1f4a2713aSLionel Sambuc //==- CheckObjCDealloc.cpp - Check ObjC -dealloc implementation --*- C++ -*-==//
2f4a2713aSLionel Sambuc //
3f4a2713aSLionel Sambuc // The LLVM Compiler Infrastructure
4f4a2713aSLionel Sambuc //
5f4a2713aSLionel Sambuc // This file is distributed under the University of Illinois Open Source
6f4a2713aSLionel Sambuc // License. See LICENSE.TXT for details.
7f4a2713aSLionel Sambuc //
8f4a2713aSLionel Sambuc //===----------------------------------------------------------------------===//
9f4a2713aSLionel Sambuc //
10f4a2713aSLionel Sambuc // This file defines a CheckObjCDealloc, a checker that
11f4a2713aSLionel Sambuc // analyzes an Objective-C class's implementation to determine if it
12f4a2713aSLionel Sambuc // correctly implements -dealloc.
13f4a2713aSLionel Sambuc //
14f4a2713aSLionel Sambuc //===----------------------------------------------------------------------===//
15f4a2713aSLionel Sambuc
16f4a2713aSLionel Sambuc #include "ClangSACheckers.h"
17f4a2713aSLionel Sambuc #include "clang/AST/Attr.h"
18f4a2713aSLionel Sambuc #include "clang/AST/DeclObjC.h"
19f4a2713aSLionel Sambuc #include "clang/AST/Expr.h"
20f4a2713aSLionel Sambuc #include "clang/AST/ExprObjC.h"
21f4a2713aSLionel Sambuc #include "clang/Basic/LangOptions.h"
22f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
23f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
24f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/Checker.h"
25f4a2713aSLionel Sambuc #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
26f4a2713aSLionel Sambuc #include "llvm/Support/raw_ostream.h"
27f4a2713aSLionel Sambuc
28f4a2713aSLionel Sambuc using namespace clang;
29f4a2713aSLionel Sambuc using namespace ento;
30f4a2713aSLionel Sambuc
scan_ivar_release(Stmt * S,ObjCIvarDecl * ID,const ObjCPropertyDecl * PD,Selector Release,IdentifierInfo * SelfII,ASTContext & Ctx)31f4a2713aSLionel Sambuc static bool scan_ivar_release(Stmt *S, ObjCIvarDecl *ID,
32f4a2713aSLionel Sambuc const ObjCPropertyDecl *PD,
33f4a2713aSLionel Sambuc Selector Release,
34f4a2713aSLionel Sambuc IdentifierInfo* SelfII,
35f4a2713aSLionel Sambuc ASTContext &Ctx) {
36f4a2713aSLionel Sambuc
37f4a2713aSLionel Sambuc // [mMyIvar release]
38f4a2713aSLionel Sambuc if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S))
39f4a2713aSLionel Sambuc if (ME->getSelector() == Release)
40f4a2713aSLionel Sambuc if (ME->getInstanceReceiver())
41f4a2713aSLionel Sambuc if (Expr *Receiver = ME->getInstanceReceiver()->IgnoreParenCasts())
42f4a2713aSLionel Sambuc if (ObjCIvarRefExpr *E = dyn_cast<ObjCIvarRefExpr>(Receiver))
43f4a2713aSLionel Sambuc if (E->getDecl() == ID)
44f4a2713aSLionel Sambuc return true;
45f4a2713aSLionel Sambuc
46f4a2713aSLionel Sambuc // [self setMyIvar:nil];
47f4a2713aSLionel Sambuc if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S))
48f4a2713aSLionel Sambuc if (ME->getInstanceReceiver())
49f4a2713aSLionel Sambuc if (Expr *Receiver = ME->getInstanceReceiver()->IgnoreParenCasts())
50f4a2713aSLionel Sambuc if (DeclRefExpr *E = dyn_cast<DeclRefExpr>(Receiver))
51f4a2713aSLionel Sambuc if (E->getDecl()->getIdentifier() == SelfII)
52f4a2713aSLionel Sambuc if (ME->getMethodDecl() == PD->getSetterMethodDecl() &&
53f4a2713aSLionel Sambuc ME->getNumArgs() == 1 &&
54f4a2713aSLionel Sambuc ME->getArg(0)->isNullPointerConstant(Ctx,
55f4a2713aSLionel Sambuc Expr::NPC_ValueDependentIsNull))
56f4a2713aSLionel Sambuc return true;
57f4a2713aSLionel Sambuc
58f4a2713aSLionel Sambuc // self.myIvar = nil;
59f4a2713aSLionel Sambuc if (BinaryOperator* BO = dyn_cast<BinaryOperator>(S))
60f4a2713aSLionel Sambuc if (BO->isAssignmentOp())
61f4a2713aSLionel Sambuc if (ObjCPropertyRefExpr *PRE =
62f4a2713aSLionel Sambuc dyn_cast<ObjCPropertyRefExpr>(BO->getLHS()->IgnoreParenCasts()))
63f4a2713aSLionel Sambuc if (PRE->isExplicitProperty() && PRE->getExplicitProperty() == PD)
64f4a2713aSLionel Sambuc if (BO->getRHS()->isNullPointerConstant(Ctx,
65f4a2713aSLionel Sambuc Expr::NPC_ValueDependentIsNull)) {
66f4a2713aSLionel Sambuc // This is only a 'release' if the property kind is not
67f4a2713aSLionel Sambuc // 'assign'.
68f4a2713aSLionel Sambuc return PD->getSetterKind() != ObjCPropertyDecl::Assign;
69f4a2713aSLionel Sambuc }
70f4a2713aSLionel Sambuc
71f4a2713aSLionel Sambuc // Recurse to children.
72f4a2713aSLionel Sambuc for (Stmt::child_iterator I = S->child_begin(), E= S->child_end(); I!=E; ++I)
73f4a2713aSLionel Sambuc if (*I && scan_ivar_release(*I, ID, PD, Release, SelfII, Ctx))
74f4a2713aSLionel Sambuc return true;
75f4a2713aSLionel Sambuc
76f4a2713aSLionel Sambuc return false;
77f4a2713aSLionel Sambuc }
78f4a2713aSLionel Sambuc
checkObjCDealloc(const CheckerBase * Checker,const ObjCImplementationDecl * D,const LangOptions & LOpts,BugReporter & BR)79*0a6a1f1dSLionel Sambuc static void checkObjCDealloc(const CheckerBase *Checker,
80*0a6a1f1dSLionel Sambuc const ObjCImplementationDecl *D,
81f4a2713aSLionel Sambuc const LangOptions &LOpts, BugReporter &BR) {
82f4a2713aSLionel Sambuc
83f4a2713aSLionel Sambuc assert (LOpts.getGC() != LangOptions::GCOnly);
84f4a2713aSLionel Sambuc
85f4a2713aSLionel Sambuc ASTContext &Ctx = BR.getContext();
86f4a2713aSLionel Sambuc const ObjCInterfaceDecl *ID = D->getClassInterface();
87f4a2713aSLionel Sambuc
88f4a2713aSLionel Sambuc // Does the class contain any ivars that are pointers (or id<...>)?
89f4a2713aSLionel Sambuc // If not, skip the check entirely.
90f4a2713aSLionel Sambuc // NOTE: This is motivated by PR 2517:
91f4a2713aSLionel Sambuc // http://llvm.org/bugs/show_bug.cgi?id=2517
92f4a2713aSLionel Sambuc
93f4a2713aSLionel Sambuc bool containsPointerIvar = false;
94f4a2713aSLionel Sambuc
95*0a6a1f1dSLionel Sambuc for (const auto *Ivar : ID->ivars()) {
96*0a6a1f1dSLionel Sambuc QualType T = Ivar->getType();
97f4a2713aSLionel Sambuc
98f4a2713aSLionel Sambuc if (!T->isObjCObjectPointerType() ||
99*0a6a1f1dSLionel Sambuc Ivar->hasAttr<IBOutletAttr>() || // Skip IBOutlets.
100*0a6a1f1dSLionel Sambuc Ivar->hasAttr<IBOutletCollectionAttr>()) // Skip IBOutletCollections.
101f4a2713aSLionel Sambuc continue;
102f4a2713aSLionel Sambuc
103f4a2713aSLionel Sambuc containsPointerIvar = true;
104f4a2713aSLionel Sambuc break;
105f4a2713aSLionel Sambuc }
106f4a2713aSLionel Sambuc
107f4a2713aSLionel Sambuc if (!containsPointerIvar)
108f4a2713aSLionel Sambuc return;
109f4a2713aSLionel Sambuc
110f4a2713aSLionel Sambuc // Determine if the class subclasses NSObject.
111f4a2713aSLionel Sambuc IdentifierInfo* NSObjectII = &Ctx.Idents.get("NSObject");
112f4a2713aSLionel Sambuc IdentifierInfo* SenTestCaseII = &Ctx.Idents.get("SenTestCase");
113f4a2713aSLionel Sambuc
114f4a2713aSLionel Sambuc
115f4a2713aSLionel Sambuc for ( ; ID ; ID = ID->getSuperClass()) {
116f4a2713aSLionel Sambuc IdentifierInfo *II = ID->getIdentifier();
117f4a2713aSLionel Sambuc
118f4a2713aSLionel Sambuc if (II == NSObjectII)
119f4a2713aSLionel Sambuc break;
120f4a2713aSLionel Sambuc
121f4a2713aSLionel Sambuc // FIXME: For now, ignore classes that subclass SenTestCase, as these don't
122f4a2713aSLionel Sambuc // need to implement -dealloc. They implement tear down in another way,
123f4a2713aSLionel Sambuc // which we should try and catch later.
124f4a2713aSLionel Sambuc // http://llvm.org/bugs/show_bug.cgi?id=3187
125f4a2713aSLionel Sambuc if (II == SenTestCaseII)
126f4a2713aSLionel Sambuc return;
127f4a2713aSLionel Sambuc }
128f4a2713aSLionel Sambuc
129f4a2713aSLionel Sambuc if (!ID)
130f4a2713aSLionel Sambuc return;
131f4a2713aSLionel Sambuc
132f4a2713aSLionel Sambuc // Get the "dealloc" selector.
133f4a2713aSLionel Sambuc IdentifierInfo* II = &Ctx.Idents.get("dealloc");
134f4a2713aSLionel Sambuc Selector S = Ctx.Selectors.getSelector(0, &II);
135*0a6a1f1dSLionel Sambuc const ObjCMethodDecl *MD = nullptr;
136f4a2713aSLionel Sambuc
137f4a2713aSLionel Sambuc // Scan the instance methods for "dealloc".
138*0a6a1f1dSLionel Sambuc for (const auto *I : D->instance_methods()) {
139*0a6a1f1dSLionel Sambuc if (I->getSelector() == S) {
140*0a6a1f1dSLionel Sambuc MD = I;
141f4a2713aSLionel Sambuc break;
142f4a2713aSLionel Sambuc }
143f4a2713aSLionel Sambuc }
144f4a2713aSLionel Sambuc
145f4a2713aSLionel Sambuc PathDiagnosticLocation DLoc =
146f4a2713aSLionel Sambuc PathDiagnosticLocation::createBegin(D, BR.getSourceManager());
147f4a2713aSLionel Sambuc
148f4a2713aSLionel Sambuc if (!MD) { // No dealloc found.
149f4a2713aSLionel Sambuc
150f4a2713aSLionel Sambuc const char* name = LOpts.getGC() == LangOptions::NonGC
151f4a2713aSLionel Sambuc ? "missing -dealloc"
152f4a2713aSLionel Sambuc : "missing -dealloc (Hybrid MM, non-GC)";
153f4a2713aSLionel Sambuc
154f4a2713aSLionel Sambuc std::string buf;
155f4a2713aSLionel Sambuc llvm::raw_string_ostream os(buf);
156f4a2713aSLionel Sambuc os << "Objective-C class '" << *D << "' lacks a 'dealloc' instance method";
157f4a2713aSLionel Sambuc
158*0a6a1f1dSLionel Sambuc BR.EmitBasicReport(D, Checker, name, categories::CoreFoundationObjectiveC,
159f4a2713aSLionel Sambuc os.str(), DLoc);
160f4a2713aSLionel Sambuc return;
161f4a2713aSLionel Sambuc }
162f4a2713aSLionel Sambuc
163f4a2713aSLionel Sambuc // Get the "release" selector.
164f4a2713aSLionel Sambuc IdentifierInfo* RII = &Ctx.Idents.get("release");
165f4a2713aSLionel Sambuc Selector RS = Ctx.Selectors.getSelector(0, &RII);
166f4a2713aSLionel Sambuc
167f4a2713aSLionel Sambuc // Get the "self" identifier
168f4a2713aSLionel Sambuc IdentifierInfo* SelfII = &Ctx.Idents.get("self");
169f4a2713aSLionel Sambuc
170f4a2713aSLionel Sambuc // Scan for missing and extra releases of ivars used by implementations
171f4a2713aSLionel Sambuc // of synthesized properties
172*0a6a1f1dSLionel Sambuc for (const auto *I : D->property_impls()) {
173f4a2713aSLionel Sambuc // We can only check the synthesized properties
174f4a2713aSLionel Sambuc if (I->getPropertyImplementation() != ObjCPropertyImplDecl::Synthesize)
175f4a2713aSLionel Sambuc continue;
176f4a2713aSLionel Sambuc
177f4a2713aSLionel Sambuc ObjCIvarDecl *ID = I->getPropertyIvarDecl();
178f4a2713aSLionel Sambuc if (!ID)
179f4a2713aSLionel Sambuc continue;
180f4a2713aSLionel Sambuc
181f4a2713aSLionel Sambuc QualType T = ID->getType();
182f4a2713aSLionel Sambuc if (!T->isObjCObjectPointerType()) // Skip non-pointer ivars
183f4a2713aSLionel Sambuc continue;
184f4a2713aSLionel Sambuc
185f4a2713aSLionel Sambuc const ObjCPropertyDecl *PD = I->getPropertyDecl();
186f4a2713aSLionel Sambuc if (!PD)
187f4a2713aSLionel Sambuc continue;
188f4a2713aSLionel Sambuc
189f4a2713aSLionel Sambuc // ivars cannot be set via read-only properties, so we'll skip them
190f4a2713aSLionel Sambuc if (PD->isReadOnly())
191f4a2713aSLionel Sambuc continue;
192f4a2713aSLionel Sambuc
193f4a2713aSLionel Sambuc // ivar must be released if and only if the kind of setter was not 'assign'
194f4a2713aSLionel Sambuc bool requiresRelease = PD->getSetterKind() != ObjCPropertyDecl::Assign;
195f4a2713aSLionel Sambuc if (scan_ivar_release(MD->getBody(), ID, PD, RS, SelfII, Ctx)
196f4a2713aSLionel Sambuc != requiresRelease) {
197*0a6a1f1dSLionel Sambuc const char *name = nullptr;
198f4a2713aSLionel Sambuc std::string buf;
199f4a2713aSLionel Sambuc llvm::raw_string_ostream os(buf);
200f4a2713aSLionel Sambuc
201f4a2713aSLionel Sambuc if (requiresRelease) {
202f4a2713aSLionel Sambuc name = LOpts.getGC() == LangOptions::NonGC
203f4a2713aSLionel Sambuc ? "missing ivar release (leak)"
204f4a2713aSLionel Sambuc : "missing ivar release (Hybrid MM, non-GC)";
205f4a2713aSLionel Sambuc
206f4a2713aSLionel Sambuc os << "The '" << *ID
207f4a2713aSLionel Sambuc << "' instance variable was retained by a synthesized property but "
208f4a2713aSLionel Sambuc "wasn't released in 'dealloc'";
209f4a2713aSLionel Sambuc } else {
210f4a2713aSLionel Sambuc name = LOpts.getGC() == LangOptions::NonGC
211f4a2713aSLionel Sambuc ? "extra ivar release (use-after-release)"
212f4a2713aSLionel Sambuc : "extra ivar release (Hybrid MM, non-GC)";
213f4a2713aSLionel Sambuc
214f4a2713aSLionel Sambuc os << "The '" << *ID
215f4a2713aSLionel Sambuc << "' instance variable was not retained by a synthesized property "
216f4a2713aSLionel Sambuc "but was released in 'dealloc'";
217f4a2713aSLionel Sambuc }
218f4a2713aSLionel Sambuc
219f4a2713aSLionel Sambuc PathDiagnosticLocation SDLoc =
220*0a6a1f1dSLionel Sambuc PathDiagnosticLocation::createBegin(I, BR.getSourceManager());
221f4a2713aSLionel Sambuc
222*0a6a1f1dSLionel Sambuc BR.EmitBasicReport(MD, Checker, name,
223*0a6a1f1dSLionel Sambuc categories::CoreFoundationObjectiveC, os.str(), SDLoc);
224f4a2713aSLionel Sambuc }
225f4a2713aSLionel Sambuc }
226f4a2713aSLionel Sambuc }
227f4a2713aSLionel Sambuc
228f4a2713aSLionel Sambuc //===----------------------------------------------------------------------===//
229f4a2713aSLionel Sambuc // ObjCDeallocChecker
230f4a2713aSLionel Sambuc //===----------------------------------------------------------------------===//
231f4a2713aSLionel Sambuc
232f4a2713aSLionel Sambuc namespace {
233f4a2713aSLionel Sambuc class ObjCDeallocChecker : public Checker<
234f4a2713aSLionel Sambuc check::ASTDecl<ObjCImplementationDecl> > {
235f4a2713aSLionel Sambuc public:
checkASTDecl(const ObjCImplementationDecl * D,AnalysisManager & mgr,BugReporter & BR) const236f4a2713aSLionel Sambuc void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr,
237f4a2713aSLionel Sambuc BugReporter &BR) const {
238f4a2713aSLionel Sambuc if (mgr.getLangOpts().getGC() == LangOptions::GCOnly)
239f4a2713aSLionel Sambuc return;
240*0a6a1f1dSLionel Sambuc checkObjCDealloc(this, cast<ObjCImplementationDecl>(D), mgr.getLangOpts(),
241*0a6a1f1dSLionel Sambuc BR);
242f4a2713aSLionel Sambuc }
243f4a2713aSLionel Sambuc };
244f4a2713aSLionel Sambuc }
245f4a2713aSLionel Sambuc
registerObjCDeallocChecker(CheckerManager & mgr)246f4a2713aSLionel Sambuc void ento::registerObjCDeallocChecker(CheckerManager &mgr) {
247f4a2713aSLionel Sambuc mgr.registerChecker<ObjCDeallocChecker>();
248f4a2713aSLionel Sambuc }
249