clang 20.0.0git
ObjCSuperDeallocChecker.cpp
Go to the documentation of this file.
1//===- ObjCSuperDeallocChecker.cpp - Check correct use of [super dealloc] -===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines ObjCSuperDeallocChecker, a builtin check that warns when
10// self is used after a call to [super dealloc] in MRR mode.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16#include "clang/StaticAnalyzer/Core/Checker.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26class ObjCSuperDeallocChecker
27 : public Checker<check::PostObjCMessage, check::PreObjCMessage,
28 check::PreCall, check::Location> {
29 mutable const IdentifierInfo *IIdealloc = nullptr;
30 mutable const IdentifierInfo *IINSObject = nullptr;
31 mutable Selector SELdealloc;
32
33 const BugType DoubleSuperDeallocBugType{
34 this, "[super dealloc] should not be called more than once",
35 categories::CoreFoundationObjectiveC};
36
37 void initIdentifierInfoAndSelectors(ASTContext &Ctx) const;
38
39 bool isSuperDeallocMessage(const ObjCMethodCall &M) const;
40
41public:
42 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
43 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
44
45 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
46
47 void checkLocation(SVal l, bool isLoad, const Stmt *S,
48 CheckerContext &C) const;
49
50private:
51
52 void diagnoseCallArguments(const CallEvent &CE, CheckerContext &C) const;
53
54 void reportUseAfterDealloc(SymbolRef Sym, StringRef Desc, const Stmt *S,
55 CheckerContext &C) const;
56};
57
58} // End anonymous namespace.
59
60// Remember whether [super dealloc] has previously been called on the
61// SymbolRef for the receiver.
62REGISTER_SET_WITH_PROGRAMSTATE(CalledSuperDealloc, SymbolRef)
63
64namespace {
65class SuperDeallocBRVisitor final : public BugReporterVisitor {
66 SymbolRef ReceiverSymbol;
67 bool Satisfied;
68
69public:
70 SuperDeallocBRVisitor(SymbolRef ReceiverSymbol)
71 : ReceiverSymbol(ReceiverSymbol), Satisfied(false) {}
72
73 PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,
74 BugReporterContext &BRC,
75 PathSensitiveBugReport &BR) override;
76
77 void Profile(llvm::FoldingSetNodeID &ID) const override {
78 ID.Add(ReceiverSymbol);
79 }
80};
81} // End anonymous namespace.
82
83void ObjCSuperDeallocChecker::checkPreObjCMessage(const ObjCMethodCall &M,
84 CheckerContext &C) const {
85
86 ProgramStateRef State = C.getState();
87 SymbolRef ReceiverSymbol = M.getReceiverSVal().getAsSymbol();
88 if (!ReceiverSymbol) {
89 diagnoseCallArguments(M, C);
90 return;
91 }
92
93 bool AlreadyCalled = State->contains<CalledSuperDealloc>(ReceiverSymbol);
94 if (!AlreadyCalled)
95 return;
96
97 StringRef Desc;
98
99 if (isSuperDeallocMessage(M)) {
100 Desc = "[super dealloc] should not be called multiple times";
101 } else {
102 Desc = StringRef();
103 }
104
105 reportUseAfterDealloc(ReceiverSymbol, Desc, M.getOriginExpr(), C);
106}
107
108void ObjCSuperDeallocChecker::checkPreCall(const CallEvent &Call,
109 CheckerContext &C) const {
110 diagnoseCallArguments(Call, C);
111}
112
113void ObjCSuperDeallocChecker::checkPostObjCMessage(const ObjCMethodCall &M,
114 CheckerContext &C) const {
115 // Check for [super dealloc] method call.
116 if (!isSuperDeallocMessage(M))
117 return;
118
119 ProgramStateRef State = C.getState();
120 const LocationContext *LC = C.getLocationContext();
121 SymbolRef SelfSymbol = State->getSelfSVal(LC).getAsSymbol();
122 assert(SelfSymbol && "No receiver symbol at call to [super dealloc]?");
123
124 // We add this transition in checkPostObjCMessage to avoid warning when
125 // we inline a call to [super dealloc] where the inlined call itself
126 // calls [super dealloc].
127 State = State->add<CalledSuperDealloc>(SelfSymbol);
128 C.addTransition(State);
129}
130
131void ObjCSuperDeallocChecker::checkLocation(SVal L, bool IsLoad, const Stmt *S,
132 CheckerContext &C) const {
133 SymbolRef BaseSym = L.getLocSymbolInBase();
134 if (!BaseSym)
135 return;
136
137 ProgramStateRef State = C.getState();
138
139 if (!State->contains<CalledSuperDealloc>(BaseSym))
140 return;
141
142 const MemRegion *R = L.getAsRegion();
143 if (!R)
144 return;
145
146 // Climb the super regions to find the base symbol while recording
147 // the second-to-last region for error reporting.
148 const MemRegion *PriorSubRegion = nullptr;
149 while (const SubRegion *SR = dyn_cast<SubRegion>(R)) {
150 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SR)) {
151 BaseSym = SymR->getSymbol();
152 break;
153 } else {
154 R = SR->getSuperRegion();
155 PriorSubRegion = SR;
156 }
157 }
158
159 StringRef Desc = StringRef();
160 auto *IvarRegion = dyn_cast_or_null<ObjCIvarRegion>(PriorSubRegion);
161
162 std::string Buf;
163 llvm::raw_string_ostream OS(Buf);
164 if (IvarRegion) {
165 OS << "Use of instance variable '" << *IvarRegion->getDecl() <<
166 "' after 'self' has been deallocated";
167 Desc = OS.str();
168 }
169
170 reportUseAfterDealloc(BaseSym, Desc, S, C);
171}
172
173/// Report a use-after-dealloc on Sym. If not empty,
174/// Desc will be used to describe the error; otherwise,
175/// a default warning will be used.
176void ObjCSuperDeallocChecker::reportUseAfterDealloc(SymbolRef Sym,
177 StringRef Desc,
178 const Stmt *S,
179 CheckerContext &C) const {
180 // We have a use of self after free.
181 // This likely causes a crash, so stop exploring the
182 // path by generating a sink.
183 ExplodedNode *ErrNode = C.generateErrorNode();
184 // If we've already reached this node on another path, return.
185 if (!ErrNode)
186 return;
187
188 if (Desc.empty())
189 Desc = "Use of 'self' after it has been deallocated";
190
191 // Generate the report.
192 auto BR = std::make_unique<PathSensitiveBugReport>(DoubleSuperDeallocBugType,
193 Desc, ErrNode);
194 BR->addRange(S->getSourceRange());
195 BR->addVisitor(std::make_unique<SuperDeallocBRVisitor>(Sym));
196 C.emitReport(std::move(BR));
197}
198
199/// Diagnose if any of the arguments to CE have already been
200/// dealloc'd.
201void ObjCSuperDeallocChecker::diagnoseCallArguments(const CallEvent &CE,
202 CheckerContext &C) const {
203 ProgramStateRef State = C.getState();
204 unsigned ArgCount = CE.getNumArgs();
205 for (unsigned I = 0; I < ArgCount; I++) {
206 SymbolRef Sym = CE.getArgSVal(I).getAsSymbol();
207 if (!Sym)
208 continue;
209
210 if (State->contains<CalledSuperDealloc>(Sym)) {
211 reportUseAfterDealloc(Sym, StringRef(), CE.getArgExpr(I), C);
212 return;
213 }
214 }
215}
216
217void
218ObjCSuperDeallocChecker::initIdentifierInfoAndSelectors(ASTContext &Ctx) const {
219 if (IIdealloc)
220 return;
221
222 IIdealloc = &Ctx.Idents.get("dealloc");
223 IINSObject = &Ctx.Idents.get("NSObject");
224
225 SELdealloc = Ctx.Selectors.getSelector(0, &IIdealloc);
226}
227
228bool
229ObjCSuperDeallocChecker::isSuperDeallocMessage(const ObjCMethodCall &M) const {
230 if (M.getOriginExpr()->getReceiverKind() != ObjCMessageExpr::SuperInstance)
231 return false;
232
233 ASTContext &Ctx = M.getState()->getStateManager().getContext();
234 initIdentifierInfoAndSelectors(Ctx);
235
236 return M.getSelector() == SELdealloc;
237}
238
239PathDiagnosticPieceRef
240SuperDeallocBRVisitor::VisitNode(const ExplodedNode *Succ,
241 BugReporterContext &BRC,
242 PathSensitiveBugReport &) {
243 if (Satisfied)
244 return nullptr;
245
246 ProgramStateRef State = Succ->getState();
247
248 bool CalledNow =
249 Succ->getState()->contains<CalledSuperDealloc>(ReceiverSymbol);
250 bool CalledBefore =
251 Succ->getFirstPred()->getState()->contains<CalledSuperDealloc>(
252 ReceiverSymbol);
253
254 // Is Succ the node on which the analyzer noted that [super dealloc] was
255 // called on ReceiverSymbol?
256 if (CalledNow && !CalledBefore) {
257 Satisfied = true;
258
259 ProgramPoint P = Succ->getLocation();
260 PathDiagnosticLocation L =
261 PathDiagnosticLocation::create(P, BRC.getSourceManager());
262
263 if (!L.isValid() || !L.asLocation().isValid())
264 return nullptr;
265
266 return std::make_shared<PathDiagnosticEventPiece>(
267 L, "[super dealloc] called here");
268 }
269
270 return nullptr;
271}
272
273//===----------------------------------------------------------------------===//
274// Checker Registration.
275//===----------------------------------------------------------------------===//
276
277void ento::registerObjCSuperDeallocChecker(CheckerManager &Mgr) {
278 Mgr.registerChecker<ObjCSuperDeallocChecker>();
279}
280
281bool ento::shouldRegisterObjCSuperDeallocChecker(const CheckerManager &mgr) {
282 return true;
283}
P
StringRef P
Definition: ASTMatchersInternal.cpp:573
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:112
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:187
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:660
clang::ASTContext::Selectors
SelectorTable & Selectors
Definition: ASTContext.h:661
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:117
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:688
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::ObjCMessageExpr::SuperInstance
@ SuperInstance
The receiver is the instance of the superclass object.
Definition: ExprObjC.h:959
clang::ObjCMessageExpr::getReceiverKind
ReceiverKind getReceiverKind() const
Determine the kind of receiver that this message is being sent to.
Definition: ExprObjC.h:1234
clang::SelectorTable::getSelector
Selector getSelector(unsigned NumArgs, const IdentifierInfo **IIV)
Can create any sort of selector.
Definition: IdentifierTable.cpp:759
clang::Selector
Smart pointer class that efficiently represents Objective-C method names.
Definition: IdentifierTable.h:966
clang::SourceLocation::isValid
bool isValid() const
Return true if this is a valid SourceLocation object.
Definition: SourceLocation.h:113
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::ento::BugReporterContext::getSourceManager
const SourceManager & getSourceManager() const
Definition: BugReporter.h:737
clang::ento::BugReporterVisitor
BugReporterVisitors are used to add custom diagnostics along a path.
Definition: BugReporterVisitors.h:49
clang::ento::BugReporterVisitor::Profile
virtual void Profile(llvm::FoldingSetNodeID &ID) const =0
clang::ento::BugReporterVisitor::VisitNode
virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC, PathSensitiveBugReport &BR)=0
Return a diagnostic piece which should be associated with the given node.
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:153
clang::ento::CallEvent::getState
const ProgramStateRef & getState() const
The state in which the call is being evaluated.
Definition: CallEvent.h:235
clang::ento::CallEvent::getArgSVal
virtual SVal getArgSVal(unsigned Index) const
Returns the value of a given argument at the time of the call.
Definition: CallEvent.cpp:308
clang::ento::CallEvent::getArgExpr
virtual const Expr * getArgExpr(unsigned Index) const
Returns the expression associated with a given argument.
Definition: CallEvent.h:293
clang::ento::CallEvent::getNumArgs
virtual unsigned getNumArgs() const =0
Returns the number of arguments (explicit and implicit).
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition: ExplodedGraph.h:145
clang::ento::ExplodedNode::getFirstPred
ExplodedNode * getFirstPred()
Definition: ExplodedGraph.h:209
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
clang::ento::ObjCMethodCall
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:1243
clang::ento::ObjCMethodCall::getOriginExpr
const ObjCMessageExpr * getOriginExpr() const override
Returns the expression whose value will be the result of this call.
Definition: CallEvent.h:1269
clang::ento::ObjCMethodCall::getReceiverSVal
SVal getReceiverSVal() const
Returns the value of the receiver at the time of this call.
Definition: CallEvent.cpp:1023
clang::ento::ObjCMethodCall::getSelector
Selector getSelector() const
Definition: CallEvent.h:1291
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:248
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::SVal::getLocSymbolInBase
SymbolRef getLocSymbolInBase() const
Get the symbol in the SVal or its base region.
Definition: SVals.cpp:80
clang::ento::SubRegion
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:446
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:780
clang::ento::categories::CoreFoundationObjectiveC
const char *const CoreFoundationObjectiveC
Definition: CommonBugCategories.cpp:17
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
false
#define false
Definition: stdbool.h:26
Generated on Fri Nov 15 2024 16:44:43 for clang by doxygen 1.9.6