xref: /llvm-project/clang/lib/StaticAnalyzer/Checkers/RunLoopAutoreleaseLeakChecker.cpp (revision 76a21502fdc12366cdda4fe92b2dbdfe7661064a) 
1 //=- RunLoopAutoreleaseLeakChecker.cpp --------------------------*- C++ -*-==//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //
9 //===----------------------------------------------------------------------===//
10 //
11 // A checker for detecting leaks resulting from allocating temporary
12 // autoreleased objects before starting the main run loop.
13 //
14 // Checks for two antipatterns:
15 // 1. ObjCMessageExpr followed by [[NSRunLoop mainRunLoop] run] in the same
16 // autorelease pool.
17 // 2. ObjCMessageExpr followed by [[NSRunLoop mainRunLoop] run] in no
18 // autorelease pool.
19 //
20 // Any temporary objects autoreleased in code called in those expressions
21 // will not be deallocated until the program exits, and are effectively leaks.
22 //
23 //===----------------------------------------------------------------------===//
24 //
25 
26 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
27 #include "clang/AST/Decl.h"
28 #include "clang/AST/DeclObjC.h"
29 #include "clang/ASTMatchers/ASTMatchFinder.h"
30 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
31 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
32 #include "clang/StaticAnalyzer/Core/Checker.h"
33 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
34 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
35 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
36 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
37 
38 using namespace clang;
39 using namespace ento;
40 using namespace ast_matchers;
41 
42 namespace {
43 
44 const char * RunLoopBind = "NSRunLoopM";
45 const char * RunLoopRunBind = "RunLoopRunM";
46 const char * OtherMsgBind = "OtherMessageSentM";
47 const char * AutoreleasePoolBind = "AutoreleasePoolM";
48 const char * OtherStmtAutoreleasePoolBind = "OtherAutoreleasePoolM";
49 
50 class RunLoopAutoreleaseLeakChecker : public Checker<check::ASTCodeBody> {
51 
52 public:
53   void checkASTCodeBody(const Decl *D,
54                         AnalysisManager &AM,
55                         BugReporter &BR) const;
56 
57 };
58 
59 } // end anonymous namespace
60 
61 /// \return Whether {@code A} occurs before {@code B} in traversal of
62 /// {@code Parent}.
63 /// Conceptually a very incomplete/unsound approximation of happens-before
64 /// relationship (A is likely to be evaluated before B),
65 /// but useful enough in this case.
66 static bool seenBefore(const Stmt *Parent, const Stmt *A, const Stmt *B) {
67   for (const Stmt *C : Parent->children()) {
68     if (!C) continue;
69 
70     if (C == A)
71       return true;
72 
73     if (C == B)
74       return false;
75 
76     return seenBefore(C, A, B);
77   }
78   return false;
79 }
80 
81 static void emitDiagnostics(BoundNodes &Match,
82                             const Decl *D,
83                             BugReporter &BR,
84                             AnalysisManager &AM,
85                             const RunLoopAutoreleaseLeakChecker *Checker) {
86 
87   assert(D->hasBody());
88   const Stmt *DeclBody = D->getBody();
89 
90   AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);
91 
92   const auto *ME = Match.getNodeAs<ObjCMessageExpr>(OtherMsgBind);
93   assert(ME);
94 
95   const auto *AP =
96       Match.getNodeAs<ObjCAutoreleasePoolStmt>(AutoreleasePoolBind);
97   const auto *OAP =
98       Match.getNodeAs<ObjCAutoreleasePoolStmt>(OtherStmtAutoreleasePoolBind);
99   bool HasAutoreleasePool = (AP != nullptr);
100 
101   const auto *RL = Match.getNodeAs<ObjCMessageExpr>(RunLoopBind);
102   const auto *RLR = Match.getNodeAs<Stmt>(RunLoopRunBind);
103   assert(RLR && "Run loop launch not found");
104   assert(ME != RLR);
105 
106   // Launch of run loop occurs before the message-sent expression is seen.
107   if (seenBefore(DeclBody, RLR, ME))
108     return;
109 
110   if (HasAutoreleasePool && (OAP != AP))
111     return;
112 
113   PathDiagnosticLocation Location = PathDiagnosticLocation::createBegin(
114     ME, BR.getSourceManager(), ADC);
115   SourceRange Range = ME->getSourceRange();
116 
117   BR.EmitBasicReport(ADC->getDecl(), Checker,
118                      /*Name=*/"Memory leak inside autorelease pool",
119                      /*Category=*/"Memory",
120                      /*Name=*/
121                      (Twine("Temporary objects allocated in the") +
122                       " autorelease pool " +
123                       (HasAutoreleasePool ? "" : "of last resort ") +
124                       "followed by the launch of " +
125                       (RL ? "main run loop " : "xpc_main ") +
126                       "may never get released; consider moving them to a "
127                       "separate autorelease pool")
128                          .str(),
129                      Location, Range);
130 }
131 
132 static StatementMatcher getRunLoopRunM(StatementMatcher Extra = anything()) {
133   StatementMatcher MainRunLoopM =
134       objcMessageExpr(hasSelector("mainRunLoop"),
135                       hasReceiverType(asString("NSRunLoop")),
136                       Extra)
137           .bind(RunLoopBind);
138 
139   StatementMatcher MainRunLoopRunM = objcMessageExpr(hasSelector("run"),
140                          hasReceiver(MainRunLoopM),
141                          Extra).bind(RunLoopRunBind);
142 
143   StatementMatcher XPCRunM =
144       callExpr(callee(functionDecl(hasName("xpc_main")))).bind(RunLoopRunBind);
145   return anyOf(MainRunLoopRunM, XPCRunM);
146 }
147 
148 static StatementMatcher getOtherMessageSentM(StatementMatcher Extra = anything()) {
149   return objcMessageExpr(unless(anyOf(equalsBoundNode(RunLoopBind),
150                                       equalsBoundNode(RunLoopRunBind))),
151                          Extra)
152       .bind(OtherMsgBind);
153 }
154 
155 static void
156 checkTempObjectsInSamePool(const Decl *D, AnalysisManager &AM, BugReporter &BR,
157                            const RunLoopAutoreleaseLeakChecker *Chkr) {
158   StatementMatcher RunLoopRunM = getRunLoopRunM();
159   StatementMatcher OtherMessageSentM = getOtherMessageSentM(
160     hasAncestor(autoreleasePoolStmt().bind(OtherStmtAutoreleasePoolBind)));
161 
162   StatementMatcher RunLoopInAutorelease =
163       autoreleasePoolStmt(
164         hasDescendant(RunLoopRunM),
165         hasDescendant(OtherMessageSentM)).bind(AutoreleasePoolBind);
166 
167   DeclarationMatcher GroupM = decl(hasDescendant(RunLoopInAutorelease));
168 
169   auto Matches = match(GroupM, *D, AM.getASTContext());
170   for (BoundNodes Match : Matches)
171     emitDiagnostics(Match, D, BR, AM, Chkr);
172 }
173 
174 static void
175 checkTempObjectsInNoPool(const Decl *D, AnalysisManager &AM, BugReporter &BR,
176                          const RunLoopAutoreleaseLeakChecker *Chkr) {
177 
178   auto NoPoolM = unless(hasAncestor(autoreleasePoolStmt()));
179 
180   StatementMatcher RunLoopRunM = getRunLoopRunM(NoPoolM);
181   StatementMatcher OtherMessageSentM = getOtherMessageSentM(NoPoolM);
182 
183   DeclarationMatcher GroupM = functionDecl(
184     isMain(),
185     hasDescendant(RunLoopRunM),
186     hasDescendant(OtherMessageSentM)
187   );
188 
189   auto Matches = match(GroupM, *D, AM.getASTContext());
190 
191   for (BoundNodes Match : Matches)
192     emitDiagnostics(Match, D, BR, AM, Chkr);
193 
194 }
195 
196 void RunLoopAutoreleaseLeakChecker::checkASTCodeBody(const Decl *D,
197                         AnalysisManager &AM,
198                         BugReporter &BR) const {
199   checkTempObjectsInSamePool(D, AM, BR, this);
200   checkTempObjectsInNoPool(D, AM, BR, this);
201 }
202 
203 void ento::registerRunLoopAutoreleaseLeakChecker(CheckerManager &mgr) {
204   mgr.registerChecker<RunLoopAutoreleaseLeakChecker>();
205 }
206