1 //==-- RetainCountChecker.cpp - Checks for leaks and other issues -*- C++ -*--//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 //  This file defines the methods for RetainCountChecker, which implements
11 //  a reference count checker for Core Foundation and Cocoa on (Mac OS X).
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "AllocationDiagnostics.h"
17 #include "SelectorExtras.h"
18 #include "clang/AST/Attr.h"
19 #include "clang/AST/DeclCXX.h"
20 #include "clang/AST/DeclObjC.h"
21 #include "clang/AST/ParentMap.h"
22 #include "clang/Analysis/DomainSpecific/CocoaConventions.h"
23 #include "clang/Basic/LangOptions.h"
24 #include "clang/Basic/SourceManager.h"
25 #include "clang/StaticAnalyzer/Checkers/ObjCRetainCount.h"
26 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
27 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
28 #include "clang/StaticAnalyzer/Core/Checker.h"
29 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
30 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
31 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
32 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
33 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
34 #include "llvm/ADT/DenseMap.h"
35 #include "llvm/ADT/FoldingSet.h"
36 #include "llvm/ADT/ImmutableList.h"
37 #include "llvm/ADT/ImmutableMap.h"
38 #include "llvm/ADT/STLExtras.h"
39 #include "llvm/ADT/SmallString.h"
40 #include "llvm/ADT/StringExtras.h"
41 #include <cstdarg>
42 
43 using namespace clang;
44 using namespace ento;
45 using namespace objc_retain;
46 using llvm::StrInStrNoCase;
47 
48 //===----------------------------------------------------------------------===//
49 // Adapters for FoldingSet.
50 //===----------------------------------------------------------------------===//
51 
52 namespace llvm {
53 template <> struct FoldingSetTrait<ArgEffect> {
Profilellvm::FoldingSetTrait54 static inline void Profile(const ArgEffect X, FoldingSetNodeID &ID) {
55   ID.AddInteger((unsigned) X);
56 }
57 };
58 template <> struct FoldingSetTrait<RetEffect> {
Profilellvm::FoldingSetTrait59   static inline void Profile(const RetEffect &X, FoldingSetNodeID &ID) {
60     ID.AddInteger((unsigned) X.getKind());
61     ID.AddInteger((unsigned) X.getObjKind());
62 }
63 };
64 } // end llvm namespace
65 
66 //===----------------------------------------------------------------------===//
67 // Reference-counting logic (typestate + counts).
68 //===----------------------------------------------------------------------===//
69 
70 /// ArgEffects summarizes the effects of a function/method call on all of
71 /// its arguments.
72 typedef llvm::ImmutableMap<unsigned,ArgEffect> ArgEffects;
73 
74 namespace {
75 class RefVal {
76 public:
77   enum Kind {
78     Owned = 0, // Owning reference.
79     NotOwned,  // Reference is not owned by still valid (not freed).
80     Released,  // Object has been released.
81     ReturnedOwned, // Returned object passes ownership to caller.
82     ReturnedNotOwned, // Return object does not pass ownership to caller.
83     ERROR_START,
84     ErrorDeallocNotOwned, // -dealloc called on non-owned object.
85     ErrorDeallocGC, // Calling -dealloc with GC enabled.
86     ErrorUseAfterRelease, // Object used after released.
87     ErrorReleaseNotOwned, // Release of an object that was not owned.
88     ERROR_LEAK_START,
89     ErrorLeak,  // A memory leak due to excessive reference counts.
90     ErrorLeakReturned, // A memory leak due to the returning method not having
91                        // the correct naming conventions.
92     ErrorGCLeakReturned,
93     ErrorOverAutorelease,
94     ErrorReturnedNotOwned
95   };
96 
97   /// Tracks how an object referenced by an ivar has been used.
98   ///
99   /// This accounts for us not knowing if an arbitrary ivar is supposed to be
100   /// stored at +0 or +1.
101   enum class IvarAccessHistory {
102     None,
103     AccessedDirectly,
104     ReleasedAfterDirectAccess
105   };
106 
107 private:
108   /// The number of outstanding retains.
109   unsigned Cnt;
110   /// The number of outstanding autoreleases.
111   unsigned ACnt;
112   /// The (static) type of the object at the time we started tracking it.
113   QualType T;
114 
115   /// The current state of the object.
116   ///
117   /// See the RefVal::Kind enum for possible values.
118   unsigned RawKind : 5;
119 
120   /// The kind of object being tracked (CF or ObjC), if known.
121   ///
122   /// See the RetEffect::ObjKind enum for possible values.
123   unsigned RawObjectKind : 2;
124 
125   /// True if the current state and/or retain count may turn out to not be the
126   /// best possible approximation of the reference counting state.
127   ///
128   /// If true, the checker may decide to throw away ("override") this state
129   /// in favor of something else when it sees the object being used in new ways.
130   ///
131   /// This setting should not be propagated to state derived from this state.
132   /// Once we start deriving new states, it would be inconsistent to override
133   /// them.
134   unsigned RawIvarAccessHistory : 2;
135 
RefVal(Kind k,RetEffect::ObjKind o,unsigned cnt,unsigned acnt,QualType t,IvarAccessHistory IvarAccess)136   RefVal(Kind k, RetEffect::ObjKind o, unsigned cnt, unsigned acnt, QualType t,
137          IvarAccessHistory IvarAccess)
138     : Cnt(cnt), ACnt(acnt), T(t), RawKind(static_cast<unsigned>(k)),
139       RawObjectKind(static_cast<unsigned>(o)),
140       RawIvarAccessHistory(static_cast<unsigned>(IvarAccess)) {
141     assert(getKind() == k && "not enough bits for the kind");
142     assert(getObjKind() == o && "not enough bits for the object kind");
143     assert(getIvarAccessHistory() == IvarAccess && "not enough bits");
144   }
145 
146 public:
getKind() const147   Kind getKind() const { return static_cast<Kind>(RawKind); }
148 
getObjKind() const149   RetEffect::ObjKind getObjKind() const {
150     return static_cast<RetEffect::ObjKind>(RawObjectKind);
151   }
152 
getCount() const153   unsigned getCount() const { return Cnt; }
getAutoreleaseCount() const154   unsigned getAutoreleaseCount() const { return ACnt; }
getCombinedCounts() const155   unsigned getCombinedCounts() const { return Cnt + ACnt; }
clearCounts()156   void clearCounts() {
157     Cnt = 0;
158     ACnt = 0;
159   }
setCount(unsigned i)160   void setCount(unsigned i) {
161     Cnt = i;
162   }
setAutoreleaseCount(unsigned i)163   void setAutoreleaseCount(unsigned i) {
164     ACnt = i;
165   }
166 
getType() const167   QualType getType() const { return T; }
168 
169   /// Returns what the analyzer knows about direct accesses to a particular
170   /// instance variable.
171   ///
172   /// If the object with this refcount wasn't originally from an Objective-C
173   /// ivar region, this should always return IvarAccessHistory::None.
getIvarAccessHistory() const174   IvarAccessHistory getIvarAccessHistory() const {
175     return static_cast<IvarAccessHistory>(RawIvarAccessHistory);
176   }
177 
isOwned() const178   bool isOwned() const {
179     return getKind() == Owned;
180   }
181 
isNotOwned() const182   bool isNotOwned() const {
183     return getKind() == NotOwned;
184   }
185 
isReturnedOwned() const186   bool isReturnedOwned() const {
187     return getKind() == ReturnedOwned;
188   }
189 
isReturnedNotOwned() const190   bool isReturnedNotOwned() const {
191     return getKind() == ReturnedNotOwned;
192   }
193 
194   /// Create a state for an object whose lifetime is the responsibility of the
195   /// current function, at least partially.
196   ///
197   /// Most commonly, this is an owned object with a retain count of +1.
makeOwned(RetEffect::ObjKind o,QualType t,unsigned Count=1)198   static RefVal makeOwned(RetEffect::ObjKind o, QualType t,
199                           unsigned Count = 1) {
200     return RefVal(Owned, o, Count, 0, t, IvarAccessHistory::None);
201   }
202 
203   /// Create a state for an object whose lifetime is not the responsibility of
204   /// the current function.
205   ///
206   /// Most commonly, this is an unowned object with a retain count of +0.
makeNotOwned(RetEffect::ObjKind o,QualType t,unsigned Count=0)207   static RefVal makeNotOwned(RetEffect::ObjKind o, QualType t,
208                              unsigned Count = 0) {
209     return RefVal(NotOwned, o, Count, 0, t, IvarAccessHistory::None);
210   }
211 
operator -(size_t i) const212   RefVal operator-(size_t i) const {
213     return RefVal(getKind(), getObjKind(), getCount() - i,
214                   getAutoreleaseCount(), getType(), getIvarAccessHistory());
215   }
216 
operator +(size_t i) const217   RefVal operator+(size_t i) const {
218     return RefVal(getKind(), getObjKind(), getCount() + i,
219                   getAutoreleaseCount(), getType(), getIvarAccessHistory());
220   }
221 
operator ^(Kind k) const222   RefVal operator^(Kind k) const {
223     return RefVal(k, getObjKind(), getCount(), getAutoreleaseCount(),
224                   getType(), getIvarAccessHistory());
225   }
226 
autorelease() const227   RefVal autorelease() const {
228     return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount()+1,
229                   getType(), getIvarAccessHistory());
230   }
231 
withIvarAccess() const232   RefVal withIvarAccess() const {
233     assert(getIvarAccessHistory() == IvarAccessHistory::None);
234     return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(),
235                   getType(), IvarAccessHistory::AccessedDirectly);
236   }
237 
releaseViaIvar() const238   RefVal releaseViaIvar() const {
239     assert(getIvarAccessHistory() == IvarAccessHistory::AccessedDirectly);
240     return RefVal(getKind(), getObjKind(), getCount(), getAutoreleaseCount(),
241                   getType(), IvarAccessHistory::ReleasedAfterDirectAccess);
242   }
243 
244   // Comparison, profiling, and pretty-printing.
245 
hasSameState(const RefVal & X) const246   bool hasSameState(const RefVal &X) const {
247     return getKind() == X.getKind() && Cnt == X.Cnt && ACnt == X.ACnt &&
248            getIvarAccessHistory() == X.getIvarAccessHistory();
249   }
250 
operator ==(const RefVal & X) const251   bool operator==(const RefVal& X) const {
252     return T == X.T && hasSameState(X) && getObjKind() == X.getObjKind();
253   }
254 
Profile(llvm::FoldingSetNodeID & ID) const255   void Profile(llvm::FoldingSetNodeID& ID) const {
256     ID.Add(T);
257     ID.AddInteger(RawKind);
258     ID.AddInteger(Cnt);
259     ID.AddInteger(ACnt);
260     ID.AddInteger(RawObjectKind);
261     ID.AddInteger(RawIvarAccessHistory);
262   }
263 
264   void print(raw_ostream &Out) const;
265 };
266 
print(raw_ostream & Out) const267 void RefVal::print(raw_ostream &Out) const {
268   if (!T.isNull())
269     Out << "Tracked " << T.getAsString() << '/';
270 
271   switch (getKind()) {
272     default: llvm_unreachable("Invalid RefVal kind");
273     case Owned: {
274       Out << "Owned";
275       unsigned cnt = getCount();
276       if (cnt) Out << " (+ " << cnt << ")";
277       break;
278     }
279 
280     case NotOwned: {
281       Out << "NotOwned";
282       unsigned cnt = getCount();
283       if (cnt) Out << " (+ " << cnt << ")";
284       break;
285     }
286 
287     case ReturnedOwned: {
288       Out << "ReturnedOwned";
289       unsigned cnt = getCount();
290       if (cnt) Out << " (+ " << cnt << ")";
291       break;
292     }
293 
294     case ReturnedNotOwned: {
295       Out << "ReturnedNotOwned";
296       unsigned cnt = getCount();
297       if (cnt) Out << " (+ " << cnt << ")";
298       break;
299     }
300 
301     case Released:
302       Out << "Released";
303       break;
304 
305     case ErrorDeallocGC:
306       Out << "-dealloc (GC)";
307       break;
308 
309     case ErrorDeallocNotOwned:
310       Out << "-dealloc (not-owned)";
311       break;
312 
313     case ErrorLeak:
314       Out << "Leaked";
315       break;
316 
317     case ErrorLeakReturned:
318       Out << "Leaked (Bad naming)";
319       break;
320 
321     case ErrorGCLeakReturned:
322       Out << "Leaked (GC-ed at return)";
323       break;
324 
325     case ErrorUseAfterRelease:
326       Out << "Use-After-Release [ERROR]";
327       break;
328 
329     case ErrorReleaseNotOwned:
330       Out << "Release of Not-Owned [ERROR]";
331       break;
332 
333     case RefVal::ErrorOverAutorelease:
334       Out << "Over-autoreleased";
335       break;
336 
337     case RefVal::ErrorReturnedNotOwned:
338       Out << "Non-owned object returned instead of owned";
339       break;
340   }
341 
342   switch (getIvarAccessHistory()) {
343   case IvarAccessHistory::None:
344     break;
345   case IvarAccessHistory::AccessedDirectly:
346     Out << " [direct ivar access]";
347     break;
348   case IvarAccessHistory::ReleasedAfterDirectAccess:
349     Out << " [released after direct ivar access]";
350   }
351 
352   if (ACnt) {
353     Out << " [autorelease -" << ACnt << ']';
354   }
355 }
356 } //end anonymous namespace
357 
358 //===----------------------------------------------------------------------===//
359 // RefBindings - State used to track object reference counts.
360 //===----------------------------------------------------------------------===//
361 
REGISTER_MAP_WITH_PROGRAMSTATE(RefBindings,SymbolRef,RefVal) const362 REGISTER_MAP_WITH_PROGRAMSTATE(RefBindings, SymbolRef, RefVal)
363 
364 static inline const RefVal *getRefBinding(ProgramStateRef State,
365                                           SymbolRef Sym) {
366   return State->get<RefBindings>(Sym);
367 }
368 
setRefBinding(ProgramStateRef State,SymbolRef Sym,RefVal Val)369 static inline ProgramStateRef setRefBinding(ProgramStateRef State,
370                                             SymbolRef Sym, RefVal Val) {
371   return State->set<RefBindings>(Sym, Val);
372 }
373 
removeRefBinding(ProgramStateRef State,SymbolRef Sym)374 static ProgramStateRef removeRefBinding(ProgramStateRef State, SymbolRef Sym) {
375   return State->remove<RefBindings>(Sym);
376 }
377 
378 //===----------------------------------------------------------------------===//
379 // Function/Method behavior summaries.
380 //===----------------------------------------------------------------------===//
381 
382 namespace {
383 class RetainSummary {
384   /// Args - a map of (index, ArgEffect) pairs, where index
385   ///  specifies the argument (starting from 0).  This can be sparsely
386   ///  populated; arguments with no entry in Args use 'DefaultArgEffect'.
387   ArgEffects Args;
388 
389   /// DefaultArgEffect - The default ArgEffect to apply to arguments that
390   ///  do not have an entry in Args.
391   ArgEffect DefaultArgEffect;
392 
393   /// Receiver - If this summary applies to an Objective-C message expression,
394   ///  this is the effect applied to the state of the receiver.
395   ArgEffect Receiver;
396 
397   /// Ret - The effect on the return value.  Used to indicate if the
398   ///  function/method call returns a new tracked symbol.
399   RetEffect Ret;
400 
401 public:
RetainSummary(ArgEffects A,RetEffect R,ArgEffect defaultEff,ArgEffect ReceiverEff)402   RetainSummary(ArgEffects A, RetEffect R, ArgEffect defaultEff,
403                 ArgEffect ReceiverEff)
404     : Args(A), DefaultArgEffect(defaultEff), Receiver(ReceiverEff), Ret(R) {}
405 
406   /// getArg - Return the argument effect on the argument specified by
407   ///  idx (starting from 0).
getArg(unsigned idx) const408   ArgEffect getArg(unsigned idx) const {
409     if (const ArgEffect *AE = Args.lookup(idx))
410       return *AE;
411 
412     return DefaultArgEffect;
413   }
414 
addArg(ArgEffects::Factory & af,unsigned idx,ArgEffect e)415   void addArg(ArgEffects::Factory &af, unsigned idx, ArgEffect e) {
416     Args = af.add(Args, idx, e);
417   }
418 
419   /// setDefaultArgEffect - Set the default argument effect.
setDefaultArgEffect(ArgEffect E)420   void setDefaultArgEffect(ArgEffect E) {
421     DefaultArgEffect = E;
422   }
423 
424   /// getRetEffect - Returns the effect on the return value of the call.
getRetEffect() const425   RetEffect getRetEffect() const { return Ret; }
426 
427   /// setRetEffect - Set the effect of the return value of the call.
setRetEffect(RetEffect E)428   void setRetEffect(RetEffect E) { Ret = E; }
429 
430 
431   /// Sets the effect on the receiver of the message.
setReceiverEffect(ArgEffect e)432   void setReceiverEffect(ArgEffect e) { Receiver = e; }
433 
434   /// getReceiverEffect - Returns the effect on the receiver of the call.
435   ///  This is only meaningful if the summary applies to an ObjCMessageExpr*.
getReceiverEffect() const436   ArgEffect getReceiverEffect() const { return Receiver; }
437 
438   /// Test if two retain summaries are identical. Note that merely equivalent
439   /// summaries are not necessarily identical (for example, if an explicit
440   /// argument effect matches the default effect).
operator ==(const RetainSummary & Other) const441   bool operator==(const RetainSummary &Other) const {
442     return Args == Other.Args && DefaultArgEffect == Other.DefaultArgEffect &&
443            Receiver == Other.Receiver && Ret == Other.Ret;
444   }
445 
446   /// Profile this summary for inclusion in a FoldingSet.
Profile(llvm::FoldingSetNodeID & ID) const447   void Profile(llvm::FoldingSetNodeID& ID) const {
448     ID.Add(Args);
449     ID.Add(DefaultArgEffect);
450     ID.Add(Receiver);
451     ID.Add(Ret);
452   }
453 
454   /// A retain summary is simple if it has no ArgEffects other than the default.
isSimple() const455   bool isSimple() const {
456     return Args.isEmpty();
457   }
458 
459 private:
getArgEffects() const460   ArgEffects getArgEffects() const { return Args; }
getDefaultArgEffect() const461   ArgEffect getDefaultArgEffect() const { return DefaultArgEffect; }
462 
463   friend class RetainSummaryManager;
464 };
465 } // end anonymous namespace
466 
467 //===----------------------------------------------------------------------===//
468 // Data structures for constructing summaries.
469 //===----------------------------------------------------------------------===//
470 
471 namespace {
472 class ObjCSummaryKey {
473   IdentifierInfo* II;
474   Selector S;
475 public:
ObjCSummaryKey(IdentifierInfo * ii,Selector s)476   ObjCSummaryKey(IdentifierInfo* ii, Selector s)
477     : II(ii), S(s) {}
478 
ObjCSummaryKey(const ObjCInterfaceDecl * d,Selector s)479   ObjCSummaryKey(const ObjCInterfaceDecl *d, Selector s)
480     : II(d ? d->getIdentifier() : nullptr), S(s) {}
481 
ObjCSummaryKey(Selector s)482   ObjCSummaryKey(Selector s)
483     : II(nullptr), S(s) {}
484 
getIdentifier() const485   IdentifierInfo *getIdentifier() const { return II; }
getSelector() const486   Selector getSelector() const { return S; }
487 };
488 } // end anonymous namespace
489 
490 namespace llvm {
491 template <> struct DenseMapInfo<ObjCSummaryKey> {
getEmptyKeyllvm::DenseMapInfo492   static inline ObjCSummaryKey getEmptyKey() {
493     return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getEmptyKey(),
494                           DenseMapInfo<Selector>::getEmptyKey());
495   }
496 
getTombstoneKeyllvm::DenseMapInfo497   static inline ObjCSummaryKey getTombstoneKey() {
498     return ObjCSummaryKey(DenseMapInfo<IdentifierInfo*>::getTombstoneKey(),
499                           DenseMapInfo<Selector>::getTombstoneKey());
500   }
501 
getHashValuellvm::DenseMapInfo502   static unsigned getHashValue(const ObjCSummaryKey &V) {
503     typedef std::pair<IdentifierInfo*, Selector> PairTy;
504     return DenseMapInfo<PairTy>::getHashValue(PairTy(V.getIdentifier(),
505                                                      V.getSelector()));
506   }
507 
isEqualllvm::DenseMapInfo508   static bool isEqual(const ObjCSummaryKey& LHS, const ObjCSummaryKey& RHS) {
509     return LHS.getIdentifier() == RHS.getIdentifier() &&
510            LHS.getSelector() == RHS.getSelector();
511   }
512 
513 };
514 } // end llvm namespace
515 
516 namespace {
517 class ObjCSummaryCache {
518   typedef llvm::DenseMap<ObjCSummaryKey, const RetainSummary *> MapTy;
519   MapTy M;
520 public:
ObjCSummaryCache()521   ObjCSummaryCache() {}
522 
find(const ObjCInterfaceDecl * D,Selector S)523   const RetainSummary * find(const ObjCInterfaceDecl *D, Selector S) {
524     // Do a lookup with the (D,S) pair.  If we find a match return
525     // the iterator.
526     ObjCSummaryKey K(D, S);
527     MapTy::iterator I = M.find(K);
528 
529     if (I != M.end())
530       return I->second;
531     if (!D)
532       return nullptr;
533 
534     // Walk the super chain.  If we find a hit with a parent, we'll end
535     // up returning that summary.  We actually allow that key (null,S), as
536     // we cache summaries for the null ObjCInterfaceDecl* to allow us to
537     // generate initial summaries without having to worry about NSObject
538     // being declared.
539     // FIXME: We may change this at some point.
540     for (ObjCInterfaceDecl *C=D->getSuperClass() ;; C=C->getSuperClass()) {
541       if ((I = M.find(ObjCSummaryKey(C, S))) != M.end())
542         break;
543 
544       if (!C)
545         return nullptr;
546     }
547 
548     // Cache the summary with original key to make the next lookup faster
549     // and return the iterator.
550     const RetainSummary *Summ = I->second;
551     M[K] = Summ;
552     return Summ;
553   }
554 
find(IdentifierInfo * II,Selector S)555   const RetainSummary *find(IdentifierInfo* II, Selector S) {
556     // FIXME: Class method lookup.  Right now we dont' have a good way
557     // of going between IdentifierInfo* and the class hierarchy.
558     MapTy::iterator I = M.find(ObjCSummaryKey(II, S));
559 
560     if (I == M.end())
561       I = M.find(ObjCSummaryKey(S));
562 
563     return I == M.end() ? nullptr : I->second;
564   }
565 
operator [](ObjCSummaryKey K)566   const RetainSummary *& operator[](ObjCSummaryKey K) {
567     return M[K];
568   }
569 
operator [](Selector S)570   const RetainSummary *& operator[](Selector S) {
571     return M[ ObjCSummaryKey(S) ];
572   }
573 };
574 } // end anonymous namespace
575 
576 //===----------------------------------------------------------------------===//
577 // Data structures for managing collections of summaries.
578 //===----------------------------------------------------------------------===//
579 
580 namespace {
581 class RetainSummaryManager {
582 
583   //==-----------------------------------------------------------------==//
584   //  Typedefs.
585   //==-----------------------------------------------------------------==//
586 
587   typedef llvm::DenseMap<const FunctionDecl*, const RetainSummary *>
588           FuncSummariesTy;
589 
590   typedef ObjCSummaryCache ObjCMethodSummariesTy;
591 
592   typedef llvm::FoldingSetNodeWrapper<RetainSummary> CachedSummaryNode;
593 
594   //==-----------------------------------------------------------------==//
595   //  Data.
596   //==-----------------------------------------------------------------==//
597 
598   /// Ctx - The ASTContext object for the analyzed ASTs.
599   ASTContext &Ctx;
600 
601   /// GCEnabled - Records whether or not the analyzed code runs in GC mode.
602   const bool GCEnabled;
603 
604   /// Records whether or not the analyzed code runs in ARC mode.
605   const bool ARCEnabled;
606 
607   /// FuncSummaries - A map from FunctionDecls to summaries.
608   FuncSummariesTy FuncSummaries;
609 
610   /// ObjCClassMethodSummaries - A map from selectors (for instance methods)
611   ///  to summaries.
612   ObjCMethodSummariesTy ObjCClassMethodSummaries;
613 
614   /// ObjCMethodSummaries - A map from selectors to summaries.
615   ObjCMethodSummariesTy ObjCMethodSummaries;
616 
617   /// BPAlloc - A BumpPtrAllocator used for allocating summaries, ArgEffects,
618   ///  and all other data used by the checker.
619   llvm::BumpPtrAllocator BPAlloc;
620 
621   /// AF - A factory for ArgEffects objects.
622   ArgEffects::Factory AF;
623 
624   /// ScratchArgs - A holding buffer for construct ArgEffects.
625   ArgEffects ScratchArgs;
626 
627   /// ObjCAllocRetE - Default return effect for methods returning Objective-C
628   ///  objects.
629   RetEffect ObjCAllocRetE;
630 
631   /// ObjCInitRetE - Default return effect for init methods returning
632   ///   Objective-C objects.
633   RetEffect ObjCInitRetE;
634 
635   /// SimpleSummaries - Used for uniquing summaries that don't have special
636   /// effects.
637   llvm::FoldingSet<CachedSummaryNode> SimpleSummaries;
638 
639   //==-----------------------------------------------------------------==//
640   //  Methods.
641   //==-----------------------------------------------------------------==//
642 
643   /// getArgEffects - Returns a persistent ArgEffects object based on the
644   ///  data in ScratchArgs.
645   ArgEffects getArgEffects();
646 
647   enum UnaryFuncKind { cfretain, cfrelease, cfautorelease, cfmakecollectable };
648 
649   const RetainSummary *getUnarySummary(const FunctionType* FT,
650                                        UnaryFuncKind func);
651 
652   const RetainSummary *getCFSummaryCreateRule(const FunctionDecl *FD);
653   const RetainSummary *getCFSummaryGetRule(const FunctionDecl *FD);
654   const RetainSummary *getCFCreateGetRuleSummary(const FunctionDecl *FD);
655 
656   const RetainSummary *getPersistentSummary(const RetainSummary &OldSumm);
657 
getPersistentSummary(RetEffect RetEff,ArgEffect ReceiverEff=DoNothing,ArgEffect DefaultEff=MayEscape)658   const RetainSummary *getPersistentSummary(RetEffect RetEff,
659                                             ArgEffect ReceiverEff = DoNothing,
660                                             ArgEffect DefaultEff = MayEscape) {
661     RetainSummary Summ(getArgEffects(), RetEff, DefaultEff, ReceiverEff);
662     return getPersistentSummary(Summ);
663   }
664 
getDoNothingSummary()665   const RetainSummary *getDoNothingSummary() {
666     return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
667   }
668 
getDefaultSummary()669   const RetainSummary *getDefaultSummary() {
670     return getPersistentSummary(RetEffect::MakeNoRet(),
671                                 DoNothing, MayEscape);
672   }
673 
getPersistentStopSummary()674   const RetainSummary *getPersistentStopSummary() {
675     return getPersistentSummary(RetEffect::MakeNoRet(),
676                                 StopTracking, StopTracking);
677   }
678 
679   void InitializeClassMethodSummaries();
680   void InitializeMethodSummaries();
681 private:
addNSObjectClsMethSummary(Selector S,const RetainSummary * Summ)682   void addNSObjectClsMethSummary(Selector S, const RetainSummary *Summ) {
683     ObjCClassMethodSummaries[S] = Summ;
684   }
685 
addNSObjectMethSummary(Selector S,const RetainSummary * Summ)686   void addNSObjectMethSummary(Selector S, const RetainSummary *Summ) {
687     ObjCMethodSummaries[S] = Summ;
688   }
689 
addClassMethSummary(const char * Cls,const char * name,const RetainSummary * Summ,bool isNullary=true)690   void addClassMethSummary(const char* Cls, const char* name,
691                            const RetainSummary *Summ, bool isNullary = true) {
692     IdentifierInfo* ClsII = &Ctx.Idents.get(Cls);
693     Selector S = isNullary ? GetNullarySelector(name, Ctx)
694                            : GetUnarySelector(name, Ctx);
695     ObjCClassMethodSummaries[ObjCSummaryKey(ClsII, S)]  = Summ;
696   }
697 
addInstMethSummary(const char * Cls,const char * nullaryName,const RetainSummary * Summ)698   void addInstMethSummary(const char* Cls, const char* nullaryName,
699                           const RetainSummary *Summ) {
700     IdentifierInfo* ClsII = &Ctx.Idents.get(Cls);
701     Selector S = GetNullarySelector(nullaryName, Ctx);
702     ObjCMethodSummaries[ObjCSummaryKey(ClsII, S)]  = Summ;
703   }
704 
addMethodSummary(IdentifierInfo * ClsII,ObjCMethodSummariesTy & Summaries,const RetainSummary * Summ,va_list argp)705   void addMethodSummary(IdentifierInfo *ClsII, ObjCMethodSummariesTy &Summaries,
706                         const RetainSummary *Summ, va_list argp) {
707     Selector S = getKeywordSelector(Ctx, argp);
708     Summaries[ObjCSummaryKey(ClsII, S)] = Summ;
709   }
710 
addInstMethSummary(const char * Cls,const RetainSummary * Summ,...)711   void addInstMethSummary(const char* Cls, const RetainSummary * Summ, ...) {
712     va_list argp;
713     va_start(argp, Summ);
714     addMethodSummary(&Ctx.Idents.get(Cls), ObjCMethodSummaries, Summ, argp);
715     va_end(argp);
716   }
717 
addClsMethSummary(const char * Cls,const RetainSummary * Summ,...)718   void addClsMethSummary(const char* Cls, const RetainSummary * Summ, ...) {
719     va_list argp;
720     va_start(argp, Summ);
721     addMethodSummary(&Ctx.Idents.get(Cls),ObjCClassMethodSummaries, Summ, argp);
722     va_end(argp);
723   }
724 
addClsMethSummary(IdentifierInfo * II,const RetainSummary * Summ,...)725   void addClsMethSummary(IdentifierInfo *II, const RetainSummary * Summ, ...) {
726     va_list argp;
727     va_start(argp, Summ);
728     addMethodSummary(II, ObjCClassMethodSummaries, Summ, argp);
729     va_end(argp);
730   }
731 
732 public:
733 
RetainSummaryManager(ASTContext & ctx,bool gcenabled,bool usesARC)734   RetainSummaryManager(ASTContext &ctx, bool gcenabled, bool usesARC)
735    : Ctx(ctx),
736      GCEnabled(gcenabled),
737      ARCEnabled(usesARC),
738      AF(BPAlloc), ScratchArgs(AF.getEmptyMap()),
739      ObjCAllocRetE(gcenabled
740                     ? RetEffect::MakeGCNotOwned()
741                     : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC)
742                                : RetEffect::MakeOwned(RetEffect::ObjC, true))),
743      ObjCInitRetE(gcenabled
744                     ? RetEffect::MakeGCNotOwned()
745                     : (usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC)
746                                : RetEffect::MakeOwnedWhenTrackedReceiver())) {
747     InitializeClassMethodSummaries();
748     InitializeMethodSummaries();
749   }
750 
751   const RetainSummary *getSummary(const CallEvent &Call,
752                                   ProgramStateRef State = nullptr);
753 
754   const RetainSummary *getFunctionSummary(const FunctionDecl *FD);
755 
756   const RetainSummary *getMethodSummary(Selector S, const ObjCInterfaceDecl *ID,
757                                         const ObjCMethodDecl *MD,
758                                         QualType RetTy,
759                                         ObjCMethodSummariesTy &CachedSummaries);
760 
761   const RetainSummary *getInstanceMethodSummary(const ObjCMethodCall &M,
762                                                 ProgramStateRef State);
763 
getClassMethodSummary(const ObjCMethodCall & M)764   const RetainSummary *getClassMethodSummary(const ObjCMethodCall &M) {
765     assert(!M.isInstanceMessage());
766     const ObjCInterfaceDecl *Class = M.getReceiverInterface();
767 
768     return getMethodSummary(M.getSelector(), Class, M.getDecl(),
769                             M.getResultType(), ObjCClassMethodSummaries);
770   }
771 
772   /// getMethodSummary - This version of getMethodSummary is used to query
773   ///  the summary for the current method being analyzed.
getMethodSummary(const ObjCMethodDecl * MD)774   const RetainSummary *getMethodSummary(const ObjCMethodDecl *MD) {
775     const ObjCInterfaceDecl *ID = MD->getClassInterface();
776     Selector S = MD->getSelector();
777     QualType ResultTy = MD->getReturnType();
778 
779     ObjCMethodSummariesTy *CachedSummaries;
780     if (MD->isInstanceMethod())
781       CachedSummaries = &ObjCMethodSummaries;
782     else
783       CachedSummaries = &ObjCClassMethodSummaries;
784 
785     return getMethodSummary(S, ID, MD, ResultTy, *CachedSummaries);
786   }
787 
788   const RetainSummary *getStandardMethodSummary(const ObjCMethodDecl *MD,
789                                                 Selector S, QualType RetTy);
790 
791   /// Determine if there is a special return effect for this function or method.
792   Optional<RetEffect> getRetEffectFromAnnotations(QualType RetTy,
793                                                   const Decl *D);
794 
795   void updateSummaryFromAnnotations(const RetainSummary *&Summ,
796                                     const ObjCMethodDecl *MD);
797 
798   void updateSummaryFromAnnotations(const RetainSummary *&Summ,
799                                     const FunctionDecl *FD);
800 
801   void updateSummaryForCall(const RetainSummary *&Summ,
802                             const CallEvent &Call);
803 
isGCEnabled() const804   bool isGCEnabled() const { return GCEnabled; }
805 
isARCEnabled() const806   bool isARCEnabled() const { return ARCEnabled; }
807 
isARCorGCEnabled() const808   bool isARCorGCEnabled() const { return GCEnabled || ARCEnabled; }
809 
getObjAllocRetEffect() const810   RetEffect getObjAllocRetEffect() const { return ObjCAllocRetE; }
811 
812   friend class RetainSummaryTemplate;
813 };
814 
815 // Used to avoid allocating long-term (BPAlloc'd) memory for default retain
816 // summaries. If a function or method looks like it has a default summary, but
817 // it has annotations, the annotations are added to the stack-based template
818 // and then copied into managed memory.
819 class RetainSummaryTemplate {
820   RetainSummaryManager &Manager;
821   const RetainSummary *&RealSummary;
822   RetainSummary ScratchSummary;
823   bool Accessed;
824 public:
RetainSummaryTemplate(const RetainSummary * & real,RetainSummaryManager & mgr)825   RetainSummaryTemplate(const RetainSummary *&real, RetainSummaryManager &mgr)
826     : Manager(mgr), RealSummary(real), ScratchSummary(*real), Accessed(false) {}
827 
~RetainSummaryTemplate()828   ~RetainSummaryTemplate() {
829     if (Accessed)
830       RealSummary = Manager.getPersistentSummary(ScratchSummary);
831   }
832 
operator *()833   RetainSummary &operator*() {
834     Accessed = true;
835     return ScratchSummary;
836   }
837 
operator ->()838   RetainSummary *operator->() {
839     Accessed = true;
840     return &ScratchSummary;
841   }
842 };
843 
844 } // end anonymous namespace
845 
846 //===----------------------------------------------------------------------===//
847 // Implementation of checker data structures.
848 //===----------------------------------------------------------------------===//
849 
getArgEffects()850 ArgEffects RetainSummaryManager::getArgEffects() {
851   ArgEffects AE = ScratchArgs;
852   ScratchArgs = AF.getEmptyMap();
853   return AE;
854 }
855 
856 const RetainSummary *
getPersistentSummary(const RetainSummary & OldSumm)857 RetainSummaryManager::getPersistentSummary(const RetainSummary &OldSumm) {
858   // Unique "simple" summaries -- those without ArgEffects.
859   if (OldSumm.isSimple()) {
860     llvm::FoldingSetNodeID ID;
861     OldSumm.Profile(ID);
862 
863     void *Pos;
864     CachedSummaryNode *N = SimpleSummaries.FindNodeOrInsertPos(ID, Pos);
865 
866     if (!N) {
867       N = (CachedSummaryNode *) BPAlloc.Allocate<CachedSummaryNode>();
868       new (N) CachedSummaryNode(OldSumm);
869       SimpleSummaries.InsertNode(N, Pos);
870     }
871 
872     return &N->getValue();
873   }
874 
875   RetainSummary *Summ = (RetainSummary *) BPAlloc.Allocate<RetainSummary>();
876   new (Summ) RetainSummary(OldSumm);
877   return Summ;
878 }
879 
880 //===----------------------------------------------------------------------===//
881 // Summary creation for functions (largely uses of Core Foundation).
882 //===----------------------------------------------------------------------===//
883 
isRetain(const FunctionDecl * FD,StringRef FName)884 static bool isRetain(const FunctionDecl *FD, StringRef FName) {
885   return FName.endswith("Retain");
886 }
887 
isRelease(const FunctionDecl * FD,StringRef FName)888 static bool isRelease(const FunctionDecl *FD, StringRef FName) {
889   return FName.endswith("Release");
890 }
891 
isAutorelease(const FunctionDecl * FD,StringRef FName)892 static bool isAutorelease(const FunctionDecl *FD, StringRef FName) {
893   return FName.endswith("Autorelease");
894 }
895 
isMakeCollectable(const FunctionDecl * FD,StringRef FName)896 static bool isMakeCollectable(const FunctionDecl *FD, StringRef FName) {
897   // FIXME: Remove FunctionDecl parameter.
898   // FIXME: Is it really okay if MakeCollectable isn't a suffix?
899   return FName.find("MakeCollectable") != StringRef::npos;
900 }
901 
getStopTrackingHardEquivalent(ArgEffect E)902 static ArgEffect getStopTrackingHardEquivalent(ArgEffect E) {
903   switch (E) {
904   case DoNothing:
905   case Autorelease:
906   case DecRefBridgedTransferred:
907   case IncRef:
908   case IncRefMsg:
909   case MakeCollectable:
910   case UnretainedOutParameter:
911   case RetainedOutParameter:
912   case MayEscape:
913   case StopTracking:
914   case StopTrackingHard:
915     return StopTrackingHard;
916   case DecRef:
917   case DecRefAndStopTrackingHard:
918     return DecRefAndStopTrackingHard;
919   case DecRefMsg:
920   case DecRefMsgAndStopTrackingHard:
921     return DecRefMsgAndStopTrackingHard;
922   case Dealloc:
923     return Dealloc;
924   }
925 
926   llvm_unreachable("Unknown ArgEffect kind");
927 }
928 
updateSummaryForCall(const RetainSummary * & S,const CallEvent & Call)929 void RetainSummaryManager::updateSummaryForCall(const RetainSummary *&S,
930                                                 const CallEvent &Call) {
931   if (Call.hasNonZeroCallbackArg()) {
932     ArgEffect RecEffect =
933       getStopTrackingHardEquivalent(S->getReceiverEffect());
934     ArgEffect DefEffect =
935       getStopTrackingHardEquivalent(S->getDefaultArgEffect());
936 
937     ArgEffects CustomArgEffects = S->getArgEffects();
938     for (ArgEffects::iterator I = CustomArgEffects.begin(),
939                               E = CustomArgEffects.end();
940          I != E; ++I) {
941       ArgEffect Translated = getStopTrackingHardEquivalent(I->second);
942       if (Translated != DefEffect)
943         ScratchArgs = AF.add(ScratchArgs, I->first, Translated);
944     }
945 
946     RetEffect RE = RetEffect::MakeNoRetHard();
947 
948     // Special cases where the callback argument CANNOT free the return value.
949     // This can generally only happen if we know that the callback will only be
950     // called when the return value is already being deallocated.
951     if (const SimpleFunctionCall *FC = dyn_cast<SimpleFunctionCall>(&Call)) {
952       if (IdentifierInfo *Name = FC->getDecl()->getIdentifier()) {
953         // When the CGBitmapContext is deallocated, the callback here will free
954         // the associated data buffer.
955         if (Name->isStr("CGBitmapContextCreateWithData"))
956           RE = S->getRetEffect();
957       }
958     }
959 
960     S = getPersistentSummary(RE, RecEffect, DefEffect);
961   }
962 
963   // Special case '[super init];' and '[self init];'
964   //
965   // Even though calling '[super init]' without assigning the result to self
966   // and checking if the parent returns 'nil' is a bad pattern, it is common.
967   // Additionally, our Self Init checker already warns about it. To avoid
968   // overwhelming the user with messages from both checkers, we model the case
969   // of '[super init]' in cases when it is not consumed by another expression
970   // as if the call preserves the value of 'self'; essentially, assuming it can
971   // never fail and return 'nil'.
972   // Note, we don't want to just stop tracking the value since we want the
973   // RetainCount checker to report leaks and use-after-free if SelfInit checker
974   // is turned off.
975   if (const ObjCMethodCall *MC = dyn_cast<ObjCMethodCall>(&Call)) {
976     if (MC->getMethodFamily() == OMF_init && MC->isReceiverSelfOrSuper()) {
977 
978       // Check if the message is not consumed, we know it will not be used in
979       // an assignment, ex: "self = [super init]".
980       const Expr *ME = MC->getOriginExpr();
981       const LocationContext *LCtx = MC->getLocationContext();
982       ParentMap &PM = LCtx->getAnalysisDeclContext()->getParentMap();
983       if (!PM.isConsumedExpr(ME)) {
984         RetainSummaryTemplate ModifiableSummaryTemplate(S, *this);
985         ModifiableSummaryTemplate->setReceiverEffect(DoNothing);
986         ModifiableSummaryTemplate->setRetEffect(RetEffect::MakeNoRet());
987       }
988     }
989   }
990 }
991 
992 const RetainSummary *
getSummary(const CallEvent & Call,ProgramStateRef State)993 RetainSummaryManager::getSummary(const CallEvent &Call,
994                                  ProgramStateRef State) {
995   const RetainSummary *Summ;
996   switch (Call.getKind()) {
997   case CE_Function:
998     Summ = getFunctionSummary(cast<SimpleFunctionCall>(Call).getDecl());
999     break;
1000   case CE_CXXMember:
1001   case CE_CXXMemberOperator:
1002   case CE_Block:
1003   case CE_CXXConstructor:
1004   case CE_CXXDestructor:
1005   case CE_CXXAllocator:
1006     // FIXME: These calls are currently unsupported.
1007     return getPersistentStopSummary();
1008   case CE_ObjCMessage: {
1009     const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call);
1010     if (Msg.isInstanceMessage())
1011       Summ = getInstanceMethodSummary(Msg, State);
1012     else
1013       Summ = getClassMethodSummary(Msg);
1014     break;
1015   }
1016   }
1017 
1018   updateSummaryForCall(Summ, Call);
1019 
1020   assert(Summ && "Unknown call type?");
1021   return Summ;
1022 }
1023 
1024 const RetainSummary *
getFunctionSummary(const FunctionDecl * FD)1025 RetainSummaryManager::getFunctionSummary(const FunctionDecl *FD) {
1026   // If we don't know what function we're calling, use our default summary.
1027   if (!FD)
1028     return getDefaultSummary();
1029 
1030   // Look up a summary in our cache of FunctionDecls -> Summaries.
1031   FuncSummariesTy::iterator I = FuncSummaries.find(FD);
1032   if (I != FuncSummaries.end())
1033     return I->second;
1034 
1035   // No summary?  Generate one.
1036   const RetainSummary *S = nullptr;
1037   bool AllowAnnotations = true;
1038 
1039   do {
1040     // We generate "stop" summaries for implicitly defined functions.
1041     if (FD->isImplicit()) {
1042       S = getPersistentStopSummary();
1043       break;
1044     }
1045 
1046     // [PR 3337] Use 'getAs<FunctionType>' to strip away any typedefs on the
1047     // function's type.
1048     const FunctionType* FT = FD->getType()->getAs<FunctionType>();
1049     const IdentifierInfo *II = FD->getIdentifier();
1050     if (!II)
1051       break;
1052 
1053     StringRef FName = II->getName();
1054 
1055     // Strip away preceding '_'.  Doing this here will effect all the checks
1056     // down below.
1057     FName = FName.substr(FName.find_first_not_of('_'));
1058 
1059     // Inspect the result type.
1060     QualType RetTy = FT->getReturnType();
1061 
1062     // FIXME: This should all be refactored into a chain of "summary lookup"
1063     //  filters.
1064     assert(ScratchArgs.isEmpty());
1065 
1066     if (FName == "pthread_create" || FName == "pthread_setspecific") {
1067       // Part of: <rdar://problem/7299394> and <rdar://problem/11282706>.
1068       // This will be addressed better with IPA.
1069       S = getPersistentStopSummary();
1070     } else if (FName == "NSMakeCollectable") {
1071       // Handle: id NSMakeCollectable(CFTypeRef)
1072       S = (RetTy->isObjCIdType())
1073           ? getUnarySummary(FT, cfmakecollectable)
1074           : getPersistentStopSummary();
1075       // The headers on OS X 10.8 use cf_consumed/ns_returns_retained,
1076       // but we can fully model NSMakeCollectable ourselves.
1077       AllowAnnotations = false;
1078     } else if (FName == "CFPlugInInstanceCreate") {
1079       S = getPersistentSummary(RetEffect::MakeNoRet());
1080     } else if (FName == "IOBSDNameMatching" ||
1081                FName == "IOServiceMatching" ||
1082                FName == "IOServiceNameMatching" ||
1083                FName == "IORegistryEntrySearchCFProperty" ||
1084                FName == "IORegistryEntryIDMatching" ||
1085                FName == "IOOpenFirmwarePathMatching") {
1086       // Part of <rdar://problem/6961230>. (IOKit)
1087       // This should be addressed using a API table.
1088       S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true),
1089                                DoNothing, DoNothing);
1090     } else if (FName == "IOServiceGetMatchingService" ||
1091                FName == "IOServiceGetMatchingServices") {
1092       // FIXES: <rdar://problem/6326900>
1093       // This should be addressed using a API table.  This strcmp is also
1094       // a little gross, but there is no need to super optimize here.
1095       ScratchArgs = AF.add(ScratchArgs, 1, DecRef);
1096       S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
1097     } else if (FName == "IOServiceAddNotification" ||
1098                FName == "IOServiceAddMatchingNotification") {
1099       // Part of <rdar://problem/6961230>. (IOKit)
1100       // This should be addressed using a API table.
1101       ScratchArgs = AF.add(ScratchArgs, 2, DecRef);
1102       S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
1103     } else if (FName == "CVPixelBufferCreateWithBytes") {
1104       // FIXES: <rdar://problem/7283567>
1105       // Eventually this can be improved by recognizing that the pixel
1106       // buffer passed to CVPixelBufferCreateWithBytes is released via
1107       // a callback and doing full IPA to make sure this is done correctly.
1108       // FIXME: This function has an out parameter that returns an
1109       // allocated object.
1110       ScratchArgs = AF.add(ScratchArgs, 7, StopTracking);
1111       S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
1112     } else if (FName == "CGBitmapContextCreateWithData") {
1113       // FIXES: <rdar://problem/7358899>
1114       // Eventually this can be improved by recognizing that 'releaseInfo'
1115       // passed to CGBitmapContextCreateWithData is released via
1116       // a callback and doing full IPA to make sure this is done correctly.
1117       ScratchArgs = AF.add(ScratchArgs, 8, StopTracking);
1118       S = getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true),
1119                                DoNothing, DoNothing);
1120     } else if (FName == "CVPixelBufferCreateWithPlanarBytes") {
1121       // FIXES: <rdar://problem/7283567>
1122       // Eventually this can be improved by recognizing that the pixel
1123       // buffer passed to CVPixelBufferCreateWithPlanarBytes is released
1124       // via a callback and doing full IPA to make sure this is done
1125       // correctly.
1126       ScratchArgs = AF.add(ScratchArgs, 12, StopTracking);
1127       S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
1128     } else if (FName == "dispatch_set_context" ||
1129                FName == "xpc_connection_set_context") {
1130       // <rdar://problem/11059275> - The analyzer currently doesn't have
1131       // a good way to reason about the finalizer function for libdispatch.
1132       // If we pass a context object that is memory managed, stop tracking it.
1133       // <rdar://problem/13783514> - Same problem, but for XPC.
1134       // FIXME: this hack should possibly go away once we can handle
1135       // libdispatch and XPC finalizers.
1136       ScratchArgs = AF.add(ScratchArgs, 1, StopTracking);
1137       S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
1138     } else if (FName.startswith("NSLog")) {
1139       S = getDoNothingSummary();
1140     } else if (FName.startswith("NS") &&
1141                 (FName.find("Insert") != StringRef::npos)) {
1142       // Whitelist NSXXInsertXX, for example NSMapInsertIfAbsent, since they can
1143       // be deallocated by NSMapRemove. (radar://11152419)
1144       ScratchArgs = AF.add(ScratchArgs, 1, StopTracking);
1145       ScratchArgs = AF.add(ScratchArgs, 2, StopTracking);
1146       S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
1147     }
1148 
1149     // Did we get a summary?
1150     if (S)
1151       break;
1152 
1153     if (RetTy->isPointerType()) {
1154       // For CoreFoundation ('CF') types.
1155       if (cocoa::isRefType(RetTy, "CF", FName)) {
1156         if (isRetain(FD, FName)) {
1157           S = getUnarySummary(FT, cfretain);
1158         } else if (isAutorelease(FD, FName)) {
1159           S = getUnarySummary(FT, cfautorelease);
1160           // The headers use cf_consumed, but we can fully model CFAutorelease
1161           // ourselves.
1162           AllowAnnotations = false;
1163         } else if (isMakeCollectable(FD, FName)) {
1164           S = getUnarySummary(FT, cfmakecollectable);
1165           AllowAnnotations = false;
1166         } else {
1167           S = getCFCreateGetRuleSummary(FD);
1168         }
1169 
1170         break;
1171       }
1172 
1173       // For CoreGraphics ('CG') types.
1174       if (cocoa::isRefType(RetTy, "CG", FName)) {
1175         if (isRetain(FD, FName))
1176           S = getUnarySummary(FT, cfretain);
1177         else
1178           S = getCFCreateGetRuleSummary(FD);
1179 
1180         break;
1181       }
1182 
1183       // For the Disk Arbitration API (DiskArbitration/DADisk.h)
1184       if (cocoa::isRefType(RetTy, "DADisk") ||
1185           cocoa::isRefType(RetTy, "DADissenter") ||
1186           cocoa::isRefType(RetTy, "DASessionRef")) {
1187         S = getCFCreateGetRuleSummary(FD);
1188         break;
1189       }
1190 
1191       if (FD->hasAttr<CFAuditedTransferAttr>()) {
1192         S = getCFCreateGetRuleSummary(FD);
1193         break;
1194       }
1195 
1196       break;
1197     }
1198 
1199     // Check for release functions, the only kind of functions that we care
1200     // about that don't return a pointer type.
1201     if (FName[0] == 'C' && (FName[1] == 'F' || FName[1] == 'G')) {
1202       // Test for 'CGCF'.
1203       FName = FName.substr(FName.startswith("CGCF") ? 4 : 2);
1204 
1205       if (isRelease(FD, FName))
1206         S = getUnarySummary(FT, cfrelease);
1207       else {
1208         assert (ScratchArgs.isEmpty());
1209         // Remaining CoreFoundation and CoreGraphics functions.
1210         // We use to assume that they all strictly followed the ownership idiom
1211         // and that ownership cannot be transferred.  While this is technically
1212         // correct, many methods allow a tracked object to escape.  For example:
1213         //
1214         //   CFMutableDictionaryRef x = CFDictionaryCreateMutable(...);
1215         //   CFDictionaryAddValue(y, key, x);
1216         //   CFRelease(x);
1217         //   ... it is okay to use 'x' since 'y' has a reference to it
1218         //
1219         // We handle this and similar cases with the follow heuristic.  If the
1220         // function name contains "InsertValue", "SetValue", "AddValue",
1221         // "AppendValue", or "SetAttribute", then we assume that arguments may
1222         // "escape."  This means that something else holds on to the object,
1223         // allowing it be used even after its local retain count drops to 0.
1224         ArgEffect E = (StrInStrNoCase(FName, "InsertValue") != StringRef::npos||
1225                        StrInStrNoCase(FName, "AddValue") != StringRef::npos ||
1226                        StrInStrNoCase(FName, "SetValue") != StringRef::npos ||
1227                        StrInStrNoCase(FName, "AppendValue") != StringRef::npos||
1228                        StrInStrNoCase(FName, "SetAttribute") != StringRef::npos)
1229                       ? MayEscape : DoNothing;
1230 
1231         S = getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, E);
1232       }
1233     }
1234   }
1235   while (0);
1236 
1237   // If we got all the way here without any luck, use a default summary.
1238   if (!S)
1239     S = getDefaultSummary();
1240 
1241   // Annotations override defaults.
1242   if (AllowAnnotations)
1243     updateSummaryFromAnnotations(S, FD);
1244 
1245   FuncSummaries[FD] = S;
1246   return S;
1247 }
1248 
1249 const RetainSummary *
getCFCreateGetRuleSummary(const FunctionDecl * FD)1250 RetainSummaryManager::getCFCreateGetRuleSummary(const FunctionDecl *FD) {
1251   if (coreFoundation::followsCreateRule(FD))
1252     return getCFSummaryCreateRule(FD);
1253 
1254   return getCFSummaryGetRule(FD);
1255 }
1256 
1257 const RetainSummary *
getUnarySummary(const FunctionType * FT,UnaryFuncKind func)1258 RetainSummaryManager::getUnarySummary(const FunctionType* FT,
1259                                       UnaryFuncKind func) {
1260 
1261   // Sanity check that this is *really* a unary function.  This can
1262   // happen if people do weird things.
1263   const FunctionProtoType* FTP = dyn_cast<FunctionProtoType>(FT);
1264   if (!FTP || FTP->getNumParams() != 1)
1265     return getPersistentStopSummary();
1266 
1267   assert (ScratchArgs.isEmpty());
1268 
1269   ArgEffect Effect;
1270   switch (func) {
1271   case cfretain: Effect = IncRef; break;
1272   case cfrelease: Effect = DecRef; break;
1273   case cfautorelease: Effect = Autorelease; break;
1274   case cfmakecollectable: Effect = MakeCollectable; break;
1275   }
1276 
1277   ScratchArgs = AF.add(ScratchArgs, 0, Effect);
1278   return getPersistentSummary(RetEffect::MakeNoRet(), DoNothing, DoNothing);
1279 }
1280 
1281 const RetainSummary *
getCFSummaryCreateRule(const FunctionDecl * FD)1282 RetainSummaryManager::getCFSummaryCreateRule(const FunctionDecl *FD) {
1283   assert (ScratchArgs.isEmpty());
1284 
1285   return getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true));
1286 }
1287 
1288 const RetainSummary *
getCFSummaryGetRule(const FunctionDecl * FD)1289 RetainSummaryManager::getCFSummaryGetRule(const FunctionDecl *FD) {
1290   assert (ScratchArgs.isEmpty());
1291   return getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::CF),
1292                               DoNothing, DoNothing);
1293 }
1294 
1295 //===----------------------------------------------------------------------===//
1296 // Summary creation for Selectors.
1297 //===----------------------------------------------------------------------===//
1298 
1299 Optional<RetEffect>
getRetEffectFromAnnotations(QualType RetTy,const Decl * D)1300 RetainSummaryManager::getRetEffectFromAnnotations(QualType RetTy,
1301                                                   const Decl *D) {
1302   if (cocoa::isCocoaObjectRef(RetTy)) {
1303     if (D->hasAttr<NSReturnsRetainedAttr>())
1304       return ObjCAllocRetE;
1305 
1306     if (D->hasAttr<NSReturnsNotRetainedAttr>() ||
1307         D->hasAttr<NSReturnsAutoreleasedAttr>())
1308       return RetEffect::MakeNotOwned(RetEffect::ObjC);
1309 
1310   } else if (!RetTy->isPointerType()) {
1311     return None;
1312   }
1313 
1314   if (D->hasAttr<CFReturnsRetainedAttr>())
1315     return RetEffect::MakeOwned(RetEffect::CF, true);
1316 
1317   if (D->hasAttr<CFReturnsNotRetainedAttr>())
1318     return RetEffect::MakeNotOwned(RetEffect::CF);
1319 
1320   return None;
1321 }
1322 
1323 void
updateSummaryFromAnnotations(const RetainSummary * & Summ,const FunctionDecl * FD)1324 RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ,
1325                                                    const FunctionDecl *FD) {
1326   if (!FD)
1327     return;
1328 
1329   assert(Summ && "Must have a summary to add annotations to.");
1330   RetainSummaryTemplate Template(Summ, *this);
1331 
1332   // Effects on the parameters.
1333   unsigned parm_idx = 0;
1334   for (FunctionDecl::param_const_iterator pi = FD->param_begin(),
1335          pe = FD->param_end(); pi != pe; ++pi, ++parm_idx) {
1336     const ParmVarDecl *pd = *pi;
1337     if (pd->hasAttr<NSConsumedAttr>())
1338       Template->addArg(AF, parm_idx, DecRefMsg);
1339     else if (pd->hasAttr<CFConsumedAttr>())
1340       Template->addArg(AF, parm_idx, DecRef);
1341     else if (pd->hasAttr<CFReturnsRetainedAttr>()) {
1342       QualType PointeeTy = pd->getType()->getPointeeType();
1343       if (!PointeeTy.isNull())
1344         if (coreFoundation::isCFObjectRef(PointeeTy))
1345           Template->addArg(AF, parm_idx, RetainedOutParameter);
1346     } else if (pd->hasAttr<CFReturnsNotRetainedAttr>()) {
1347       QualType PointeeTy = pd->getType()->getPointeeType();
1348       if (!PointeeTy.isNull())
1349         if (coreFoundation::isCFObjectRef(PointeeTy))
1350           Template->addArg(AF, parm_idx, UnretainedOutParameter);
1351     }
1352   }
1353 
1354   QualType RetTy = FD->getReturnType();
1355   if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, FD))
1356     Template->setRetEffect(*RetE);
1357 }
1358 
1359 void
updateSummaryFromAnnotations(const RetainSummary * & Summ,const ObjCMethodDecl * MD)1360 RetainSummaryManager::updateSummaryFromAnnotations(const RetainSummary *&Summ,
1361                                                    const ObjCMethodDecl *MD) {
1362   if (!MD)
1363     return;
1364 
1365   assert(Summ && "Must have a valid summary to add annotations to");
1366   RetainSummaryTemplate Template(Summ, *this);
1367 
1368   // Effects on the receiver.
1369   if (MD->hasAttr<NSConsumesSelfAttr>())
1370     Template->setReceiverEffect(DecRefMsg);
1371 
1372   // Effects on the parameters.
1373   unsigned parm_idx = 0;
1374   for (ObjCMethodDecl::param_const_iterator
1375          pi=MD->param_begin(), pe=MD->param_end();
1376        pi != pe; ++pi, ++parm_idx) {
1377     const ParmVarDecl *pd = *pi;
1378     if (pd->hasAttr<NSConsumedAttr>())
1379       Template->addArg(AF, parm_idx, DecRefMsg);
1380     else if (pd->hasAttr<CFConsumedAttr>()) {
1381       Template->addArg(AF, parm_idx, DecRef);
1382     } else if (pd->hasAttr<CFReturnsRetainedAttr>()) {
1383       QualType PointeeTy = pd->getType()->getPointeeType();
1384       if (!PointeeTy.isNull())
1385         if (coreFoundation::isCFObjectRef(PointeeTy))
1386           Template->addArg(AF, parm_idx, RetainedOutParameter);
1387     } else if (pd->hasAttr<CFReturnsNotRetainedAttr>()) {
1388       QualType PointeeTy = pd->getType()->getPointeeType();
1389       if (!PointeeTy.isNull())
1390         if (coreFoundation::isCFObjectRef(PointeeTy))
1391           Template->addArg(AF, parm_idx, UnretainedOutParameter);
1392     }
1393   }
1394 
1395   QualType RetTy = MD->getReturnType();
1396   if (Optional<RetEffect> RetE = getRetEffectFromAnnotations(RetTy, MD))
1397     Template->setRetEffect(*RetE);
1398 }
1399 
1400 const RetainSummary *
getStandardMethodSummary(const ObjCMethodDecl * MD,Selector S,QualType RetTy)1401 RetainSummaryManager::getStandardMethodSummary(const ObjCMethodDecl *MD,
1402                                                Selector S, QualType RetTy) {
1403   // Any special effects?
1404   ArgEffect ReceiverEff = DoNothing;
1405   RetEffect ResultEff = RetEffect::MakeNoRet();
1406 
1407   // Check the method family, and apply any default annotations.
1408   switch (MD ? MD->getMethodFamily() : S.getMethodFamily()) {
1409     case OMF_None:
1410     case OMF_initialize:
1411     case OMF_performSelector:
1412       // Assume all Objective-C methods follow Cocoa Memory Management rules.
1413       // FIXME: Does the non-threaded performSelector family really belong here?
1414       // The selector could be, say, @selector(copy).
1415       if (cocoa::isCocoaObjectRef(RetTy))
1416         ResultEff = RetEffect::MakeNotOwned(RetEffect::ObjC);
1417       else if (coreFoundation::isCFObjectRef(RetTy)) {
1418         // ObjCMethodDecl currently doesn't consider CF objects as valid return
1419         // values for alloc, new, copy, or mutableCopy, so we have to
1420         // double-check with the selector. This is ugly, but there aren't that
1421         // many Objective-C methods that return CF objects, right?
1422         if (MD) {
1423           switch (S.getMethodFamily()) {
1424           case OMF_alloc:
1425           case OMF_new:
1426           case OMF_copy:
1427           case OMF_mutableCopy:
1428             ResultEff = RetEffect::MakeOwned(RetEffect::CF, true);
1429             break;
1430           default:
1431             ResultEff = RetEffect::MakeNotOwned(RetEffect::CF);
1432             break;
1433           }
1434         } else {
1435           ResultEff = RetEffect::MakeNotOwned(RetEffect::CF);
1436         }
1437       }
1438       break;
1439     case OMF_init:
1440       ResultEff = ObjCInitRetE;
1441       ReceiverEff = DecRefMsg;
1442       break;
1443     case OMF_alloc:
1444     case OMF_new:
1445     case OMF_copy:
1446     case OMF_mutableCopy:
1447       if (cocoa::isCocoaObjectRef(RetTy))
1448         ResultEff = ObjCAllocRetE;
1449       else if (coreFoundation::isCFObjectRef(RetTy))
1450         ResultEff = RetEffect::MakeOwned(RetEffect::CF, true);
1451       break;
1452     case OMF_autorelease:
1453       ReceiverEff = Autorelease;
1454       break;
1455     case OMF_retain:
1456       ReceiverEff = IncRefMsg;
1457       break;
1458     case OMF_release:
1459       ReceiverEff = DecRefMsg;
1460       break;
1461     case OMF_dealloc:
1462       ReceiverEff = Dealloc;
1463       break;
1464     case OMF_self:
1465       // -self is handled specially by the ExprEngine to propagate the receiver.
1466       break;
1467     case OMF_retainCount:
1468     case OMF_finalize:
1469       // These methods don't return objects.
1470       break;
1471   }
1472 
1473   // If one of the arguments in the selector has the keyword 'delegate' we
1474   // should stop tracking the reference count for the receiver.  This is
1475   // because the reference count is quite possibly handled by a delegate
1476   // method.
1477   if (S.isKeywordSelector()) {
1478     for (unsigned i = 0, e = S.getNumArgs(); i != e; ++i) {
1479       StringRef Slot = S.getNameForSlot(i);
1480       if (Slot.substr(Slot.size() - 8).equals_lower("delegate")) {
1481         if (ResultEff == ObjCInitRetE)
1482           ResultEff = RetEffect::MakeNoRetHard();
1483         else
1484           ReceiverEff = StopTrackingHard;
1485       }
1486     }
1487   }
1488 
1489   if (ScratchArgs.isEmpty() && ReceiverEff == DoNothing &&
1490       ResultEff.getKind() == RetEffect::NoRet)
1491     return getDefaultSummary();
1492 
1493   return getPersistentSummary(ResultEff, ReceiverEff, MayEscape);
1494 }
1495 
1496 const RetainSummary *
getInstanceMethodSummary(const ObjCMethodCall & Msg,ProgramStateRef State)1497 RetainSummaryManager::getInstanceMethodSummary(const ObjCMethodCall &Msg,
1498                                                ProgramStateRef State) {
1499   const ObjCInterfaceDecl *ReceiverClass = nullptr;
1500 
1501   // We do better tracking of the type of the object than the core ExprEngine.
1502   // See if we have its type in our private state.
1503   // FIXME: Eventually replace the use of state->get<RefBindings> with
1504   // a generic API for reasoning about the Objective-C types of symbolic
1505   // objects.
1506   SVal ReceiverV = Msg.getReceiverSVal();
1507   if (SymbolRef Sym = ReceiverV.getAsLocSymbol())
1508     if (const RefVal *T = getRefBinding(State, Sym))
1509       if (const ObjCObjectPointerType *PT =
1510             T->getType()->getAs<ObjCObjectPointerType>())
1511         ReceiverClass = PT->getInterfaceDecl();
1512 
1513   // If we don't know what kind of object this is, fall back to its static type.
1514   if (!ReceiverClass)
1515     ReceiverClass = Msg.getReceiverInterface();
1516 
1517   // FIXME: The receiver could be a reference to a class, meaning that
1518   //  we should use the class method.
1519   // id x = [NSObject class];
1520   // [x performSelector:... withObject:... afterDelay:...];
1521   Selector S = Msg.getSelector();
1522   const ObjCMethodDecl *Method = Msg.getDecl();
1523   if (!Method && ReceiverClass)
1524     Method = ReceiverClass->getInstanceMethod(S);
1525 
1526   return getMethodSummary(S, ReceiverClass, Method, Msg.getResultType(),
1527                           ObjCMethodSummaries);
1528 }
1529 
1530 const RetainSummary *
getMethodSummary(Selector S,const ObjCInterfaceDecl * ID,const ObjCMethodDecl * MD,QualType RetTy,ObjCMethodSummariesTy & CachedSummaries)1531 RetainSummaryManager::getMethodSummary(Selector S, const ObjCInterfaceDecl *ID,
1532                                        const ObjCMethodDecl *MD, QualType RetTy,
1533                                        ObjCMethodSummariesTy &CachedSummaries) {
1534 
1535   // Look up a summary in our summary cache.
1536   const RetainSummary *Summ = CachedSummaries.find(ID, S);
1537 
1538   if (!Summ) {
1539     Summ = getStandardMethodSummary(MD, S, RetTy);
1540 
1541     // Annotations override defaults.
1542     updateSummaryFromAnnotations(Summ, MD);
1543 
1544     // Memoize the summary.
1545     CachedSummaries[ObjCSummaryKey(ID, S)] = Summ;
1546   }
1547 
1548   return Summ;
1549 }
1550 
InitializeClassMethodSummaries()1551 void RetainSummaryManager::InitializeClassMethodSummaries() {
1552   assert(ScratchArgs.isEmpty());
1553   // Create the [NSAssertionHandler currentHander] summary.
1554   addClassMethSummary("NSAssertionHandler", "currentHandler",
1555                 getPersistentSummary(RetEffect::MakeNotOwned(RetEffect::ObjC)));
1556 
1557   // Create the [NSAutoreleasePool addObject:] summary.
1558   ScratchArgs = AF.add(ScratchArgs, 0, Autorelease);
1559   addClassMethSummary("NSAutoreleasePool", "addObject",
1560                       getPersistentSummary(RetEffect::MakeNoRet(),
1561                                            DoNothing, Autorelease));
1562 }
1563 
InitializeMethodSummaries()1564 void RetainSummaryManager::InitializeMethodSummaries() {
1565 
1566   assert (ScratchArgs.isEmpty());
1567 
1568   // Create the "init" selector.  It just acts as a pass-through for the
1569   // receiver.
1570   const RetainSummary *InitSumm = getPersistentSummary(ObjCInitRetE, DecRefMsg);
1571   addNSObjectMethSummary(GetNullarySelector("init", Ctx), InitSumm);
1572 
1573   // awakeAfterUsingCoder: behaves basically like an 'init' method.  It
1574   // claims the receiver and returns a retained object.
1575   addNSObjectMethSummary(GetUnarySelector("awakeAfterUsingCoder", Ctx),
1576                          InitSumm);
1577 
1578   // The next methods are allocators.
1579   const RetainSummary *AllocSumm = getPersistentSummary(ObjCAllocRetE);
1580   const RetainSummary *CFAllocSumm =
1581     getPersistentSummary(RetEffect::MakeOwned(RetEffect::CF, true));
1582 
1583   // Create the "retain" selector.
1584   RetEffect NoRet = RetEffect::MakeNoRet();
1585   const RetainSummary *Summ = getPersistentSummary(NoRet, IncRefMsg);
1586   addNSObjectMethSummary(GetNullarySelector("retain", Ctx), Summ);
1587 
1588   // Create the "release" selector.
1589   Summ = getPersistentSummary(NoRet, DecRefMsg);
1590   addNSObjectMethSummary(GetNullarySelector("release", Ctx), Summ);
1591 
1592   // Create the -dealloc summary.
1593   Summ = getPersistentSummary(NoRet, Dealloc);
1594   addNSObjectMethSummary(GetNullarySelector("dealloc", Ctx), Summ);
1595 
1596   // Create the "autorelease" selector.
1597   Summ = getPersistentSummary(NoRet, Autorelease);
1598   addNSObjectMethSummary(GetNullarySelector("autorelease", Ctx), Summ);
1599 
1600   // For NSWindow, allocated objects are (initially) self-owned.
1601   // FIXME: For now we opt for false negatives with NSWindow, as these objects
1602   //  self-own themselves.  However, they only do this once they are displayed.
1603   //  Thus, we need to track an NSWindow's display status.
1604   //  This is tracked in <rdar://problem/6062711>.
1605   //  See also http://llvm.org/bugs/show_bug.cgi?id=3714.
1606   const RetainSummary *NoTrackYet = getPersistentSummary(RetEffect::MakeNoRet(),
1607                                                    StopTracking,
1608                                                    StopTracking);
1609 
1610   addClassMethSummary("NSWindow", "alloc", NoTrackYet);
1611 
1612   // For NSPanel (which subclasses NSWindow), allocated objects are not
1613   //  self-owned.
1614   // FIXME: For now we don't track NSPanels. object for the same reason
1615   //   as for NSWindow objects.
1616   addClassMethSummary("NSPanel", "alloc", NoTrackYet);
1617 
1618   // For NSNull, objects returned by +null are singletons that ignore
1619   // retain/release semantics.  Just don't track them.
1620   // <rdar://problem/12858915>
1621   addClassMethSummary("NSNull", "null", NoTrackYet);
1622 
1623   // Don't track allocated autorelease pools, as it is okay to prematurely
1624   // exit a method.
1625   addClassMethSummary("NSAutoreleasePool", "alloc", NoTrackYet);
1626   addClassMethSummary("NSAutoreleasePool", "allocWithZone", NoTrackYet, false);
1627   addClassMethSummary("NSAutoreleasePool", "new", NoTrackYet);
1628 
1629   // Create summaries QCRenderer/QCView -createSnapShotImageOfType:
1630   addInstMethSummary("QCRenderer", AllocSumm,
1631                      "createSnapshotImageOfType", nullptr);
1632   addInstMethSummary("QCView", AllocSumm,
1633                      "createSnapshotImageOfType", nullptr);
1634 
1635   // Create summaries for CIContext, 'createCGImage' and
1636   // 'createCGLayerWithSize'.  These objects are CF objects, and are not
1637   // automatically garbage collected.
1638   addInstMethSummary("CIContext", CFAllocSumm,
1639                      "createCGImage", "fromRect", nullptr);
1640   addInstMethSummary("CIContext", CFAllocSumm, "createCGImage", "fromRect",
1641                      "format", "colorSpace", nullptr);
1642   addInstMethSummary("CIContext", CFAllocSumm, "createCGLayerWithSize", "info",
1643                      nullptr);
1644 }
1645 
1646 //===----------------------------------------------------------------------===//
1647 // Error reporting.
1648 //===----------------------------------------------------------------------===//
1649 namespace {
1650   typedef llvm::DenseMap<const ExplodedNode *, const RetainSummary *>
1651     SummaryLogTy;
1652 
1653   //===-------------===//
1654   // Bug Descriptions. //
1655   //===-------------===//
1656 
1657   class CFRefBug : public BugType {
1658   protected:
CFRefBug(const CheckerBase * checker,StringRef name)1659     CFRefBug(const CheckerBase *checker, StringRef name)
1660         : BugType(checker, name, categories::MemoryCoreFoundationObjectiveC) {}
1661 
1662   public:
1663 
1664     // FIXME: Eventually remove.
1665     virtual const char *getDescription() const = 0;
1666 
isLeak() const1667     virtual bool isLeak() const { return false; }
1668   };
1669 
1670   class UseAfterRelease : public CFRefBug {
1671   public:
UseAfterRelease(const CheckerBase * checker)1672     UseAfterRelease(const CheckerBase *checker)
1673         : CFRefBug(checker, "Use-after-release") {}
1674 
getDescription() const1675     const char *getDescription() const override {
1676       return "Reference-counted object is used after it is released";
1677     }
1678   };
1679 
1680   class BadRelease : public CFRefBug {
1681   public:
BadRelease(const CheckerBase * checker)1682     BadRelease(const CheckerBase *checker) : CFRefBug(checker, "Bad release") {}
1683 
getDescription() const1684     const char *getDescription() const override {
1685       return "Incorrect decrement of the reference count of an object that is "
1686              "not owned at this point by the caller";
1687     }
1688   };
1689 
1690   class DeallocGC : public CFRefBug {
1691   public:
DeallocGC(const CheckerBase * checker)1692     DeallocGC(const CheckerBase *checker)
1693         : CFRefBug(checker, "-dealloc called while using garbage collection") {}
1694 
getDescription() const1695     const char *getDescription() const override {
1696       return "-dealloc called while using garbage collection";
1697     }
1698   };
1699 
1700   class DeallocNotOwned : public CFRefBug {
1701   public:
DeallocNotOwned(const CheckerBase * checker)1702     DeallocNotOwned(const CheckerBase *checker)
1703         : CFRefBug(checker, "-dealloc sent to non-exclusively owned object") {}
1704 
getDescription() const1705     const char *getDescription() const override {
1706       return "-dealloc sent to object that may be referenced elsewhere";
1707     }
1708   };
1709 
1710   class OverAutorelease : public CFRefBug {
1711   public:
OverAutorelease(const CheckerBase * checker)1712     OverAutorelease(const CheckerBase *checker)
1713         : CFRefBug(checker, "Object autoreleased too many times") {}
1714 
getDescription() const1715     const char *getDescription() const override {
1716       return "Object autoreleased too many times";
1717     }
1718   };
1719 
1720   class ReturnedNotOwnedForOwned : public CFRefBug {
1721   public:
ReturnedNotOwnedForOwned(const CheckerBase * checker)1722     ReturnedNotOwnedForOwned(const CheckerBase *checker)
1723         : CFRefBug(checker, "Method should return an owned object") {}
1724 
getDescription() const1725     const char *getDescription() const override {
1726       return "Object with a +0 retain count returned to caller where a +1 "
1727              "(owning) retain count is expected";
1728     }
1729   };
1730 
1731   class Leak : public CFRefBug {
1732   public:
Leak(const CheckerBase * checker,StringRef name)1733     Leak(const CheckerBase *checker, StringRef name) : CFRefBug(checker, name) {
1734       // Leaks should not be reported if they are post-dominated by a sink.
1735       setSuppressOnSink(true);
1736     }
1737 
getDescription() const1738     const char *getDescription() const override { return ""; }
1739 
isLeak() const1740     bool isLeak() const override { return true; }
1741   };
1742 
1743   //===---------===//
1744   // Bug Reports.  //
1745   //===---------===//
1746 
1747   class CFRefReportVisitor : public BugReporterVisitorImpl<CFRefReportVisitor> {
1748   protected:
1749     SymbolRef Sym;
1750     const SummaryLogTy &SummaryLog;
1751     bool GCEnabled;
1752 
1753   public:
CFRefReportVisitor(SymbolRef sym,bool gcEnabled,const SummaryLogTy & log)1754     CFRefReportVisitor(SymbolRef sym, bool gcEnabled, const SummaryLogTy &log)
1755        : Sym(sym), SummaryLog(log), GCEnabled(gcEnabled) {}
1756 
Profile(llvm::FoldingSetNodeID & ID) const1757     void Profile(llvm::FoldingSetNodeID &ID) const override {
1758       static int x = 0;
1759       ID.AddPointer(&x);
1760       ID.AddPointer(Sym);
1761     }
1762 
1763     PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
1764                                    const ExplodedNode *PrevN,
1765                                    BugReporterContext &BRC,
1766                                    BugReport &BR) override;
1767 
1768     std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC,
1769                                                     const ExplodedNode *N,
1770                                                     BugReport &BR) override;
1771   };
1772 
1773   class CFRefLeakReportVisitor : public CFRefReportVisitor {
1774   public:
CFRefLeakReportVisitor(SymbolRef sym,bool GCEnabled,const SummaryLogTy & log)1775     CFRefLeakReportVisitor(SymbolRef sym, bool GCEnabled,
1776                            const SummaryLogTy &log)
1777        : CFRefReportVisitor(sym, GCEnabled, log) {}
1778 
1779     std::unique_ptr<PathDiagnosticPiece> getEndPath(BugReporterContext &BRC,
1780                                                     const ExplodedNode *N,
1781                                                     BugReport &BR) override;
1782 
clone() const1783     std::unique_ptr<BugReporterVisitor> clone() const override {
1784       // The curiously-recurring template pattern only works for one level of
1785       // subclassing. Rather than make a new template base for
1786       // CFRefReportVisitor, we simply override clone() to do the right thing.
1787       // This could be trouble someday if BugReporterVisitorImpl is ever
1788       // used for something else besides a convenient implementation of clone().
1789       return llvm::make_unique<CFRefLeakReportVisitor>(*this);
1790     }
1791   };
1792 
1793   class CFRefReport : public BugReport {
1794     void addGCModeDescription(const LangOptions &LOpts, bool GCEnabled);
1795 
1796   public:
CFRefReport(CFRefBug & D,const LangOptions & LOpts,bool GCEnabled,const SummaryLogTy & Log,ExplodedNode * n,SymbolRef sym,bool registerVisitor=true)1797     CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled,
1798                 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym,
1799                 bool registerVisitor = true)
1800       : BugReport(D, D.getDescription(), n) {
1801       if (registerVisitor)
1802         addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log));
1803       addGCModeDescription(LOpts, GCEnabled);
1804     }
1805 
CFRefReport(CFRefBug & D,const LangOptions & LOpts,bool GCEnabled,const SummaryLogTy & Log,ExplodedNode * n,SymbolRef sym,StringRef endText)1806     CFRefReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled,
1807                 const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym,
1808                 StringRef endText)
1809       : BugReport(D, D.getDescription(), endText, n) {
1810       addVisitor(llvm::make_unique<CFRefReportVisitor>(sym, GCEnabled, Log));
1811       addGCModeDescription(LOpts, GCEnabled);
1812     }
1813 
getRanges()1814     llvm::iterator_range<ranges_iterator> getRanges() override {
1815       const CFRefBug& BugTy = static_cast<CFRefBug&>(getBugType());
1816       if (!BugTy.isLeak())
1817         return BugReport::getRanges();
1818       return llvm::make_range(ranges_iterator(), ranges_iterator());
1819     }
1820   };
1821 
1822   class CFRefLeakReport : public CFRefReport {
1823     const MemRegion* AllocBinding;
1824   public:
1825     CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts, bool GCEnabled,
1826                     const SummaryLogTy &Log, ExplodedNode *n, SymbolRef sym,
1827                     CheckerContext &Ctx,
1828                     bool IncludeAllocationLine);
1829 
getLocation(const SourceManager & SM) const1830     PathDiagnosticLocation getLocation(const SourceManager &SM) const override {
1831       assert(Location.isValid());
1832       return Location;
1833     }
1834   };
1835 } // end anonymous namespace
1836 
addGCModeDescription(const LangOptions & LOpts,bool GCEnabled)1837 void CFRefReport::addGCModeDescription(const LangOptions &LOpts,
1838                                        bool GCEnabled) {
1839   const char *GCModeDescription = nullptr;
1840 
1841   switch (LOpts.getGC()) {
1842   case LangOptions::GCOnly:
1843     assert(GCEnabled);
1844     GCModeDescription = "Code is compiled to only use garbage collection";
1845     break;
1846 
1847   case LangOptions::NonGC:
1848     assert(!GCEnabled);
1849     GCModeDescription = "Code is compiled to use reference counts";
1850     break;
1851 
1852   case LangOptions::HybridGC:
1853     if (GCEnabled) {
1854       GCModeDescription = "Code is compiled to use either garbage collection "
1855                           "(GC) or reference counts (non-GC).  The bug occurs "
1856                           "with GC enabled";
1857       break;
1858     } else {
1859       GCModeDescription = "Code is compiled to use either garbage collection "
1860                           "(GC) or reference counts (non-GC).  The bug occurs "
1861                           "in non-GC mode";
1862       break;
1863     }
1864   }
1865 
1866   assert(GCModeDescription && "invalid/unknown GC mode");
1867   addExtraText(GCModeDescription);
1868 }
1869 
isNumericLiteralExpression(const Expr * E)1870 static bool isNumericLiteralExpression(const Expr *E) {
1871   // FIXME: This set of cases was copied from SemaExprObjC.
1872   return isa<IntegerLiteral>(E) ||
1873          isa<CharacterLiteral>(E) ||
1874          isa<FloatingLiteral>(E) ||
1875          isa<ObjCBoolLiteralExpr>(E) ||
1876          isa<CXXBoolLiteralExpr>(E);
1877 }
1878 
1879 /// Returns true if this stack frame is for an Objective-C method that is a
1880 /// property getter or setter whose body has been synthesized by the analyzer.
isSynthesizedAccessor(const StackFrameContext * SFC)1881 static bool isSynthesizedAccessor(const StackFrameContext *SFC) {
1882   auto Method = dyn_cast_or_null<ObjCMethodDecl>(SFC->getDecl());
1883   if (!Method || !Method->isPropertyAccessor())
1884     return false;
1885 
1886   return SFC->getAnalysisDeclContext()->isBodyAutosynthesized();
1887 }
1888 
VisitNode(const ExplodedNode * N,const ExplodedNode * PrevN,BugReporterContext & BRC,BugReport & BR)1889 PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
1890                                                    const ExplodedNode *PrevN,
1891                                                    BugReporterContext &BRC,
1892                                                    BugReport &BR) {
1893   // FIXME: We will eventually need to handle non-statement-based events
1894   // (__attribute__((cleanup))).
1895   if (!N->getLocation().getAs<StmtPoint>())
1896     return nullptr;
1897 
1898   // Check if the type state has changed.
1899   ProgramStateRef PrevSt = PrevN->getState();
1900   ProgramStateRef CurrSt = N->getState();
1901   const LocationContext *LCtx = N->getLocationContext();
1902 
1903   const RefVal* CurrT = getRefBinding(CurrSt, Sym);
1904   if (!CurrT) return nullptr;
1905 
1906   const RefVal &CurrV = *CurrT;
1907   const RefVal *PrevT = getRefBinding(PrevSt, Sym);
1908 
1909   // Create a string buffer to constain all the useful things we want
1910   // to tell the user.
1911   std::string sbuf;
1912   llvm::raw_string_ostream os(sbuf);
1913 
1914   // This is the allocation site since the previous node had no bindings
1915   // for this symbol.
1916   if (!PrevT) {
1917     const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt();
1918 
1919     if (isa<ObjCIvarRefExpr>(S) &&
1920         isSynthesizedAccessor(LCtx->getCurrentStackFrame())) {
1921       S = LCtx->getCurrentStackFrame()->getCallSite();
1922     }
1923 
1924     if (isa<ObjCArrayLiteral>(S)) {
1925       os << "NSArray literal is an object with a +0 retain count";
1926     }
1927     else if (isa<ObjCDictionaryLiteral>(S)) {
1928       os << "NSDictionary literal is an object with a +0 retain count";
1929     }
1930     else if (const ObjCBoxedExpr *BL = dyn_cast<ObjCBoxedExpr>(S)) {
1931       if (isNumericLiteralExpression(BL->getSubExpr()))
1932         os << "NSNumber literal is an object with a +0 retain count";
1933       else {
1934         const ObjCInterfaceDecl *BoxClass = nullptr;
1935         if (const ObjCMethodDecl *Method = BL->getBoxingMethod())
1936           BoxClass = Method->getClassInterface();
1937 
1938         // We should always be able to find the boxing class interface,
1939         // but consider this future-proofing.
1940         if (BoxClass)
1941           os << *BoxClass << " b";
1942         else
1943           os << "B";
1944 
1945         os << "oxed expression produces an object with a +0 retain count";
1946       }
1947     }
1948     else if (isa<ObjCIvarRefExpr>(S)) {
1949       os << "Object loaded from instance variable";
1950     }
1951     else {
1952       if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
1953         // Get the name of the callee (if it is available).
1954         SVal X = CurrSt->getSValAsScalarOrLoc(CE->getCallee(), LCtx);
1955         if (const FunctionDecl *FD = X.getAsFunctionDecl())
1956           os << "Call to function '" << *FD << '\'';
1957         else
1958           os << "function call";
1959       }
1960       else {
1961         assert(isa<ObjCMessageExpr>(S));
1962         CallEventManager &Mgr = CurrSt->getStateManager().getCallEventManager();
1963         CallEventRef<ObjCMethodCall> Call
1964           = Mgr.getObjCMethodCall(cast<ObjCMessageExpr>(S), CurrSt, LCtx);
1965 
1966         switch (Call->getMessageKind()) {
1967         case OCM_Message:
1968           os << "Method";
1969           break;
1970         case OCM_PropertyAccess:
1971           os << "Property";
1972           break;
1973         case OCM_Subscript:
1974           os << "Subscript";
1975           break;
1976         }
1977       }
1978 
1979       if (CurrV.getObjKind() == RetEffect::CF) {
1980         os << " returns a Core Foundation object with a ";
1981       }
1982       else {
1983         assert (CurrV.getObjKind() == RetEffect::ObjC);
1984         os << " returns an Objective-C object with a ";
1985       }
1986 
1987       if (CurrV.isOwned()) {
1988         os << "+1 retain count";
1989 
1990         if (GCEnabled) {
1991           assert(CurrV.getObjKind() == RetEffect::CF);
1992           os << ".  "
1993           "Core Foundation objects are not automatically garbage collected.";
1994         }
1995       }
1996       else {
1997         assert (CurrV.isNotOwned());
1998         os << "+0 retain count";
1999       }
2000     }
2001 
2002     PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
2003                                   N->getLocationContext());
2004     return new PathDiagnosticEventPiece(Pos, os.str());
2005   }
2006 
2007   // Gather up the effects that were performed on the object at this
2008   // program point
2009   SmallVector<ArgEffect, 2> AEffects;
2010 
2011   const ExplodedNode *OrigNode = BRC.getNodeResolver().getOriginalNode(N);
2012   if (const RetainSummary *Summ = SummaryLog.lookup(OrigNode)) {
2013     // We only have summaries attached to nodes after evaluating CallExpr and
2014     // ObjCMessageExprs.
2015     const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt();
2016 
2017     if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
2018       // Iterate through the parameter expressions and see if the symbol
2019       // was ever passed as an argument.
2020       unsigned i = 0;
2021 
2022       for (CallExpr::const_arg_iterator AI=CE->arg_begin(), AE=CE->arg_end();
2023            AI!=AE; ++AI, ++i) {
2024 
2025         // Retrieve the value of the argument.  Is it the symbol
2026         // we are interested in?
2027         if (CurrSt->getSValAsScalarOrLoc(*AI, LCtx).getAsLocSymbol() != Sym)
2028           continue;
2029 
2030         // We have an argument.  Get the effect!
2031         AEffects.push_back(Summ->getArg(i));
2032       }
2033     }
2034     else if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S)) {
2035       if (const Expr *receiver = ME->getInstanceReceiver())
2036         if (CurrSt->getSValAsScalarOrLoc(receiver, LCtx)
2037               .getAsLocSymbol() == Sym) {
2038           // The symbol we are tracking is the receiver.
2039           AEffects.push_back(Summ->getReceiverEffect());
2040         }
2041     }
2042   }
2043 
2044   do {
2045     // Get the previous type state.
2046     RefVal PrevV = *PrevT;
2047 
2048     // Specially handle -dealloc.
2049     if (!GCEnabled && std::find(AEffects.begin(), AEffects.end(), Dealloc) !=
2050                           AEffects.end()) {
2051       // Determine if the object's reference count was pushed to zero.
2052       assert(!PrevV.hasSameState(CurrV) && "The state should have changed.");
2053       // We may not have transitioned to 'release' if we hit an error.
2054       // This case is handled elsewhere.
2055       if (CurrV.getKind() == RefVal::Released) {
2056         assert(CurrV.getCombinedCounts() == 0);
2057         os << "Object released by directly sending the '-dealloc' message";
2058         break;
2059       }
2060     }
2061 
2062     // Specially handle CFMakeCollectable and friends.
2063     if (std::find(AEffects.begin(), AEffects.end(), MakeCollectable) !=
2064         AEffects.end()) {
2065       // Get the name of the function.
2066       const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt();
2067       SVal X =
2068         CurrSt->getSValAsScalarOrLoc(cast<CallExpr>(S)->getCallee(), LCtx);
2069       const FunctionDecl *FD = X.getAsFunctionDecl();
2070 
2071       if (GCEnabled) {
2072         // Determine if the object's reference count was pushed to zero.
2073         assert(!PrevV.hasSameState(CurrV) && "The state should have changed.");
2074 
2075         os << "In GC mode a call to '" << *FD
2076         <<  "' decrements an object's retain count and registers the "
2077         "object with the garbage collector. ";
2078 
2079         if (CurrV.getKind() == RefVal::Released) {
2080           assert(CurrV.getCount() == 0);
2081           os << "Since it now has a 0 retain count the object can be "
2082           "automatically collected by the garbage collector.";
2083         }
2084         else
2085           os << "An object must have a 0 retain count to be garbage collected. "
2086           "After this call its retain count is +" << CurrV.getCount()
2087           << '.';
2088       }
2089       else
2090         os << "When GC is not enabled a call to '" << *FD
2091         << "' has no effect on its argument.";
2092 
2093       // Nothing more to say.
2094       break;
2095     }
2096 
2097     // Determine if the typestate has changed.
2098     if (!PrevV.hasSameState(CurrV))
2099       switch (CurrV.getKind()) {
2100         case RefVal::Owned:
2101         case RefVal::NotOwned:
2102           if (PrevV.getCount() == CurrV.getCount()) {
2103             // Did an autorelease message get sent?
2104             if (PrevV.getAutoreleaseCount() == CurrV.getAutoreleaseCount())
2105               return nullptr;
2106 
2107             assert(PrevV.getAutoreleaseCount() < CurrV.getAutoreleaseCount());
2108             os << "Object autoreleased";
2109             break;
2110           }
2111 
2112           if (PrevV.getCount() > CurrV.getCount())
2113             os << "Reference count decremented.";
2114           else
2115             os << "Reference count incremented.";
2116 
2117           if (unsigned Count = CurrV.getCount())
2118             os << " The object now has a +" << Count << " retain count.";
2119 
2120           if (PrevV.getKind() == RefVal::Released) {
2121             assert(GCEnabled && CurrV.getCount() > 0);
2122             os << " The object is not eligible for garbage collection until "
2123                   "the retain count reaches 0 again.";
2124           }
2125 
2126           break;
2127 
2128         case RefVal::Released:
2129           if (CurrV.getIvarAccessHistory() ==
2130                 RefVal::IvarAccessHistory::ReleasedAfterDirectAccess &&
2131               CurrV.getIvarAccessHistory() != PrevV.getIvarAccessHistory()) {
2132             os << "Strong instance variable relinquished. ";
2133           }
2134           os << "Object released.";
2135           break;
2136 
2137         case RefVal::ReturnedOwned:
2138           // Autoreleases can be applied after marking a node ReturnedOwned.
2139           if (CurrV.getAutoreleaseCount())
2140             return nullptr;
2141 
2142           os << "Object returned to caller as an owning reference (single "
2143                 "retain count transferred to caller)";
2144           break;
2145 
2146         case RefVal::ReturnedNotOwned:
2147           os << "Object returned to caller with a +0 retain count";
2148           break;
2149 
2150         default:
2151           return nullptr;
2152       }
2153 
2154     // Emit any remaining diagnostics for the argument effects (if any).
2155     for (SmallVectorImpl<ArgEffect>::iterator I=AEffects.begin(),
2156          E=AEffects.end(); I != E; ++I) {
2157 
2158       // A bunch of things have alternate behavior under GC.
2159       if (GCEnabled)
2160         switch (*I) {
2161           default: break;
2162           case Autorelease:
2163             os << "In GC mode an 'autorelease' has no effect.";
2164             continue;
2165           case IncRefMsg:
2166             os << "In GC mode the 'retain' message has no effect.";
2167             continue;
2168           case DecRefMsg:
2169             os << "In GC mode the 'release' message has no effect.";
2170             continue;
2171         }
2172     }
2173   } while (0);
2174 
2175   if (os.str().empty())
2176     return nullptr; // We have nothing to say!
2177 
2178   const Stmt *S = N->getLocation().castAs<StmtPoint>().getStmt();
2179   PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
2180                                 N->getLocationContext());
2181   PathDiagnosticPiece *P = new PathDiagnosticEventPiece(Pos, os.str());
2182 
2183   // Add the range by scanning the children of the statement for any bindings
2184   // to Sym.
2185   for (const Stmt *Child : S->children())
2186     if (const Expr *Exp = dyn_cast_or_null<Expr>(Child))
2187       if (CurrSt->getSValAsScalarOrLoc(Exp, LCtx).getAsLocSymbol() == Sym) {
2188         P->addRange(Exp->getSourceRange());
2189         break;
2190       }
2191 
2192   return P;
2193 }
2194 
2195 namespace {
2196 // Find the first node in the current function context that referred to the
2197 // tracked symbol and the memory location that value was stored to. Note, the
2198 // value is only reported if the allocation occurred in the same function as
2199 // the leak. The function can also return a location context, which should be
2200 // treated as interesting.
2201 struct AllocationInfo {
2202   const ExplodedNode* N;
2203   const MemRegion *R;
2204   const LocationContext *InterestingMethodContext;
AllocationInfo__anonbe000e510711::AllocationInfo2205   AllocationInfo(const ExplodedNode *InN,
2206                  const MemRegion *InR,
2207                  const LocationContext *InInterestingMethodContext) :
2208     N(InN), R(InR), InterestingMethodContext(InInterestingMethodContext) {}
2209 };
2210 } // end anonymous namespace
2211 
2212 static AllocationInfo
GetAllocationSite(ProgramStateManager & StateMgr,const ExplodedNode * N,SymbolRef Sym)2213 GetAllocationSite(ProgramStateManager& StateMgr, const ExplodedNode *N,
2214                   SymbolRef Sym) {
2215   const ExplodedNode *AllocationNode = N;
2216   const ExplodedNode *AllocationNodeInCurrentOrParentContext = N;
2217   const MemRegion *FirstBinding = nullptr;
2218   const LocationContext *LeakContext = N->getLocationContext();
2219 
2220   // The location context of the init method called on the leaked object, if
2221   // available.
2222   const LocationContext *InitMethodContext = nullptr;
2223 
2224   while (N) {
2225     ProgramStateRef St = N->getState();
2226     const LocationContext *NContext = N->getLocationContext();
2227 
2228     if (!getRefBinding(St, Sym))
2229       break;
2230 
2231     StoreManager::FindUniqueBinding FB(Sym);
2232     StateMgr.iterBindings(St, FB);
2233 
2234     if (FB) {
2235       const MemRegion *R = FB.getRegion();
2236       const VarRegion *VR = R->getBaseRegion()->getAs<VarRegion>();
2237       // Do not show local variables belonging to a function other than
2238       // where the error is reported.
2239       if (!VR || VR->getStackFrame() == LeakContext->getCurrentStackFrame())
2240         FirstBinding = R;
2241     }
2242 
2243     // AllocationNode is the last node in which the symbol was tracked.
2244     AllocationNode = N;
2245 
2246     // AllocationNodeInCurrentContext, is the last node in the current or
2247     // parent context in which the symbol was tracked.
2248     //
2249     // Note that the allocation site might be in the parent conext. For example,
2250     // the case where an allocation happens in a block that captures a reference
2251     // to it and that reference is overwritten/dropped by another call to
2252     // the block.
2253     if (NContext == LeakContext || NContext->isParentOf(LeakContext))
2254       AllocationNodeInCurrentOrParentContext = N;
2255 
2256     // Find the last init that was called on the given symbol and store the
2257     // init method's location context.
2258     if (!InitMethodContext)
2259       if (Optional<CallEnter> CEP = N->getLocation().getAs<CallEnter>()) {
2260         const Stmt *CE = CEP->getCallExpr();
2261         if (const ObjCMessageExpr *ME = dyn_cast_or_null<ObjCMessageExpr>(CE)) {
2262           const Stmt *RecExpr = ME->getInstanceReceiver();
2263           if (RecExpr) {
2264             SVal RecV = St->getSVal(RecExpr, NContext);
2265             if (ME->getMethodFamily() == OMF_init && RecV.getAsSymbol() == Sym)
2266               InitMethodContext = CEP->getCalleeContext();
2267           }
2268         }
2269       }
2270 
2271     N = N->pred_empty() ? nullptr : *(N->pred_begin());
2272   }
2273 
2274   // If we are reporting a leak of the object that was allocated with alloc,
2275   // mark its init method as interesting.
2276   const LocationContext *InterestingMethodContext = nullptr;
2277   if (InitMethodContext) {
2278     const ProgramPoint AllocPP = AllocationNode->getLocation();
2279     if (Optional<StmtPoint> SP = AllocPP.getAs<StmtPoint>())
2280       if (const ObjCMessageExpr *ME = SP->getStmtAs<ObjCMessageExpr>())
2281         if (ME->getMethodFamily() == OMF_alloc)
2282           InterestingMethodContext = InitMethodContext;
2283   }
2284 
2285   // If allocation happened in a function different from the leak node context,
2286   // do not report the binding.
2287   assert(N && "Could not find allocation node");
2288   if (N->getLocationContext() != LeakContext) {
2289     FirstBinding = nullptr;
2290   }
2291 
2292   return AllocationInfo(AllocationNodeInCurrentOrParentContext,
2293                         FirstBinding,
2294                         InterestingMethodContext);
2295 }
2296 
2297 std::unique_ptr<PathDiagnosticPiece>
getEndPath(BugReporterContext & BRC,const ExplodedNode * EndN,BugReport & BR)2298 CFRefReportVisitor::getEndPath(BugReporterContext &BRC,
2299                                const ExplodedNode *EndN, BugReport &BR) {
2300   BR.markInteresting(Sym);
2301   return BugReporterVisitor::getDefaultEndPath(BRC, EndN, BR);
2302 }
2303 
2304 std::unique_ptr<PathDiagnosticPiece>
getEndPath(BugReporterContext & BRC,const ExplodedNode * EndN,BugReport & BR)2305 CFRefLeakReportVisitor::getEndPath(BugReporterContext &BRC,
2306                                    const ExplodedNode *EndN, BugReport &BR) {
2307 
2308   // Tell the BugReporterContext to report cases when the tracked symbol is
2309   // assigned to different variables, etc.
2310   BR.markInteresting(Sym);
2311 
2312   // We are reporting a leak.  Walk up the graph to get to the first node where
2313   // the symbol appeared, and also get the first VarDecl that tracked object
2314   // is stored to.
2315   AllocationInfo AllocI =
2316     GetAllocationSite(BRC.getStateManager(), EndN, Sym);
2317 
2318   const MemRegion* FirstBinding = AllocI.R;
2319   BR.markInteresting(AllocI.InterestingMethodContext);
2320 
2321   SourceManager& SM = BRC.getSourceManager();
2322 
2323   // Compute an actual location for the leak.  Sometimes a leak doesn't
2324   // occur at an actual statement (e.g., transition between blocks; end
2325   // of function) so we need to walk the graph and compute a real location.
2326   const ExplodedNode *LeakN = EndN;
2327   PathDiagnosticLocation L = PathDiagnosticLocation::createEndOfPath(LeakN, SM);
2328 
2329   std::string sbuf;
2330   llvm::raw_string_ostream os(sbuf);
2331 
2332   os << "Object leaked: ";
2333 
2334   if (FirstBinding) {
2335     os << "object allocated and stored into '"
2336        << FirstBinding->getString() << '\'';
2337   }
2338   else
2339     os << "allocated object";
2340 
2341   // Get the retain count.
2342   const RefVal* RV = getRefBinding(EndN->getState(), Sym);
2343   assert(RV);
2344 
2345   if (RV->getKind() == RefVal::ErrorLeakReturned) {
2346     // FIXME: Per comments in rdar://6320065, "create" only applies to CF
2347     // objects.  Only "copy", "alloc", "retain" and "new" transfer ownership
2348     // to the caller for NS objects.
2349     const Decl *D = &EndN->getCodeDecl();
2350 
2351     os << (isa<ObjCMethodDecl>(D) ? " is returned from a method "
2352                                   : " is returned from a function ");
2353 
2354     if (D->hasAttr<CFReturnsNotRetainedAttr>())
2355       os << "that is annotated as CF_RETURNS_NOT_RETAINED";
2356     else if (D->hasAttr<NSReturnsNotRetainedAttr>())
2357       os << "that is annotated as NS_RETURNS_NOT_RETAINED";
2358     else {
2359       if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) {
2360         os << "whose name ('" << MD->getSelector().getAsString()
2361            << "') does not start with 'copy', 'mutableCopy', 'alloc' or 'new'."
2362               "  This violates the naming convention rules"
2363               " given in the Memory Management Guide for Cocoa";
2364       }
2365       else {
2366         const FunctionDecl *FD = cast<FunctionDecl>(D);
2367         os << "whose name ('" << *FD
2368            << "') does not contain 'Copy' or 'Create'.  This violates the naming"
2369               " convention rules given in the Memory Management Guide for Core"
2370               " Foundation";
2371       }
2372     }
2373   }
2374   else if (RV->getKind() == RefVal::ErrorGCLeakReturned) {
2375     const ObjCMethodDecl &MD = cast<ObjCMethodDecl>(EndN->getCodeDecl());
2376     os << " and returned from method '" << MD.getSelector().getAsString()
2377        << "' is potentially leaked when using garbage collection.  Callers "
2378           "of this method do not expect a returned object with a +1 retain "
2379           "count since they expect the object to be managed by the garbage "
2380           "collector";
2381   }
2382   else
2383     os << " is not referenced later in this execution path and has a retain "
2384           "count of +" << RV->getCount();
2385 
2386   return llvm::make_unique<PathDiagnosticEventPiece>(L, os.str());
2387 }
2388 
CFRefLeakReport(CFRefBug & D,const LangOptions & LOpts,bool GCEnabled,const SummaryLogTy & Log,ExplodedNode * n,SymbolRef sym,CheckerContext & Ctx,bool IncludeAllocationLine)2389 CFRefLeakReport::CFRefLeakReport(CFRefBug &D, const LangOptions &LOpts,
2390                                  bool GCEnabled, const SummaryLogTy &Log,
2391                                  ExplodedNode *n, SymbolRef sym,
2392                                  CheckerContext &Ctx,
2393                                  bool IncludeAllocationLine)
2394   : CFRefReport(D, LOpts, GCEnabled, Log, n, sym, false) {
2395 
2396   // Most bug reports are cached at the location where they occurred.
2397   // With leaks, we want to unique them by the location where they were
2398   // allocated, and only report a single path.  To do this, we need to find
2399   // the allocation site of a piece of tracked memory, which we do via a
2400   // call to GetAllocationSite.  This will walk the ExplodedGraph backwards.
2401   // Note that this is *not* the trimmed graph; we are guaranteed, however,
2402   // that all ancestor nodes that represent the allocation site have the
2403   // same SourceLocation.
2404   const ExplodedNode *AllocNode = nullptr;
2405 
2406   const SourceManager& SMgr = Ctx.getSourceManager();
2407 
2408   AllocationInfo AllocI =
2409     GetAllocationSite(Ctx.getStateManager(), getErrorNode(), sym);
2410 
2411   AllocNode = AllocI.N;
2412   AllocBinding = AllocI.R;
2413   markInteresting(AllocI.InterestingMethodContext);
2414 
2415   // Get the SourceLocation for the allocation site.
2416   // FIXME: This will crash the analyzer if an allocation comes from an
2417   // implicit call (ex: a destructor call).
2418   // (Currently there are no such allocations in Cocoa, though.)
2419   const Stmt *AllocStmt = nullptr;
2420   ProgramPoint P = AllocNode->getLocation();
2421   if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>())
2422     AllocStmt = Exit->getCalleeContext()->getCallSite();
2423   else
2424     AllocStmt = P.castAs<PostStmt>().getStmt();
2425   assert(AllocStmt && "Cannot find allocation statement");
2426 
2427   PathDiagnosticLocation AllocLocation =
2428     PathDiagnosticLocation::createBegin(AllocStmt, SMgr,
2429                                         AllocNode->getLocationContext());
2430   Location = AllocLocation;
2431 
2432   // Set uniqieing info, which will be used for unique the bug reports. The
2433   // leaks should be uniqued on the allocation site.
2434   UniqueingLocation = AllocLocation;
2435   UniqueingDecl = AllocNode->getLocationContext()->getDecl();
2436 
2437   // Fill in the description of the bug.
2438   Description.clear();
2439   llvm::raw_string_ostream os(Description);
2440   os << "Potential leak ";
2441   if (GCEnabled)
2442     os << "(when using garbage collection) ";
2443   os << "of an object";
2444 
2445   if (AllocBinding) {
2446     os << " stored into '" << AllocBinding->getString() << '\'';
2447     if (IncludeAllocationLine) {
2448       FullSourceLoc SL(AllocStmt->getLocStart(), Ctx.getSourceManager());
2449       os << " (allocated on line " << SL.getSpellingLineNumber() << ")";
2450     }
2451   }
2452 
2453   addVisitor(llvm::make_unique<CFRefLeakReportVisitor>(sym, GCEnabled, Log));
2454 }
2455 
2456 //===----------------------------------------------------------------------===//
2457 // Main checker logic.
2458 //===----------------------------------------------------------------------===//
2459 
2460 namespace {
2461 class RetainCountChecker
2462   : public Checker< check::Bind,
2463                     check::DeadSymbols,
2464                     check::EndAnalysis,
2465                     check::EndFunction,
2466                     check::PostStmt<BlockExpr>,
2467                     check::PostStmt<CastExpr>,
2468                     check::PostStmt<ObjCArrayLiteral>,
2469                     check::PostStmt<ObjCDictionaryLiteral>,
2470                     check::PostStmt<ObjCBoxedExpr>,
2471                     check::PostStmt<ObjCIvarRefExpr>,
2472                     check::PostCall,
2473                     check::PreStmt<ReturnStmt>,
2474                     check::RegionChanges,
2475                     eval::Assume,
2476                     eval::Call > {
2477   mutable std::unique_ptr<CFRefBug> useAfterRelease, releaseNotOwned;
2478   mutable std::unique_ptr<CFRefBug> deallocGC, deallocNotOwned;
2479   mutable std::unique_ptr<CFRefBug> overAutorelease, returnNotOwnedForOwned;
2480   mutable std::unique_ptr<CFRefBug> leakWithinFunction, leakAtReturn;
2481   mutable std::unique_ptr<CFRefBug> leakWithinFunctionGC, leakAtReturnGC;
2482 
2483   typedef llvm::DenseMap<SymbolRef, const CheckerProgramPointTag *> SymbolTagMap;
2484 
2485   // This map is only used to ensure proper deletion of any allocated tags.
2486   mutable SymbolTagMap DeadSymbolTags;
2487 
2488   mutable std::unique_ptr<RetainSummaryManager> Summaries;
2489   mutable std::unique_ptr<RetainSummaryManager> SummariesGC;
2490   mutable SummaryLogTy SummaryLog;
2491   mutable bool ShouldResetSummaryLog;
2492 
2493   /// Optional setting to indicate if leak reports should include
2494   /// the allocation line.
2495   mutable bool IncludeAllocationLine;
2496 
2497 public:
RetainCountChecker(AnalyzerOptions & AO)2498   RetainCountChecker(AnalyzerOptions &AO)
2499     : ShouldResetSummaryLog(false),
2500       IncludeAllocationLine(shouldIncludeAllocationSiteInLeakDiagnostics(AO)) {}
2501 
~RetainCountChecker()2502   ~RetainCountChecker() override { DeleteContainerSeconds(DeadSymbolTags); }
2503 
checkEndAnalysis(ExplodedGraph & G,BugReporter & BR,ExprEngine & Eng) const2504   void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR,
2505                         ExprEngine &Eng) const {
2506     // FIXME: This is a hack to make sure the summary log gets cleared between
2507     // analyses of different code bodies.
2508     //
2509     // Why is this necessary? Because a checker's lifetime is tied to a
2510     // translation unit, but an ExplodedGraph's lifetime is just a code body.
2511     // Once in a blue moon, a new ExplodedNode will have the same address as an
2512     // old one with an associated summary, and the bug report visitor gets very
2513     // confused. (To make things worse, the summary lifetime is currently also
2514     // tied to a code body, so we get a crash instead of incorrect results.)
2515     //
2516     // Why is this a bad solution? Because if the lifetime of the ExplodedGraph
2517     // changes, things will start going wrong again. Really the lifetime of this
2518     // log needs to be tied to either the specific nodes in it or the entire
2519     // ExplodedGraph, not to a specific part of the code being analyzed.
2520     //
2521     // (Also, having stateful local data means that the same checker can't be
2522     // used from multiple threads, but a lot of checkers have incorrect
2523     // assumptions about that anyway. So that wasn't a priority at the time of
2524     // this fix.)
2525     //
2526     // This happens at the end of analysis, but bug reports are emitted /after/
2527     // this point. So we can't just clear the summary log now. Instead, we mark
2528     // that the next time we access the summary log, it should be cleared.
2529 
2530     // If we never reset the summary log during /this/ code body analysis,
2531     // there were no new summaries. There might still have been summaries from
2532     // the /last/ analysis, so clear them out to make sure the bug report
2533     // visitors don't get confused.
2534     if (ShouldResetSummaryLog)
2535       SummaryLog.clear();
2536 
2537     ShouldResetSummaryLog = !SummaryLog.empty();
2538   }
2539 
getLeakWithinFunctionBug(const LangOptions & LOpts,bool GCEnabled) const2540   CFRefBug *getLeakWithinFunctionBug(const LangOptions &LOpts,
2541                                      bool GCEnabled) const {
2542     if (GCEnabled) {
2543       if (!leakWithinFunctionGC)
2544         leakWithinFunctionGC.reset(new Leak(this, "Leak of object when using "
2545                                                   "garbage collection"));
2546       return leakWithinFunctionGC.get();
2547     } else {
2548       if (!leakWithinFunction) {
2549         if (LOpts.getGC() == LangOptions::HybridGC) {
2550           leakWithinFunction.reset(new Leak(this,
2551                                             "Leak of object when not using "
2552                                             "garbage collection (GC) in "
2553                                             "dual GC/non-GC code"));
2554         } else {
2555           leakWithinFunction.reset(new Leak(this, "Leak"));
2556         }
2557       }
2558       return leakWithinFunction.get();
2559     }
2560   }
2561 
getLeakAtReturnBug(const LangOptions & LOpts,bool GCEnabled) const2562   CFRefBug *getLeakAtReturnBug(const LangOptions &LOpts, bool GCEnabled) const {
2563     if (GCEnabled) {
2564       if (!leakAtReturnGC)
2565         leakAtReturnGC.reset(new Leak(this,
2566                                       "Leak of returned object when using "
2567                                       "garbage collection"));
2568       return leakAtReturnGC.get();
2569     } else {
2570       if (!leakAtReturn) {
2571         if (LOpts.getGC() == LangOptions::HybridGC) {
2572           leakAtReturn.reset(new Leak(this,
2573                                       "Leak of returned object when not using "
2574                                       "garbage collection (GC) in dual "
2575                                       "GC/non-GC code"));
2576         } else {
2577           leakAtReturn.reset(new Leak(this, "Leak of returned object"));
2578         }
2579       }
2580       return leakAtReturn.get();
2581     }
2582   }
2583 
getSummaryManager(ASTContext & Ctx,bool GCEnabled) const2584   RetainSummaryManager &getSummaryManager(ASTContext &Ctx,
2585                                           bool GCEnabled) const {
2586     // FIXME: We don't support ARC being turned on and off during one analysis.
2587     // (nor, for that matter, do we support changing ASTContexts)
2588     bool ARCEnabled = (bool)Ctx.getLangOpts().ObjCAutoRefCount;
2589     if (GCEnabled) {
2590       if (!SummariesGC)
2591         SummariesGC.reset(new RetainSummaryManager(Ctx, true, ARCEnabled));
2592       else
2593         assert(SummariesGC->isARCEnabled() == ARCEnabled);
2594       return *SummariesGC;
2595     } else {
2596       if (!Summaries)
2597         Summaries.reset(new RetainSummaryManager(Ctx, false, ARCEnabled));
2598       else
2599         assert(Summaries->isARCEnabled() == ARCEnabled);
2600       return *Summaries;
2601     }
2602   }
2603 
getSummaryManager(CheckerContext & C) const2604   RetainSummaryManager &getSummaryManager(CheckerContext &C) const {
2605     return getSummaryManager(C.getASTContext(), C.isObjCGCEnabled());
2606   }
2607 
2608   void printState(raw_ostream &Out, ProgramStateRef State,
2609                   const char *NL, const char *Sep) const override;
2610 
2611   void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
2612   void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
2613   void checkPostStmt(const CastExpr *CE, CheckerContext &C) const;
2614 
2615   void checkPostStmt(const ObjCArrayLiteral *AL, CheckerContext &C) const;
2616   void checkPostStmt(const ObjCDictionaryLiteral *DL, CheckerContext &C) const;
2617   void checkPostStmt(const ObjCBoxedExpr *BE, CheckerContext &C) const;
2618 
2619   void checkPostStmt(const ObjCIvarRefExpr *IRE, CheckerContext &C) const;
2620 
2621   void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
2622 
2623   void checkSummary(const RetainSummary &Summ, const CallEvent &Call,
2624                     CheckerContext &C) const;
2625 
2626   void processSummaryOfInlined(const RetainSummary &Summ,
2627                                const CallEvent &Call,
2628                                CheckerContext &C) const;
2629 
2630   bool evalCall(const CallExpr *CE, CheckerContext &C) const;
2631 
2632   ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
2633                                  bool Assumption) const;
2634 
2635   ProgramStateRef
2636   checkRegionChanges(ProgramStateRef state,
2637                      const InvalidatedSymbols *invalidated,
2638                      ArrayRef<const MemRegion *> ExplicitRegions,
2639                      ArrayRef<const MemRegion *> Regions,
2640                      const CallEvent *Call) const;
2641 
wantsRegionChangeUpdate(ProgramStateRef state) const2642   bool wantsRegionChangeUpdate(ProgramStateRef state) const {
2643     return true;
2644   }
2645 
2646   void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
2647   void checkReturnWithRetEffect(const ReturnStmt *S, CheckerContext &C,
2648                                 ExplodedNode *Pred, RetEffect RE, RefVal X,
2649                                 SymbolRef Sym, ProgramStateRef state) const;
2650 
2651   void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
2652   void checkEndFunction(CheckerContext &C) const;
2653 
2654   ProgramStateRef updateSymbol(ProgramStateRef state, SymbolRef sym,
2655                                RefVal V, ArgEffect E, RefVal::Kind &hasErr,
2656                                CheckerContext &C) const;
2657 
2658   void processNonLeakError(ProgramStateRef St, SourceRange ErrorRange,
2659                            RefVal::Kind ErrorKind, SymbolRef Sym,
2660                            CheckerContext &C) const;
2661 
2662   void processObjCLiterals(CheckerContext &C, const Expr *Ex) const;
2663 
2664   const ProgramPointTag *getDeadSymbolTag(SymbolRef sym) const;
2665 
2666   ProgramStateRef handleSymbolDeath(ProgramStateRef state,
2667                                     SymbolRef sid, RefVal V,
2668                                     SmallVectorImpl<SymbolRef> &Leaked) const;
2669 
2670   ProgramStateRef
2671   handleAutoreleaseCounts(ProgramStateRef state, ExplodedNode *Pred,
2672                           const ProgramPointTag *Tag, CheckerContext &Ctx,
2673                           SymbolRef Sym, RefVal V) const;
2674 
2675   ExplodedNode *processLeaks(ProgramStateRef state,
2676                              SmallVectorImpl<SymbolRef> &Leaked,
2677                              CheckerContext &Ctx,
2678                              ExplodedNode *Pred = nullptr) const;
2679 };
2680 } // end anonymous namespace
2681 
2682 namespace {
2683 class StopTrackingCallback final : public SymbolVisitor {
2684   ProgramStateRef state;
2685 public:
StopTrackingCallback(ProgramStateRef st)2686   StopTrackingCallback(ProgramStateRef st) : state(st) {}
getState() const2687   ProgramStateRef getState() const { return state; }
2688 
VisitSymbol(SymbolRef sym)2689   bool VisitSymbol(SymbolRef sym) override {
2690     state = state->remove<RefBindings>(sym);
2691     return true;
2692   }
2693 };
2694 } // end anonymous namespace
2695 
2696 //===----------------------------------------------------------------------===//
2697 // Handle statements that may have an effect on refcounts.
2698 //===----------------------------------------------------------------------===//
2699 
checkPostStmt(const BlockExpr * BE,CheckerContext & C) const2700 void RetainCountChecker::checkPostStmt(const BlockExpr *BE,
2701                                        CheckerContext &C) const {
2702 
2703   // Scan the BlockDecRefExprs for any object the retain count checker
2704   // may be tracking.
2705   if (!BE->getBlockDecl()->hasCaptures())
2706     return;
2707 
2708   ProgramStateRef state = C.getState();
2709   const BlockDataRegion *R =
2710     cast<BlockDataRegion>(state->getSVal(BE,
2711                                          C.getLocationContext()).getAsRegion());
2712 
2713   BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2714                                             E = R->referenced_vars_end();
2715 
2716   if (I == E)
2717     return;
2718 
2719   // FIXME: For now we invalidate the tracking of all symbols passed to blocks
2720   // via captured variables, even though captured variables result in a copy
2721   // and in implicit increment/decrement of a retain count.
2722   SmallVector<const MemRegion*, 10> Regions;
2723   const LocationContext *LC = C.getLocationContext();
2724   MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2725 
2726   for ( ; I != E; ++I) {
2727     const VarRegion *VR = I.getCapturedRegion();
2728     if (VR->getSuperRegion() == R) {
2729       VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2730     }
2731     Regions.push_back(VR);
2732   }
2733 
2734   state =
2735     state->scanReachableSymbols<StopTrackingCallback>(Regions.data(),
2736                                     Regions.data() + Regions.size()).getState();
2737   C.addTransition(state);
2738 }
2739 
checkPostStmt(const CastExpr * CE,CheckerContext & C) const2740 void RetainCountChecker::checkPostStmt(const CastExpr *CE,
2741                                        CheckerContext &C) const {
2742   const ObjCBridgedCastExpr *BE = dyn_cast<ObjCBridgedCastExpr>(CE);
2743   if (!BE)
2744     return;
2745 
2746   ArgEffect AE = IncRef;
2747 
2748   switch (BE->getBridgeKind()) {
2749     case clang::OBC_Bridge:
2750       // Do nothing.
2751       return;
2752     case clang::OBC_BridgeRetained:
2753       AE = IncRef;
2754       break;
2755     case clang::OBC_BridgeTransfer:
2756       AE = DecRefBridgedTransferred;
2757       break;
2758   }
2759 
2760   ProgramStateRef state = C.getState();
2761   SymbolRef Sym = state->getSVal(CE, C.getLocationContext()).getAsLocSymbol();
2762   if (!Sym)
2763     return;
2764   const RefVal* T = getRefBinding(state, Sym);
2765   if (!T)
2766     return;
2767 
2768   RefVal::Kind hasErr = (RefVal::Kind) 0;
2769   state = updateSymbol(state, Sym, *T, AE, hasErr, C);
2770 
2771   if (hasErr) {
2772     // FIXME: If we get an error during a bridge cast, should we report it?
2773     return;
2774   }
2775 
2776   C.addTransition(state);
2777 }
2778 
processObjCLiterals(CheckerContext & C,const Expr * Ex) const2779 void RetainCountChecker::processObjCLiterals(CheckerContext &C,
2780                                              const Expr *Ex) const {
2781   ProgramStateRef state = C.getState();
2782   const ExplodedNode *pred = C.getPredecessor();
2783   for (const Stmt *Child : Ex->children()) {
2784     SVal V = state->getSVal(Child, pred->getLocationContext());
2785     if (SymbolRef sym = V.getAsSymbol())
2786       if (const RefVal* T = getRefBinding(state, sym)) {
2787         RefVal::Kind hasErr = (RefVal::Kind) 0;
2788         state = updateSymbol(state, sym, *T, MayEscape, hasErr, C);
2789         if (hasErr) {
2790           processNonLeakError(state, Child->getSourceRange(), hasErr, sym, C);
2791           return;
2792         }
2793       }
2794   }
2795 
2796   // Return the object as autoreleased.
2797   //  RetEffect RE = RetEffect::MakeNotOwned(RetEffect::ObjC);
2798   if (SymbolRef sym =
2799         state->getSVal(Ex, pred->getLocationContext()).getAsSymbol()) {
2800     QualType ResultTy = Ex->getType();
2801     state = setRefBinding(state, sym,
2802                           RefVal::makeNotOwned(RetEffect::ObjC, ResultTy));
2803   }
2804 
2805   C.addTransition(state);
2806 }
2807 
checkPostStmt(const ObjCArrayLiteral * AL,CheckerContext & C) const2808 void RetainCountChecker::checkPostStmt(const ObjCArrayLiteral *AL,
2809                                        CheckerContext &C) const {
2810   // Apply the 'MayEscape' to all values.
2811   processObjCLiterals(C, AL);
2812 }
2813 
checkPostStmt(const ObjCDictionaryLiteral * DL,CheckerContext & C) const2814 void RetainCountChecker::checkPostStmt(const ObjCDictionaryLiteral *DL,
2815                                        CheckerContext &C) const {
2816   // Apply the 'MayEscape' to all keys and values.
2817   processObjCLiterals(C, DL);
2818 }
2819 
checkPostStmt(const ObjCBoxedExpr * Ex,CheckerContext & C) const2820 void RetainCountChecker::checkPostStmt(const ObjCBoxedExpr *Ex,
2821                                        CheckerContext &C) const {
2822   const ExplodedNode *Pred = C.getPredecessor();
2823   const LocationContext *LCtx = Pred->getLocationContext();
2824   ProgramStateRef State = Pred->getState();
2825 
2826   if (SymbolRef Sym = State->getSVal(Ex, LCtx).getAsSymbol()) {
2827     QualType ResultTy = Ex->getType();
2828     State = setRefBinding(State, Sym,
2829                           RefVal::makeNotOwned(RetEffect::ObjC, ResultTy));
2830   }
2831 
2832   C.addTransition(State);
2833 }
2834 
wasLoadedFromIvar(SymbolRef Sym)2835 static bool wasLoadedFromIvar(SymbolRef Sym) {
2836   if (auto DerivedVal = dyn_cast<SymbolDerived>(Sym))
2837     return isa<ObjCIvarRegion>(DerivedVal->getRegion());
2838   if (auto RegionVal = dyn_cast<SymbolRegionValue>(Sym))
2839     return isa<ObjCIvarRegion>(RegionVal->getRegion());
2840   return false;
2841 }
2842 
checkPostStmt(const ObjCIvarRefExpr * IRE,CheckerContext & C) const2843 void RetainCountChecker::checkPostStmt(const ObjCIvarRefExpr *IRE,
2844                                        CheckerContext &C) const {
2845   Optional<Loc> IVarLoc = C.getSVal(IRE).getAs<Loc>();
2846   if (!IVarLoc)
2847     return;
2848 
2849   ProgramStateRef State = C.getState();
2850   SymbolRef Sym = State->getSVal(*IVarLoc).getAsSymbol();
2851   if (!Sym || !wasLoadedFromIvar(Sym))
2852     return;
2853 
2854   // Accessing an ivar directly is unusual. If we've done that, be more
2855   // forgiving about what the surrounding code is allowed to do.
2856 
2857   QualType Ty = Sym->getType();
2858   RetEffect::ObjKind Kind;
2859   if (Ty->isObjCRetainableType())
2860     Kind = RetEffect::ObjC;
2861   else if (coreFoundation::isCFObjectRef(Ty))
2862     Kind = RetEffect::CF;
2863   else
2864     return;
2865 
2866   // If the value is already known to be nil, don't bother tracking it.
2867   ConstraintManager &CMgr = State->getConstraintManager();
2868   if (CMgr.isNull(State, Sym).isConstrainedTrue())
2869     return;
2870 
2871   if (const RefVal *RV = getRefBinding(State, Sym)) {
2872     // If we've seen this symbol before, or we're only seeing it now because
2873     // of something the analyzer has synthesized, don't do anything.
2874     if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None ||
2875         isSynthesizedAccessor(C.getStackFrame())) {
2876       return;
2877     }
2878 
2879     // Note that this value has been loaded from an ivar.
2880     C.addTransition(setRefBinding(State, Sym, RV->withIvarAccess()));
2881     return;
2882   }
2883 
2884   RefVal PlusZero = RefVal::makeNotOwned(Kind, Ty);
2885 
2886   // In a synthesized accessor, the effective retain count is +0.
2887   if (isSynthesizedAccessor(C.getStackFrame())) {
2888     C.addTransition(setRefBinding(State, Sym, PlusZero));
2889     return;
2890   }
2891 
2892   State = setRefBinding(State, Sym, PlusZero.withIvarAccess());
2893   C.addTransition(State);
2894 }
2895 
checkPostCall(const CallEvent & Call,CheckerContext & C) const2896 void RetainCountChecker::checkPostCall(const CallEvent &Call,
2897                                        CheckerContext &C) const {
2898   RetainSummaryManager &Summaries = getSummaryManager(C);
2899   const RetainSummary *Summ = Summaries.getSummary(Call, C.getState());
2900 
2901   if (C.wasInlined) {
2902     processSummaryOfInlined(*Summ, Call, C);
2903     return;
2904   }
2905   checkSummary(*Summ, Call, C);
2906 }
2907 
2908 /// GetReturnType - Used to get the return type of a message expression or
2909 ///  function call with the intention of affixing that type to a tracked symbol.
2910 ///  While the return type can be queried directly from RetEx, when
2911 ///  invoking class methods we augment to the return type to be that of
2912 ///  a pointer to the class (as opposed it just being id).
2913 // FIXME: We may be able to do this with related result types instead.
2914 // This function is probably overestimating.
GetReturnType(const Expr * RetE,ASTContext & Ctx)2915 static QualType GetReturnType(const Expr *RetE, ASTContext &Ctx) {
2916   QualType RetTy = RetE->getType();
2917   // If RetE is not a message expression just return its type.
2918   // If RetE is a message expression, return its types if it is something
2919   /// more specific than id.
2920   if (const ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(RetE))
2921     if (const ObjCObjectPointerType *PT = RetTy->getAs<ObjCObjectPointerType>())
2922       if (PT->isObjCQualifiedIdType() || PT->isObjCIdType() ||
2923           PT->isObjCClassType()) {
2924         // At this point we know the return type of the message expression is
2925         // id, id<...>, or Class. If we have an ObjCInterfaceDecl, we know this
2926         // is a call to a class method whose type we can resolve.  In such
2927         // cases, promote the return type to XXX* (where XXX is the class).
2928         const ObjCInterfaceDecl *D = ME->getReceiverInterface();
2929         return !D ? RetTy :
2930                     Ctx.getObjCObjectPointerType(Ctx.getObjCInterfaceType(D));
2931       }
2932 
2933   return RetTy;
2934 }
2935 
2936 // We don't always get the exact modeling of the function with regards to the
2937 // retain count checker even when the function is inlined. For example, we need
2938 // to stop tracking the symbols which were marked with StopTrackingHard.
processSummaryOfInlined(const RetainSummary & Summ,const CallEvent & CallOrMsg,CheckerContext & C) const2939 void RetainCountChecker::processSummaryOfInlined(const RetainSummary &Summ,
2940                                                  const CallEvent &CallOrMsg,
2941                                                  CheckerContext &C) const {
2942   ProgramStateRef state = C.getState();
2943 
2944   // Evaluate the effect of the arguments.
2945   for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) {
2946     if (Summ.getArg(idx) == StopTrackingHard) {
2947       SVal V = CallOrMsg.getArgSVal(idx);
2948       if (SymbolRef Sym = V.getAsLocSymbol()) {
2949         state = removeRefBinding(state, Sym);
2950       }
2951     }
2952   }
2953 
2954   // Evaluate the effect on the message receiver.
2955   const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg);
2956   if (MsgInvocation) {
2957     if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) {
2958       if (Summ.getReceiverEffect() == StopTrackingHard) {
2959         state = removeRefBinding(state, Sym);
2960       }
2961     }
2962   }
2963 
2964   // Consult the summary for the return value.
2965   RetEffect RE = Summ.getRetEffect();
2966   if (RE.getKind() == RetEffect::NoRetHard) {
2967     SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol();
2968     if (Sym)
2969       state = removeRefBinding(state, Sym);
2970   }
2971 
2972   C.addTransition(state);
2973 }
2974 
updateOutParameter(ProgramStateRef State,SVal ArgVal,ArgEffect Effect)2975 static ProgramStateRef updateOutParameter(ProgramStateRef State,
2976                                           SVal ArgVal,
2977                                           ArgEffect Effect) {
2978   auto *ArgRegion = dyn_cast_or_null<TypedValueRegion>(ArgVal.getAsRegion());
2979   if (!ArgRegion)
2980     return State;
2981 
2982   QualType PointeeTy = ArgRegion->getValueType();
2983   if (!coreFoundation::isCFObjectRef(PointeeTy))
2984     return State;
2985 
2986   SVal PointeeVal = State->getSVal(ArgRegion);
2987   SymbolRef Pointee = PointeeVal.getAsLocSymbol();
2988   if (!Pointee)
2989     return State;
2990 
2991   switch (Effect) {
2992   case UnretainedOutParameter:
2993     State = setRefBinding(State, Pointee,
2994                           RefVal::makeNotOwned(RetEffect::CF, PointeeTy));
2995     break;
2996   case RetainedOutParameter:
2997     // Do nothing. Retained out parameters will either point to a +1 reference
2998     // or NULL, but the way you check for failure differs depending on the API.
2999     // Consequently, we don't have a good way to track them yet.
3000     break;
3001 
3002   default:
3003     llvm_unreachable("only for out parameters");
3004   }
3005 
3006   return State;
3007 }
3008 
checkSummary(const RetainSummary & Summ,const CallEvent & CallOrMsg,CheckerContext & C) const3009 void RetainCountChecker::checkSummary(const RetainSummary &Summ,
3010                                       const CallEvent &CallOrMsg,
3011                                       CheckerContext &C) const {
3012   ProgramStateRef state = C.getState();
3013 
3014   // Evaluate the effect of the arguments.
3015   RefVal::Kind hasErr = (RefVal::Kind) 0;
3016   SourceRange ErrorRange;
3017   SymbolRef ErrorSym = nullptr;
3018 
3019   for (unsigned idx = 0, e = CallOrMsg.getNumArgs(); idx != e; ++idx) {
3020     SVal V = CallOrMsg.getArgSVal(idx);
3021 
3022     ArgEffect Effect = Summ.getArg(idx);
3023     if (Effect == RetainedOutParameter || Effect == UnretainedOutParameter) {
3024       state = updateOutParameter(state, V, Effect);
3025     } else if (SymbolRef Sym = V.getAsLocSymbol()) {
3026       if (const RefVal *T = getRefBinding(state, Sym)) {
3027         state = updateSymbol(state, Sym, *T, Effect, hasErr, C);
3028         if (hasErr) {
3029           ErrorRange = CallOrMsg.getArgSourceRange(idx);
3030           ErrorSym = Sym;
3031           break;
3032         }
3033       }
3034     }
3035   }
3036 
3037   // Evaluate the effect on the message receiver.
3038   bool ReceiverIsTracked = false;
3039   if (!hasErr) {
3040     const ObjCMethodCall *MsgInvocation = dyn_cast<ObjCMethodCall>(&CallOrMsg);
3041     if (MsgInvocation) {
3042       if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) {
3043         if (const RefVal *T = getRefBinding(state, Sym)) {
3044           ReceiverIsTracked = true;
3045           state = updateSymbol(state, Sym, *T, Summ.getReceiverEffect(),
3046                                  hasErr, C);
3047           if (hasErr) {
3048             ErrorRange = MsgInvocation->getOriginExpr()->getReceiverRange();
3049             ErrorSym = Sym;
3050           }
3051         }
3052       }
3053     }
3054   }
3055 
3056   // Process any errors.
3057   if (hasErr) {
3058     processNonLeakError(state, ErrorRange, hasErr, ErrorSym, C);
3059     return;
3060   }
3061 
3062   // Consult the summary for the return value.
3063   RetEffect RE = Summ.getRetEffect();
3064 
3065   if (RE.getKind() == RetEffect::OwnedWhenTrackedReceiver) {
3066     if (ReceiverIsTracked)
3067       RE = getSummaryManager(C).getObjAllocRetEffect();
3068     else
3069       RE = RetEffect::MakeNoRet();
3070   }
3071 
3072   switch (RE.getKind()) {
3073     default:
3074       llvm_unreachable("Unhandled RetEffect.");
3075 
3076     case RetEffect::NoRet:
3077     case RetEffect::NoRetHard:
3078       // No work necessary.
3079       break;
3080 
3081     case RetEffect::OwnedAllocatedSymbol:
3082     case RetEffect::OwnedSymbol: {
3083       SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol();
3084       if (!Sym)
3085         break;
3086 
3087       // Use the result type from the CallEvent as it automatically adjusts
3088       // for methods/functions that return references.
3089       QualType ResultTy = CallOrMsg.getResultType();
3090       state = setRefBinding(state, Sym, RefVal::makeOwned(RE.getObjKind(),
3091                                                           ResultTy));
3092 
3093       // FIXME: Add a flag to the checker where allocations are assumed to
3094       // *not* fail.
3095       break;
3096     }
3097 
3098     case RetEffect::GCNotOwnedSymbol:
3099     case RetEffect::NotOwnedSymbol: {
3100       const Expr *Ex = CallOrMsg.getOriginExpr();
3101       SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol();
3102       if (!Sym)
3103         break;
3104       assert(Ex);
3105       // Use GetReturnType in order to give [NSFoo alloc] the type NSFoo *.
3106       QualType ResultTy = GetReturnType(Ex, C.getASTContext());
3107       state = setRefBinding(state, Sym, RefVal::makeNotOwned(RE.getObjKind(),
3108                                                              ResultTy));
3109       break;
3110     }
3111   }
3112 
3113   // This check is actually necessary; otherwise the statement builder thinks
3114   // we've hit a previously-found path.
3115   // Normally addTransition takes care of this, but we want the node pointer.
3116   ExplodedNode *NewNode;
3117   if (state == C.getState()) {
3118     NewNode = C.getPredecessor();
3119   } else {
3120     NewNode = C.addTransition(state);
3121   }
3122 
3123   // Annotate the node with summary we used.
3124   if (NewNode) {
3125     // FIXME: This is ugly. See checkEndAnalysis for why it's necessary.
3126     if (ShouldResetSummaryLog) {
3127       SummaryLog.clear();
3128       ShouldResetSummaryLog = false;
3129     }
3130     SummaryLog[NewNode] = &Summ;
3131   }
3132 }
3133 
3134 ProgramStateRef
updateSymbol(ProgramStateRef state,SymbolRef sym,RefVal V,ArgEffect E,RefVal::Kind & hasErr,CheckerContext & C) const3135 RetainCountChecker::updateSymbol(ProgramStateRef state, SymbolRef sym,
3136                                  RefVal V, ArgEffect E, RefVal::Kind &hasErr,
3137                                  CheckerContext &C) const {
3138   // In GC mode [... release] and [... retain] do nothing.
3139   // In ARC mode they shouldn't exist at all, but we just ignore them.
3140   bool IgnoreRetainMsg = C.isObjCGCEnabled();
3141   if (!IgnoreRetainMsg)
3142     IgnoreRetainMsg = (bool)C.getASTContext().getLangOpts().ObjCAutoRefCount;
3143 
3144   switch (E) {
3145   default:
3146     break;
3147   case IncRefMsg:
3148     E = IgnoreRetainMsg ? DoNothing : IncRef;
3149     break;
3150   case DecRefMsg:
3151     E = IgnoreRetainMsg ? DoNothing : DecRef;
3152     break;
3153   case DecRefMsgAndStopTrackingHard:
3154     E = IgnoreRetainMsg ? StopTracking : DecRefAndStopTrackingHard;
3155     break;
3156   case MakeCollectable:
3157     E = C.isObjCGCEnabled() ? DecRef : DoNothing;
3158     break;
3159   }
3160 
3161   // Handle all use-after-releases.
3162   if (!C.isObjCGCEnabled() && V.getKind() == RefVal::Released) {
3163     V = V ^ RefVal::ErrorUseAfterRelease;
3164     hasErr = V.getKind();
3165     return setRefBinding(state, sym, V);
3166   }
3167 
3168   switch (E) {
3169     case DecRefMsg:
3170     case IncRefMsg:
3171     case MakeCollectable:
3172     case DecRefMsgAndStopTrackingHard:
3173       llvm_unreachable("DecRefMsg/IncRefMsg/MakeCollectable already converted");
3174 
3175     case UnretainedOutParameter:
3176     case RetainedOutParameter:
3177       llvm_unreachable("Applies to pointer-to-pointer parameters, which should "
3178                        "not have ref state.");
3179 
3180     case Dealloc:
3181       // Any use of -dealloc in GC is *bad*.
3182       if (C.isObjCGCEnabled()) {
3183         V = V ^ RefVal::ErrorDeallocGC;
3184         hasErr = V.getKind();
3185         break;
3186       }
3187 
3188       switch (V.getKind()) {
3189         default:
3190           llvm_unreachable("Invalid RefVal state for an explicit dealloc.");
3191         case RefVal::Owned:
3192           // The object immediately transitions to the released state.
3193           V = V ^ RefVal::Released;
3194           V.clearCounts();
3195           return setRefBinding(state, sym, V);
3196         case RefVal::NotOwned:
3197           V = V ^ RefVal::ErrorDeallocNotOwned;
3198           hasErr = V.getKind();
3199           break;
3200       }
3201       break;
3202 
3203     case MayEscape:
3204       if (V.getKind() == RefVal::Owned) {
3205         V = V ^ RefVal::NotOwned;
3206         break;
3207       }
3208 
3209       // Fall-through.
3210 
3211     case DoNothing:
3212       return state;
3213 
3214     case Autorelease:
3215       if (C.isObjCGCEnabled())
3216         return state;
3217       // Update the autorelease counts.
3218       V = V.autorelease();
3219       break;
3220 
3221     case StopTracking:
3222     case StopTrackingHard:
3223       return removeRefBinding(state, sym);
3224 
3225     case IncRef:
3226       switch (V.getKind()) {
3227         default:
3228           llvm_unreachable("Invalid RefVal state for a retain.");
3229         case RefVal::Owned:
3230         case RefVal::NotOwned:
3231           V = V + 1;
3232           break;
3233         case RefVal::Released:
3234           // Non-GC cases are handled above.
3235           assert(C.isObjCGCEnabled());
3236           V = (V ^ RefVal::Owned) + 1;
3237           break;
3238       }
3239       break;
3240 
3241     case DecRef:
3242     case DecRefBridgedTransferred:
3243     case DecRefAndStopTrackingHard:
3244       switch (V.getKind()) {
3245         default:
3246           // case 'RefVal::Released' handled above.
3247           llvm_unreachable("Invalid RefVal state for a release.");
3248 
3249         case RefVal::Owned:
3250           assert(V.getCount() > 0);
3251           if (V.getCount() == 1) {
3252             if (E == DecRefBridgedTransferred ||
3253                 V.getIvarAccessHistory() ==
3254                   RefVal::IvarAccessHistory::AccessedDirectly)
3255               V = V ^ RefVal::NotOwned;
3256             else
3257               V = V ^ RefVal::Released;
3258           } else if (E == DecRefAndStopTrackingHard) {
3259             return removeRefBinding(state, sym);
3260           }
3261 
3262           V = V - 1;
3263           break;
3264 
3265         case RefVal::NotOwned:
3266           if (V.getCount() > 0) {
3267             if (E == DecRefAndStopTrackingHard)
3268               return removeRefBinding(state, sym);
3269             V = V - 1;
3270           } else if (V.getIvarAccessHistory() ==
3271                        RefVal::IvarAccessHistory::AccessedDirectly) {
3272             // Assume that the instance variable was holding on the object at
3273             // +1, and we just didn't know.
3274             if (E == DecRefAndStopTrackingHard)
3275               return removeRefBinding(state, sym);
3276             V = V.releaseViaIvar() ^ RefVal::Released;
3277           } else {
3278             V = V ^ RefVal::ErrorReleaseNotOwned;
3279             hasErr = V.getKind();
3280           }
3281           break;
3282 
3283         case RefVal::Released:
3284           // Non-GC cases are handled above.
3285           assert(C.isObjCGCEnabled());
3286           V = V ^ RefVal::ErrorUseAfterRelease;
3287           hasErr = V.getKind();
3288           break;
3289       }
3290       break;
3291   }
3292   return setRefBinding(state, sym, V);
3293 }
3294 
processNonLeakError(ProgramStateRef St,SourceRange ErrorRange,RefVal::Kind ErrorKind,SymbolRef Sym,CheckerContext & C) const3295 void RetainCountChecker::processNonLeakError(ProgramStateRef St,
3296                                              SourceRange ErrorRange,
3297                                              RefVal::Kind ErrorKind,
3298                                              SymbolRef Sym,
3299                                              CheckerContext &C) const {
3300   // HACK: Ignore retain-count issues on values accessed through ivars,
3301   // because of cases like this:
3302   //   [_contentView retain];
3303   //   [_contentView removeFromSuperview];
3304   //   [self addSubview:_contentView]; // invalidates 'self'
3305   //   [_contentView release];
3306   if (const RefVal *RV = getRefBinding(St, Sym))
3307     if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
3308       return;
3309 
3310   ExplodedNode *N = C.generateErrorNode(St);
3311   if (!N)
3312     return;
3313 
3314   CFRefBug *BT;
3315   switch (ErrorKind) {
3316     default:
3317       llvm_unreachable("Unhandled error.");
3318     case RefVal::ErrorUseAfterRelease:
3319       if (!useAfterRelease)
3320         useAfterRelease.reset(new UseAfterRelease(this));
3321       BT = useAfterRelease.get();
3322       break;
3323     case RefVal::ErrorReleaseNotOwned:
3324       if (!releaseNotOwned)
3325         releaseNotOwned.reset(new BadRelease(this));
3326       BT = releaseNotOwned.get();
3327       break;
3328     case RefVal::ErrorDeallocGC:
3329       if (!deallocGC)
3330         deallocGC.reset(new DeallocGC(this));
3331       BT = deallocGC.get();
3332       break;
3333     case RefVal::ErrorDeallocNotOwned:
3334       if (!deallocNotOwned)
3335         deallocNotOwned.reset(new DeallocNotOwned(this));
3336       BT = deallocNotOwned.get();
3337       break;
3338   }
3339 
3340   assert(BT);
3341   auto report = std::unique_ptr<BugReport>(
3342       new CFRefReport(*BT, C.getASTContext().getLangOpts(), C.isObjCGCEnabled(),
3343                       SummaryLog, N, Sym));
3344   report->addRange(ErrorRange);
3345   C.emitReport(std::move(report));
3346 }
3347 
3348 //===----------------------------------------------------------------------===//
3349 // Handle the return values of retain-count-related functions.
3350 //===----------------------------------------------------------------------===//
3351 
evalCall(const CallExpr * CE,CheckerContext & C) const3352 bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
3353   // Get the callee. We're only interested in simple C functions.
3354   ProgramStateRef state = C.getState();
3355   const FunctionDecl *FD = C.getCalleeDecl(CE);
3356   if (!FD)
3357     return false;
3358 
3359   IdentifierInfo *II = FD->getIdentifier();
3360   if (!II)
3361     return false;
3362 
3363   // For now, we're only handling the functions that return aliases of their
3364   // arguments: CFRetain and CFMakeCollectable (and their families).
3365   // Eventually we should add other functions we can model entirely,
3366   // such as CFRelease, which don't invalidate their arguments or globals.
3367   if (CE->getNumArgs() != 1)
3368     return false;
3369 
3370   // Get the name of the function.
3371   StringRef FName = II->getName();
3372   FName = FName.substr(FName.find_first_not_of('_'));
3373 
3374   // See if it's one of the specific functions we know how to eval.
3375   bool canEval = false;
3376 
3377   QualType ResultTy = CE->getCallReturnType(C.getASTContext());
3378   if (ResultTy->isObjCIdType()) {
3379     // Handle: id NSMakeCollectable(CFTypeRef)
3380     canEval = II->isStr("NSMakeCollectable");
3381   } else if (ResultTy->isPointerType()) {
3382     // Handle: (CF|CG)Retain
3383     //         CFAutorelease
3384     //         CFMakeCollectable
3385     // It's okay to be a little sloppy here (CGMakeCollectable doesn't exist).
3386     if (cocoa::isRefType(ResultTy, "CF", FName) ||
3387         cocoa::isRefType(ResultTy, "CG", FName)) {
3388       canEval = isRetain(FD, FName) || isAutorelease(FD, FName) ||
3389                 isMakeCollectable(FD, FName);
3390     }
3391   }
3392 
3393   if (!canEval)
3394     return false;
3395 
3396   // Bind the return value.
3397   const LocationContext *LCtx = C.getLocationContext();
3398   SVal RetVal = state->getSVal(CE->getArg(0), LCtx);
3399   if (RetVal.isUnknown()) {
3400     // If the receiver is unknown, conjure a return value.
3401     SValBuilder &SVB = C.getSValBuilder();
3402     RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount());
3403   }
3404   state = state->BindExpr(CE, LCtx, RetVal, false);
3405 
3406   // FIXME: This should not be necessary, but otherwise the argument seems to be
3407   // considered alive during the next statement.
3408   if (const MemRegion *ArgRegion = RetVal.getAsRegion()) {
3409     // Save the refcount status of the argument.
3410     SymbolRef Sym = RetVal.getAsLocSymbol();
3411     const RefVal *Binding = nullptr;
3412     if (Sym)
3413       Binding = getRefBinding(state, Sym);
3414 
3415     // Invalidate the argument region.
3416     state = state->invalidateRegions(ArgRegion, CE, C.blockCount(), LCtx,
3417                                      /*CausesPointerEscape*/ false);
3418 
3419     // Restore the refcount status of the argument.
3420     if (Binding)
3421       state = setRefBinding(state, Sym, *Binding);
3422   }
3423 
3424   C.addTransition(state);
3425   return true;
3426 }
3427 
3428 //===----------------------------------------------------------------------===//
3429 // Handle return statements.
3430 //===----------------------------------------------------------------------===//
3431 
checkPreStmt(const ReturnStmt * S,CheckerContext & C) const3432 void RetainCountChecker::checkPreStmt(const ReturnStmt *S,
3433                                       CheckerContext &C) const {
3434 
3435   // Only adjust the reference count if this is the top-level call frame,
3436   // and not the result of inlining.  In the future, we should do
3437   // better checking even for inlined calls, and see if they match
3438   // with their expected semantics (e.g., the method should return a retained
3439   // object, etc.).
3440   if (!C.inTopFrame())
3441     return;
3442 
3443   const Expr *RetE = S->getRetValue();
3444   if (!RetE)
3445     return;
3446 
3447   ProgramStateRef state = C.getState();
3448   SymbolRef Sym =
3449     state->getSValAsScalarOrLoc(RetE, C.getLocationContext()).getAsLocSymbol();
3450   if (!Sym)
3451     return;
3452 
3453   // Get the reference count binding (if any).
3454   const RefVal *T = getRefBinding(state, Sym);
3455   if (!T)
3456     return;
3457 
3458   // Change the reference count.
3459   RefVal X = *T;
3460 
3461   switch (X.getKind()) {
3462     case RefVal::Owned: {
3463       unsigned cnt = X.getCount();
3464       assert(cnt > 0);
3465       X.setCount(cnt - 1);
3466       X = X ^ RefVal::ReturnedOwned;
3467       break;
3468     }
3469 
3470     case RefVal::NotOwned: {
3471       unsigned cnt = X.getCount();
3472       if (cnt) {
3473         X.setCount(cnt - 1);
3474         X = X ^ RefVal::ReturnedOwned;
3475       }
3476       else {
3477         X = X ^ RefVal::ReturnedNotOwned;
3478       }
3479       break;
3480     }
3481 
3482     default:
3483       return;
3484   }
3485 
3486   // Update the binding.
3487   state = setRefBinding(state, Sym, X);
3488   ExplodedNode *Pred = C.addTransition(state);
3489 
3490   // At this point we have updated the state properly.
3491   // Everything after this is merely checking to see if the return value has
3492   // been over- or under-retained.
3493 
3494   // Did we cache out?
3495   if (!Pred)
3496     return;
3497 
3498   // Update the autorelease counts.
3499   static CheckerProgramPointTag AutoreleaseTag(this, "Autorelease");
3500   state = handleAutoreleaseCounts(state, Pred, &AutoreleaseTag, C, Sym, X);
3501 
3502   // Did we cache out?
3503   if (!state)
3504     return;
3505 
3506   // Get the updated binding.
3507   T = getRefBinding(state, Sym);
3508   assert(T);
3509   X = *T;
3510 
3511   // Consult the summary of the enclosing method.
3512   RetainSummaryManager &Summaries = getSummaryManager(C);
3513   const Decl *CD = &Pred->getCodeDecl();
3514   RetEffect RE = RetEffect::MakeNoRet();
3515 
3516   // FIXME: What is the convention for blocks? Is there one?
3517   if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(CD)) {
3518     const RetainSummary *Summ = Summaries.getMethodSummary(MD);
3519     RE = Summ->getRetEffect();
3520   } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CD)) {
3521     if (!isa<CXXMethodDecl>(FD)) {
3522       const RetainSummary *Summ = Summaries.getFunctionSummary(FD);
3523       RE = Summ->getRetEffect();
3524     }
3525   }
3526 
3527   checkReturnWithRetEffect(S, C, Pred, RE, X, Sym, state);
3528 }
3529 
checkReturnWithRetEffect(const ReturnStmt * S,CheckerContext & C,ExplodedNode * Pred,RetEffect RE,RefVal X,SymbolRef Sym,ProgramStateRef state) const3530 void RetainCountChecker::checkReturnWithRetEffect(const ReturnStmt *S,
3531                                                   CheckerContext &C,
3532                                                   ExplodedNode *Pred,
3533                                                   RetEffect RE, RefVal X,
3534                                                   SymbolRef Sym,
3535                                                   ProgramStateRef state) const {
3536   // HACK: Ignore retain-count issues on values accessed through ivars,
3537   // because of cases like this:
3538   //   [_contentView retain];
3539   //   [_contentView removeFromSuperview];
3540   //   [self addSubview:_contentView]; // invalidates 'self'
3541   //   [_contentView release];
3542   if (X.getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
3543     return;
3544 
3545   // Any leaks or other errors?
3546   if (X.isReturnedOwned() && X.getCount() == 0) {
3547     if (RE.getKind() != RetEffect::NoRet) {
3548       bool hasError = false;
3549       if (C.isObjCGCEnabled() && RE.getObjKind() == RetEffect::ObjC) {
3550         // Things are more complicated with garbage collection.  If the
3551         // returned object is suppose to be an Objective-C object, we have
3552         // a leak (as the caller expects a GC'ed object) because no
3553         // method should return ownership unless it returns a CF object.
3554         hasError = true;
3555         X = X ^ RefVal::ErrorGCLeakReturned;
3556       }
3557       else if (!RE.isOwned()) {
3558         // Either we are using GC and the returned object is a CF type
3559         // or we aren't using GC.  In either case, we expect that the
3560         // enclosing method is expected to return ownership.
3561         hasError = true;
3562         X = X ^ RefVal::ErrorLeakReturned;
3563       }
3564 
3565       if (hasError) {
3566         // Generate an error node.
3567         state = setRefBinding(state, Sym, X);
3568 
3569         static CheckerProgramPointTag ReturnOwnLeakTag(this, "ReturnsOwnLeak");
3570         ExplodedNode *N = C.addTransition(state, Pred, &ReturnOwnLeakTag);
3571         if (N) {
3572           const LangOptions &LOpts = C.getASTContext().getLangOpts();
3573           bool GCEnabled = C.isObjCGCEnabled();
3574           C.emitReport(std::unique_ptr<BugReport>(new CFRefLeakReport(
3575               *getLeakAtReturnBug(LOpts, GCEnabled), LOpts, GCEnabled,
3576               SummaryLog, N, Sym, C, IncludeAllocationLine)));
3577         }
3578       }
3579     }
3580   } else if (X.isReturnedNotOwned()) {
3581     if (RE.isOwned()) {
3582       if (X.getIvarAccessHistory() ==
3583             RefVal::IvarAccessHistory::AccessedDirectly) {
3584         // Assume the method was trying to transfer a +1 reference from a
3585         // strong ivar to the caller.
3586         state = setRefBinding(state, Sym,
3587                               X.releaseViaIvar() ^ RefVal::ReturnedOwned);
3588       } else {
3589         // Trying to return a not owned object to a caller expecting an
3590         // owned object.
3591         state = setRefBinding(state, Sym, X ^ RefVal::ErrorReturnedNotOwned);
3592 
3593         static CheckerProgramPointTag
3594             ReturnNotOwnedTag(this, "ReturnNotOwnedForOwned");
3595 
3596         ExplodedNode *N = C.addTransition(state, Pred, &ReturnNotOwnedTag);
3597         if (N) {
3598           if (!returnNotOwnedForOwned)
3599             returnNotOwnedForOwned.reset(new ReturnedNotOwnedForOwned(this));
3600 
3601           C.emitReport(std::unique_ptr<BugReport>(new CFRefReport(
3602               *returnNotOwnedForOwned, C.getASTContext().getLangOpts(),
3603               C.isObjCGCEnabled(), SummaryLog, N, Sym)));
3604         }
3605       }
3606     }
3607   }
3608 }
3609 
3610 //===----------------------------------------------------------------------===//
3611 // Check various ways a symbol can be invalidated.
3612 //===----------------------------------------------------------------------===//
3613 
checkBind(SVal loc,SVal val,const Stmt * S,CheckerContext & C) const3614 void RetainCountChecker::checkBind(SVal loc, SVal val, const Stmt *S,
3615                                    CheckerContext &C) const {
3616   // Are we storing to something that causes the value to "escape"?
3617   bool escapes = true;
3618 
3619   // A value escapes in three possible cases (this may change):
3620   //
3621   // (1) we are binding to something that is not a memory region.
3622   // (2) we are binding to a memregion that does not have stack storage
3623   // (3) we are binding to a memregion with stack storage that the store
3624   //     does not understand.
3625   ProgramStateRef state = C.getState();
3626 
3627   if (Optional<loc::MemRegionVal> regionLoc = loc.getAs<loc::MemRegionVal>()) {
3628     escapes = !regionLoc->getRegion()->hasStackStorage();
3629 
3630     if (!escapes) {
3631       // To test (3), generate a new state with the binding added.  If it is
3632       // the same state, then it escapes (since the store cannot represent
3633       // the binding).
3634       // Do this only if we know that the store is not supposed to generate the
3635       // same state.
3636       SVal StoredVal = state->getSVal(regionLoc->getRegion());
3637       if (StoredVal != val)
3638         escapes = (state == (state->bindLoc(*regionLoc, val)));
3639     }
3640     if (!escapes) {
3641       // Case 4: We do not currently model what happens when a symbol is
3642       // assigned to a struct field, so be conservative here and let the symbol
3643       // go. TODO: This could definitely be improved upon.
3644       escapes = !isa<VarRegion>(regionLoc->getRegion());
3645     }
3646   }
3647 
3648   // If we are storing the value into an auto function scope variable annotated
3649   // with (__attribute__((cleanup))), stop tracking the value to avoid leak
3650   // false positives.
3651   if (const VarRegion *LVR = dyn_cast_or_null<VarRegion>(loc.getAsRegion())) {
3652     const VarDecl *VD = LVR->getDecl();
3653     if (VD->hasAttr<CleanupAttr>()) {
3654       escapes = true;
3655     }
3656   }
3657 
3658   // If our store can represent the binding and we aren't storing to something
3659   // that doesn't have local storage then just return and have the simulation
3660   // state continue as is.
3661   if (!escapes)
3662       return;
3663 
3664   // Otherwise, find all symbols referenced by 'val' that we are tracking
3665   // and stop tracking them.
3666   state = state->scanReachableSymbols<StopTrackingCallback>(val).getState();
3667   C.addTransition(state);
3668 }
3669 
evalAssume(ProgramStateRef state,SVal Cond,bool Assumption) const3670 ProgramStateRef RetainCountChecker::evalAssume(ProgramStateRef state,
3671                                                    SVal Cond,
3672                                                    bool Assumption) const {
3673   // FIXME: We may add to the interface of evalAssume the list of symbols
3674   //  whose assumptions have changed.  For now we just iterate through the
3675   //  bindings and check if any of the tracked symbols are NULL.  This isn't
3676   //  too bad since the number of symbols we will track in practice are
3677   //  probably small and evalAssume is only called at branches and a few
3678   //  other places.
3679   RefBindingsTy B = state->get<RefBindings>();
3680 
3681   if (B.isEmpty())
3682     return state;
3683 
3684   bool changed = false;
3685   RefBindingsTy::Factory &RefBFactory = state->get_context<RefBindings>();
3686 
3687   for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) {
3688     // Check if the symbol is null stop tracking the symbol.
3689     ConstraintManager &CMgr = state->getConstraintManager();
3690     ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
3691     if (AllocFailed.isConstrainedTrue()) {
3692       changed = true;
3693       B = RefBFactory.remove(B, I.getKey());
3694     }
3695   }
3696 
3697   if (changed)
3698     state = state->set<RefBindings>(B);
3699 
3700   return state;
3701 }
3702 
3703 ProgramStateRef
checkRegionChanges(ProgramStateRef state,const InvalidatedSymbols * invalidated,ArrayRef<const MemRegion * > ExplicitRegions,ArrayRef<const MemRegion * > Regions,const CallEvent * Call) const3704 RetainCountChecker::checkRegionChanges(ProgramStateRef state,
3705                                     const InvalidatedSymbols *invalidated,
3706                                     ArrayRef<const MemRegion *> ExplicitRegions,
3707                                     ArrayRef<const MemRegion *> Regions,
3708                                     const CallEvent *Call) const {
3709   if (!invalidated)
3710     return state;
3711 
3712   llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols;
3713   for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(),
3714        E = ExplicitRegions.end(); I != E; ++I) {
3715     if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>())
3716       WhitelistedSymbols.insert(SR->getSymbol());
3717   }
3718 
3719   for (InvalidatedSymbols::const_iterator I=invalidated->begin(),
3720        E = invalidated->end(); I!=E; ++I) {
3721     SymbolRef sym = *I;
3722     if (WhitelistedSymbols.count(sym))
3723       continue;
3724     // Remove any existing reference-count binding.
3725     state = removeRefBinding(state, sym);
3726   }
3727   return state;
3728 }
3729 
3730 //===----------------------------------------------------------------------===//
3731 // Handle dead symbols and end-of-path.
3732 //===----------------------------------------------------------------------===//
3733 
3734 ProgramStateRef
handleAutoreleaseCounts(ProgramStateRef state,ExplodedNode * Pred,const ProgramPointTag * Tag,CheckerContext & Ctx,SymbolRef Sym,RefVal V) const3735 RetainCountChecker::handleAutoreleaseCounts(ProgramStateRef state,
3736                                             ExplodedNode *Pred,
3737                                             const ProgramPointTag *Tag,
3738                                             CheckerContext &Ctx,
3739                                             SymbolRef Sym, RefVal V) const {
3740   unsigned ACnt = V.getAutoreleaseCount();
3741 
3742   // No autorelease counts?  Nothing to be done.
3743   if (!ACnt)
3744     return state;
3745 
3746   assert(!Ctx.isObjCGCEnabled() && "Autorelease counts in GC mode?");
3747   unsigned Cnt = V.getCount();
3748 
3749   // FIXME: Handle sending 'autorelease' to already released object.
3750 
3751   if (V.getKind() == RefVal::ReturnedOwned)
3752     ++Cnt;
3753 
3754   // If we would over-release here, but we know the value came from an ivar,
3755   // assume it was a strong ivar that's just been relinquished.
3756   if (ACnt > Cnt &&
3757       V.getIvarAccessHistory() == RefVal::IvarAccessHistory::AccessedDirectly) {
3758     V = V.releaseViaIvar();
3759     --ACnt;
3760   }
3761 
3762   if (ACnt <= Cnt) {
3763     if (ACnt == Cnt) {
3764       V.clearCounts();
3765       if (V.getKind() == RefVal::ReturnedOwned)
3766         V = V ^ RefVal::ReturnedNotOwned;
3767       else
3768         V = V ^ RefVal::NotOwned;
3769     } else {
3770       V.setCount(V.getCount() - ACnt);
3771       V.setAutoreleaseCount(0);
3772     }
3773     return setRefBinding(state, Sym, V);
3774   }
3775 
3776   // HACK: Ignore retain-count issues on values accessed through ivars,
3777   // because of cases like this:
3778   //   [_contentView retain];
3779   //   [_contentView removeFromSuperview];
3780   //   [self addSubview:_contentView]; // invalidates 'self'
3781   //   [_contentView release];
3782   if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
3783     return state;
3784 
3785   // Woah!  More autorelease counts then retain counts left.
3786   // Emit hard error.
3787   V = V ^ RefVal::ErrorOverAutorelease;
3788   state = setRefBinding(state, Sym, V);
3789 
3790   ExplodedNode *N = Ctx.generateSink(state, Pred, Tag);
3791   if (N) {
3792     SmallString<128> sbuf;
3793     llvm::raw_svector_ostream os(sbuf);
3794     os << "Object was autoreleased ";
3795     if (V.getAutoreleaseCount() > 1)
3796       os << V.getAutoreleaseCount() << " times but the object ";
3797     else
3798       os << "but ";
3799     os << "has a +" << V.getCount() << " retain count";
3800 
3801     if (!overAutorelease)
3802       overAutorelease.reset(new OverAutorelease(this));
3803 
3804     const LangOptions &LOpts = Ctx.getASTContext().getLangOpts();
3805     Ctx.emitReport(std::unique_ptr<BugReport>(
3806         new CFRefReport(*overAutorelease, LOpts, /* GCEnabled = */ false,
3807                         SummaryLog, N, Sym, os.str())));
3808   }
3809 
3810   return nullptr;
3811 }
3812 
3813 ProgramStateRef
handleSymbolDeath(ProgramStateRef state,SymbolRef sid,RefVal V,SmallVectorImpl<SymbolRef> & Leaked) const3814 RetainCountChecker::handleSymbolDeath(ProgramStateRef state,
3815                                       SymbolRef sid, RefVal V,
3816                                     SmallVectorImpl<SymbolRef> &Leaked) const {
3817   bool hasLeak;
3818 
3819   // HACK: Ignore retain-count issues on values accessed through ivars,
3820   // because of cases like this:
3821   //   [_contentView retain];
3822   //   [_contentView removeFromSuperview];
3823   //   [self addSubview:_contentView]; // invalidates 'self'
3824   //   [_contentView release];
3825   if (V.getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
3826     hasLeak = false;
3827   else if (V.isOwned())
3828     hasLeak = true;
3829   else if (V.isNotOwned() || V.isReturnedOwned())
3830     hasLeak = (V.getCount() > 0);
3831   else
3832     hasLeak = false;
3833 
3834   if (!hasLeak)
3835     return removeRefBinding(state, sid);
3836 
3837   Leaked.push_back(sid);
3838   return setRefBinding(state, sid, V ^ RefVal::ErrorLeak);
3839 }
3840 
3841 ExplodedNode *
processLeaks(ProgramStateRef state,SmallVectorImpl<SymbolRef> & Leaked,CheckerContext & Ctx,ExplodedNode * Pred) const3842 RetainCountChecker::processLeaks(ProgramStateRef state,
3843                                  SmallVectorImpl<SymbolRef> &Leaked,
3844                                  CheckerContext &Ctx,
3845                                  ExplodedNode *Pred) const {
3846   // Generate an intermediate node representing the leak point.
3847   ExplodedNode *N = Ctx.addTransition(state, Pred);
3848 
3849   if (N) {
3850     for (SmallVectorImpl<SymbolRef>::iterator
3851          I = Leaked.begin(), E = Leaked.end(); I != E; ++I) {
3852 
3853       const LangOptions &LOpts = Ctx.getASTContext().getLangOpts();
3854       bool GCEnabled = Ctx.isObjCGCEnabled();
3855       CFRefBug *BT = Pred ? getLeakWithinFunctionBug(LOpts, GCEnabled)
3856                           : getLeakAtReturnBug(LOpts, GCEnabled);
3857       assert(BT && "BugType not initialized.");
3858 
3859       Ctx.emitReport(std::unique_ptr<BugReport>(
3860           new CFRefLeakReport(*BT, LOpts, GCEnabled, SummaryLog, N, *I, Ctx,
3861                               IncludeAllocationLine)));
3862     }
3863   }
3864 
3865   return N;
3866 }
3867 
checkEndFunction(CheckerContext & Ctx) const3868 void RetainCountChecker::checkEndFunction(CheckerContext &Ctx) const {
3869   ProgramStateRef state = Ctx.getState();
3870   RefBindingsTy B = state->get<RefBindings>();
3871   ExplodedNode *Pred = Ctx.getPredecessor();
3872 
3873   // Don't process anything within synthesized bodies.
3874   const LocationContext *LCtx = Pred->getLocationContext();
3875   if (LCtx->getAnalysisDeclContext()->isBodyAutosynthesized()) {
3876     assert(LCtx->getParent());
3877     return;
3878   }
3879 
3880   for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) {
3881     state = handleAutoreleaseCounts(state, Pred, /*Tag=*/nullptr, Ctx,
3882                                     I->first, I->second);
3883     if (!state)
3884       return;
3885   }
3886 
3887   // If the current LocationContext has a parent, don't check for leaks.
3888   // We will do that later.
3889   // FIXME: we should instead check for imbalances of the retain/releases,
3890   // and suggest annotations.
3891   if (LCtx->getParent())
3892     return;
3893 
3894   B = state->get<RefBindings>();
3895   SmallVector<SymbolRef, 10> Leaked;
3896 
3897   for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I)
3898     state = handleSymbolDeath(state, I->first, I->second, Leaked);
3899 
3900   processLeaks(state, Leaked, Ctx, Pred);
3901 }
3902 
3903 const ProgramPointTag *
getDeadSymbolTag(SymbolRef sym) const3904 RetainCountChecker::getDeadSymbolTag(SymbolRef sym) const {
3905   const CheckerProgramPointTag *&tag = DeadSymbolTags[sym];
3906   if (!tag) {
3907     SmallString<64> buf;
3908     llvm::raw_svector_ostream out(buf);
3909     out << "Dead Symbol : ";
3910     sym->dumpToStream(out);
3911     tag = new CheckerProgramPointTag(this, out.str());
3912   }
3913   return tag;
3914 }
3915 
checkDeadSymbols(SymbolReaper & SymReaper,CheckerContext & C) const3916 void RetainCountChecker::checkDeadSymbols(SymbolReaper &SymReaper,
3917                                           CheckerContext &C) const {
3918   ExplodedNode *Pred = C.getPredecessor();
3919 
3920   ProgramStateRef state = C.getState();
3921   RefBindingsTy B = state->get<RefBindings>();
3922   SmallVector<SymbolRef, 10> Leaked;
3923 
3924   // Update counts from autorelease pools
3925   for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(),
3926        E = SymReaper.dead_end(); I != E; ++I) {
3927     SymbolRef Sym = *I;
3928     if (const RefVal *T = B.lookup(Sym)){
3929       // Use the symbol as the tag.
3930       // FIXME: This might not be as unique as we would like.
3931       const ProgramPointTag *Tag = getDeadSymbolTag(Sym);
3932       state = handleAutoreleaseCounts(state, Pred, Tag, C, Sym, *T);
3933       if (!state)
3934         return;
3935 
3936       // Fetch the new reference count from the state, and use it to handle
3937       // this symbol.
3938       state = handleSymbolDeath(state, *I, *getRefBinding(state, Sym), Leaked);
3939     }
3940   }
3941 
3942   if (Leaked.empty()) {
3943     C.addTransition(state);
3944     return;
3945   }
3946 
3947   Pred = processLeaks(state, Leaked, C, Pred);
3948 
3949   // Did we cache out?
3950   if (!Pred)
3951     return;
3952 
3953   // Now generate a new node that nukes the old bindings.
3954   // The only bindings left at this point are the leaked symbols.
3955   RefBindingsTy::Factory &F = state->get_context<RefBindings>();
3956   B = state->get<RefBindings>();
3957 
3958   for (SmallVectorImpl<SymbolRef>::iterator I = Leaked.begin(),
3959                                             E = Leaked.end();
3960        I != E; ++I)
3961     B = F.remove(B, *I);
3962 
3963   state = state->set<RefBindings>(B);
3964   C.addTransition(state, Pred);
3965 }
3966 
printState(raw_ostream & Out,ProgramStateRef State,const char * NL,const char * Sep) const3967 void RetainCountChecker::printState(raw_ostream &Out, ProgramStateRef State,
3968                                     const char *NL, const char *Sep) const {
3969 
3970   RefBindingsTy B = State->get<RefBindings>();
3971 
3972   if (B.isEmpty())
3973     return;
3974 
3975   Out << Sep << NL;
3976 
3977   for (RefBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) {
3978     Out << I->first << " : ";
3979     I->second.print(Out);
3980     Out << NL;
3981   }
3982 }
3983 
3984 //===----------------------------------------------------------------------===//
3985 // Checker registration.
3986 //===----------------------------------------------------------------------===//
3987 
registerRetainCountChecker(CheckerManager & Mgr)3988 void ento::registerRetainCountChecker(CheckerManager &Mgr) {
3989   Mgr.registerChecker<RetainCountChecker>(Mgr.getAnalyzerOptions());
3990 }
3991 
3992 //===----------------------------------------------------------------------===//
3993 // Implementation of the CallEffects API.
3994 //===----------------------------------------------------------------------===//
3995 
3996 namespace clang {
3997 namespace ento {
3998 namespace objc_retain {
3999 
4000 // This is a bit gross, but it allows us to populate CallEffects without
4001 // creating a bunch of accessors.  This kind is very localized, so the
4002 // damage of this macro is limited.
4003 #define createCallEffect(D, KIND)\
4004   ASTContext &Ctx = D->getASTContext();\
4005   LangOptions L = Ctx.getLangOpts();\
4006   RetainSummaryManager M(Ctx, L.GCOnly, L.ObjCAutoRefCount);\
4007   const RetainSummary *S = M.get ## KIND ## Summary(D);\
4008   CallEffects CE(S->getRetEffect());\
4009   CE.Receiver = S->getReceiverEffect();\
4010   unsigned N = D->param_size();\
4011   for (unsigned i = 0; i < N; ++i) {\
4012     CE.Args.push_back(S->getArg(i));\
4013   }
4014 
getEffect(const ObjCMethodDecl * MD)4015 CallEffects CallEffects::getEffect(const ObjCMethodDecl *MD) {
4016   createCallEffect(MD, Method);
4017   return CE;
4018 }
4019 
getEffect(const FunctionDecl * FD)4020 CallEffects CallEffects::getEffect(const FunctionDecl *FD) {
4021   createCallEffect(FD, Function);
4022   return CE;
4023 }
4024 
4025 #undef createCallEffect
4026 
4027 } // end namespace objc_retain
4028 } // end namespace ento
4029 } // end namespace clang
4030