/// Remove the Value requiring a release from the tracked set for
/// Instance and return the resultant state.
ProgramStateRef ObjCDeallocChecker::removeValueRequiringRelease(
ProgramStateRef State, SymbolRef Instance, SymbolRef Value) const {
assert(Instance);
assert(Value);
const ObjCIvarRegion *RemovedRegion = getIvarRegionForIvarSymbol(Value);
if (!RemovedRegion)
return State;
const SymbolSet *Unreleased = State->get<UnreleasedIvarMap>(Instance);
if (!Unreleased)
return State;
// Mark the value as no longer requiring a release.
SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
SymbolSet NewUnreleased = *Unreleased;
for (auto &Sym : *Unreleased) {
const ObjCIvarRegion *UnreleasedRegion = getIvarRegionForIvarSymbol(Sym);
assert(UnreleasedRegion);
if (RemovedRegion->getDecl() == UnreleasedRegion->getDecl()) {
NewUnreleased = F.remove(NewUnreleased, Sym);
}
}
if (NewUnreleased.isEmpty()) {
return State->remove<UnreleasedIvarMap>(Instance);
}
return State->set<UnreleasedIvarMap>(Instance, NewUnreleased);
}
/// If this is the beginning of -dealloc, mark the values initially stored in
/// instance variables that must be released by the end of -dealloc
/// as unreleased in the state.
void ObjCDeallocChecker::checkBeginFunction(
CheckerContext &C) const {
initIdentifierInfoAndSelectors(C.getASTContext());
// Only do this if the current method is -dealloc.
SVal SelfVal;
if (!isInInstanceDealloc(C, SelfVal))
return;
SymbolRef SelfSymbol = SelfVal.getAsSymbol();
const LocationContext *LCtx = C.getLocationContext();
ProgramStateRef InitialState = C.getState();
ProgramStateRef State = InitialState;
SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
// Symbols that must be released by the end of the -dealloc;
SymbolSet RequiredReleases = F.getEmptySet();
// If we're an inlined -dealloc, we should add our symbols to the existing
// set from our subclass.
if (const SymbolSet *CurrSet = State->get<UnreleasedIvarMap>(SelfSymbol))
RequiredReleases = *CurrSet;
for (auto *PropImpl : getContainingObjCImpl(LCtx)->property_impls()) {
ReleaseRequirement Requirement = getDeallocReleaseRequirement(PropImpl);
if (Requirement != ReleaseRequirement::MustRelease)
continue;
SVal LVal = State->getLValue(PropImpl->getPropertyIvarDecl(), SelfVal);
Optional<Loc> LValLoc = LVal.getAs<Loc>();
if (!LValLoc)
continue;
SVal InitialVal = State->getSVal(LValLoc.getValue());
SymbolRef Symbol = InitialVal.getAsSymbol();
if (!Symbol || !isa<SymbolRegionValue>(Symbol))
continue;
// Mark the value as requiring a release.
RequiredReleases = F.add(RequiredReleases, Symbol);
}
if (!RequiredReleases.isEmpty()) {
State = State->set<UnreleasedIvarMap>(SelfSymbol, RequiredReleases);
}
if (State != InitialState) {
C.addTransition(State);
}
}
/// Report any unreleased instance variables for the current instance being
/// dealloced.
void ObjCDeallocChecker::diagnoseMissingReleases(CheckerContext &C) const {
ProgramStateRef State = C.getState();
SVal SelfVal;
if (!isInInstanceDealloc(C, SelfVal))
return;
const MemRegion *SelfRegion = SelfVal.castAs<loc::MemRegionVal>().getRegion();
const LocationContext *LCtx = C.getLocationContext();
ExplodedNode *ErrNode = nullptr;
SymbolRef SelfSym = SelfVal.getAsSymbol();
if (!SelfSym)
return;
const SymbolSet *OldUnreleased = State->get<UnreleasedIvarMap>(SelfSym);
if (!OldUnreleased)
return;
SymbolSet NewUnreleased = *OldUnreleased;
SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
ProgramStateRef InitialState = State;
for (auto *IvarSymbol : *OldUnreleased) {
const TypedValueRegion *TVR =
cast<SymbolRegionValue>(IvarSymbol)->getRegion();
const ObjCIvarRegion *IvarRegion = cast<ObjCIvarRegion>(TVR);
// Don't warn if the ivar is not for this instance.
if (SelfRegion != IvarRegion->getSuperRegion())
continue;
const ObjCIvarDecl *IvarDecl = IvarRegion->getDecl();
// Prevent an inlined call to -dealloc in a super class from warning
// about the values the subclass's -dealloc should release.
if (IvarDecl->getContainingInterface() !=
cast<ObjCMethodDecl>(LCtx->getDecl())->getClassInterface())
continue;
// Prevents diagnosing multiple times for the same instance variable
// at, for example, both a return and at the end of the function.
NewUnreleased = F.remove(NewUnreleased, IvarSymbol);
if (State->getStateManager()
.getConstraintManager()
.isNull(State, IvarSymbol)
.isConstrainedTrue()) {
continue;
}
// A missing release manifests as a leak, so treat as a non-fatal error.
if (!ErrNode)
ErrNode = C.generateNonFatalErrorNode();
// If we've already reached this node on another path, return without
// diagnosing.
if (!ErrNode)
return;
std::string Buf;
llvm::raw_string_ostream OS(Buf);
const ObjCInterfaceDecl *Interface = IvarDecl->getContainingInterface();
// If the class is known to have a lifecycle with teardown that is
// separate from -dealloc, do not warn about missing releases. We
// suppress here (rather than not tracking for instance variables in
// such classes) because these classes are rare.
if (classHasSeparateTeardown(Interface))
return;
ObjCImplDecl *ImplDecl = Interface->getImplementation();
const ObjCPropertyImplDecl *PropImpl =
ImplDecl->FindPropertyImplIvarDecl(IvarDecl->getIdentifier());
const ObjCPropertyDecl *PropDecl = PropImpl->getPropertyDecl();
assert(PropDecl->getSetterKind() == ObjCPropertyDecl::Copy ||
PropDecl->getSetterKind() == ObjCPropertyDecl::Retain);
OS << "The '" << *IvarDecl << "' ivar in '" << *ImplDecl
<< "' was ";
if (PropDecl->getSetterKind() == ObjCPropertyDecl::Retain)
OS << "retained";
else
OS << "copied";
OS << " by a synthesized property but not released"
" before '[super dealloc]'";
std::unique_ptr<BugReport> BR(
new BugReport(*MissingReleaseBugType, OS.str(), ErrNode));
C.emitReport(std::move(BR));
}
if (NewUnreleased.isEmpty()) {
State = State->remove<UnreleasedIvarMap>(SelfSym);
} else {
State = State->set<UnreleasedIvarMap>(SelfSym, NewUnreleased);
}
if (ErrNode) {
C.addTransition(State, ErrNode);
} else if (State != InitialState) {
C.addTransition(State);
}
// Make sure that after checking in the top-most frame the list of
// tracked ivars is empty. This is intended to detect accidental leaks in
// the UnreleasedIvarMap program state.
assert(!LCtx->inTopFrame() || State->get<UnreleasedIvarMap>().isEmpty());
}
