xref: /llvm-project/clang/lib/StaticAnalyzer/Checkers/RunLoopAutoreleaseLeakChecker.cpp (revision 1cb15b10ea370178871769929ff9690f461191fc) 
171124832SGeorge Karpenkov //=- RunLoopAutoreleaseLeakChecker.cpp --------------------------*- C++ -*-==//
271124832SGeorge Karpenkov //
32946cd70SChandler Carruth // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
42946cd70SChandler Carruth // See https://llvm.org/LICENSE.txt for license information.
52946cd70SChandler Carruth // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
671124832SGeorge Karpenkov //
771124832SGeorge Karpenkov //
871124832SGeorge Karpenkov //===----------------------------------------------------------------------===//
971124832SGeorge Karpenkov //
1071124832SGeorge Karpenkov // A checker for detecting leaks resulting from allocating temporary
1171124832SGeorge Karpenkov // autoreleased objects before starting the main run loop.
1271124832SGeorge Karpenkov //
1371124832SGeorge Karpenkov // Checks for two antipatterns:
1471124832SGeorge Karpenkov // 1. ObjCMessageExpr followed by [[NSRunLoop mainRunLoop] run] in the same
1571124832SGeorge Karpenkov // autorelease pool.
1671124832SGeorge Karpenkov // 2. ObjCMessageExpr followed by [[NSRunLoop mainRunLoop] run] in no
1771124832SGeorge Karpenkov // autorelease pool.
1871124832SGeorge Karpenkov //
1971124832SGeorge Karpenkov // Any temporary objects autoreleased in code called in those expressions
2071124832SGeorge Karpenkov // will not be deallocated until the program exits, and are effectively leaks.
2171124832SGeorge Karpenkov //
2271124832SGeorge Karpenkov //===----------------------------------------------------------------------===//
2371124832SGeorge Karpenkov //
2471124832SGeorge Karpenkov 
2576a21502SKristof Umann #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
2671124832SGeorge Karpenkov #include "clang/AST/Decl.h"
2771124832SGeorge Karpenkov #include "clang/AST/DeclObjC.h"
2871124832SGeorge Karpenkov #include "clang/ASTMatchers/ASTMatchFinder.h"
2971124832SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
3071124832SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
3171124832SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/Checker.h"
3271124832SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/CheckerManager.h"
3371124832SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
3471124832SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
3571124832SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
3671124832SGeorge Karpenkov 
3771124832SGeorge Karpenkov using namespace clang;
3871124832SGeorge Karpenkov using namespace ento;
3971124832SGeorge Karpenkov using namespace ast_matchers;
4071124832SGeorge Karpenkov 
4171124832SGeorge Karpenkov namespace {
4271124832SGeorge Karpenkov 
4371124832SGeorge Karpenkov const char * RunLoopBind = "NSRunLoopM";
4471124832SGeorge Karpenkov const char * RunLoopRunBind = "RunLoopRunM";
4571124832SGeorge Karpenkov const char * OtherMsgBind = "OtherMessageSentM";
4671124832SGeorge Karpenkov const char * AutoreleasePoolBind = "AutoreleasePoolM";
4781c84a97SGeorge Karpenkov const char * OtherStmtAutoreleasePoolBind = "OtherAutoreleasePoolM";
4871124832SGeorge Karpenkov 
49f44b9070SGeorge Karpenkov class RunLoopAutoreleaseLeakChecker : public Checker<check::ASTCodeBody> {
5071124832SGeorge Karpenkov 
5171124832SGeorge Karpenkov public:
5271124832SGeorge Karpenkov   void checkASTCodeBody(const Decl *D,
5371124832SGeorge Karpenkov                         AnalysisManager &AM,
5471124832SGeorge Karpenkov                         BugReporter &BR) const;
5571124832SGeorge Karpenkov 
5671124832SGeorge Karpenkov };
5771124832SGeorge Karpenkov 
5871124832SGeorge Karpenkov } // end anonymous namespace
5971124832SGeorge Karpenkov 
60*1cb15b10SAaron Puchert /// \return Whether @c A occurs before @c B in traversal of
61*1cb15b10SAaron Puchert /// @c Parent.
62e8240f4dSGeorge Karpenkov /// Conceptually a very incomplete/unsound approximation of happens-before
63e8240f4dSGeorge Karpenkov /// relationship (A is likely to be evaluated before B),
64e8240f4dSGeorge Karpenkov /// but useful enough in this case.
seenBefore(const Stmt * Parent,const Stmt * A,const Stmt * B)65e8240f4dSGeorge Karpenkov static bool seenBefore(const Stmt *Parent, const Stmt *A, const Stmt *B) {
6671124832SGeorge Karpenkov   for (const Stmt *C : Parent->children()) {
67f44b9070SGeorge Karpenkov     if (!C) continue;
68f44b9070SGeorge Karpenkov 
6971124832SGeorge Karpenkov     if (C == A)
7071124832SGeorge Karpenkov       return true;
7171124832SGeorge Karpenkov 
7271124832SGeorge Karpenkov     if (C == B)
7371124832SGeorge Karpenkov       return false;
7471124832SGeorge Karpenkov 
75e8240f4dSGeorge Karpenkov     return seenBefore(C, A, B);
7671124832SGeorge Karpenkov   }
77e8240f4dSGeorge Karpenkov   return false;
7871124832SGeorge Karpenkov }
7971124832SGeorge Karpenkov 
emitDiagnostics(BoundNodes & Match,const Decl * D,BugReporter & BR,AnalysisManager & AM,const RunLoopAutoreleaseLeakChecker * Checker)8071124832SGeorge Karpenkov static void emitDiagnostics(BoundNodes &Match,
8171124832SGeorge Karpenkov                             const Decl *D,
8271124832SGeorge Karpenkov                             BugReporter &BR,
8371124832SGeorge Karpenkov                             AnalysisManager &AM,
8471124832SGeorge Karpenkov                             const RunLoopAutoreleaseLeakChecker *Checker) {
8571124832SGeorge Karpenkov 
8671124832SGeorge Karpenkov   assert(D->hasBody());
8771124832SGeorge Karpenkov   const Stmt *DeclBody = D->getBody();
8871124832SGeorge Karpenkov 
8971124832SGeorge Karpenkov   AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);
9071124832SGeorge Karpenkov 
9171124832SGeorge Karpenkov   const auto *ME = Match.getNodeAs<ObjCMessageExpr>(OtherMsgBind);
9271124832SGeorge Karpenkov   assert(ME);
9371124832SGeorge Karpenkov 
9471124832SGeorge Karpenkov   const auto *AP =
9571124832SGeorge Karpenkov       Match.getNodeAs<ObjCAutoreleasePoolStmt>(AutoreleasePoolBind);
9681c84a97SGeorge Karpenkov   const auto *OAP =
9781c84a97SGeorge Karpenkov       Match.getNodeAs<ObjCAutoreleasePoolStmt>(OtherStmtAutoreleasePoolBind);
9871124832SGeorge Karpenkov   bool HasAutoreleasePool = (AP != nullptr);
9971124832SGeorge Karpenkov 
10071124832SGeorge Karpenkov   const auto *RL = Match.getNodeAs<ObjCMessageExpr>(RunLoopBind);
10171124832SGeorge Karpenkov   const auto *RLR = Match.getNodeAs<Stmt>(RunLoopRunBind);
10271124832SGeorge Karpenkov   assert(RLR && "Run loop launch not found");
10371124832SGeorge Karpenkov   assert(ME != RLR);
10481c84a97SGeorge Karpenkov 
10581c84a97SGeorge Karpenkov   // Launch of run loop occurs before the message-sent expression is seen.
10681c84a97SGeorge Karpenkov   if (seenBefore(DeclBody, RLR, ME))
10771124832SGeorge Karpenkov     return;
10871124832SGeorge Karpenkov 
10981c84a97SGeorge Karpenkov   if (HasAutoreleasePool && (OAP != AP))
11071124832SGeorge Karpenkov     return;
11171124832SGeorge Karpenkov 
11271124832SGeorge Karpenkov   PathDiagnosticLocation Location = PathDiagnosticLocation::createBegin(
11371124832SGeorge Karpenkov     ME, BR.getSourceManager(), ADC);
11471124832SGeorge Karpenkov   SourceRange Range = ME->getSourceRange();
11571124832SGeorge Karpenkov 
11671124832SGeorge Karpenkov   BR.EmitBasicReport(ADC->getDecl(), Checker,
11771124832SGeorge Karpenkov                      /*Name=*/"Memory leak inside autorelease pool",
11849a3ad21SRui Ueyama                      /*BugCategory=*/"Memory",
11971124832SGeorge Karpenkov                      /*Name=*/
12071124832SGeorge Karpenkov                      (Twine("Temporary objects allocated in the") +
12171124832SGeorge Karpenkov                       " autorelease pool " +
12271124832SGeorge Karpenkov                       (HasAutoreleasePool ? "" : "of last resort ") +
12371124832SGeorge Karpenkov                       "followed by the launch of " +
12471124832SGeorge Karpenkov                       (RL ? "main run loop " : "xpc_main ") +
12571124832SGeorge Karpenkov                       "may never get released; consider moving them to a "
12671124832SGeorge Karpenkov                       "separate autorelease pool")
12771124832SGeorge Karpenkov                          .str(),
12871124832SGeorge Karpenkov                      Location, Range);
12971124832SGeorge Karpenkov }
13071124832SGeorge Karpenkov 
getRunLoopRunM(StatementMatcher Extra=anything ())13171124832SGeorge Karpenkov static StatementMatcher getRunLoopRunM(StatementMatcher Extra = anything()) {
13271124832SGeorge Karpenkov   StatementMatcher MainRunLoopM =
13371124832SGeorge Karpenkov       objcMessageExpr(hasSelector("mainRunLoop"),
13471124832SGeorge Karpenkov                       hasReceiverType(asString("NSRunLoop")),
13571124832SGeorge Karpenkov                       Extra)
13671124832SGeorge Karpenkov           .bind(RunLoopBind);
13771124832SGeorge Karpenkov 
13871124832SGeorge Karpenkov   StatementMatcher MainRunLoopRunM = objcMessageExpr(hasSelector("run"),
13971124832SGeorge Karpenkov                          hasReceiver(MainRunLoopM),
14071124832SGeorge Karpenkov                          Extra).bind(RunLoopRunBind);
14171124832SGeorge Karpenkov 
14271124832SGeorge Karpenkov   StatementMatcher XPCRunM =
14371124832SGeorge Karpenkov       callExpr(callee(functionDecl(hasName("xpc_main")))).bind(RunLoopRunBind);
14471124832SGeorge Karpenkov   return anyOf(MainRunLoopRunM, XPCRunM);
14571124832SGeorge Karpenkov }
14671124832SGeorge Karpenkov 
getOtherMessageSentM(StatementMatcher Extra=anything ())14771124832SGeorge Karpenkov static StatementMatcher getOtherMessageSentM(StatementMatcher Extra = anything()) {
14871124832SGeorge Karpenkov   return objcMessageExpr(unless(anyOf(equalsBoundNode(RunLoopBind),
14971124832SGeorge Karpenkov                                       equalsBoundNode(RunLoopRunBind))),
15071124832SGeorge Karpenkov                          Extra)
15171124832SGeorge Karpenkov       .bind(OtherMsgBind);
15271124832SGeorge Karpenkov }
15371124832SGeorge Karpenkov 
15471124832SGeorge Karpenkov static void
checkTempObjectsInSamePool(const Decl * D,AnalysisManager & AM,BugReporter & BR,const RunLoopAutoreleaseLeakChecker * Chkr)15571124832SGeorge Karpenkov checkTempObjectsInSamePool(const Decl *D, AnalysisManager &AM, BugReporter &BR,
15671124832SGeorge Karpenkov                            const RunLoopAutoreleaseLeakChecker *Chkr) {
15771124832SGeorge Karpenkov   StatementMatcher RunLoopRunM = getRunLoopRunM();
15881c84a97SGeorge Karpenkov   StatementMatcher OtherMessageSentM = getOtherMessageSentM(
15981c84a97SGeorge Karpenkov     hasAncestor(autoreleasePoolStmt().bind(OtherStmtAutoreleasePoolBind)));
16071124832SGeorge Karpenkov 
16171124832SGeorge Karpenkov   StatementMatcher RunLoopInAutorelease =
16271124832SGeorge Karpenkov       autoreleasePoolStmt(
16371124832SGeorge Karpenkov         hasDescendant(RunLoopRunM),
16471124832SGeorge Karpenkov         hasDescendant(OtherMessageSentM)).bind(AutoreleasePoolBind);
16571124832SGeorge Karpenkov 
16671124832SGeorge Karpenkov   DeclarationMatcher GroupM = decl(hasDescendant(RunLoopInAutorelease));
16771124832SGeorge Karpenkov 
16871124832SGeorge Karpenkov   auto Matches = match(GroupM, *D, AM.getASTContext());
16971124832SGeorge Karpenkov   for (BoundNodes Match : Matches)
17071124832SGeorge Karpenkov     emitDiagnostics(Match, D, BR, AM, Chkr);
17171124832SGeorge Karpenkov }
17271124832SGeorge Karpenkov 
17371124832SGeorge Karpenkov static void
checkTempObjectsInNoPool(const Decl * D,AnalysisManager & AM,BugReporter & BR,const RunLoopAutoreleaseLeakChecker * Chkr)17471124832SGeorge Karpenkov checkTempObjectsInNoPool(const Decl *D, AnalysisManager &AM, BugReporter &BR,
17571124832SGeorge Karpenkov                          const RunLoopAutoreleaseLeakChecker *Chkr) {
17671124832SGeorge Karpenkov 
17771124832SGeorge Karpenkov   auto NoPoolM = unless(hasAncestor(autoreleasePoolStmt()));
17871124832SGeorge Karpenkov 
17971124832SGeorge Karpenkov   StatementMatcher RunLoopRunM = getRunLoopRunM(NoPoolM);
18071124832SGeorge Karpenkov   StatementMatcher OtherMessageSentM = getOtherMessageSentM(NoPoolM);
18171124832SGeorge Karpenkov 
18271124832SGeorge Karpenkov   DeclarationMatcher GroupM = functionDecl(
18371124832SGeorge Karpenkov     isMain(),
18471124832SGeorge Karpenkov     hasDescendant(RunLoopRunM),
18571124832SGeorge Karpenkov     hasDescendant(OtherMessageSentM)
18671124832SGeorge Karpenkov   );
18771124832SGeorge Karpenkov 
18871124832SGeorge Karpenkov   auto Matches = match(GroupM, *D, AM.getASTContext());
18971124832SGeorge Karpenkov 
19071124832SGeorge Karpenkov   for (BoundNodes Match : Matches)
19171124832SGeorge Karpenkov     emitDiagnostics(Match, D, BR, AM, Chkr);
19271124832SGeorge Karpenkov 
19371124832SGeorge Karpenkov }
19471124832SGeorge Karpenkov 
checkASTCodeBody(const Decl * D,AnalysisManager & AM,BugReporter & BR) const19571124832SGeorge Karpenkov void RunLoopAutoreleaseLeakChecker::checkASTCodeBody(const Decl *D,
19671124832SGeorge Karpenkov                         AnalysisManager &AM,
19771124832SGeorge Karpenkov                         BugReporter &BR) const {
19871124832SGeorge Karpenkov   checkTempObjectsInSamePool(D, AM, BR, this);
19971124832SGeorge Karpenkov   checkTempObjectsInNoPool(D, AM, BR, this);
20071124832SGeorge Karpenkov }
20171124832SGeorge Karpenkov 
registerRunLoopAutoreleaseLeakChecker(CheckerManager & mgr)20271124832SGeorge Karpenkov void ento::registerRunLoopAutoreleaseLeakChecker(CheckerManager &mgr) {
20371124832SGeorge Karpenkov   mgr.registerChecker<RunLoopAutoreleaseLeakChecker>();
20471124832SGeorge Karpenkov }
205058a7a45SKristof Umann 
shouldRegisterRunLoopAutoreleaseLeakChecker(const CheckerManager & mgr)206bda3dd0dSKirstóf Umann bool ento::shouldRegisterRunLoopAutoreleaseLeakChecker(const CheckerManager &mgr) {
207058a7a45SKristof Umann   return true;
208058a7a45SKristof Umann }
209