMethod(const ObjCMethodCall &M,
816 CheckerContext &C) const;
817
818public:
819 ObjCLoopChecker() : CountSelectorII(nullptr) {}
820 void checkPostStmt(const ObjCForCollectionStmt *FCS, CheckerContext &C) const;
821 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
822 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
823 ProgramStateRef checkPointerEscape(ProgramStateRef State,
824 const InvalidatedSymbols &Escaped,
825 const CallEvent *Call,
826 PointerEscapeKind Kind) const;
827};
828} // end anonymous namespace
829
830static bool isKnownNonNilCollectionType(QualType T) {
831 const ObjCObjectPointerType *PT = T->getAs<ObjCObjectPointerType>();
832 if (!PT)
833 return false;
834
835 const ObjCInterfaceDecl *ID = PT->getInterfaceDecl();
836 if (!ID)
837 return false;
838
839 switch (findKnownClass(ID)) {
840 case FC_NSArray:
841 case FC_NSDictionary:
842 case FC_NSEnumerator:
843 case FC_NSOrderedSet:
844 case FC_NSSet:
845 return true;
846 default:
847 return false;
848 }
849}
850
851/// Assumes that the collection is non-nil.
852///
853/// If the collection is known to be nil, returns NULL to indicate an infeasible
854/// path.
855static ProgramStateRef checkCollectionNonNil(CheckerContext &C,
856 ProgramStateRef State,
857 const ObjCForCollectionStmt *FCS) {
858 if (!State)
859 return nullptr;
860
861 SVal CollectionVal = C.getSVal(FCS->getCollection());
862 std::optional<DefinedSVal> KnownCollection =
863 CollectionVal.getAs<DefinedSVal>();
864 if (!KnownCollection)
865 return State;
866
867 ProgramStateRef StNonNil, StNil;
868 std::tie(StNonNil, StNil) = State->assume(*KnownCollection);
869 if (StNil && !StNonNil) {
870 // The collection is nil. This path is infeasible.
871 return nullptr;
872 }
873
874 return StNonNil;
875}
876
877/// Assumes that the collection elements are non-nil.
878///
879/// This only applies if the collection is one of those known not to contain
880/// nil values.
881static ProgramStateRef checkElementNonNil(CheckerContext &C,
882 ProgramStateRef State,
883 const ObjCForCollectionStmt *FCS) {
884 if (!State)
885 return nullptr;
886
887 // See if the collection is one where we /know/ the elements are non-nil.
888 if (!isKnownNonNilCollectionType(FCS->getCollection()->getType()))
889 return State;
890
891 const LocationContext *LCtx = C.getLocationContext();
892 const Stmt *Element = FCS->getElement();
893
894 // FIXME: Copied from ExprEngineObjC.
895 std::optional<Loc> ElementLoc;
896 if (const DeclStmt *DS = dyn_cast<DeclStmt>(Element)) {
897 const VarDecl *ElemDecl = cast<VarDecl>(DS->getSingleDecl());
898 assert(ElemDecl->getInit() == nullptr);
899 ElementLoc = State->getLValue(ElemDecl, LCtx);
900 } else {
901 ElementLoc = State->getSVal(Element, LCtx).getAs<Loc>();
902 }
903
904 if (!ElementLoc)
905 return State;
906
907 // Go ahead and assume the value is non-nil.
908 SVal Val = State->getSVal(*ElementLoc);
909 return State->assume(cast<DefinedOrUnknownSVal>(Val), true);
910}
911
912/// Returns NULL state if the collection is known to contain elements
913/// (or is known not to contain elements if the Assumption parameter is false.)
914static ProgramStateRef
915assumeCollectionNonEmpty(CheckerContext &C, ProgramStateRef State,
916 SymbolRef CollectionS, bool Assumption) {
917 if (!State || !CollectionS)
918 return State;
919
920 const SymbolRef *CountS = State->get<ContainerCountMap>(CollectionS);
921 if (!CountS) {
922 const bool *KnownNonEmpty = State->get<ContainerNonEmptyMap>(CollectionS);
923 if (!KnownNonEmpty)
924 return State->set<ContainerNonEmptyMap>(CollectionS, Assumption);
925 return (Assumption == *KnownNonEmpty) ? State : nullptr;
926 }
927
928 SValBuilder &SvalBuilder = C.getSValBuilder();
929 SVal CountGreaterThanZeroVal =
930 SvalBuilder.evalBinOp(State, BO_GT,
931 nonloc::SymbolVal(*CountS),
932 SvalBuilder.makeIntVal(0, (*CountS)->getType()),
933 SvalBuilder.getConditionType());
934 std::optional<DefinedSVal> CountGreaterThanZero =
935 CountGreaterThanZeroVal.getAs<DefinedSVal>();
936 if (!CountGreaterThanZero) {
937 // The SValBuilder cannot construct a valid SVal for this condition.
938 // This means we cannot properly reason about it.
939 return State;
940 }
941
942 return State->assume(*CountGreaterThanZero, Assumption);
943}
944
945static ProgramStateRef
946assumeCollectionNonEmpty(CheckerContext &C, ProgramStateRef State,
947 const ObjCForCollectionStmt *FCS,
948 bool Assumption) {
949 if (!State)
950 return nullptr;
951
952 SymbolRef CollectionS = C.getSVal(FCS->getCollection()).getAsSymbol();
953 return assumeCollectionNonEmpty(C, State, CollectionS, Assumption);
954}
955
956/// If the fist block edge is a back edge, we are reentering the loop.
957static bool alreadyExecutedAtLeastOneLoopIteration(const ExplodedNode *N,
958 const ObjCForCollectionStmt *FCS) {
959 if (!N)
960 return false;
961
962 ProgramPoint P = N->getLocation();
963 if (std::optional<BlockEdge> BE = P.getAs<BlockEdge>()) {
964 return BE->getSrc()->getLoopTarget() == FCS;
965 }
966
967 // Keep looking for a block edge.
968 for (ExplodedNode::const_pred_iterator I = N->pred_begin(),
969 E = N->pred_end(); I != E; ++I) {
970 if (alreadyExecutedAtLeastOneLoopIteration(*I, FCS))
971 return true;
972 }
973
974 return false;
975}
976
977void ObjCLoopChecker::checkPostStmt(const ObjCForCollectionStmt *FCS,
978 CheckerContext &C) const {
979 ProgramStateRef State = C.getState();
980
981 // Check if this is the branch for the end of the loop.
982 if (!ExprEngine::hasMoreIteration(State, FCS, C.getLocationContext())) {
983 if (!alreadyExecutedAtLeastOneLoopIteration(C.getPredecessor(), FCS))
984 State = assumeCollectionNonEmpty(C, State, FCS, /*Assumption*/false);
985
986 // Otherwise, this is a branch that goes through the loop body.
987 } else {
988 State = checkCollectionNonNil(C, State, FCS);
989 State = checkElementNonNil(C, State, FCS);
990 State = assumeCollectionNonEmpty(C, State, FCS, /*Assumption*/true);
991 }
992
993 if (!State)
994 C.generateSink(C.getState(), C.getPredecessor());
995 else if (State != C.getState())
996 C.addTransition(State);
997}
998
999bool ObjCLoopChecker::isCollectionCountMethod(const ObjCMethodCall &M,
1000 CheckerContext &C) const {
1001 Selector S = M.getSelector();
1002 // Initialize the identifiers on first use.
1003 if (!CountSelectorII)
1004 CountSelectorII = &C.getASTContext().Idents.get("count");
1005
1006 // If the method returns collection count, record the value.
1007 return S.isUnarySelector() &&
1008 (S.getIdentifierInfoForSlot(0) == CountSelectorII);
1009}
1010
1011void ObjCLoopChecker::checkPostObjCMessage(const ObjCMethodCall &M,
1012 CheckerContext &C) const {
1013 if (!M.isInstanceMessage())
1014 return;
1015
1016 const ObjCInterfaceDecl *ClassID = M.getReceiverInterface();
1017 if (!ClassID)
1018 return;
1019
1020 FoundationClass Class = findKnownClass(ClassID);
1021 if (Class != FC_NSDictionary &&
1022 Class != FC_NSArray &&
1023 Class != FC_NSSet &&
1024 Class != FC_NSOrderedSet)
1025 return;
1026
1027 SymbolRef ContainerS = M.getReceiverSVal().getAsSymbol();
1028 if (!ContainerS)
1029 return;
1030
1031 // If we are processing a call to "count", get the symbolic value returned by
1032 // a call to "count" and add it to the map.
1033 if (!isCollectionCountMethod(M, C))
1034 return;
1035
1036 const Expr *MsgExpr = M.getOriginExpr();
1037 SymbolRef CountS = C.getSVal(MsgExpr).getAsSymbol();
1038 if (CountS) {
1039 ProgramStateRef State = C.getState();
1040
1041 C.getSymbolManager().addSymbolDependency(ContainerS, CountS);
1042 State = State->set<ContainerCountMap>(ContainerS, CountS);
1043
1044 if (const bool *NonEmpty = State->get<ContainerNonEmptyMap>(ContainerS)) {
1045 State = State->remove<ContainerNonEmptyMap>(ContainerS);
1046 State = assumeCollectionNonEmpty(C, State, ContainerS, *NonEmpty);
1047 }
1048
1049 C.addTransition(State);
1050 }
1051}
1052
1053static SymbolRef getMethodReceiverIfKnownImmutable(const CallEvent *Call) {
1054 const ObjCMethodCall *Message = dyn_cast_or_null<ObjCMethodCall>(Call);
1055 if (!Message)
1056 return nullptr;
1057
1058 const ObjCMethodDecl *MD = Message->getDecl();
1059 if (!MD)
1060 return nullptr;
1061
1062 const ObjCInterfaceDecl *StaticClass;
1063 if (isa<ObjCProtocolDecl>(MD->getDeclContext())) {
1064 // We can't find out where the method was declared without doing more work.
1065 // Instead, see if the receiver is statically typed as a known immutable
1066 // collection.
1067 StaticClass = Message->getOriginExpr()->getReceiverInterface();
1068 } else {
1069 StaticClass = MD->getClassInterface();
1070 }
1071
1072 if (!StaticClass)
1073 return nullptr;
1074
1075 switch (findKnownClass(StaticClass, /*IncludeSuper=*/false)) {
1076 case FC_None:
1077 return nullptr;
1078 case FC_NSArray:
1079 case FC_NSDictionary:
1080 case FC_NSEnumerator:
1081 case FC_NSNull:
1082 case FC_NSOrderedSet:
1083 case FC_NSSet:
1084 case FC_NSString:
1085 break;
1086 }
1087
1088 return Message->getReceiverSVal().getAsSymbol();
1089}
1090
1091ProgramStateRef
1092ObjCLoopChecker::checkPointerEscape(ProgramStateRef State,
1093 const InvalidatedSymbols &Escaped,
1094 const CallEvent *Call,
1095 PointerEscapeKind Kind) const {
1096 SymbolRef ImmutableReceiver = getMethodReceiverIfKnownImmutable(Call);
1097
1098 // Remove the invalidated symbols from the collection count map.
1099 for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
1100 E = Escaped.end();
1101 I != E; ++I) {
1102 SymbolRef Sym = *I;
1103
1104 // Don't invalidate this symbol's count if we know the method being called
1105 // is declared on an immutable class. This isn't completely correct if the
1106 // receiver is also passed as an argument, but in most uses of NSArray,
1107 // NSDictionary, etc. this isn't likely to happen in a dangerous way.
1108 if (Sym == ImmutableReceiver)
1109 continue;
1110
1111 // The symbol escaped. Pessimistically, assume that the count could have
1112 // changed.
1113 State = State->remove<ContainerCountMap>(Sym);
1114 State = State->remove<ContainerNonEmptyMap>(Sym);
1115 }
1116 return State;
1117}
1118
1119void ObjCLoopChecker::checkDeadSymbols(SymbolReaper &SymReaper,
1120 CheckerContext &C) const {
1121 ProgramStateRef State = C.getState();
1122
1123 // Remove the dead symbols from the collection count map.
1124 ContainerCountMapTy Tracked = State->get<ContainerCountMap>();
1125 for (ContainerCountMapTy::iterator I = Tracked.begin(),
1126 E = Tracked.end(); I != E; ++I) {
1127 SymbolRef Sym = I->first;
1128 if (SymReaper.isDead(Sym)) {
1129 State = State->remove<ContainerCountMap>(Sym);
1130 State = State->remove<ContainerNonEmptyMap>(Sym);
1131 }
1132 }
1133
1134 C.addTransition(State);
1135}
1136
1137namespace {
1138/// \class ObjCNonNilReturnValueChecker
1139/// The checker restricts the return values of APIs known to
1140/// never (or almost never) return 'nil'.
1141class ObjCNonNilReturnValueChecker
1142 : public Checker<check::PostObjCMessage,
1143 check::PostStmt<ObjCArrayLiteral>,
1144 check::PostStmt<ObjCDictionaryLiteral>,
1145 check::PostStmt<ObjCBoxedExpr> > {
1146 mutable bool Initialized;
1147 mutable Selector ObjectAtIndex;
1148 mutable Selector ObjectAtIndexedSubscript;
1149 mutable Selector NullSelector;
1150
1151public:
1152 ObjCNonNilReturnValueChecker() : Initialized(false) {}
1153
1154 ProgramStateRef assumeExprIsNonNull(const Expr *NonNullExpr,
1155 ProgramStateRef State,
1156 CheckerContext &C) const;
1157 void assumeExprIsNonNull(const Expr *E, CheckerContext &C) const {
1158 C.addTransition(assumeExprIsNonNull(E, C.getState(), C));
1159 }
1160
1161 void checkPostStmt(const ObjCArrayLiteral *E, CheckerContext &C) const {
1162 assumeExprIsNonNull(E, C);
1163 }
1164 void checkPostStmt(const ObjCDictionaryLiteral *E, CheckerContext &C) const {
1165 assumeExprIsNonNull(E, C);
1166 }
1167 void checkPostStmt(const ObjCBoxedExpr *E, CheckerContext &C) const {
1168 assumeExprIsNonNull(E, C);
1169 }
1170
1171 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
1172};
1173} // end anonymous namespace
1174
1175ProgramStateRef
1176ObjCNonNilReturnValueChecker::assumeExprIsNonNull(const Expr *NonNullExpr,
1177 ProgramStateRef State,
1178 CheckerContext &C) const {
1179 SVal Val = C.getSVal(NonNullExpr);
1180 if (std::optional<DefinedOrUnknownSVal> DV =
1181 Val.getAs<DefinedOrUnknownSVal>())
1182 return State->assume(*DV, true);
1183 return State;
1184}
1185
1186void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M,
1187 CheckerContext &C)
1188 const {
1189 ProgramStateRef State = C.getState();
1190
1191 if (!Initialized) {
1192 ASTContext &Ctx = C.getASTContext();
1193 ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx);
1194 ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx);
1195 NullSelector = GetNullarySelector("null", Ctx);
1196 }
1197
1198 // Check the receiver type.
1199 if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) {
1200
1201 // Assume that object returned from '[self init]' or '[super init]' is not
1202 // 'nil' if we are processing an inlined function/method.
1203 //
1204 // A defensive callee will (and should) check if the object returned by
1205 // '[super init]' is 'nil' before doing it's own initialization. However,
1206 // since 'nil' is rarely returned in practice, we should not warn when the
1207 // caller to the defensive constructor uses the object in contexts where
1208 // 'nil' is not accepted.
1209 if (!C.inTopFrame() && M.getDecl() &&
1210 M.getDecl()->getMethodFamily() == OMF_init &&
1211 M.isReceiverSelfOrSuper()) {
1212 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
1213 }
1214
1215 FoundationClass Cl = findKnownClass(Interface);
1216
1217 // Objects returned from
1218 // [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript]
1219 // are never 'nil'.
1220 if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) {
1221 Selector Sel = M.getSelector();
1222 if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) {
1223 // Go ahead and assume the value is non-nil.
1224 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
1225 }
1226 }
1227
1228 // Objects returned from [NSNull null] are not nil.
1229 if (Cl == FC_NSNull) {
1230 if (M.getSelector() == NullSelector) {
1231 // Go ahead and assume the value is non-nil.
1232 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
1233 }
1234 }
1235 }
1236 C.addTransition(State);
1237}
1238
1239//===----------------------------------------------------------------------===//
1240// Check registration.
1241//===----------------------------------------------------------------------===//
1242
1243void ento::registerNilArgChecker(CheckerManager &mgr) {
1244 mgr.registerChecker<NilArgChecker>();
1245}
1246
1247bool ento::shouldRegisterNilArgChecker(const CheckerManager &mgr) {
1248 return true;
1249}
1250
1251void ento::registerCFNumberChecker(CheckerManager &mgr) {
1252 mgr.registerChecker<CFNumberChecker>();
1253}
1254
1255bool ento::shouldRegisterCFNumberChecker(const CheckerManager &mgr) {
1256 return true;
1257}
1258
1259void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
1260 mgr.registerChecker<CFRetainReleaseChecker>();
1261}
1262
1263bool ento::shouldRegisterCFRetainReleaseChecker(const CheckerManager &mgr) {
1264 return true;
1265}
1266
1267void ento::registerClassReleaseChecker(CheckerManager &mgr) {
1268 mgr.registerChecker<ClassReleaseChecker>();
1269}
1270
1271bool ento::shouldRegisterClassReleaseChecker(const CheckerManager &mgr) {
1272 return true;
1273}
1274
1275void ento::registerVariadicMethodTypeChecker(CheckerManager &mgr) {
1276 mgr.registerChecker<VariadicMethodTypeChecker>();
1277}
1278
1279bool ento::shouldRegisterVariadicMethodTypeChecker(const CheckerManager &mgr) {
1280 return true;
1281}
1282
1283void ento::registerObjCLoopChecker(CheckerManager &mgr) {
1284 mgr.registerChecker<ObjCLoopChecker>();
1285}
1286
1287bool ento::shouldRegisterObjCLoopChecker(const CheckerManager &mgr) {
1288 return true;
1289}
1290
1291void ento::registerObjCNonNilReturnValueChecker(CheckerManager &mgr) {
1292 mgr.registerChecker<ObjCNonNilReturnValueChecker>();
1293}
1294
1295bool ento::shouldRegisterObjCNonNilReturnValueChecker(const CheckerManager &mgr) {
1296 return true;
1297}
ASTContext.h
Defines the clang::ASTContext interface.
V
#define V(N, I)
Definition: ASTContext.h:3217
P
StringRef P
Definition: ASTMatchersInternal.cpp:564
alreadyExecutedAtLeastOneLoopIteration
static bool alreadyExecutedAtLeastOneLoopIteration(const ExplodedNode *N, const ObjCForCollectionStmt *FCS)
If the fist block edge is a back edge, we are reentering the loop.
Definition: BasicObjCFoundationChecks.cpp:957
checkCollectionNonNil
static ProgramStateRef checkCollectionNonNil(CheckerContext &C, ProgramStateRef State, const ObjCForCollectionStmt *FCS)
Assumes that the collection is non-nil.
Definition: BasicObjCFoundationChecks.cpp:855
findKnownClass
static FoundationClass findKnownClass(const ObjCInterfaceDecl *ID, bool IncludeSuperclasses=true)
Definition: BasicObjCFoundationChecks.cpp:71
isKnownNonNilCollectionType
static bool isKnownNonNilCollectionType(QualType T)
Definition: BasicObjCFoundationChecks.cpp:830
assumeCollectionNonEmpty
static ProgramStateRef assumeCollectionNonEmpty(CheckerContext &C, ProgramStateRef State, SymbolRef CollectionS, bool Assumption)
Returns NULL state if the collection is known to contain elements (or is known not to contain element...
Definition: BasicObjCFoundationChecks.cpp:915
getMethodReceiverIfKnownImmutable
static SymbolRef getMethodReceiverIfKnownImmutable(const CallEvent *Call)
Definition: BasicObjCFoundationChecks.cpp:1053
GetReceiverInterfaceName
static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg)
Definition: BasicObjCFoundationChecks.cpp:54
GetCFNumberSize
static std::optional< uint64_t > GetCFNumberSize(ASTContext &Ctx, uint64_t i)
Definition: BasicObjCFoundationChecks.cpp:373
checkElementNonNil
static ProgramStateRef checkElementNonNil(CheckerContext &C, ProgramStateRef State, const ObjCForCollectionStmt *FCS)
Assumes that the collection elements are non-nil.
Definition: BasicObjCFoundationChecks.cpp:881
OS
llvm::raw_ostream & OS
Definition: Logger.cpp:24
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87
StmtObjC.h
Defines the Objective-C statement AST node classes.
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182
clang::ASTContext::LongTy
CanQualType LongTy
Definition: ASTContext.h:1087
clang::ASTContext::FloatTy
CanQualType FloatTy
Definition: ASTContext.h:1090
clang::ASTContext::getCanonicalType
CanQualType getCanonicalType(QualType T) const
Return the canonical (structural) type corresponding to the specified potentially non-canonical type ...
Definition: ASTContext.h:2505
clang::ASTContext::DoubleTy
CanQualType DoubleTy
Definition: ASTContext.h:1090
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:631
clang::ASTContext::CharTy
CanQualType CharTy
Definition: ASTContext.h:1080
clang::ASTContext::IntTy
CanQualType IntTy
Definition: ASTContext.h:1087
clang::ASTContext::getTypeSize
uint64_t getTypeSize(QualType T) const
Return the size of the specified (complete) type T, in bits.
Definition: ASTContext.h:2279
clang::ASTContext::ShortTy
CanQualType ShortTy
Definition: ASTContext.h:1087
clang::ASTContext::LongLongTy
CanQualType LongLongTy
Definition: ASTContext.h:1087
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2812
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:3003
clang::CallExpr::getNumArgs
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2990
clang::DeclStmt
DeclStmt - Adaptor class for mixing declarations with statements and expressions.
Definition: Stmt.h:1311
clang::Decl::getDeclContext
DeclContext * getDeclContext()
Definition: DeclBase.h:441
clang::Expr::Classification
The return type of classify().
Definition: Expr.h:324
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1917
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:85
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:597
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::NamedDecl::getIdentifier
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:268
clang::ObjCArrayLiteral
ObjCArrayLiteral - used for objective-c array containers; as in: @["Hello", NSApp,...
Definition: ExprObjC.h:191
clang::ObjCArrayLiteral::getElement
Expr * getElement(unsigned Index)
getElement - Return the Element at the specified index.
Definition: ExprObjC.h:231
clang::ObjCArrayLiteral::getNumElements
unsigned getNumElements() const
getNumElements - Return number of elements of objective-c array literal.
Definition: ExprObjC.h:228
clang::ObjCBoxedExpr
ObjCBoxedExpr - used for generalized expression boxing.
Definition: ExprObjC.h:127
clang::ObjCDictionaryLiteral
ObjCDictionaryLiteral - AST node to represent objective-c dictionary literals; as in:"name" : NSUserN...
Definition: ExprObjC.h:309
clang::ObjCDictionaryLiteral::getNumElements
unsigned getNumElements() const
getNumElements - Return number of elements of objective-c dictionary literal.
Definition: ExprObjC.h:359
clang::ObjCDictionaryLiteral::getKeyValueElement
ObjCDictionaryElement getKeyValueElement(unsigned Index) const
Definition: ExprObjC.h:361
clang::ObjCForCollectionStmt
Represents Objective-C's collection statement.
Definition: StmtObjC.h:23
clang::ObjCInterfaceDecl
Represents an ObjC class declaration.
Definition: DeclObjC.h:1147
clang::ObjCMethodDecl
ObjCMethodDecl - Represents an instance or class method declaration.
Definition: DeclObjC.h:138
clang::ObjCMethodDecl::isVariadic
bool isVariadic() const
Definition: DeclObjC.h:433
clang::ObjCMethodDecl::getMethodFamily
ObjCMethodFamily getMethodFamily() const
Determines the family of this method.
Definition: DeclObjC.cpp:1053
clang::ObjCMethodDecl::getClassInterface
ObjCInterfaceDecl * getClassInterface()
Definition: DeclObjC.cpp:1211
clang::ObjCObjectPointerType
Represents a pointer to an Objective C object.
Definition: Type.h:6297
clang::ObjCObjectPointerType::getInterfaceDecl
ObjCInterfaceDecl * getInterfaceDecl() const
If this pointer points to an Objective @interface type, gets the declaration for that interface.
Definition: Type.h:6349
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736
clang::QualType::print
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
Definition: TypePrinter.cpp:2355
clang::Selector
Smart pointer class that efficiently represents Objective-C method names.
Definition: IdentifierTable.h:759
clang::Selector::print
void print(llvm::raw_ostream &OS) const
Prints the full selector name (e.g. "foo:bar:").
Definition: IdentifierTable.cpp:625
clang::Selector::getNumArgs
unsigned getNumArgs() const
Definition: IdentifierTable.cpp:563
clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:210
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:72
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325
clang::Type::isBlockPointerType
bool isBlockPointerType() const
Definition: Type.h:6918
clang::Type::isIntegralOrEnumerationType
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:7321
clang::Type::isObjCObjectPointerType
bool isObjCObjectPointerType() const
Definition: Type.h:7038
clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition: Type.h:7424
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:913
clang::VarDecl::getInit
const Expr * getInit() const
Definition: Decl.h:1325
clang::ento::CallDescriptionSet
An immutable set of CallDescriptions.
Definition: CallDescription.h:228
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149
clang::ento::CallEvent::getArgSourceRange
virtual SourceRange getArgSourceRange(unsigned Index) const
Returns the source range for errors associated with this argument.
Definition: CallEvent.cpp:315
clang::ento::CallEvent::getArgSVal
virtual SVal getArgSVal(unsigned Index) const
Returns the value of a given argument at the time of the call.
Definition: CallEvent.cpp:308
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::ExplodedNode::pred_end
pred_iterator pred_end()
Definition: ExplodedGraph.h:238
clang::ento::ExplodedNode::pred_begin
pred_iterator pred_begin()
Definition: ExplodedGraph.h:237
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition: ExplodedGraph.h:144
clang::ento::ExplodedNode::const_pred_iterator
const ExplodedNode *const * const_pred_iterator
Definition: ExplodedGraph.h:234
clang::ento::ExprEngine::hasMoreIteration
static bool hasMoreIteration(ProgramStateRef State, const ObjCForCollectionStmt *O, const LocationContext *LC)
Definition: ExprEngine.cpp:2673
clang::ento::ObjCMethodCall
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:1163
clang::ento::ObjCMethodCall::getDecl
const ObjCMethodDecl * getDecl() const override
Returns the declaration of the function or method that will be called.
Definition: CallEvent.h:1192
clang::ento::ObjCMethodCall::isInstanceMessage
bool isInstanceMessage() const
Definition: CallEvent.h:1204
clang::ento::ObjCMethodCall::getArgExpr
const Expr * getArgExpr(unsigned Index) const override
Returns the expression associated with a given argument.
Definition: CallEvent.h:1200
clang::ento::ObjCMethodCall::getMessageKind
ObjCMessageKind getMessageKind() const
Returns how the message was written in the source (property access, subscript, or explicit message se...
Definition: CallEvent.cpp:1040
clang::ento::ObjCMethodCall::getNumArgs
unsigned getNumArgs() const override
Returns the number of arguments (explicit and implicit).
Definition: CallEvent.h:1196
clang::ento::ObjCMethodCall::getOriginExpr
const ObjCMessageExpr * getOriginExpr() const override
Returns the expression whose value will be the result of this call.
Definition: CallEvent.h:1188
clang::ento::ObjCMethodCall::getSourceRange
SourceRange getSourceRange() const override
Returns a source range for the entire call, suitable for outputting in diagnostics.
Definition: CallEvent.cpp:1009
clang::ento::ObjCMethodCall::getReceiverSVal
SVal getReceiverSVal() const
Returns the value of the receiver at the time of this call.
Definition: CallEvent.cpp:979
clang::ento::ObjCMethodCall::getReceiverInterface
const ObjCInterfaceDecl * getReceiverInterface() const
Get the interface for the receiver.
Definition: CallEvent.h:1225
clang::ento::ObjCMethodCall::isReceiverSelfOrSuper
bool isReceiverSelfOrSuper() const
Checks if the receiver refers to 'self' or 'super'.
Definition: CallEvent.cpp:995
clang::ento::ObjCMethodCall::getSelector
Selector getSelector() const
Definition: CallEvent.h:1212
clang::ento::Range
A Range represents the closed range [from, to].
Definition: RangedConstraintManager.h:29
clang::ento::SValBuilder::makeIntVal
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:269
clang::ento::SValBuilder::getConditionType
QualType getConditionType() const
Definition: SValBuilder.h:141
clang::ento::SValBuilder::evalBinOp
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
Definition: SValBuilder.cpp:486
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:103
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:29
clang::ento::SymbolReaper
A class responsible for cleaning up unused symbols.
Definition: SymbolManager.h:572
clang::ento::SymbolReaper::isDead
bool isDead(SymbolRef sym)
Returns whether or not a symbol has been confirmed dead.
Definition: SymbolManager.h:643
clang::ento::TypedValueRegion
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:531
clang::ento::TypedValueRegion::getValueType
virtual QualType getValueType() const =0
clang::ento::nonloc::SymbolVal
Represents symbolic expression that isn't a location.
Definition: SVals.h:304
UINT_MAX
#define UINT_MAX
Definition: limits.h:60
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2667
clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:78
clang::interp::Call
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
Definition: Interp.h:1493
clang::transformer::name
RangeSelector name(std::string ID)
Given a node with a "name", (like NamedDecl, DeclRefExpr, CxxCtorInitializer, and TypeLoc) selects th...
Definition: RangeSelector.cpp:200
clang::Language::C
@ C
Languages that the frontend can parse and compile.
clang::GetUnarySelector
Selector GetUnarySelector(StringRef name, ASTContext &Ctx)
Utility function for constructing an unary selector.
Definition: ASTContext.h:3363
clang::GetNullarySelector
Selector GetNullarySelector(StringRef name, ASTContext &Ctx)
Utility function for constructing a nullary selector.
Definition: ASTContext.h:3357
clang::getKeywordSelector
static Selector getKeywordSelector(ASTContext &Ctx, IdentifierInfos *... IIs)
Definition: SelectorExtras.h:17
hlsl::uint64_t
unsigned long uint64_t
Definition: hlsl_basic_types.h:25
llvm
YAML serialization mapping.
Definition: Dominators.h:30
false
#define false
Definition: stdbool.h:22
clang::ObjCDictionaryElement
An element in an Objective-C dictionary literal.
Definition: ExprObjC.h:262
clang::ObjCDictionaryElement::Value
Expr * Value
The value of the dictionary element.
Definition: ExprObjC.h:267
clang::ObjCDictionaryElement::Key
Expr * Key
The key for the dictionary element.
Definition: ExprObjC.h:264
Generated on Thu Mar 30 2023 02:04:19 for clang by doxygen 1.9.6