clang 20.0.0git
ExprEngineObjC.cpp
Go to the documentation of this file.
1//=-- ExprEngineObjC.cpp - ExprEngine support for Objective-C ---*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ExprEngine's support for Objective-C expressions.
10//
11//===----------------------------------------------------------------------===//
12
13#include "clang/AST/StmtObjC.h"
14#include "clang/StaticAnalyzer/Core/CheckerManager.h"
15#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
17
18using namespace clang;
19using namespace ento;
20
21void ExprEngine::VisitLvalObjCIvarRefExpr(const ObjCIvarRefExpr *Ex,
22 ExplodedNode *Pred,
23 ExplodedNodeSet &Dst) {
24 ProgramStateRef state = Pred->getState();
25 const LocationContext *LCtx = Pred->getLocationContext();
26 SVal baseVal = state->getSVal(Ex->getBase(), LCtx);
27 SVal location = state->getLValue(Ex->getDecl(), baseVal);
28
29 ExplodedNodeSet dstIvar;
30 StmtNodeBuilder Bldr(Pred, dstIvar, *currBldrCtx);
31 Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, location));
32
33 // Perform the post-condition check of the ObjCIvarRefExpr and store
34 // the created nodes in 'Dst'.
35 getCheckerManager().runCheckersForPostStmt(Dst, dstIvar, Ex, *this);
36}
37
38void ExprEngine::VisitObjCAtSynchronizedStmt(const ObjCAtSynchronizedStmt *S,
39 ExplodedNode *Pred,
40 ExplodedNodeSet &Dst) {
41 getCheckerManager().runCheckersForPreStmt(Dst, Pred, S, *this);
42}
43
44/// Generate a node in \p Bldr for an iteration statement using ObjC
45/// for-loop iterator.
46static void populateObjCForDestinationSet(
47 ExplodedNodeSet &dstLocation, SValBuilder &svalBuilder,
48 const ObjCForCollectionStmt *S, const Stmt *elem, SVal elementV,
49 SymbolManager &SymMgr, const NodeBuilderContext *currBldrCtx,
50 StmtNodeBuilder &Bldr, bool hasElements) {
51
52 for (ExplodedNode *Pred : dstLocation) {
53 ProgramStateRef state = Pred->getState();
54 const LocationContext *LCtx = Pred->getLocationContext();
55
56 ProgramStateRef nextState =
57 ExprEngine::setWhetherHasMoreIteration(state, S, LCtx, hasElements);
58
59 if (auto MV = elementV.getAs<loc::MemRegionVal>())
60 if (const auto *R = dyn_cast<TypedValueRegion>(MV->getRegion())) {
61 // FIXME: The proper thing to do is to really iterate over the
62 // container. We will do this with dispatch logic to the store.
63 // For now, just 'conjure' up a symbolic value.
64 QualType T = R->getValueType();
65 assert(Loc::isLocType(T));
66
67 SVal V;
68 if (hasElements) {
69 SymbolRef Sym = SymMgr.conjureSymbol(elem, LCtx, T,
70 currBldrCtx->blockCount());
71 V = svalBuilder.makeLoc(Sym);
72 } else {
73 V = svalBuilder.makeIntVal(0, T);
74 }
75
76 nextState = nextState->bindLoc(elementV, V, LCtx);
77 }
78
79 Bldr.generateNode(S, Pred, nextState);
80 }
81}
82
83void ExprEngine::VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S,
84 ExplodedNode *Pred,
85 ExplodedNodeSet &Dst) {
86
87 // ObjCForCollectionStmts are processed in two places. This method
88 // handles the case where an ObjCForCollectionStmt* occurs as one of the
89 // statements within a basic block. This transfer function does two things:
90 //
91 // (1) binds the next container value to 'element'. This creates a new
92 // node in the ExplodedGraph.
93 //
94 // (2) note whether the collection has any more elements (or in other words,
95 // whether the loop has more iterations). This will be tested in
96 // processBranch.
97 //
98 // FIXME: Eventually this logic should actually do dispatches to
99 // 'countByEnumeratingWithState:objects:count:' (NSFastEnumeration).
100 // This will require simulating a temporary NSFastEnumerationState, either
101 // through an SVal or through the use of MemRegions. This value can
102 // be affixed to the ObjCForCollectionStmt* instead of 0/1; when the loop
103 // terminates we reclaim the temporary (it goes out of scope) and we
104 // we can test if the SVal is 0 or if the MemRegion is null (depending
105 // on what approach we take).
106 //
107 // For now: simulate (1) by assigning either a symbol or nil if the
108 // container is empty. Thus this transfer function will by default
109 // result in state splitting.
110
111 const Stmt *elem = S->getElement();
112 const Stmt *collection = S->getCollection();
113 ProgramStateRef state = Pred->getState();
114 SVal collectionV = state->getSVal(collection, Pred->getLocationContext());
115
116 SVal elementV;
117 if (const auto *DS = dyn_cast<DeclStmt>(elem)) {
118 const VarDecl *elemD = cast<VarDecl>(DS->getSingleDecl());
119 assert(elemD->getInit() == nullptr);
120 elementV = state->getLValue(elemD, Pred->getLocationContext());
121 } else {
122 elementV = state->getSVal(elem, Pred->getLocationContext());
123 }
124
125 bool isContainerNull = state->isNull(collectionV).isConstrainedTrue();
126
127 ExplodedNodeSet dstLocation;
128 evalLocation(dstLocation, S, elem, Pred, state, elementV, false);
129
130 ExplodedNodeSet Tmp;
131 StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
132
133 if (!isContainerNull)
134 populateObjCForDestinationSet(dstLocation, svalBuilder, S, elem, elementV,
135 SymMgr, currBldrCtx, Bldr,
136 /*hasElements=*/true);
137
138 populateObjCForDestinationSet(dstLocation, svalBuilder, S, elem, elementV,
139 SymMgr, currBldrCtx, Bldr,
140 /*hasElements=*/false);
141
142 // Finally, run any custom checkers.
143 // FIXME: Eventually all pre- and post-checks should live in VisitStmt.
144 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this);
145}
146
147void ExprEngine::VisitObjCMessage(const ObjCMessageExpr *ME,
148 ExplodedNode *Pred,
149 ExplodedNodeSet &Dst) {
150 CallEventManager &CEMgr = getStateManager().getCallEventManager();
151 CallEventRef<ObjCMethodCall> Msg = CEMgr.getObjCMethodCall(
152 ME, Pred->getState(), Pred->getLocationContext(), getCFGElementRef());
153
154 // There are three cases for the receiver:
155 // (1) it is definitely nil,
156 // (2) it is definitely non-nil, and
157 // (3) we don't know.
158 //
159 // If the receiver is definitely nil, we skip the pre/post callbacks and
160 // instead call the ObjCMessageNil callbacks and return.
161 //
162 // If the receiver is definitely non-nil, we call the pre- callbacks,
163 // evaluate the call, and call the post- callbacks.
164 //
165 // If we don't know, we drop the potential nil flow and instead
166 // continue from the assumed non-nil state as in (2). This approach
167 // intentionally drops coverage in order to prevent false alarms
168 // in the following scenario:
169 //
170 // id result = [o someMethod]
171 // if (result) {
172 // if (!o) {
173 // // <-- This program point should be unreachable because if o is nil
174 // // it must the case that result is nil as well.
175 // }
176 // }
177 //
178 // However, it also loses coverage of the nil path prematurely,
179 // leading to missed reports.
180 //
181 // It's possible to handle this by performing a state split on every call:
182 // explore the state where the receiver is non-nil, and independently
183 // explore the state where it's nil. But this is not only slow, but
184 // completely unwarranted. The mere presence of the message syntax in the code
185 // isn't sufficient evidence that nil is a realistic possibility.
186 //
187 // An ideal solution would be to add the following constraint that captures
188 // both possibilities without splitting the state:
189 //
190 // ($x == 0) => ($y == 0) (1)
191 //
192 // where in our case '$x' is the receiver symbol, '$y' is the returned symbol,
193 // and '=>' is logical implication. But RangeConstraintManager can't handle
194 // such constraints yet, so for now we go with a simpler, more restrictive
195 // constraint: $x != 0, from which (1) follows as a vacuous truth.
196 if (Msg->isInstanceMessage()) {
197 SVal recVal = Msg->getReceiverSVal();
198 if (!recVal.isUndef()) {
199 // Bifurcate the state into nil and non-nil ones.
200 DefinedOrUnknownSVal receiverVal =
201 recVal.castAs<DefinedOrUnknownSVal>();
202 ProgramStateRef State = Pred->getState();
203
204 ProgramStateRef notNilState, nilState;
205 std::tie(notNilState, nilState) = State->assume(receiverVal);
206
207 // Receiver is definitely nil, so run ObjCMessageNil callbacks and return.
208 if (nilState && !notNilState) {
209 ExplodedNodeSet dstNil;
210 StmtNodeBuilder Bldr(Pred, dstNil, *currBldrCtx);
211 bool HasTag = Pred->getLocation().getTag();
212 Pred = Bldr.generateNode(ME, Pred, nilState, nullptr,
213 ProgramPoint::PreStmtKind);
214 assert((Pred || HasTag) && "Should have cached out already!");
215 (void)HasTag;
216 if (!Pred)
217 return;
218
219 ExplodedNodeSet dstPostCheckers;
220 getCheckerManager().runCheckersForObjCMessageNil(dstPostCheckers, Pred,
221 *Msg, *this);
222 for (auto *I : dstPostCheckers)
223 finishArgumentConstruction(Dst, I, *Msg);
224 return;
225 }
226
227 ExplodedNodeSet dstNonNil;
228 StmtNodeBuilder Bldr(Pred, dstNonNil, *currBldrCtx);
229 // Generate a transition to the non-nil state, dropping any potential
230 // nil flow.
231 if (notNilState != State) {
232 bool HasTag = Pred->getLocation().getTag();
233 Pred = Bldr.generateNode(ME, Pred, notNilState);
234 assert((Pred || HasTag) && "Should have cached out already!");
235 (void)HasTag;
236 if (!Pred)
237 return;
238 }
239 }
240 }
241
242 // Handle the previsits checks.
243 ExplodedNodeSet dstPrevisit;
244 getCheckerManager().runCheckersForPreObjCMessage(dstPrevisit, Pred,
245 *Msg, *this);
246 ExplodedNodeSet dstGenericPrevisit;
247 getCheckerManager().runCheckersForPreCall(dstGenericPrevisit, dstPrevisit,
248 *Msg, *this);
249
250 // Proceed with evaluate the message expression.
251 ExplodedNodeSet dstEval;
252 StmtNodeBuilder Bldr(dstGenericPrevisit, dstEval, *currBldrCtx);
253
254 for (ExplodedNodeSet::iterator DI = dstGenericPrevisit.begin(),
255 DE = dstGenericPrevisit.end(); DI != DE; ++DI) {
256 ExplodedNode *Pred = *DI;
257 ProgramStateRef State = Pred->getState();
258 CallEventRef<ObjCMethodCall> UpdatedMsg = Msg.cloneWithState(State);
259
260 if (UpdatedMsg->isInstanceMessage()) {
261 SVal recVal = UpdatedMsg->getReceiverSVal();
262 if (!recVal.isUndef()) {
263 if (ObjCNoRet.isImplicitNoReturn(ME)) {
264 // If we raise an exception, for now treat it as a sink.
265 // Eventually we will want to handle exceptions properly.
266 Bldr.generateSink(ME, Pred, State);
267 continue;
268 }
269 }
270 } else {
271 // Check for special class methods that are known to not return
272 // and that we should treat as a sink.
273 if (ObjCNoRet.isImplicitNoReturn(ME)) {
274 // If we raise an exception, for now treat it as a sink.
275 // Eventually we will want to handle exceptions properly.
276 Bldr.generateSink(ME, Pred, Pred->getState());
277 continue;
278 }
279 }
280
281 defaultEvalCall(Bldr, Pred, *UpdatedMsg);
282 }
283
284 // If there were constructors called for object-type arguments, clean them up.
285 ExplodedNodeSet dstArgCleanup;
286 for (auto *I : dstEval)
287 finishArgumentConstruction(dstArgCleanup, I, *Msg);
288
289 ExplodedNodeSet dstPostvisit;
290 getCheckerManager().runCheckersForPostCall(dstPostvisit, dstArgCleanup,
291 *Msg, *this);
292
293 // Finally, perform the post-condition check of the ObjCMessageExpr and store
294 // the created nodes in 'Dst'.
295 getCheckerManager().runCheckersForPostObjCMessage(Dst, dstPostvisit,
296 *Msg, *this);
297}
V
#define V(N, I)
Definition: ASTContext.h:3460
populateObjCForDestinationSet
static void populateObjCForDestinationSet(ExplodedNodeSet &dstLocation, SValBuilder &svalBuilder, const ObjCForCollectionStmt *S, const Stmt *elem, SVal elementV, SymbolManager &SymMgr, const NodeBuilderContext *currBldrCtx, StmtNodeBuilder &Bldr, bool hasElements)
Generate a node in Bldr for an iteration statement using ObjC for-loop iterator.
Definition: ExprEngineObjC.cpp:46
StmtObjC.h
Defines the Objective-C statement AST node classes.
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::ObjCAtSynchronizedStmt
Represents Objective-C's @synchronized statement.
Definition: StmtObjC.h:303
clang::ObjCForCollectionStmt
Represents Objective-C's collection statement.
Definition: StmtObjC.h:23
clang::ObjCIvarRefExpr
ObjCIvarRefExpr - A reference to an ObjC instance variable.
Definition: ExprObjC.h:549
clang::ObjCIvarRefExpr::getDecl
ObjCIvarDecl * getDecl()
Definition: ExprObjC.h:579
clang::ObjCIvarRefExpr::getBase
const Expr * getBase() const
Definition: ExprObjC.h:583
clang::ObjCMessageExpr
An expression that sends a message to the given Objective-C object or class.
Definition: ExprObjC.h:941
clang::ObjCNoReturn::isImplicitNoReturn
bool isImplicitNoReturn(const ObjCMessageExpr *ME)
Return true if the given message expression is known to never return.
Definition: ObjCNoReturn.cpp:49
clang::ProgramPoint::getTag
const ProgramPointTag * getTag() const
Definition: ProgramPoint.h:173
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:929
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:882
clang::VarDecl::getInit
const Expr * getInit() const
Definition: Decl.h:1319
clang::ento::CallEventManager
Manages the lifetime of CallEvent objects.
Definition: CallEvent.h:1361
clang::ento::CallEventManager::getObjCMethodCall
CallEventRef< ObjCMethodCall > getObjCMethodCall(const ObjCMessageExpr *E, ProgramStateRef State, const LocationContext *LCtx, CFGBlock::ConstCFGElementRef ElemRef)
Definition: CallEvent.h:1432
clang::ento::CallEventRef::cloneWithState
CallEventRef< T > cloneWithState(ProgramStateRef State) const
Definition: CallEvent.h:92
clang::ento::CheckerManager::runCheckersForPreObjCMessage
void runCheckersForPreObjCMessage(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const ObjCMethodCall &msg, ExprEngine &Eng)
Run checkers for pre-visiting obj-c messages.
Definition: CheckerManager.h:278
clang::ento::CheckerManager::runCheckersForPreCall
void runCheckersForPreCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &Call, ExprEngine &Eng)
Run checkers for pre-visiting obj-c messages.
Definition: CheckerManager.h:312
clang::ento::CheckerManager::runCheckersForPostObjCMessage
void runCheckersForPostObjCMessage(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const ObjCMethodCall &msg, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting obj-c messages.
Definition: CheckerManager.h:286
clang::ento::CheckerManager::runCheckersForPostStmt
void runCheckersForPostStmt(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const Stmt *S, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting Stmts.
Definition: CheckerManager.h:263
clang::ento::CheckerManager::runCheckersForPreStmt
void runCheckersForPreStmt(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const Stmt *S, ExprEngine &Eng)
Run checkers for pre-visiting Stmts.
Definition: CheckerManager.h:250
clang::ento::CheckerManager::runCheckersForObjCMessageNil
void runCheckersForObjCMessageNil(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const ObjCMethodCall &msg, ExprEngine &Eng)
Run checkers for visiting an obj-c message to nil.
Definition: CheckerManager.h:296
clang::ento::CheckerManager::runCheckersForPostCall
void runCheckersForPostCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &Call, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting obj-c messages.
Definition: CheckerManager.h:318
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition: ExplodedGraph.h:145
clang::ento::ExplodedNode::getLocationContext
const LocationContext * getLocationContext() const
Definition: ExplodedGraph.h:147
clang::ento::ExprEngine::getStateManager
ProgramStateManager & getStateManager()
Definition: ExprEngine.h:414
clang::ento::ExprEngine::VisitObjCMessage
void VisitObjCMessage(const ObjCMessageExpr *ME, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Definition: ExprEngineObjC.cpp:147
clang::ento::ExprEngine::VisitObjCAtSynchronizedStmt
void VisitObjCAtSynchronizedStmt(const ObjCAtSynchronizedStmt *S, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Transfer function logic for ObjCAtSynchronizedStmts.
Definition: ExprEngineObjC.cpp:38
clang::ento::ExprEngine::VisitObjCForCollectionStmt
void VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitObjCForCollectionStmt - Transfer function logic for ObjCForCollectionStmt.
Definition: ExprEngineObjC.cpp:83
clang::ento::ExprEngine::VisitLvalObjCIvarRefExpr
void VisitLvalObjCIvarRefExpr(const ObjCIvarRefExpr *DR, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Transfer function logic for computing the lvalue of an Objective-C ivar.
Definition: ExprEngineObjC.cpp:21
clang::ento::ExprEngine::getCFGElementRef
CFGBlock::ConstCFGElementRef getCFGElementRef() const
Definition: ExprEngine.h:229
clang::ento::ExprEngine::getCheckerManager
CheckerManager & getCheckerManager() const
Definition: ExprEngine.h:204
clang::ento::ExprEngine::defaultEvalCall
void defaultEvalCall(NodeBuilder &B, ExplodedNode *Pred, const CallEvent &Call, const EvalCallOptions &CallOpts={})
Default implementation of call evaluation.
Definition: ExprEngineCallAndReturn.cpp:1218
clang::ento::ExprEngine::setWhetherHasMoreIteration
static ProgramStateRef setWhetherHasMoreIteration(ProgramStateRef State, const ObjCForCollectionStmt *O, const LocationContext *LC, bool HasMoreIteraton)
Note whether this loop has any more iteratios to model.
Definition: ExprEngine.cpp:2694
clang::ento::Loc::isLocType
static bool isLocType(QualType T)
Definition: SVals.h:262
clang::ento::NodeBuilderContext::blockCount
unsigned blockCount() const
Returns the number of times the current basic block has been visited on the exploded graph path.
Definition: CoreEngine.h:224
clang::ento::ProgramStateManager::getCallEventManager
CallEventManager & getCallEventManager()
Definition: ProgramState.h:571
clang::ento::SValBuilder::makeIntVal
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:288
clang::ento::SValBuilder::makeLoc
loc::MemRegionVal makeLoc(SymbolRef sym)
Definition: SValBuilder.h:374
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:56
clang::ento::SVal::isUndef
bool isUndef() const
Definition: SVals.h:107
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:87
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:83
clang::ento::StmtNodeBuilder
This builder class is useful for generating nodes that resulted from visiting a statement.
Definition: CoreEngine.h:384
clang::ento::StmtNodeBuilder::generateNode
ExplodedNode * generateNode(const Stmt *S, ExplodedNode *Pred, ProgramStateRef St, const ProgramPointTag *tag=nullptr, ProgramPoint::Kind K=ProgramPoint::PostStmtKind)
Definition: CoreEngine.h:413
clang::ento::StmtNodeBuilder::generateSink
ExplodedNode * generateSink(const Stmt *S, ExplodedNode *Pred, ProgramStateRef St, const ProgramPointTag *tag=nullptr, ProgramPoint::Kind K=ProgramPoint::PostStmtKind)
Definition: CoreEngine.h:423
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:32
clang::ento::SymbolManager::conjureSymbol
const SymbolConjured * conjureSymbol(const Stmt *E, const LocationContext *LCtx, QualType T, unsigned VisitCount, const void *SymbolTag=nullptr)
Definition: SymbolManager.h:536
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::T
const FunctionProtoType * T
Definition: RecursiveASTVisitor.h:1365
Generated on Mon Jun 23 2025 18:55:42 for clang by doxygen 1.9.6