clang 18.0.0git
ObjCSuperDeallocChecker.cpp
Go to the documentation of this file.
1//===- ObjCSuperDeallocChecker.cpp - Check correct use of [super dealloc] -===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines ObjCSuperDeallocChecker, a builtin check that warns when
10// self is used after a call to [super dealloc] in MRR mode.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16#include "clang/StaticAnalyzer/Core/Checker.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26class ObjCSuperDeallocChecker
27 : public Checker<check::PostObjCMessage, check::PreObjCMessage,
28 check::PreCall, check::Location> {
29
30 mutable IdentifierInfo *IIdealloc, *IINSObject;
31 mutable Selector SELdealloc;
32
33 std::unique_ptr<BugType> DoubleSuperDeallocBugType;
34
35 void initIdentifierInfoAndSelectors(ASTContext &Ctx) const;
36
37 bool isSuperDeallocMessage(const ObjCMethodCall &M) const;
38
39public:
40 ObjCSuperDeallocChecker();
41 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
42 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
43
44 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
45
46 void checkLocation(SVal l, bool isLoad, const Stmt *S,
47 CheckerContext &C) const;
48
49private:
50
51 void diagnoseCallArguments(const CallEvent &CE, CheckerContext &C) const;
52
53 void reportUseAfterDealloc(SymbolRef Sym, StringRef Desc, const Stmt *S,
54 CheckerContext &C) const;
55};
56
57} // End anonymous namespace.
58
59// Remember whether [super dealloc] has previously been called on the
60// SymbolRef for the receiver.
61REGISTER_SET_WITH_PROGRAMSTATE(CalledSuperDealloc, SymbolRef)
62
63namespace {
64class SuperDeallocBRVisitor final : public BugReporterVisitor {
65 SymbolRef ReceiverSymbol;
66 bool Satisfied;
67
68public:
69 SuperDeallocBRVisitor(SymbolRef ReceiverSymbol)
70 : ReceiverSymbol(ReceiverSymbol), Satisfied(false) {}
71
72 PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,
73 BugReporterContext &BRC,
74 PathSensitiveBugReport &BR) override;
75
76 void Profile(llvm::FoldingSetNodeID &ID) const override {
77 ID.Add(ReceiverSymbol);
78 }
79};
80} // End anonymous namespace.
81
82void ObjCSuperDeallocChecker::checkPreObjCMessage(const ObjCMethodCall &M,
83 CheckerContext &C) const {
84
85 ProgramStateRef State = C.getState();
86 SymbolRef ReceiverSymbol = M.getReceiverSVal().getAsSymbol();
87 if (!ReceiverSymbol) {
88 diagnoseCallArguments(M, C);
89 return;
90 }
91
92 bool AlreadyCalled = State->contains<CalledSuperDealloc>(ReceiverSymbol);
93 if (!AlreadyCalled)
94 return;
95
96 StringRef Desc;
97
98 if (isSuperDeallocMessage(M)) {
99 Desc = "[super dealloc] should not be called multiple times";
100 } else {
101 Desc = StringRef();
102 }
103
104 reportUseAfterDealloc(ReceiverSymbol, Desc, M.getOriginExpr(), C);
105}
106
107void ObjCSuperDeallocChecker::checkPreCall(const CallEvent &Call,
108 CheckerContext &C) const {
109 diagnoseCallArguments(Call, C);
110}
111
112void ObjCSuperDeallocChecker::checkPostObjCMessage(const ObjCMethodCall &M,
113 CheckerContext &C) const {
114 // Check for [super dealloc] method call.
115 if (!isSuperDeallocMessage(M))
116 return;
117
118 ProgramStateRef State = C.getState();
119 const LocationContext *LC = C.getLocationContext();
120 SymbolRef SelfSymbol = State->getSelfSVal(LC).getAsSymbol();
121 assert(SelfSymbol && "No receiver symbol at call to [super dealloc]?");
122
123 // We add this transition in checkPostObjCMessage to avoid warning when
124 // we inline a call to [super dealloc] where the inlined call itself
125 // calls [super dealloc].
126 State = State->add<CalledSuperDealloc>(SelfSymbol);
127 C.addTransition(State);
128}
129
130void ObjCSuperDeallocChecker::checkLocation(SVal L, bool IsLoad, const Stmt *S,
131 CheckerContext &C) const {
132 SymbolRef BaseSym = L.getLocSymbolInBase();
133 if (!BaseSym)
134 return;
135
136 ProgramStateRef State = C.getState();
137
138 if (!State->contains<CalledSuperDealloc>(BaseSym))
139 return;
140
141 const MemRegion *R = L.getAsRegion();
142 if (!R)
143 return;
144
145 // Climb the super regions to find the base symbol while recording
146 // the second-to-last region for error reporting.
147 const MemRegion *PriorSubRegion = nullptr;
148 while (const SubRegion *SR = dyn_cast<SubRegion>(R)) {
149 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SR)) {
150 BaseSym = SymR->getSymbol();
151 break;
152 } else {
153 R = SR->getSuperRegion();
154 PriorSubRegion = SR;
155 }
156 }
157
158 StringRef Desc = StringRef();
159 auto *IvarRegion = dyn_cast_or_null<ObjCIvarRegion>(PriorSubRegion);
160
161 std::string Buf;
162 llvm::raw_string_ostream OS(Buf);
163 if (IvarRegion) {
164 OS << "Use of instance variable '" << *IvarRegion->getDecl() <<
165 "' after 'self' has been deallocated";
166 Desc = OS.str();
167 }
168
169 reportUseAfterDealloc(BaseSym, Desc, S, C);
170}
171
172/// Report a use-after-dealloc on Sym. If not empty,
173/// Desc will be used to describe the error; otherwise,
174/// a default warning will be used.
175void ObjCSuperDeallocChecker::reportUseAfterDealloc(SymbolRef Sym,
176 StringRef Desc,
177 const Stmt *S,
178 CheckerContext &C) const {
179 // We have a use of self after free.
180 // This likely causes a crash, so stop exploring the
181 // path by generating a sink.
182 ExplodedNode *ErrNode = C.generateErrorNode();
183 // If we've already reached this node on another path, return.
184 if (!ErrNode)
185 return;
186
187 if (Desc.empty())
188 Desc = "Use of 'self' after it has been deallocated";
189
190 // Generate the report.
191 auto BR = std::make_unique<PathSensitiveBugReport>(*DoubleSuperDeallocBugType,
192 Desc, ErrNode);
193 BR->addRange(S->getSourceRange());
194 BR->addVisitor(std::make_unique<SuperDeallocBRVisitor>(Sym));
195 C.emitReport(std::move(BR));
196}
197
198/// Diagnose if any of the arguments to CE have already been
199/// dealloc'd.
200void ObjCSuperDeallocChecker::diagnoseCallArguments(const CallEvent &CE,
201 CheckerContext &C) const {
202 ProgramStateRef State = C.getState();
203 unsigned ArgCount = CE.getNumArgs();
204 for (unsigned I = 0; I < ArgCount; I++) {
205 SymbolRef Sym = CE.getArgSVal(I).getAsSymbol();
206 if (!Sym)
207 continue;
208
209 if (State->contains<CalledSuperDealloc>(Sym)) {
210 reportUseAfterDealloc(Sym, StringRef(), CE.getArgExpr(I), C);
211 return;
212 }
213 }
214}
215
216ObjCSuperDeallocChecker::ObjCSuperDeallocChecker()
217 : IIdealloc(nullptr), IINSObject(nullptr) {
218
219 DoubleSuperDeallocBugType.reset(
220 new BugType(this, "[super dealloc] should not be called more than once",
221 categories::CoreFoundationObjectiveC));
222}
223
224void
225ObjCSuperDeallocChecker::initIdentifierInfoAndSelectors(ASTContext &Ctx) const {
226 if (IIdealloc)
227 return;
228
229 IIdealloc = &Ctx.Idents.get("dealloc");
230 IINSObject = &Ctx.Idents.get("NSObject");
231
232 SELdealloc = Ctx.Selectors.getSelector(0, &IIdealloc);
233}
234
235bool
236ObjCSuperDeallocChecker::isSuperDeallocMessage(const ObjCMethodCall &M) const {
237 if (M.getOriginExpr()->getReceiverKind() != ObjCMessageExpr::SuperInstance)
238 return false;
239
240 ASTContext &Ctx = M.getState()->getStateManager().getContext();
241 initIdentifierInfoAndSelectors(Ctx);
242
243 return M.getSelector() == SELdealloc;
244}
245
246PathDiagnosticPieceRef
247SuperDeallocBRVisitor::VisitNode(const ExplodedNode *Succ,
248 BugReporterContext &BRC,
249 PathSensitiveBugReport &) {
250 if (Satisfied)
251 return nullptr;
252
253 ProgramStateRef State = Succ->getState();
254
255 bool CalledNow =
256 Succ->getState()->contains<CalledSuperDealloc>(ReceiverSymbol);
257 bool CalledBefore =
258 Succ->getFirstPred()->getState()->contains<CalledSuperDealloc>(
259 ReceiverSymbol);
260
261 // Is Succ the node on which the analyzer noted that [super dealloc] was
262 // called on ReceiverSymbol?
263 if (CalledNow && !CalledBefore) {
264 Satisfied = true;
265
266 ProgramPoint P = Succ->getLocation();
267 PathDiagnosticLocation L =
268 PathDiagnosticLocation::create(P, BRC.getSourceManager());
269
270 if (!L.isValid() || !L.asLocation().isValid())
271 return nullptr;
272
273 return std::make_shared<PathDiagnosticEventPiece>(
274 L, "[super dealloc] called here");
275 }
276
277 return nullptr;
278}
279
280//===----------------------------------------------------------------------===//
281// Checker Registration.
282//===----------------------------------------------------------------------===//
283
284void ento::registerObjCSuperDeallocChecker(CheckerManager &Mgr) {
285 Mgr.registerChecker<ObjCSuperDeallocChecker>();
286}
287
288bool ento::shouldRegisterObjCSuperDeallocChecker(const CheckerManager &mgr) {
289 return true;
290}
P
StringRef P
Definition: ASTMatchersInternal.cpp:564
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:112
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:636
clang::ASTContext::Selectors
SelectorTable & Selectors
Definition: ASTContext.h:637
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:109
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:663
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::ObjCMessageExpr::SuperInstance
@ SuperInstance
The receiver is the instance of the superclass object.
Definition: ExprObjC.h:959
clang::ObjCMessageExpr::getReceiverKind
ReceiverKind getReceiverKind() const
Determine the kind of receiver that this message is being sent to.
Definition: ExprObjC.h:1234
clang::SelectorTable::getSelector
Selector getSelector(unsigned NumArgs, IdentifierInfo **IIV)
Can create any sort of selector.
Definition: IdentifierTable.cpp:754
clang::Selector
Smart pointer class that efficiently represents Objective-C method names.
Definition: IdentifierTable.h:940
clang::SourceLocation::isValid
bool isValid() const
Return true if this is a valid SourceLocation object.
Definition: SourceLocation.h:112
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::ento::BugReporterContext::getSourceManager
const SourceManager & getSourceManager() const
Definition: BugReporter.h:721
clang::ento::BugReporterVisitor
BugReporterVisitors are used to add custom diagnostics along a path.
Definition: BugReporterVisitors.h:49
clang::ento::BugReporterVisitor::Profile
virtual void Profile(llvm::FoldingSetNodeID &ID) const =0
clang::ento::BugReporterVisitor::VisitNode
virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC, PathSensitiveBugReport &BR)=0
Return a diagnostic piece which should be associated with the given node.
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:152
clang::ento::CallEvent::getState
const ProgramStateRef & getState() const
The state in which the call is being evaluated.
Definition: CallEvent.h:234
clang::ento::CallEvent::getArgSVal
virtual SVal getArgSVal(unsigned Index) const
Returns the value of a given argument at the time of the call.
Definition: CallEvent.cpp:308
clang::ento::CallEvent::getArgExpr
virtual const Expr * getArgExpr(unsigned Index) const
Returns the expression associated with a given argument.
Definition: CallEvent.h:292
clang::ento::CallEvent::getNumArgs
virtual unsigned getNumArgs() const =0
Returns the number of arguments (explicit and implicit).
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition: ExplodedGraph.h:145
clang::ento::ExplodedNode::getFirstPred
ExplodedNode * getFirstPred()
Definition: ExplodedGraph.h:209
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::ObjCMethodCall
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:1171
clang::ento::ObjCMethodCall::getOriginExpr
const ObjCMessageExpr * getOriginExpr() const override
Returns the expression whose value will be the result of this call.
Definition: CallEvent.h:1197
clang::ento::ObjCMethodCall::getReceiverSVal
SVal getReceiverSVal() const
Returns the value of the receiver at the time of this call.
Definition: CallEvent.cpp:1004
clang::ento::ObjCMethodCall::getSelector
Selector getSelector() const
Definition: CallEvent.h:1219
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:248
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::SVal::getLocSymbolInBase
SymbolRef getLocSymbolInBase() const
Get the symbol in the SVal or its base region.
Definition: SVals.cpp:80
clang::ento::SubRegion
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:441
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:775
clang::ento::categories::CoreFoundationObjectiveC
const char *const CoreFoundationObjectiveC
Definition: CommonBugCategories.cpp:16
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
false
#define false
Definition: stdbool.h:22
Generated on Wed Dec 6 2023 11:09:31 for clang by doxygen 1.9.6