/// If we are in -dealloc or -dealloc is on the stack, handle the call if it is
/// a release or a nilling-out property setter.
void ObjCDeallocChecker::checkPreObjCMessage(
const ObjCMethodCall &M, CheckerContext &C) const {
// Only run if -dealloc is on the stack.
SVal DeallocedInstance;
if (!instanceDeallocIsOnStack(C, DeallocedInstance))
return;
SymbolRef ReleasedValue = nullptr;
if (M.getSelector() == ReleaseSel) {
ReleasedValue = M.getReceiverSVal().getAsSymbol();
} else if (M.getSelector() == DeallocSel && !M.isReceiverSelfOrSuper()) {
if (diagnoseMistakenDealloc(M.getReceiverSVal().getAsSymbol(), M, C))
return;
}
if (ReleasedValue) {
// An instance variable symbol was released with -release:
// [_property release];
if (diagnoseExtraRelease(ReleasedValue,M, C))
return;
} else {
// An instance variable symbol was released nilling out its property:
// self.property = nil;
ReleasedValue = getValueReleasedByNillingOut(M, C);
}
if (!ReleasedValue)
return;
transitionToReleaseValue(C, ReleasedValue);
}
void NilArgChecker::warnIfNilArg(CheckerContext &C,
const ObjCMethodCall &msg,
unsigned int Arg,
FoundationClass Class,
bool CanBeSubscript) const {
// Check if the argument is nil.
ProgramStateRef State = C.getState();
if (!State->isNull(msg.getArgSVal(Arg)).isConstrainedTrue())
return;
// NOTE: We cannot throw non-fatal errors from warnIfNilExpr,
// because it's called multiple times from some callers, so it'd cause
// an unwanted state split if two or more non-fatal errors are thrown
// within the same checker callback. For now we don't want to, but
// it'll need to be fixed if we ever want to.
if (ExplodedNode *N = C.generateErrorNode()) {
SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf);
if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
if (Class == FC_NSArray) {
os << "Array element cannot be nil";
} else if (Class == FC_NSDictionary) {
if (Arg == 0) {
os << "Value stored into '";
os << GetReceiverInterfaceName(msg) << "' cannot be nil";
} else {
assert(Arg == 1);
os << "'"<< GetReceiverInterfaceName(msg) << "' key cannot be nil";
}
} else
llvm_unreachable("Missing foundation class for the subscript expr");
} else {
if (Class == FC_NSDictionary) {
if (Arg == 0)
os << "Value argument ";
else {
assert(Arg == 1);
os << "Key argument ";
}
os << "to '";
msg.getSelector().print(os);
os << "' cannot be nil";
} else {
os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '";
msg.getSelector().print(os);
os << "' cannot be nil";
}
}
generateBugReport(N, os.str(), msg.getArgSourceRange(Arg),
msg.getArgExpr(Arg), C);
}
}
void NilArgChecker::WarnIfNilArg(CheckerContext &C,
const ObjCMethodCall &msg,
unsigned int Arg,
FoundationClass Class,
bool CanBeSubscript) const {
// Check if the argument is nil.
ProgramStateRef State = C.getState();
if (!State->isNull(msg.getArgSVal(Arg)).isConstrainedTrue())
return;
if (!BT)
BT.reset(new APIMisuse("nil argument"));
if (ExplodedNode *N = C.generateSink()) {
SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf);
if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
if (Class == FC_NSArray) {
os << "Array element cannot be nil";
} else if (Class == FC_NSDictionary) {
if (Arg == 0) {
os << "Value stored into '";
os << GetReceiverInterfaceName(msg) << "' cannot be nil";
} else {
assert(Arg == 1);
os << "'"<< GetReceiverInterfaceName(msg) << "' key cannot be nil";
}
} else
llvm_unreachable("Missing foundation class for the subscript expr");
} else {
if (Class == FC_NSDictionary) {
if (Arg == 0)
os << "Value argument ";
else {
assert(Arg == 1);
os << "Key argument ";
}
os << "to '" << msg.getSelector().getAsString() << "' cannot be nil";
} else {
os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '"
<< msg.getSelector().getAsString() << "' cannot be nil";
}
}
BugReport *R = new BugReport(*BT, os.str(), N);
R->addRange(msg.getArgSourceRange(Arg));
bugreporter::trackNullOrUndefValue(N, msg.getArgExpr(Arg), *R);
C.emitReport(R);
}
}
void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M,
CheckerContext &C)
const {
ProgramStateRef State = C.getState();
if (!Initialized) {
ASTContext &Ctx = C.getASTContext();
ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx);
ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx);
NullSelector = GetNullarySelector("null", Ctx);
}
// Check the receiver type.
if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) {
// Assume that object returned from '[self init]' or '[super init]' is not
// 'nil' if we are processing an inlined function/method.
//
// A defensive callee will (and should) check if the object returned by
// '[super init]' is 'nil' before doing it's own initialization. However,
// since 'nil' is rarely returned in practice, we should not warn when the
// caller to the defensive constructor uses the object in contexts where
// 'nil' is not accepted.
if (!C.inTopFrame() && M.getDecl() &&
M.getDecl()->getMethodFamily() == OMF_init &&
M.isReceiverSelfOrSuper()) {
State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
}
FoundationClass Cl = findKnownClass(Interface);
// Objects returned from
// [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript]
// are never 'nil'.
if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) {
Selector Sel = M.getSelector();
if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) {
// Go ahead and assume the value is non-nil.
State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
}
}
// Objects returned from [NSNull null] are not nil.
if (Cl == FC_NSNull) {
if (M.getSelector() == NullSelector) {
// Go ahead and assume the value is non-nil.
State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
}
}
}
C.addTransition(State);
}
void NilArgChecker::warnIfNilArg(CheckerContext &C,
const ObjCMethodCall &msg,
unsigned int Arg,
FoundationClass Class,
bool CanBeSubscript) const {
// Check if the argument is nil.
ProgramStateRef State = C.getState();
if (!State->isNull(msg.getArgSVal(Arg)).isConstrainedTrue())
return;
if (ExplodedNode *N = C.generateErrorNode()) {
SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf);
if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
if (Class == FC_NSArray) {
os << "Array element cannot be nil";
} else if (Class == FC_NSDictionary) {
if (Arg == 0) {
os << "Value stored into '";
os << GetReceiverInterfaceName(msg) << "' cannot be nil";
} else {
assert(Arg == 1);
os << "'"<< GetReceiverInterfaceName(msg) << "' key cannot be nil";
}
} else
llvm_unreachable("Missing foundation class for the subscript expr");
} else {
if (Class == FC_NSDictionary) {
if (Arg == 0)
os << "Value argument ";
else {
assert(Arg == 1);
os << "Key argument ";
}
os << "to '";
msg.getSelector().print(os);
os << "' cannot be nil";
} else {
os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '";
msg.getSelector().print(os);
os << "' cannot be nil";
}
}
generateBugReport(N, os.str(), msg.getArgSourceRange(Arg),
msg.getArgExpr(Arg), C);
}
}
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
if (!ID)
return;
if (findKnownClass(ID) == FC_NSString) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
// FIXME: This is going to be really slow doing these checks with
// lexical comparisons.
std::string NameStr = S.getAsString();
StringRef Name(NameStr);
assert(!Name.empty());
// FIXME: Checking for initWithFormat: will not work in most cases
// yet because [NSString alloc] returns id, not NSString*. We will
// need support for tracking expected-type information in the analyzer
// to find these errors.
if (Name == "caseInsensitiveCompare:" ||
Name == "compare:" ||
Name == "compare:options:" ||
Name == "compare:options:range:" ||
Name == "compare:options:range:locale:" ||
Name == "componentsSeparatedByCharactersInSet:" ||
Name == "initWithFormat:") {
if (isNil(msg.getArgSVal(0)))
WarnNilArg(C, msg, 0);
}
}
}
/// Returns true if M is a call to '[super dealloc]'.
bool ObjCDeallocChecker::isSuperDeallocMessage(
const ObjCMethodCall &M) const {
if (M.getOriginExpr()->getReceiverKind() != ObjCMessageExpr::SuperInstance)
return false;
return M.getSelector() == DeallocSel;
}
void NSAutoreleasePoolChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
if (!msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *OD = msg.getReceiverInterface();
if (!OD)
return;
if (!OD->getIdentifier()->isStr("NSAutoreleasePool"))
return;
if (releaseS.isNull())
releaseS = GetNullarySelector("release", C.getASTContext());
// Sending 'release' message?
if (msg.getSelector() != releaseS)
return;
if (!BT)
BT.reset(new BugType("Use -drain instead of -release",
"API Upgrade (Apple)"));
ExplodedNode *N = C.addTransition();
if (!N) {
assert(0);
return;
}
BugReport *Report = new BugReport(*BT, "Use -drain instead of -release when "
"using NSAutoreleasePool and garbage collection", N);
Report->addRange(msg.getSourceRange());
C.emitReport(Report);
}
bool
ObjCSuperDeallocChecker::isSuperDeallocMessage(const ObjCMethodCall &M) const {
if (M.getOriginExpr()->getReceiverKind() != ObjCMessageExpr::SuperInstance)
return false;
ASTContext &Ctx = M.getState()->getStateManager().getContext();
initIdentifierInfoAndSelectors(Ctx);
return M.getSelector() == SELdealloc;
}
void NoReturnFunctionChecker::checkPostObjCMessage(const ObjCMethodCall &Msg,
CheckerContext &C) const {
// Check if the method is annotated with analyzer_noreturn.
if (const ObjCMethodDecl *MD = Msg.getDecl()) {
MD = MD->getCanonicalDecl();
if (MD->hasAttr<AnalyzerNoReturnAttr>()) {
C.generateSink();
return;
}
}
// HACK: This entire check is to handle two messages in the Cocoa frameworks:
// -[NSAssertionHandler
// handleFailureInMethod:object:file:lineNumber:description:]
// -[NSAssertionHandler
// handleFailureInFunction:file:lineNumber:description:]
// Eventually these should be annotated with __attribute__((noreturn)).
// Because ObjC messages use dynamic dispatch, it is not generally safe to
// assume certain methods can't return. In cases where it is definitely valid,
// see if you can mark the methods noreturn or analyzer_noreturn instead of
// adding more explicit checks to this method.
if (!Msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *Receiver = Msg.getReceiverInterface();
if (!Receiver)
return;
if (!Receiver->getIdentifier()->isStr("NSAssertionHandler"))
return;
Selector Sel = Msg.getSelector();
switch (Sel.getNumArgs()) {
default:
return;
case 4:
lazyInitKeywordSelector(HandleFailureInFunctionSel, C.getASTContext(),
"handleFailureInFunction", "file", "lineNumber",
"description", nullptr);
if (Sel != HandleFailureInFunctionSel)
return;
break;
case 5:
lazyInitKeywordSelector(HandleFailureInMethodSel, C.getASTContext(),
"handleFailureInMethod", "object", "file",
"lineNumber", "description", nullptr);
if (Sel != HandleFailureInMethodSel)
return;
break;
}
// If we got here, it's one of the messages we care about.
C.generateSink();
}
bool ObjCLoopChecker::isCollectionCountMethod(const ObjCMethodCall &M,
CheckerContext &C) const {
Selector S = M.getSelector();
// Initialize the identifiers on first use.
if (!CountSelectorII)
CountSelectorII = &C.getASTContext().Idents.get("count");
// If the method returns collection count, record the value.
return S.isUnarySelector() &&
(S.getIdentifierInfoForSlot(0) == CountSelectorII);
}
/// isVariadicMessage - Returns whether the given message is a variadic message,
/// where all arguments must be Objective-C types.
bool
VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const {
const ObjCMethodDecl *MD = msg.getDecl();
if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext()))
return false;
Selector S = msg.getSelector();
if (msg.isInstanceMessage()) {
// FIXME: Ideally we'd look at the receiver interface here, but that's not
// useful for init, because alloc returns 'id'. In theory, this could lead
// to false positives, for example if there existed a class that had an
// initWithObjects: implementation that does accept non-Objective-C pointer
// types, but the chance of that happening is pretty small compared to the
// gains that this analysis gives.
const ObjCInterfaceDecl *Class = MD->getClassInterface();
switch (findKnownClass(Class)) {
case FC_NSArray:
case FC_NSOrderedSet:
case FC_NSSet:
return S == initWithObjectsS;
case FC_NSDictionary:
return S == initWithObjectsAndKeysS;
default:
return false;
}
} else {
const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
switch (findKnownClass(Class)) {
case FC_NSArray:
return S == arrayWithObjectsS;
case FC_NSOrderedSet:
return S == orderedSetWithObjectsS;
case FC_NSSet:
return S == setWithObjectsS;
case FC_NSDictionary:
return S == dictionaryWithObjectsAndKeysS;
default:
return false;
}
}
}
void NilArgChecker::WarnNilArg(CheckerContext &C,
const ObjCMethodCall &msg,
unsigned int Arg) const
{
if (!BT)
BT.reset(new APIMisuse("nil argument"));
if (ExplodedNode *N = C.generateSink()) {
SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf);
os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '"
<< msg.getSelector().getAsString() << "' cannot be nil";
BugReport *R = new BugReport(*BT, os.str(), N);
R->addRange(msg.getArgSourceRange(Arg));
C.emitReport(R);
}
}
void NoReturnSubprogramChecker::checkPostObjCMessage(const ObjCMethodCall &Msg,
CheckerContext &C) const {
// HACK: This entire check is to handle two messages in the Cocoa frameworks:
// -[NSAssertionHandler
// handleFailureInMethod:object:file:lineNumber:description:]
// -[NSAssertionHandler
// handleFailureInSubprogram:file:lineNumber:description:]
// Eventually these should be annotated with __attribute__((noreturn)).
// Because ObjC messages use dynamic dispatch, it is not generally safe to
// assume certain methods can't return. In cases where it is definitely valid,
// see if you can mark the methods noreturn or analyzer_noreturn instead of
// adding more explicit checks to this method.
if (!Msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *Receiver = Msg.getReceiverInterface();
if (!Receiver)
return;
if (!Receiver->getIdentifier()->isStr("NSAssertionHandler"))
return;
Selector Sel = Msg.getSelector();
switch (Sel.getNumArgs()) {
default:
return;
case 4:
if (!isMultiArgSelector(&Sel, "handleFailureInSubprogram", "file",
"lineNumber", "description", NULL))
return;
break;
case 5:
if (!isMultiArgSelector(&Sel, "handleFailureInMethod", "object", "file",
"lineNumber", "description", NULL))
return;
break;
}
// If we got here, it's one of the messages we care about.
C.generateSink();
}
void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
if (!BT) {
BT.reset(new APIMisuse(
this, "message incorrectly sent to class instead of class instance"));
ASTContext &Ctx = C.getASTContext();
releaseS = GetNullarySelector("release", Ctx);
retainS = GetNullarySelector("retain", Ctx);
autoreleaseS = GetNullarySelector("autorelease", Ctx);
drainS = GetNullarySelector("drain", Ctx);
}
if (msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
assert(Class);
Selector S = msg.getSelector();
if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
return;
if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
SmallString<200> buf;
llvm::raw_svector_ostream os(buf);
os << "The '";
S.print(os);
os << "' message should be sent to instances "
"of class '" << Class->getName()
<< "' and not the class directly";
auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
report->addRange(msg.getSourceRange());
C.emitReport(std::move(report));
}
}
void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
if (!BT) {
BT.reset(new APIMisuse(this,
"Arguments passed to variadic method aren't all "
"Objective-C pointer types"));
ASTContext &Ctx = C.getASTContext();
arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx);
dictionaryWithObjectsAndKeysS =
GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx);
setWithObjectsS = GetUnarySelector("setWithObjects", Ctx);
orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx);
initWithObjectsS = GetUnarySelector("initWithObjects", Ctx);
initWithObjectsAndKeysS = GetUnarySelector("initWithObjectsAndKeys", Ctx);
}
if (!isVariadicMessage(msg))
return;
// We are not interested in the selector arguments since they have
// well-defined types, so the compiler will issue a warning for them.
unsigned variadicArgsBegin = msg.getSelector().getNumArgs();
// We're not interested in the last argument since it has to be nil or the
// compiler would have issued a warning for it elsewhere.
unsigned variadicArgsEnd = msg.getNumArgs() - 1;
if (variadicArgsEnd <= variadicArgsBegin)
return;
// Verify that all arguments have Objective-C types.
Optional<ExplodedNode*> errorNode;
for (unsigned I = variadicArgsBegin; I != variadicArgsEnd; ++I) {
QualType ArgTy = msg.getArgExpr(I)->getType();
if (ArgTy->isObjCObjectPointerType())
continue;
// Block pointers are treaded as Objective-C pointers.
if (ArgTy->isBlockPointerType())
continue;
// Ignore pointer constants.
if (msg.getArgSVal(I).getAs<loc::ConcreteInt>())
continue;
// Ignore pointer types annotated with 'NSObject' attribute.
if (C.getASTContext().isObjCNSObjectType(ArgTy))
continue;
// Ignore CF references, which can be toll-free bridged.
if (coreFoundation::isCFObjectRef(ArgTy))
continue;
// Generate only one error node to use for all bug reports.
if (!errorNode.hasValue())
errorNode = C.generateNonFatalErrorNode();
if (!errorNode.getValue())
continue;
SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf);
StringRef TypeName = GetReceiverInterfaceName(msg);
if (!TypeName.empty())
os << "Argument to '" << TypeName << "' method '";
else
os << "Argument to method '";
msg.getSelector().print(os);
os << "' should be an Objective-C pointer type, not '";
ArgTy.print(os, C.getLangOpts());
os << "'";
auto R = llvm::make_unique<BugReport>(*BT, os.str(), errorNode.getValue());
R->addRange(msg.getArgSourceRange(I));
C.emitReport(std::move(R));
}
}
/// Calculate the nullability of the result of a message expr based on the
/// nullability of the receiver, the nullability of the return value, and the
/// constraints.
void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M,
CheckerContext &C) const {
auto Decl = M.getDecl();
if (!Decl)
return;
QualType RetType = Decl->getReturnType();
if (!RetType->isAnyPointerType())
return;
ProgramStateRef State = C.getState();
if (State->get<PreconditionViolated>())
return;
const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue());
if (!ReturnRegion)
return;
auto Interface = Decl->getClassInterface();
auto Name = Interface ? Interface->getName() : "";
// In order to reduce the noise in the diagnostics generated by this checker,
// some framework and programming style based heuristics are used. These
// heuristics are for Cocoa APIs which have NS prefix.
if (Name.startswith("NS")) {
// Developers rely on dynamic invariants such as an item should be available
// in a collection, or a collection is not empty often. Those invariants can
// not be inferred by any static analysis tool. To not to bother the users
// with too many false positives, every item retrieval function should be
// ignored for collections. The instance methods of dictionaries in Cocoa
// are either item retrieval related or not interesting nullability wise.
// Using this fact, to keep the code easier to read just ignore the return
// value of every instance method of dictionaries.
if (M.isInstanceMessage() && Name.find("Dictionary") != StringRef::npos) {
State =
State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted);
C.addTransition(State);
return;
}
// For similar reasons ignore some methods of Cocoa arrays.
StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(0);
if (Name.find("Array") != StringRef::npos &&
(FirstSelectorSlot == "firstObject" ||
FirstSelectorSlot == "lastObject")) {
State =
State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted);
C.addTransition(State);
return;
}
// Encoding related methods of string should not fail when lossless
// encodings are used. Using lossless encodings is so frequent that ignoring
// this class of methods reduced the emitted diagnostics by about 30% on
// some projects (and all of that was false positives).
if (Name.find("String") != StringRef::npos) {
for (auto Param : M.parameters()) {
if (Param->getName() == "encoding") {
State = State->set<NullabilityMap>(ReturnRegion,
Nullability::Contradicted);
C.addTransition(State);
return;
}
}
}
}
const ObjCMessageExpr *Message = M.getOriginExpr();
Nullability SelfNullability = getReceiverNullability(M, State);
const NullabilityState *NullabilityOfReturn =
State->get<NullabilityMap>(ReturnRegion);
if (NullabilityOfReturn) {
// When we have a nullability tracked for the return value, the nullability
// of the expression will be the most nullable of the receiver and the
// return value.
Nullability RetValTracked = NullabilityOfReturn->getValue();
Nullability ComputedNullab =
getMostNullable(RetValTracked, SelfNullability);
if (ComputedNullab != RetValTracked &&
ComputedNullab != Nullability::Unspecified) {
const Stmt *NullabilitySource =
ComputedNullab == RetValTracked
? NullabilityOfReturn->getNullabilitySource()
: Message->getInstanceReceiver();
State = State->set<NullabilityMap>(
ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource));
C.addTransition(State);
}
return;
}
// No tracked information. Use static type information for return value.
Nullability RetNullability = getNullabilityAnnotation(RetType);
// Properties might be computed. For this reason the static analyzer creates a
// new symbol each time an unknown property is read. To avoid false pozitives
// do not treat unknown properties as nullable, even when they explicitly
// marked nullable.
if (M.getMessageKind() == OCM_PropertyAccess && !C.wasInlined)
RetNullability = Nullability::Nonnull;
Nullability ComputedNullab = getMostNullable(RetNullability, SelfNullability);
if (ComputedNullab == Nullability::Nullable) {
const Stmt *NullabilitySource = ComputedNullab == RetNullability
? Message
: Message->getInstanceReceiver();
State = State->set<NullabilityMap>(
ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource));
C.addTransition(State);
}
}
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
if (!ID)
return;
FoundationClass Class = findKnownClass(ID);
static const unsigned InvalidArgIndex = UINT_MAX;
unsigned Arg = InvalidArgIndex;
bool CanBeSubscript = false;
if (Class == FC_NSString) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (StringSelectors.empty()) {
ASTContext &Ctx = C.getASTContext();
Selector Sels[] = {
getKeywordSelector(Ctx, "caseInsensitiveCompare", nullptr),
getKeywordSelector(Ctx, "compare", nullptr),
getKeywordSelector(Ctx, "compare", "options", nullptr),
getKeywordSelector(Ctx, "compare", "options", "range", nullptr),
getKeywordSelector(Ctx, "compare", "options", "range", "locale",
nullptr),
getKeywordSelector(Ctx, "componentsSeparatedByCharactersInSet",
nullptr),
getKeywordSelector(Ctx, "initWithFormat",
nullptr),
getKeywordSelector(Ctx, "localizedCaseInsensitiveCompare", nullptr),
getKeywordSelector(Ctx, "localizedCompare", nullptr),
getKeywordSelector(Ctx, "localizedStandardCompare", nullptr),
};
for (Selector KnownSel : Sels)
StringSelectors[KnownSel] = 0;
}
auto I = StringSelectors.find(S);
if (I == StringSelectors.end())
return;
Arg = I->second;
} else if (Class == FC_NSArray) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (ArrayWithObjectSel.isNull()) {
ASTContext &Ctx = C.getASTContext();
ArrayWithObjectSel = getKeywordSelector(Ctx, "arrayWithObject", nullptr);
AddObjectSel = getKeywordSelector(Ctx, "addObject", nullptr);
InsertObjectAtIndexSel =
getKeywordSelector(Ctx, "insertObject", "atIndex", nullptr);
ReplaceObjectAtIndexWithObjectSel =
getKeywordSelector(Ctx, "replaceObjectAtIndex", "withObject", nullptr);
SetObjectAtIndexedSubscriptSel =
getKeywordSelector(Ctx, "setObject", "atIndexedSubscript", nullptr);
ArrayByAddingObjectSel =
getKeywordSelector(Ctx, "arrayByAddingObject", nullptr);
}
if (S == ArrayWithObjectSel || S == AddObjectSel ||
S == InsertObjectAtIndexSel || S == ArrayByAddingObjectSel) {
Arg = 0;
} else if (S == SetObjectAtIndexedSubscriptSel) {
Arg = 0;
CanBeSubscript = true;
} else if (S == ReplaceObjectAtIndexWithObjectSel) {
Arg = 1;
}
} else if (Class == FC_NSDictionary) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (DictionaryWithObjectForKeySel.isNull()) {
ASTContext &Ctx = C.getASTContext();
DictionaryWithObjectForKeySel =
getKeywordSelector(Ctx, "dictionaryWithObject", "forKey", nullptr);
SetObjectForKeySel =
getKeywordSelector(Ctx, "setObject", "forKey", nullptr);
SetObjectForKeyedSubscriptSel =
getKeywordSelector(Ctx, "setObject", "forKeyedSubscript", nullptr);
RemoveObjectForKeySel =
getKeywordSelector(Ctx, "removeObjectForKey", nullptr);
}
if (S == DictionaryWithObjectForKeySel || S == SetObjectForKeySel) {
Arg = 0;
warnIfNilArg(C, msg, /* Arg */1, Class);
} else if (S == SetObjectForKeyedSubscriptSel) {
CanBeSubscript = true;
Arg = 0;
warnIfNilArg(C, msg, /* Arg */1, Class, CanBeSubscript);
} else if (S == RemoveObjectForKeySel) {
Arg = 0;
}
}
// If argument is '0', report a warning.
if ((Arg != InvalidArgIndex))
warnIfNilArg(C, msg, Arg, Class, CanBeSubscript);
}
//FIXME: Consider other methods than setObject like dictionaryWithObjectsAndKeys
/// Process call to NSMutableArray:setObject:forKey:
void iOSAppSecInsecureKeyChainStorageChecker::checkPreObjCMessage
(const ObjCMethodCall &M, CheckerContext &C) const
{
MSEC_DEBUG_FUNC("redwud:","ENTER") ;
do
{
const ObjCInterfaceDecl *pRxInterface = M.getReceiverInterface() ;
if ( !pRxInterface )
{
break ;
}
ASTContext &Ctx = C.getASTContext() ;
Selector selCurr = M.getSelector() ;
initIdentifierInfo( Ctx ) ;
//TODO: Check this with property, this might not work on it
//NSMutableDictionary
if ( pRxInterface ->getIdentifier() != m_piiNSMutableDictionary )
{
break ;
}
//setObject
IdentifierInfo *piiSetObject = selCurr.getIdentifierInfoForSlot(0) ;
if ( piiSetObject != m_piiSetObject )
{
break ;
}
//forKey
IdentifierInfo *piiForKey = selCurr.getIdentifierInfoForSlot(1) ;
if ( piiForKey != m_piiForKey )
{
break ;
}
// MSEC_DEBUG("redwud: ", "'" << selCurr.getAsString() << "' num args: " << selCurr.getNumArgs() ) ;
if ( selCurr.getNumArgs() != 2 )
{
// Unlikely to be of concerned
break ;
}
ProgramStateRef pProgState = C.getState() ;
const LocationContext *pLCtx = C.getLocationContext() ;
//Get the value for "aKey" parameter (2nd)
// Checking this first because checking the first parameter takes a bit longer
const Expr *pKeyExpr = M.getArgExpr(1) ;
SVal argValKey = pProgState ->getSVal( pKeyExpr, pLCtx ) ;
if ( !CMSecCommon::isSValContains( argValKey, "kSecAttrAccessible" ) )
{
// Not of concern
break ;
}
//Get the value for "anObject" parameter (1st)
const Expr *pObjExpr = M.getArgExpr(0) ;
SVal argValAnObject = pProgState ->getSVal( pObjExpr, pLCtx ) ;
//Get receiver as symbol, should be used in either condition
SymbolRef pSymQuery = M.getReceiverSVal().getAsSymbol() ;
if ( !pSymQuery )
{
// redwud: Can't save empty receiver symbol,
// so there is no point of moving on,
// there must be something wrong with this
break ;
}
//Idea: if [query] is currently being tracked change it to different status, e.g. secure
// if not tracked add new secure state
bool bInsecureObject = isInsecureObject( argValAnObject ) ;
pProgState = pProgState ->set <StreamMap>( pSymQuery, bInsecureObject ?
KeyChainState::getNotSecure() : KeyChainState::getSecure() ) ;
// Add transition of state
//redwud: it seems that the states are transitioned at some point
C.addTransition( pProgState ) ;
MSEC_DEBUG( "redwud: ", "Finish checking!" ) ;
} while (_PASSING_) ;
MSEC_DEBUG_FUNC("redwud:","EXIT") ;
}
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
if (!ID)
return;
FoundationClass Class = findKnownClass(ID);
static const unsigned InvalidArgIndex = UINT_MAX;
unsigned Arg = InvalidArgIndex;
bool CanBeSubscript = false;
if (Class == FC_NSString) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
// FIXME: This is going to be really slow doing these checks with
// lexical comparisons.
std::string NameStr = S.getAsString();
StringRef Name(NameStr);
assert(!Name.empty());
// FIXME: Checking for initWithFormat: will not work in most cases
// yet because [NSString alloc] returns id, not NSString*. We will
// need support for tracking expected-type information in the analyzer
// to find these errors.
if (Name == "caseInsensitiveCompare:" ||
Name == "compare:" ||
Name == "compare:options:" ||
Name == "compare:options:range:" ||
Name == "compare:options:range:locale:" ||
Name == "componentsSeparatedByCharactersInSet:" ||
Name == "initWithFormat:") {
Arg = 0;
}
} else if (Class == FC_NSArray) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (S.getNameForSlot(0).equals("addObject")) {
Arg = 0;
} else if (S.getNameForSlot(0).equals("insertObject") &&
S.getNameForSlot(1).equals("atIndex")) {
Arg = 0;
} else if (S.getNameForSlot(0).equals("replaceObjectAtIndex") &&
S.getNameForSlot(1).equals("withObject")) {
Arg = 1;
} else if (S.getNameForSlot(0).equals("setObject") &&
S.getNameForSlot(1).equals("atIndexedSubscript")) {
Arg = 0;
CanBeSubscript = true;
} else if (S.getNameForSlot(0).equals("arrayByAddingObject")) {
Arg = 0;
}
} else if (Class == FC_NSDictionary) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (S.getNameForSlot(0).equals("dictionaryWithObject") &&
S.getNameForSlot(1).equals("forKey")) {
Arg = 0;
WarnIfNilArg(C, msg, /* Arg */1, Class);
} else if (S.getNameForSlot(0).equals("setObject") &&
S.getNameForSlot(1).equals("forKey")) {
Arg = 0;
WarnIfNilArg(C, msg, /* Arg */1, Class);
} else if (S.getNameForSlot(0).equals("setObject") &&
S.getNameForSlot(1).equals("forKeyedSubscript")) {
CanBeSubscript = true;
Arg = 0;
WarnIfNilArg(C, msg, /* Arg */1, Class, CanBeSubscript);
} else if (S.getNameForSlot(0).equals("removeObjectForKey")) {
Arg = 0;
}
}
// If argument is '0', report a warning.
if ((Arg != InvalidArgIndex))
WarnIfNilArg(C, msg, Arg, Class, CanBeSubscript);
}
