1 //=- RunLoopAutoreleaseLeakChecker.cpp --------------------------*- C++ -*-==// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 // 9 //===----------------------------------------------------------------------===// 10 // 11 // A checker for detecting leaks resulting from allocating temporary 12 // autoreleased objects before starting the main run loop. 13 // 14 // Checks for two antipatterns: 15 // 1. ObjCMessageExpr followed by [[NSRunLoop mainRunLoop] run] in the same 16 // autorelease pool. 17 // 2. ObjCMessageExpr followed by [[NSRunLoop mainRunLoop] run] in no 18 // autorelease pool. 19 // 20 // Any temporary objects autoreleased in code called in those expressions 21 // will not be deallocated until the program exits, and are effectively leaks. 22 // 23 //===----------------------------------------------------------------------===// 24 // 25 26 #include "ClangSACheckers.h" 27 #include "clang/AST/Decl.h" 28 #include "clang/AST/DeclObjC.h" 29 #include "clang/ASTMatchers/ASTMatchFinder.h" 30 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 31 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 32 #include "clang/StaticAnalyzer/Core/Checker.h" 33 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 34 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 35 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 36 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 37 38 using namespace clang; 39 using namespace ento; 40 using namespace ast_matchers; 41 42 namespace { 43 44 const char * RunLoopBind = "NSRunLoopM"; 45 const char * RunLoopRunBind = "RunLoopRunM"; 46 const char * OtherMsgBind = "OtherMessageSentM"; 47 const char * AutoreleasePoolBind = "AutoreleasePoolM"; 48 49 class RunLoopAutoreleaseLeakChecker : public Checker<check::ASTCodeBody> { 50 51 public: 52 void checkASTCodeBody(const Decl *D, 53 AnalysisManager &AM, 54 BugReporter &BR) const; 55 56 }; 57 58 } // end anonymous namespace 59 60 61 using TriBoolTy = Optional<bool>; 62 using MemoizationMapTy = llvm::DenseMap<const Stmt *, Optional<TriBoolTy>>; 63 64 static TriBoolTy 65 seenBeforeRec(const Stmt *Parent, const Stmt *A, const Stmt *B, 66 MemoizationMapTy &Memoization) { 67 for (const Stmt *C : Parent->children()) { 68 if (!C) continue; 69 70 if (C == A) 71 return true; 72 73 if (C == B) 74 return false; 75 76 Optional<TriBoolTy> &Cached = Memoization[C]; 77 if (!Cached) 78 Cached = seenBeforeRec(C, A, B, Memoization); 79 80 if (Cached->hasValue()) 81 return Cached->getValue(); 82 } 83 84 return None; 85 } 86 87 /// \return Whether {@code A} occurs before {@code B} in traversal of 88 /// {@code Parent}. 89 /// Conceptually a very incomplete/unsound approximation of happens-before 90 /// relationship (A is likely to be evaluated before B), 91 /// but useful enough in this case. 92 static bool seenBefore(const Stmt *Parent, const Stmt *A, const Stmt *B) { 93 MemoizationMapTy Memoization; 94 TriBoolTy Val = seenBeforeRec(Parent, A, B, Memoization); 95 return Val.getValue(); 96 } 97 98 static void emitDiagnostics(BoundNodes &Match, 99 const Decl *D, 100 BugReporter &BR, 101 AnalysisManager &AM, 102 const RunLoopAutoreleaseLeakChecker *Checker) { 103 104 assert(D->hasBody()); 105 const Stmt *DeclBody = D->getBody(); 106 107 AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D); 108 109 const auto *ME = Match.getNodeAs<ObjCMessageExpr>(OtherMsgBind); 110 assert(ME); 111 112 const auto *AP = 113 Match.getNodeAs<ObjCAutoreleasePoolStmt>(AutoreleasePoolBind); 114 bool HasAutoreleasePool = (AP != nullptr); 115 116 const auto *RL = Match.getNodeAs<ObjCMessageExpr>(RunLoopBind); 117 const auto *RLR = Match.getNodeAs<Stmt>(RunLoopRunBind); 118 assert(RLR && "Run loop launch not found"); 119 120 assert(ME != RLR); 121 if (HasAutoreleasePool && seenBefore(AP, RLR, ME)) 122 return; 123 124 if (!HasAutoreleasePool && seenBefore(DeclBody, RLR, ME)) 125 return; 126 127 PathDiagnosticLocation Location = PathDiagnosticLocation::createBegin( 128 ME, BR.getSourceManager(), ADC); 129 SourceRange Range = ME->getSourceRange(); 130 131 BR.EmitBasicReport(ADC->getDecl(), Checker, 132 /*Name=*/"Memory leak inside autorelease pool", 133 /*Category=*/"Memory", 134 /*Name=*/ 135 (Twine("Temporary objects allocated in the") + 136 " autorelease pool " + 137 (HasAutoreleasePool ? "" : "of last resort ") + 138 "followed by the launch of " + 139 (RL ? "main run loop " : "xpc_main ") + 140 "may never get released; consider moving them to a " 141 "separate autorelease pool") 142 .str(), 143 Location, Range); 144 } 145 146 static StatementMatcher getRunLoopRunM(StatementMatcher Extra = anything()) { 147 StatementMatcher MainRunLoopM = 148 objcMessageExpr(hasSelector("mainRunLoop"), 149 hasReceiverType(asString("NSRunLoop")), 150 Extra) 151 .bind(RunLoopBind); 152 153 StatementMatcher MainRunLoopRunM = objcMessageExpr(hasSelector("run"), 154 hasReceiver(MainRunLoopM), 155 Extra).bind(RunLoopRunBind); 156 157 StatementMatcher XPCRunM = 158 callExpr(callee(functionDecl(hasName("xpc_main")))).bind(RunLoopRunBind); 159 return anyOf(MainRunLoopRunM, XPCRunM); 160 } 161 162 static StatementMatcher getOtherMessageSentM(StatementMatcher Extra = anything()) { 163 return objcMessageExpr(unless(anyOf(equalsBoundNode(RunLoopBind), 164 equalsBoundNode(RunLoopRunBind))), 165 Extra) 166 .bind(OtherMsgBind); 167 } 168 169 static void 170 checkTempObjectsInSamePool(const Decl *D, AnalysisManager &AM, BugReporter &BR, 171 const RunLoopAutoreleaseLeakChecker *Chkr) { 172 StatementMatcher RunLoopRunM = getRunLoopRunM(); 173 StatementMatcher OtherMessageSentM = getOtherMessageSentM(); 174 175 StatementMatcher RunLoopInAutorelease = 176 autoreleasePoolStmt( 177 hasDescendant(RunLoopRunM), 178 hasDescendant(OtherMessageSentM)).bind(AutoreleasePoolBind); 179 180 DeclarationMatcher GroupM = decl(hasDescendant(RunLoopInAutorelease)); 181 182 auto Matches = match(GroupM, *D, AM.getASTContext()); 183 for (BoundNodes Match : Matches) 184 emitDiagnostics(Match, D, BR, AM, Chkr); 185 } 186 187 static void 188 checkTempObjectsInNoPool(const Decl *D, AnalysisManager &AM, BugReporter &BR, 189 const RunLoopAutoreleaseLeakChecker *Chkr) { 190 191 auto NoPoolM = unless(hasAncestor(autoreleasePoolStmt())); 192 193 StatementMatcher RunLoopRunM = getRunLoopRunM(NoPoolM); 194 StatementMatcher OtherMessageSentM = getOtherMessageSentM(NoPoolM); 195 196 DeclarationMatcher GroupM = functionDecl( 197 isMain(), 198 hasDescendant(RunLoopRunM), 199 hasDescendant(OtherMessageSentM) 200 ); 201 202 auto Matches = match(GroupM, *D, AM.getASTContext()); 203 204 for (BoundNodes Match : Matches) 205 emitDiagnostics(Match, D, BR, AM, Chkr); 206 207 } 208 209 void RunLoopAutoreleaseLeakChecker::checkASTCodeBody(const Decl *D, 210 AnalysisManager &AM, 211 BugReporter &BR) const { 212 checkTempObjectsInSamePool(D, AM, BR, this); 213 checkTempObjectsInNoPool(D, AM, BR, this); 214 } 215 216 void ento::registerRunLoopAutoreleaseLeakChecker(CheckerManager &mgr) { 217 mgr.registerChecker<RunLoopAutoreleaseLeakChecker>(); 218 } 219