clang 18.0.0git
ObjCSelfInitChecker.cpp
Go to the documentation of this file.
1//== ObjCSelfInitChecker.cpp - Checker for 'self' initialization -*- C++ -*--=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines ObjCSelfInitChecker, a builtin check that checks for uses of
10// 'self' before proper initialization.
11//
12//===----------------------------------------------------------------------===//
13
14// This checks initialization methods to verify that they assign 'self' to the
15// result of an initialization call (e.g. [super init], or [self initWith..])
16// before using 'self' or any instance variable.
17//
18// To perform the required checking, values are tagged with flags that indicate
19// 1) if the object is the one pointed to by 'self', and 2) if the object
20// is the result of an initializer (e.g. [super init]).
21//
22// Uses of an object that is true for 1) but not 2) trigger a diagnostic.
23// The uses that are currently checked are:
24// - Using instance variables.
25// - Returning the object.
26//
27// Note that we don't check for an invalid 'self' that is the receiver of an
28// obj-c message expression to cut down false positives where logging functions
29// get information from self (like its class) or doing "invalidation" on self
30// when the initialization fails.
31//
32// Because the object that 'self' points to gets invalidated when a call
33// receives a reference to 'self', the checker keeps track and passes the flags
34// for 1) and 2) to the new object that 'self' points to after the call.
35//
36//===----------------------------------------------------------------------===//
37
38#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
39#include "clang/AST/ParentMap.h"
40#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
41#include "clang/StaticAnalyzer/Core/Checker.h"
42#include "clang/StaticAnalyzer/Core/CheckerManager.h"
43#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
44#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
45#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
46#include "llvm/Support/raw_ostream.h"
47
48using namespace clang;
49using namespace ento;
50
51static bool shouldRunOnFunctionOrMethod(const NamedDecl *ND);
52static bool isInitializationMethod(const ObjCMethodDecl *MD);
53static bool isInitMessage(const ObjCMethodCall &Msg);
54static bool isSelfVar(SVal location, CheckerContext &C);
55
56namespace {
57class ObjCSelfInitChecker : public Checker< check::PostObjCMessage,
58 check::PostStmt<ObjCIvarRefExpr>,
59 check::PreStmt<ReturnStmt>,
60 check::PreCall,
61 check::PostCall,
62 check::Location,
63 check::Bind > {
64 mutable std::unique_ptr<BugType> BT;
65
66 void checkForInvalidSelf(const Expr *E, CheckerContext &C,
67 const char *errorStr) const;
68
69public:
70 ObjCSelfInitChecker() {}
71 void checkPostObjCMessage(const ObjCMethodCall &Msg, CheckerContext &C) const;
72 void checkPostStmt(const ObjCIvarRefExpr *E, CheckerContext &C) const;
73 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
74 void checkLocation(SVal location, bool isLoad, const Stmt *S,
75 CheckerContext &C) const;
76 void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
77
78 void checkPreCall(const CallEvent &CE, CheckerContext &C) const;
79 void checkPostCall(const CallEvent &CE, CheckerContext &C) const;
80
81 void printState(raw_ostream &Out, ProgramStateRef State,
82 const char *NL, const char *Sep) const override;
83};
84} // end anonymous namespace
85
86namespace {
87enum SelfFlagEnum {
88 /// No flag set.
89 SelfFlag_None = 0x0,
90 /// Value came from 'self'.
91 SelfFlag_Self = 0x1,
92 /// Value came from the result of an initializer (e.g. [super init]).
93 SelfFlag_InitRes = 0x2
94};
95}
96
97REGISTER_MAP_WITH_PROGRAMSTATE(SelfFlag, SymbolRef, SelfFlagEnum)
98REGISTER_TRAIT_WITH_PROGRAMSTATE(CalledInit, bool)
99
100/// A call receiving a reference to 'self' invalidates the object that
101/// 'self' contains. This keeps the "self flags" assigned to the 'self'
102/// object before the call so we can assign them to the new object that 'self'
103/// points to after the call.
104REGISTER_TRAIT_WITH_PROGRAMSTATE(PreCallSelfFlags, SelfFlagEnum)
105
106static SelfFlagEnum getSelfFlags(SVal val, ProgramStateRef state) {
107 if (SymbolRef sym = val.getAsSymbol())
108 if (const SelfFlagEnum *attachedFlags = state->get<SelfFlag>(sym))
109 return *attachedFlags;
110 return SelfFlag_None;
111}
112
113static SelfFlagEnum getSelfFlags(SVal val, CheckerContext &C) {
114 return getSelfFlags(val, C.getState());
115}
116
117static void addSelfFlag(ProgramStateRef state, SVal val,
118 SelfFlagEnum flag, CheckerContext &C) {
119 // We tag the symbol that the SVal wraps.
120 if (SymbolRef sym = val.getAsSymbol()) {
121 state = state->set<SelfFlag>(sym,
122 SelfFlagEnum(getSelfFlags(val, state) | flag));
123 C.addTransition(state);
124 }
125}
126
127static bool hasSelfFlag(SVal val, SelfFlagEnum flag, CheckerContext &C) {
128 return getSelfFlags(val, C) & flag;
129}
130
131/// Returns true of the value of the expression is the object that 'self'
132/// points to and is an object that did not come from the result of calling
133/// an initializer.
134static bool isInvalidSelf(const Expr *E, CheckerContext &C) {
135 SVal exprVal = C.getSVal(E);
136 if (!hasSelfFlag(exprVal, SelfFlag_Self, C))
137 return false; // value did not come from 'self'.
138 if (hasSelfFlag(exprVal, SelfFlag_InitRes, C))
139 return false; // 'self' is properly initialized.
140
141 return true;
142}
143
144void ObjCSelfInitChecker::checkForInvalidSelf(const Expr *E, CheckerContext &C,
145 const char *errorStr) const {
146 if (!E)
147 return;
148
149 if (!C.getState()->get<CalledInit>())
150 return;
151
152 if (!isInvalidSelf(E, C))
153 return;
154
155 // Generate an error node.
156 ExplodedNode *N = C.generateErrorNode();
157 if (!N)
158 return;
159
160 if (!BT)
161 BT.reset(new BugType(this, "Missing \"self = [(super or self) init...]\"",
162 categories::CoreFoundationObjectiveC));
163 C.emitReport(std::make_unique<PathSensitiveBugReport>(*BT, errorStr, N));
164}
165
166void ObjCSelfInitChecker::checkPostObjCMessage(const ObjCMethodCall &Msg,
167 CheckerContext &C) const {
168 // When encountering a message that does initialization (init rule),
169 // tag the return value so that we know later on that if self has this value
170 // then it is properly initialized.
171
172 // FIXME: A callback should disable checkers at the start of functions.
173 if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
174 C.getCurrentAnalysisDeclContext()->getDecl())))
175 return;
176
177 if (isInitMessage(Msg)) {
178 // Tag the return value as the result of an initializer.
179 ProgramStateRef state = C.getState();
180
181 // FIXME this really should be context sensitive, where we record
182 // the current stack frame (for IPA). Also, we need to clean this
183 // value out when we return from this method.
184 state = state->set<CalledInit>(true);
185
186 SVal V = C.getSVal(Msg.getOriginExpr());
187 addSelfFlag(state, V, SelfFlag_InitRes, C);
188 return;
189 }
190
191 // We don't check for an invalid 'self' in an obj-c message expression to cut
192 // down false positives where logging functions get information from self
193 // (like its class) or doing "invalidation" on self when the initialization
194 // fails.
195}
196
197void ObjCSelfInitChecker::checkPostStmt(const ObjCIvarRefExpr *E,
198 CheckerContext &C) const {
199 // FIXME: A callback should disable checkers at the start of functions.
200 if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
201 C.getCurrentAnalysisDeclContext()->getDecl())))
202 return;
203
204 checkForInvalidSelf(
205 E->getBase(), C,
206 "Instance variable used while 'self' is not set to the result of "
207 "'[(super or self) init...]'");
208}
209
210void ObjCSelfInitChecker::checkPreStmt(const ReturnStmt *S,
211 CheckerContext &C) const {
212 // FIXME: A callback should disable checkers at the start of functions.
213 if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
214 C.getCurrentAnalysisDeclContext()->getDecl())))
215 return;
216
217 checkForInvalidSelf(S->getRetValue(), C,
218 "Returning 'self' while it is not set to the result of "
219 "'[(super or self) init...]'");
220}
221
222// When a call receives a reference to 'self', [Pre/Post]Call pass
223// the SelfFlags from the object 'self' points to before the call to the new
224// object after the call. This is to avoid invalidation of 'self' by logging
225// functions.
226// Another common pattern in classes with multiple initializers is to put the
227// subclass's common initialization bits into a static function that receives
228// the value of 'self', e.g:
229// @code
230// if (!(self = [super init]))
231// return nil;
232// if (!(self = _commonInit(self)))
233// return nil;
234// @endcode
235// Until we can use inter-procedural analysis, in such a call, transfer the
236// SelfFlags to the result of the call.
237
238void ObjCSelfInitChecker::checkPreCall(const CallEvent &CE,
239 CheckerContext &C) const {
240 // FIXME: A callback should disable checkers at the start of functions.
241 if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
242 C.getCurrentAnalysisDeclContext()->getDecl())))
243 return;
244
245 ProgramStateRef state = C.getState();
246 unsigned NumArgs = CE.getNumArgs();
247 // If we passed 'self' as and argument to the call, record it in the state
248 // to be propagated after the call.
249 // Note, we could have just given up, but try to be more optimistic here and
250 // assume that the functions are going to continue initialization or will not
251 // modify self.
252 for (unsigned i = 0; i < NumArgs; ++i) {
253 SVal argV = CE.getArgSVal(i);
254 if (isSelfVar(argV, C)) {
255 SelfFlagEnum selfFlags =
256 getSelfFlags(state->getSVal(argV.castAs<Loc>()), C);
257 C.addTransition(state->set<PreCallSelfFlags>(selfFlags));
258 return;
259 } else if (hasSelfFlag(argV, SelfFlag_Self, C)) {
260 SelfFlagEnum selfFlags = getSelfFlags(argV, C);
261 C.addTransition(state->set<PreCallSelfFlags>(selfFlags));
262 return;
263 }
264 }
265}
266
267void ObjCSelfInitChecker::checkPostCall(const CallEvent &CE,
268 CheckerContext &C) const {
269 // FIXME: A callback should disable checkers at the start of functions.
270 if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
271 C.getCurrentAnalysisDeclContext()->getDecl())))
272 return;
273
274 ProgramStateRef state = C.getState();
275 SelfFlagEnum prevFlags = state->get<PreCallSelfFlags>();
276 if (!prevFlags)
277 return;
278 state = state->remove<PreCallSelfFlags>();
279
280 unsigned NumArgs = CE.getNumArgs();
281 for (unsigned i = 0; i < NumArgs; ++i) {
282 SVal argV = CE.getArgSVal(i);
283 if (isSelfVar(argV, C)) {
284 // If the address of 'self' is being passed to the call, assume that the
285 // 'self' after the call will have the same flags.
286 // EX: log(&self)
287 addSelfFlag(state, state->getSVal(argV.castAs<Loc>()), prevFlags, C);
288 return;
289 } else if (hasSelfFlag(argV, SelfFlag_Self, C)) {
290 // If 'self' is passed to the call by value, assume that the function
291 // returns 'self'. So assign the flags, which were set on 'self' to the
292 // return value.
293 // EX: self = performMoreInitialization(self)
294 addSelfFlag(state, CE.getReturnValue(), prevFlags, C);
295 return;
296 }
297 }
298
299 C.addTransition(state);
300}
301
302void ObjCSelfInitChecker::checkLocation(SVal location, bool isLoad,
303 const Stmt *S,
304 CheckerContext &C) const {
305 if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
306 C.getCurrentAnalysisDeclContext()->getDecl())))
307 return;
308
309 // Tag the result of a load from 'self' so that we can easily know that the
310 // value is the object that 'self' points to.
311 ProgramStateRef state = C.getState();
312 if (isSelfVar(location, C))
313 addSelfFlag(state, state->getSVal(location.castAs<Loc>()), SelfFlag_Self,
314 C);
315}
316
317
318void ObjCSelfInitChecker::checkBind(SVal loc, SVal val, const Stmt *S,
319 CheckerContext &C) const {
320 // Allow assignment of anything to self. Self is a local variable in the
321 // initializer, so it is legal to assign anything to it, like results of
322 // static functions/method calls. After self is assigned something we cannot
323 // reason about, stop enforcing the rules.
324 // (Only continue checking if the assigned value should be treated as self.)
325 if ((isSelfVar(loc, C)) &&
326 !hasSelfFlag(val, SelfFlag_InitRes, C) &&
327 !hasSelfFlag(val, SelfFlag_Self, C) &&
328 !isSelfVar(val, C)) {
329
330 // Stop tracking the checker-specific state in the state.
331 ProgramStateRef State = C.getState();
332 State = State->remove<CalledInit>();
333 if (SymbolRef sym = loc.getAsSymbol())
334 State = State->remove<SelfFlag>(sym);
335 C.addTransition(State);
336 }
337}
338
339void ObjCSelfInitChecker::printState(raw_ostream &Out, ProgramStateRef State,
340 const char *NL, const char *Sep) const {
341 SelfFlagTy FlagMap = State->get<SelfFlag>();
342 bool DidCallInit = State->get<CalledInit>();
343 SelfFlagEnum PreCallFlags = State->get<PreCallSelfFlags>();
344
345 if (FlagMap.isEmpty() && !DidCallInit && !PreCallFlags)
346 return;
347
348 Out << Sep << NL << *this << " :" << NL;
349
350 if (DidCallInit)
351 Out << " An init method has been called." << NL;
352
353 if (PreCallFlags != SelfFlag_None) {
354 if (PreCallFlags & SelfFlag_Self) {
355 Out << " An argument of the current call came from the 'self' variable."
356 << NL;
357 }
358 if (PreCallFlags & SelfFlag_InitRes) {
359 Out << " An argument of the current call came from an init method."
360 << NL;
361 }
362 }
363
364 Out << NL;
365 for (auto [Sym, Flag] : FlagMap) {
366 Out << Sym << " : ";
367
368 if (Flag == SelfFlag_None)
369 Out << "none";
370
371 if (Flag & SelfFlag_Self)
372 Out << "self variable";
373
374 if (Flag & SelfFlag_InitRes) {
375 if (Flag != SelfFlag_InitRes)
376 Out << " | ";
377 Out << "result of init method";
378 }
379
380 Out << NL;
381 }
382}
383
384
385// FIXME: A callback should disable checkers at the start of functions.
386static bool shouldRunOnFunctionOrMethod(const NamedDecl *ND) {
387 if (!ND)
388 return false;
389
390 const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(ND);
391 if (!MD)
392 return false;
393 if (!isInitializationMethod(MD))
394 return false;
395
396 // self = [super init] applies only to NSObject subclasses.
397 // For instance, NSProxy doesn't implement -init.
398 ASTContext &Ctx = MD->getASTContext();
399 IdentifierInfo* NSObjectII = &Ctx.Idents.get("NSObject");
400 ObjCInterfaceDecl *ID = MD->getClassInterface()->getSuperClass();
401 for ( ; ID ; ID = ID->getSuperClass()) {
402 IdentifierInfo *II = ID->getIdentifier();
403
404 if (II == NSObjectII)
405 break;
406 }
407 return ID != nullptr;
408}
409
410/// Returns true if the location is 'self'.
411static bool isSelfVar(SVal location, CheckerContext &C) {
412 AnalysisDeclContext *analCtx = C.getCurrentAnalysisDeclContext();
413 if (!analCtx->getSelfDecl())
414 return false;
415 if (!isa<loc::MemRegionVal>(location))
416 return false;
417
418 loc::MemRegionVal MRV = location.castAs<loc::MemRegionVal>();
419 if (const DeclRegion *DR = dyn_cast<DeclRegion>(MRV.stripCasts()))
420 return (DR->getDecl() == analCtx->getSelfDecl());
421
422 return false;
423}
424
425static bool isInitializationMethod(const ObjCMethodDecl *MD) {
426 return MD->getMethodFamily() == OMF_init;
427}
428
429static bool isInitMessage(const ObjCMethodCall &Call) {
430 return Call.getMethodFamily() == OMF_init;
431}
432
433//===----------------------------------------------------------------------===//
434// Registration.
435//===----------------------------------------------------------------------===//
436
437void ento::registerObjCSelfInitChecker(CheckerManager &mgr) {
438 mgr.registerChecker<ObjCSelfInitChecker>();
439}
440
441bool ento::shouldRegisterObjCSelfInitChecker(const CheckerManager &mgr) {
442 return true;
443}
V
#define V(N, I)
Definition: ASTContext.h:3241
isInitMessage
static bool isInitMessage(const ObjCMethodCall &Msg)
Definition: ObjCSelfInitChecker.cpp:429
isSelfVar
static bool isSelfVar(SVal location, CheckerContext &C)
Returns true if the location is 'self'.
Definition: ObjCSelfInitChecker.cpp:411
shouldRunOnFunctionOrMethod
static bool shouldRunOnFunctionOrMethod(const NamedDecl *ND)
Definition: ObjCSelfInitChecker.cpp:386
isInitializationMethod
static bool isInitializationMethod(const ObjCMethodDecl *MD)
Definition: ObjCSelfInitChecker.cpp:425
isInvalidSelf
static bool isInvalidSelf(const Expr *E, CheckerContext &C)
Returns true of the value of the expression is the object that 'self' points to and is an object that...
Definition: ObjCSelfInitChecker.cpp:134
getSelfFlags
static SelfFlagEnum getSelfFlags(SVal val, ProgramStateRef state)
A call receiving a reference to 'self' invalidates the object that 'self' contains.
Definition: ObjCSelfInitChecker.cpp:106
hasSelfFlag
static bool hasSelfFlag(SVal val, SelfFlagEnum flag, CheckerContext &C)
Definition: ObjCSelfInitChecker.cpp:127
addSelfFlag
static void addSelfFlag(ProgramStateRef state, SVal val, SelfFlagEnum flag, CheckerContext &C)
Definition: ObjCSelfInitChecker.cpp:117
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87
REGISTER_TRAIT_WITH_PROGRAMSTATE
#define REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, Type)
Declares a program state trait for type Type called Name, and introduce a type named NameTy.
Definition: ProgramStateTrait.h:34
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:636
clang::AnalysisDeclContext
AnalysisDeclContext contains the context data for the function, method or block under analysis.
Definition: AnalysisDeclContext.h:72
clang::AnalysisDeclContext::getSelfDecl
const ImplicitParamDecl * getSelfDecl() const
Definition: AnalysisDeclContext.cpp:148
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:501
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:109
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:663
clang::NamedDecl
This represents a decl that may have a name.
Definition: Decl.h:248
clang::ObjCInterfaceDecl
Represents an ObjC class declaration.
Definition: DeclObjC.h:1150
clang::ObjCInterfaceDecl::getSuperClass
ObjCInterfaceDecl * getSuperClass() const
Definition: DeclObjC.cpp:351
clang::ObjCIvarRefExpr
ObjCIvarRefExpr - A reference to an ObjC instance variable.
Definition: ExprObjC.h:549
clang::ObjCIvarRefExpr::getBase
const Expr * getBase() const
Definition: ExprObjC.h:583
clang::ObjCMethodDecl
ObjCMethodDecl - Represents an instance or class method declaration.
Definition: DeclObjC.h:140
clang::ObjCMethodDecl::getMethodFamily
ObjCMethodFamily getMethodFamily() const
Determines the family of this method.
Definition: DeclObjC.cpp:1053
clang::ObjCMethodDecl::getClassInterface
ObjCInterfaceDecl * getClassInterface()
Definition: DeclObjC.cpp:1211
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:3013
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:152
clang::ento::CallEvent::getArgSVal
virtual SVal getArgSVal(unsigned Index) const
Returns the value of a given argument at the time of the call.
Definition: CallEvent.cpp:308
clang::ento::CallEvent::getNumArgs
virtual unsigned getNumArgs() const =0
Returns the number of arguments (explicit and implicit).
clang::ento::CallEvent::getReturnValue
SVal getReturnValue() const
Returns the return value of the call.
Definition: CallEvent.cpp:322
clang::ento::CheckerBase::printState
virtual void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep) const
See CheckerManager::runCheckersForPrintState.
Definition: Checker.h:500
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::ObjCMethodCall
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:1171
clang::ento::ObjCMethodCall::getOriginExpr
const ObjCMessageExpr * getOriginExpr() const override
Returns the expression whose value will be the result of this call.
Definition: CallEvent.h:1197
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30
clang::ento::loc::MemRegionVal::stripCasts
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * stripCasts(bool StripBaseCasts=true) const
Get the underlining region and strip casts.
Definition: SVals.cpp:186
clang::ento::categories::CoreFoundationObjectiveC
const char *const CoreFoundationObjectiveC
Definition: CommonBugCategories.cpp:16
Generated on Wed Nov 29 2023 19:54:27 for clang by doxygen 1.9.6