void FunctionChecker::checkASTDecl(const FunctionDecl *FD, AnalysisManager &mgr, BugReporter &BR) const {
if (FD->hasAttr<CMSThreadSafeAttr>())
return;
if (FD->isInExternCContext()) {
std::string buf;
std::string dname = FD->getQualifiedNameAsString();
if (dname.compare(dname.size() - 1, 1, "_") == 0) {
llvm::raw_string_ostream os(buf);
os << "function '" << dname
<< "' is in an extern \"C\" context and most likely accesses or modifies fortran variables in a "
"'COMMONBLOCK'.\n";
clang::ento::PathDiagnosticLocation::createBegin(FD, BR.getSourceManager());
// BR.EmitBasicReport(FD, "COMMONBLOCK variable accessed or modified","ThreadSafety",os.str(), FDLoc);
std::string ostring = "function '" + dname + "' static variable 'COMMONBLOCK'.\n";
std::string tname = "function-checker.txt.unsorted";
support::writeLog(ostring, tname);
}
}
const char *sfile = BR.getSourceManager().getPresumedLoc(FD->getLocation()).getFilename();
if (!support::isCmsLocalFile(sfile))
return;
std::string fname(sfile);
if (!support::isInterestingLocation(fname))
return;
if (FD->doesThisDeclarationHaveABody()) {
FWalker walker(this, BR, mgr.getAnalysisDeclContext(FD));
walker.Visit(FD->getBody());
}
}
/// An AST check that diagnose when the class requires a -dealloc method and
/// is missing one.
void ObjCDeallocChecker::checkASTDecl(const ObjCImplementationDecl *D,
AnalysisManager &Mgr,
BugReporter &BR) const {
assert(Mgr.getLangOpts().getGC() != LangOptions::GCOnly);
assert(!Mgr.getLangOpts().ObjCAutoRefCount);
initIdentifierInfoAndSelectors(Mgr.getASTContext());
const ObjCInterfaceDecl *ID = D->getClassInterface();
// If the class is known to have a lifecycle with a separate teardown method
// then it may not require a -dealloc method.
if (classHasSeparateTeardown(ID))
return;
// Does the class contain any synthesized properties that are retainable?
// If not, skip the check entirely.
const ObjCPropertyImplDecl *PropImplRequiringRelease = nullptr;
bool HasOthers = false;
for (const auto *I : D->property_impls()) {
if (getDeallocReleaseRequirement(I) == ReleaseRequirement::MustRelease) {
if (!PropImplRequiringRelease)
PropImplRequiringRelease = I;
else {
HasOthers = true;
break;
}
}
}
if (!PropImplRequiringRelease)
return;
const ObjCMethodDecl *MD = nullptr;
// Scan the instance methods for "dealloc".
for (const auto *I : D->instance_methods()) {
if (I->getSelector() == DeallocSel) {
MD = I;
break;
}
}
if (!MD) { // No dealloc found.
const char* Name = "Missing -dealloc";
std::string Buf;
llvm::raw_string_ostream OS(Buf);
OS << "'" << *D << "' lacks a 'dealloc' instance method but "
<< "must release '" << *PropImplRequiringRelease->getPropertyIvarDecl()
<< "'";
if (HasOthers)
OS << " and others";
PathDiagnosticLocation DLoc =
PathDiagnosticLocation::createBegin(D, BR.getSourceManager());
BR.EmitBasicReport(D, this, Name, categories::CoreFoundationObjectiveC,
OS.str(), DLoc);
return;
}
}
// OutputPossibleOverflows - We've found a possible overflow earlier,
// now check whether Body might contain a comparison which might be
// preventing the overflow.
// This doesn't do flow analysis, range analysis, or points-to analysis; it's
// just a dumb "is there a comparison" scan. The aim here is to
// detect the most blatent cases of overflow and educate the
// programmer.
void MallocOverflowSecurityChecker::OutputPossibleOverflows(
llvm::SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Decl *D, BugReporter &BR, AnalysisManager &mgr) const {
// By far the most common case: nothing to check.
if (PossibleMallocOverflows.empty())
return;
// Delete any possible overflows which have a comparison.
CheckOverflowOps c(PossibleMallocOverflows, BR.getContext());
c.Visit(mgr.getAnalysisContext(D)->getBody());
// Output warnings for all overflows that are left.
for (CheckOverflowOps::theVecType::iterator
i = PossibleMallocOverflows.begin(),
e = PossibleMallocOverflows.end();
i != e;
++i) {
SourceRange R = i->mulop->getSourceRange();
BR.EmitBasicReport("MallocOverflowSecurityChecker",
"the computation of the size of the memory allocation may overflow",
PathDiagnosticLocation::createOperatorLoc(i->mulop,
BR.getSourceManager()),
&R, 1);
}
}
void NSErrorMethodChecker::checkASTDecl(const ObjCMethodDecl *D,
AnalysisManager &mgr,
BugReporter &BR) const {
if (!D->isThisDeclarationADefinition())
return;
if (!D->getReturnType()->isVoidType())
return;
if (!II)
II = &D->getASTContext().Idents.get("NSError");
bool hasNSError = false;
for (const auto *I : D->params()) {
if (IsNSError(I->getType(), II)) {
hasNSError = true;
break;
}
}
if (hasNSError) {
const char *err = "Method accepting NSError** "
"should have a non-void return value to indicate whether or not an "
"error occurred";
PathDiagnosticLocation L =
PathDiagnosticLocation::create(D, BR.getSourceManager());
BR.EmitBasicReport(D, this, "Bad return type when passing NSError**",
"Coding conventions (Apple)", err, L);
}
}
void CFErrorFunctionChecker::checkASTDecl(const FunctionDecl *D,
AnalysisManager &mgr,
BugReporter &BR) const {
if (!D->doesThisDeclarationHaveABody())
return;
if (!D->getReturnType()->isVoidType())
return;
if (!II)
II = &D->getASTContext().Idents.get("CFErrorRef");
bool hasCFError = false;
for (auto I : D->params()) {
if (IsCFError(I->getType(), II)) {
hasCFError = true;
break;
}
}
if (hasCFError) {
const char *err = "Function accepting CFErrorRef* "
"should have a non-void return value to indicate whether or not an "
"error occurred";
PathDiagnosticLocation L =
PathDiagnosticLocation::create(D, BR.getSourceManager());
BR.EmitBasicReport(D, this, "Bad return type when passing CFErrorRef*",
"Coding conventions (Apple)", err, L);
}
}
void clang::CheckObjCUnusedIvar(ObjCImplementationDecl* D, BugReporter& BR) {
ObjCInterfaceDecl* ID = D->getClassInterface();
IvarUsageMap M;
ASTContext &Ctx = BR.getContext();
// Iterate over the ivars.
for (ObjCInterfaceDecl::ivar_iterator I=ID->ivar_begin(), E=ID->ivar_end();
I!=E; ++I) {
ObjCIvarDecl* ID = *I;
// Ignore ivars that aren't private.
if (ID->getAccessControl() != ObjCIvarDecl::Private)
continue;
// Skip IB Outlets.
if (ID->getAttr<IBOutletAttr>())
continue;
M[ID] = Unused;
}
if (M.empty())
return;
// Now scan the methods for accesses.
for (ObjCImplementationDecl::instmeth_iterator I = D->instmeth_begin(Ctx),
E = D->instmeth_end(Ctx); I!=E; ++I)
Scan(M, (*I)->getBody(Ctx));
// Scan for @synthesized property methods that act as setters/getters
// to an ivar.
for (ObjCImplementationDecl::propimpl_iterator I = D->propimpl_begin(Ctx),
E = D->propimpl_end(Ctx); I!=E; ++I)
Scan(M, *I);
// Find ivars that are unused.
for (IvarUsageMap::iterator I = M.begin(), E = M.end(); I!=E; ++I)
if (I->second == Unused) {
std::ostringstream os;
os << "Instance variable '" << I->first->getNameAsString()
<< "' in class '" << ID->getNameAsString()
<< "' is never used by the methods in its @implementation "
"(although it may be used by category methods).";
BR.EmitBasicReport("Unused instance variable", "Optimization",
os.str().c_str(), I->first->getLocation());
}
}
void ObjCSuperCallChecker::checkASTDecl(const ObjCImplementationDecl *D,
AnalysisManager &Mgr,
BugReporter &BR) const {
ASTContext &Ctx = BR.getContext();
// We need to initialize the selector table once.
if (!IsInitialized)
initializeSelectors(Ctx);
// Find out whether this class has a superclass that we are supposed to check.
StringRef SuperclassName;
if (!isCheckableClass(D, SuperclassName))
return;
// Iterate over all instance methods.
for (auto *MD : D->instance_methods()) {
Selector S = MD->getSelector();
// Find out whether this is a selector that we want to check.
if (!SelectorsForClass[SuperclassName].count(S))
continue;
// Check if the method calls its superclass implementation.
if (MD->getBody())
{
FindSuperCallVisitor Visitor(S);
Visitor.TraverseDecl(MD);
// It doesn't call super, emit a diagnostic.
if (!Visitor.DoesCallSuper) {
PathDiagnosticLocation DLoc =
PathDiagnosticLocation::createEnd(MD->getBody(),
BR.getSourceManager(),
Mgr.getAnalysisDeclContext(D));
const char *Name = "Missing call to superclass";
SmallString<320> Buf;
llvm::raw_svector_ostream os(Buf);
os << "The '" << S.getAsString()
<< "' instance method in " << SuperclassName.str() << " subclass '"
<< *D << "' is missing a [super " << S.getAsString() << "] call";
BR.EmitBasicReport(MD, this, Name, categories::CoreFoundationObjectiveC,
os.str(), DLoc);
}
}
}
}
void DanglingDelegateChecker::checkASTDecl(const ObjCImplDecl *implDecl, AnalysisManager& manager, BugReporter &bugReporter) const {
const NamedDecl *namedDecl = dyn_cast<NamedDecl>(implDecl);
if (!namedDecl) {
assert(false);
return;
}
std::string name = namedDecl->getNameAsString();
// obtain the map of facts for the current class implementation, possibly a new one
ObjCImplFacts &facts = _implFacts[name];
for (ObjCImplDecl::method_iterator it = implDecl->meth_begin(), end = implDecl->meth_end();
it != end; ++it) {
FactFinder factFinder(*it, facts);
factFinder.VisitMethodDecl();
Stmt *body = (*it)->getBody();
if (body) {
factFinder.Visit(body);
}
}
PathDiagnosticLocation pLoc(implDecl->getLocation(), bugReporter.getSourceManager());
const std::function<void(StringRef)> emitBug([implDecl, &pLoc, &bugReporter, this](StringRef str) {
bugReporter.EmitBasicReport(implDecl,
this,
"Leaking unsafe reference to self",
"Memory error (Facebook)",
str,
pLoc);
});
// The default dealloc in ARC mode does not clear delegates.
if (!facts._hasDealloc && manager.getLangOpts().ObjCAutoRefCount) {
const StringSet emptySet;
for (auto it = facts._ivarFactsMap.begin(), end = facts._ivarFactsMap.end(); it != end; it++) {
verifyAndReportDangerousProperties(it->second._mayStoreSelfInUnsafeProperty,
emptySet,
it->first->getNameAsString(),
it->first->getType(),
"ARC-generated dealloc",
emitBug);
}
}
}
void iOSAppSecAbusingURLSchemesChecker::checkASTDecl(const ObjCImplementationDecl *pImplDecl, AnalysisManager &rMgr, BugReporter &rBR) const
{
MSEC_DEBUG_FUNC( "redwud: ", "ENTER" ) ;
ASTContext &Ctx = rBR.getContext() ;
do
{
initIdentifierInfo( Ctx ) ;
const ObjCInterfaceDecl *pIfDecl = CMSecCommon::isSupportedProtocol( pImplDecl ->getClassInterface(), m_piiUIApplicationDelegate ) ;
if ( !pIfDecl )
{
MSEC_DEBUG( "redwud: ", "!pIfDecl" ) ;
break ;
}
//Pitfall: This should be instance method
for ( ObjCImplementationDecl::instmeth_iterator pItem = pImplDecl ->instmeth_begin()
, pEndItem = pImplDecl ->instmeth_end();
pItem != pEndItem;
++pItem )
{
checkASTDecl( (*pItem), rMgr, rBR ) ;
}
} while (_PASSING_) ;
MSEC_DEBUG_FUNC( "redwud: ", "EXIT" ) ;
}
void NSErrorChecker::FlushReports(BugReporter& BR) {
// Get the analysis engine and the exploded analysis graph.
ExplodedGraph& G = Eng.getGraph();
// Get the ASTContext, which is useful for querying type information.
ASTContext &Ctx = BR.getContext();
QualType ResultTy;
llvm::SmallVector<VarDecl*, 5> ErrorParams;
if (const ObjCMethodDecl* MD = dyn_cast<ObjCMethodDecl>(&CodeDecl))
CheckSignature(*MD, ResultTy, ErrorParams);
else if (const FunctionDecl* FD = dyn_cast<FunctionDecl>(&CodeDecl))
CheckSignature(*FD, ResultTy, ErrorParams);
else
return;
if (ErrorParams.empty())
return;
if (ResultTy == Ctx.VoidTy) EmitRetTyWarning(BR, CodeDecl);
for (ExplodedGraph::roots_iterator RI=G.roots_begin(), RE=G.roots_end();
RI!=RE; ++RI) {
// Scan the parameters for an implicit null dereference.
for (llvm::SmallVectorImpl<VarDecl*>::iterator I=ErrorParams.begin(),
E=ErrorParams.end(); I!=E; ++I)
CheckParamDeref(*I, (*RI)->getLocationContext(), (*RI)->getState(), BR);
}
}
void clang::CheckDeadStores(CFG &cfg, LiveVariables &L, ParentMap &pmap,
BugReporter& BR) {
FindEscaped FS(&cfg);
FS.getCFG().VisitBlockStmts(FS);
DeadStoreObs A(BR.getContext(), BR, pmap, FS.Escaped);
L.runOnAllBlocks(cfg, &A);
}
static void CompareReturnTypes(const ObjCMethodDecl *MethDerived,
const ObjCMethodDecl *MethAncestor,
BugReporter &BR, ASTContext &Ctx,
const ObjCImplementationDecl *ID) {
QualType ResDerived = MethDerived->getResultType();
QualType ResAncestor = MethAncestor->getResultType();
if (!AreTypesCompatible(ResDerived, ResAncestor, Ctx)) {
std::string sbuf;
llvm::raw_string_ostream os(sbuf);
os << "The Objective-C class '"
<< MethDerived->getClassInterface()
<< "', which is derived from class '"
<< MethAncestor->getClassInterface()
<< "', defines the instance method '"
<< MethDerived->getSelector().getAsString()
<< "' whose return type is '"
<< ResDerived.getAsString()
<< "'. A method with the same name (same selector) is also defined in "
"class '"
<< MethAncestor->getClassInterface()
<< "' and has a return type of '"
<< ResAncestor.getAsString()
<< "'. These two types are incompatible, and may result in undefined "
"behavior for clients of these classes.";
BR.EmitBasicReport("Incompatible instance method return type",
os.str(), MethDerived->getLocStart());
}
}
void ThrUnsafeFCallChecker::checkASTDecl(const CXXMethodDecl *MD, AnalysisManager& mgr,
BugReporter &BR) const {
const SourceManager &SM = BR.getSourceManager();
PathDiagnosticLocation DLoc =PathDiagnosticLocation::createBegin( MD, SM );
if ( SM.isInSystemHeader(DLoc.asLocation()) || SM.isInExternCSystemHeader(DLoc.asLocation()) ) return;
if (!MD->doesThisDeclarationHaveABody()) return;
clangcms::TUFWalker walker(this,BR, mgr.getAnalysisDeclContext(MD));
walker.Visit(MD->getBody());
return;
}
void iOSAppSecLeakingWebCachesChecker::checkASTDecl(const ObjCMethodDecl *pMD, AnalysisManager &rMgr, BugReporter &rBR) const
{
MSEC_DEBUG_FUNC( "redwud: ", "ENTER (Method)" ) ;
do
{
if ( !pMD )
{
break ;
}
Selector S = pMD ->getSelector() ;
//There is no point of checking if you can't report it
if ( !m_pInsecureInstBugType )
{
MSEC_DEBUG("redwud: ","Reporting will fail!" ) ;
break ;
}
// connection:
if ( S.getIdentifierInfoForSlot( 0 ) != m_piiConnection)
{
//MSEC_DEBUG("redwud: ","!connection: " << S.getAsString() ) ;
break ;
}
ASTContext &Ctx = rBR.getContext() ;
// Two arguments
if ( S.getNumArgs() != 2 )
{
break ;
}
// willCacheResponse:
if ( S.getIdentifierInfoForSlot(1) != m_piiWillCacheResponse )
{
break ;
}
//Note: Intentionally made it common for both
if ( !checkWillCacheResponse( pMD, Ctx ) )
{
break ;
}
CMSecCommon::reportInsecureInstance( *m_pInsecureInstBugType
, m_szReportDesc, rBR, pMD ) ;
} while(_PASSING_) ;
MSEC_DEBUG_FUNC( "redwud: ", "EXIT (Method)" ) ;
}
void FunctionChecker::checkASTDecl(const CXXMethodDecl *MD, AnalysisManager& mgr,
BugReporter &BR) const {
if ( MD->hasAttr<CMSThreadSafeAttr>()) return;
const char *sfile=BR.getSourceManager().getPresumedLoc(MD->getLocation()).getFilename();
if (!support::isCmsLocalFile(sfile)) return;
std::string fname(sfile);
if ( fname.find("/test/") != std::string::npos) return;
if (!MD->doesThisDeclarationHaveABody()) return;
FWalker walker(BR, mgr.getAnalysisDeclContext(MD));
walker.Visit(MD->getBody());
return;
}
void getByChecker::checkASTDecl(const FunctionTemplateDecl *TD, AnalysisManager &mgr, BugReporter &BR) const {
const clang::SourceManager &SM = BR.getSourceManager();
clang::ento::PathDiagnosticLocation DLoc = clang::ento::PathDiagnosticLocation::createBegin(TD, SM);
if (SM.isInSystemHeader(DLoc.asLocation()) || SM.isInExternCSystemHeader(DLoc.asLocation()))
return;
for (auto I = TD->spec_begin(), E = TD->spec_end(); I != E; ++I) {
if (I->doesThisDeclarationHaveABody()) {
clangcms::Walker walker(this, BR, mgr.getAnalysisDeclContext(*I));
walker.Visit(I->getBody());
}
}
return;
}
void ento::CheckObjCInstMethSignature(const ObjCImplementationDecl* ID,
BugReporter& BR) {
const ObjCInterfaceDecl* D = ID->getClassInterface();
const ObjCInterfaceDecl* C = D->getSuperClass();
if (!C)
return;
ASTContext& Ctx = BR.getContext();
// Build a DenseMap of the methods for quick querying.
typedef llvm::DenseMap<Selector,ObjCMethodDecl*> MapTy;
MapTy IMeths;
unsigned NumMethods = 0;
for (ObjCImplementationDecl::instmeth_iterator I=ID->instmeth_begin(),
E=ID->instmeth_end(); I!=E; ++I) {
ObjCMethodDecl* M = *I;
IMeths[M->getSelector()] = M;
++NumMethods;
}
// Now recurse the class hierarchy chain looking for methods with the
// same signatures.
while (C && NumMethods) {
for (ObjCInterfaceDecl::instmeth_iterator I=C->instmeth_begin(),
E=C->instmeth_end(); I!=E; ++I) {
ObjCMethodDecl* M = *I;
Selector S = M->getSelector();
MapTy::iterator MI = IMeths.find(S);
if (MI == IMeths.end() || MI->second == 0)
continue;
--NumMethods;
ObjCMethodDecl* MethDerived = MI->second;
MI->second = 0;
CompareReturnTypes(MethDerived, M, BR, Ctx, ID);
}
C = C->getSuperClass();
}
}
void FunctionChecker::checkASTDecl(const FunctionTemplateDecl *TD, AnalysisManager &mgr, BugReporter &BR) const {
if (TD->hasAttr<CMSThreadSafeAttr>())
return;
const char *sfile = BR.getSourceManager().getPresumedLoc(TD->getLocation()).getFilename();
if (!support::isCmsLocalFile(sfile))
return;
std::string fname(sfile);
if (!support::isInterestingLocation(fname))
return;
for (auto I = TD->spec_begin(), E = TD->spec_end(); I != E; ++I) {
if (I->doesThisDeclarationHaveABody()) {
FWalker walker(this, BR, mgr.getAnalysisDeclContext(*I));
walker.Visit(I->getBody());
}
}
return;
}
void FunctionChecker::checkASTDecl(const FunctionTemplateDecl *TD, AnalysisManager& mgr,
BugReporter &BR) const {
if ( TD->hasAttr<CMSThreadSafeAttr>()) return;
const char *sfile=BR.getSourceManager().getPresumedLoc(TD->getLocation ()).getFilename();
if (!support::isCmsLocalFile(sfile)) return;
std::string fname(sfile);
if ( fname.find("/test/") != std::string::npos) return;
for (FunctionTemplateDecl::spec_iterator I = const_cast<clang::FunctionTemplateDecl *>(TD)->spec_begin(),
E = const_cast<clang::FunctionTemplateDecl *>(TD)->spec_end(); I != E; ++I)
{
if (I->doesThisDeclarationHaveABody()) {
FWalker walker(BR, mgr.getAnalysisDeclContext(*I));
walker.Visit(I->getBody());
}
}
return;
}
void NSErrorChecker::CheckParamDeref(const VarDecl *Param,
const LocationContext *LC,
const GRState *rootState,
BugReporter& BR) {
SVal ParamL = rootState->getLValue(Param, LC);
const MemRegion* ParamR = cast<loc::MemRegionVal>(ParamL).getRegionAs<VarRegion>();
assert (ParamR && "Parameters always have VarRegions.");
SVal ParamSVal = rootState->getSVal(ParamR);
// FIXME: For now assume that ParamSVal is symbolic. We need to generalize
// this later.
SymbolRef ParamSym = ParamSVal.getAsLocSymbol();
if (!ParamSym)
return;
// Iterate over the implicit-null dereferences.
ExplodedNode *const* I, *const* E;
llvm::tie(I, E) = GetImplicitNullDereferences(Eng);
for ( ; I != E; ++I) {
const GRState *state = (*I)->getState();
SVal location = state->getSVal((*I)->getLocationAs<StmtPoint>()->getStmt());
if (location.getAsSymbol() != ParamSym)
continue;
// Emit an error.
std::string sbuf;
llvm::raw_string_ostream os(sbuf);
os << "Potential null dereference. According to coding standards ";
if (isNSErrorWarning)
os << "in 'Creating and Returning NSError Objects' the parameter '";
else
os << "documented in CoreFoundation/CFError.h the parameter '";
os << Param << "' may be null.";
BugReport *report = new BugReport(*this, os.str(), *I);
// FIXME: Notable symbols are now part of the report. We should
// add support for notable symbols in BugReport.
// BR.addNotableSymbol(SV->getSymbol());
BR.EmitReport(report);
}
}
void CloneChecker::reportClones(
BugReporter &BR, AnalysisManager &Mgr,
std::vector<CloneDetector::CloneGroup> &CloneGroups) const {
if (!BT_Exact)
BT_Exact.reset(new BugType(this, "Exact code clone", "Code clone"));
for (const CloneDetector::CloneGroup &Group : CloneGroups) {
// We group the clones by printing the first as a warning and all others
// as a note.
auto R = llvm::make_unique<BugReport>(*BT_Exact, "Duplicate code detected",
makeLocation(Group.front(), Mgr));
R->addRange(Group.front().getSourceRange());
for (unsigned i = 1; i < Group.size(); ++i)
R->addNote("Similar code here", makeLocation(Group[i], Mgr),
Group[i].getSourceRange());
BR.emitReport(std::move(R));
}
}
void FunctionChecker::checkASTDecl(const FunctionDecl *FD, AnalysisManager& mgr,
BugReporter &BR) const {
if ( FD->hasAttr<CMSThreadSafeAttr>()) return;
if (FD-> isInExternCContext()) {
std::string buf;
std::string dname = FD->getQualifiedNameAsString();
if ( dname.compare(dname.size()-1,1,"_") != 0 ) return;
llvm::raw_string_ostream os(buf);
os << "function '"<< dname << "' is in an extern \"C\" context and most likely accesses or modifies fortran variables in a 'COMMONBLOCK'.\n";
clang::ento::PathDiagnosticLocation FDLoc = clang::ento::PathDiagnosticLocation::createBegin(FD, BR.getSourceManager());
BR.EmitBasicReport(FD, "FunctionChecker : COMMONBLOCK variable accessed or modified","ThreadSafety",os.str(), FDLoc);
std::string ostring = "function '" + dname + "' static variable 'COMMONBLOCK'.\n";
const char * pPath = std::getenv("LOCALRT");
std::string tname = "";
if ( pPath != NULL ) tname += std::string(pPath);
tname+="/tmp/function-checker.txt.unsorted";
std::ofstream file(tname.c_str(),std::ios::app);
file<<ostring;
}
}
void NSErrorChecker::EmitRetTyWarning(BugReporter& BR, const Decl& CodeDecl) {
std::string sbuf;
llvm::raw_string_ostream os(sbuf);
if (isa<ObjCMethodDecl>(CodeDecl))
os << "Method";
else
os << "Function";
os << " accepting ";
os << (isNSErrorWarning ? "NSError**" : "CFErrorRef*");
os << " should have a non-void return value to indicate whether or not an "
"error occurred";
BR.EmitBasicReport(isNSErrorWarning
? "Bad return type when passing NSError**"
: "Bad return type when passing CFError*",
getCategory(), os.str(),
CodeDecl.getLocation());
}
void AnalyzerStatsChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &B,
ExprEngine &Eng) const {
const CFG *C = 0;
const SourceManager &SM = B.getSourceManager();
llvm::SmallPtrSet<const CFGBlock*, 256> reachable;
// Root node should have the location context of the top most function.
const ExplodedNode *GraphRoot = *G.roots_begin();
const LocationContext *LC = GraphRoot->getLocation().getLocationContext();
const Decl *D = LC->getDecl();
// Iterate over the exploded graph.
for (ExplodedGraph::node_iterator I = G.nodes_begin();
I != G.nodes_end(); ++I) {
const ProgramPoint &P = I->getLocation();
// Only check the coverage in the top level function (optimization).
if (D != P.getLocationContext()->getDecl())
continue;
if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
const CFGBlock *CB = BE->getBlock();
reachable.insert(CB);
}
}
// Get the CFG and the Decl of this block.
C = LC->getCFG();
unsigned total = 0, unreachable = 0;
// Find CFGBlocks that were not covered by any node
for (CFG::const_iterator I = C->begin(); I != C->end(); ++I) {
const CFGBlock *CB = *I;
++total;
// Check if the block is unreachable
if (!reachable.count(CB)) {
++unreachable;
}
}
// We never 'reach' the entry block, so correct the unreachable count
unreachable--;
// There is no BlockEntrance corresponding to the exit block as well, so
// assume it is reached as well.
unreachable--;
// Generate the warning string
SmallString<128> buf;
llvm::raw_svector_ostream output(buf);
PresumedLoc Loc = SM.getPresumedLoc(D->getLocation());
if (!Loc.isValid())
return;
if (isa<FunctionDecl>(D) || isa<ObjCMethodDecl>(D)) {
const NamedDecl *ND = cast<NamedDecl>(D);
output << *ND;
}
else if (isa<BlockDecl>(D)) {
output << "block(line:" << Loc.getLine() << ":col:" << Loc.getColumn();
}
NumBlocksUnreachable += unreachable;
NumBlocks += total;
std::string NameOfRootFunction = output.str();
output << " -> Total CFGBlocks: " << total << " | Unreachable CFGBlocks: "
<< unreachable << " | Exhausted Block: "
<< (Eng.wasBlocksExhausted() ? "yes" : "no")
<< " | Empty WorkList: "
<< (Eng.hasEmptyWorkList() ? "yes" : "no");
B.EmitBasicReport(D, "Analyzer Statistics", "Internal Statistics",
output.str(), PathDiagnosticLocation(D, SM));
// Emit warning for each block we bailed out on.
typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator;
const CoreEngine &CE = Eng.getCoreEngine();
for (ExhaustedIterator I = CE.blocks_exhausted_begin(),
E = CE.blocks_exhausted_end(); I != E; ++I) {
const BlockEdge &BE = I->first;
const CFGBlock *Exit = BE.getDst();
const CFGElement &CE = Exit->front();
if (const CFGStmt *CS = dyn_cast<CFGStmt>(&CE)) {
SmallString<128> bufI;
llvm::raw_svector_ostream outputI(bufI);
outputI << "(" << NameOfRootFunction << ")" <<
": The analyzer generated a sink at this point";
B.EmitBasicReport(D, "Sink Point", "Internal Statistics", outputI.str(),
PathDiagnosticLocation::createBegin(CS->getStmt(),
SM, LC));
}
}
}
void ObjCSuperCallChecker::checkASTDecl(const ObjCImplementationDecl *D,
AnalysisManager &Mgr,
BugReporter &BR) const {
ASTContext &Ctx = BR.getContext();
if (!isUIViewControllerSubclass(Ctx, D))
return;
const char *SelectorNames[] =
{"addChildViewController", "viewDidAppear", "viewDidDisappear",
"viewWillAppear", "viewWillDisappear", "removeFromParentViewController",
"didReceiveMemoryWarning", "viewDidUnload", "viewWillUnload",
"viewDidLoad"};
const unsigned SelectorArgumentCounts[] =
{1, 1, 1, 1, 1, 0, 0, 0, 0, 0};
const size_t SelectorCount = llvm::array_lengthof(SelectorNames);
assert(llvm::array_lengthof(SelectorArgumentCounts) == SelectorCount);
// Fill the Selectors SmallSet with all selectors we want to check.
llvm::SmallSet<Selector, 16> Selectors;
for (size_t i = 0; i < SelectorCount; i++) {
unsigned ArgumentCount = SelectorArgumentCounts[i];
const char *SelectorCString = SelectorNames[i];
// Get the selector.
IdentifierInfo *II = &Ctx.Idents.get(SelectorCString);
Selectors.insert(Ctx.Selectors.getSelector(ArgumentCount, &II));
}
// Iterate over all instance methods.
for (ObjCImplementationDecl::instmeth_iterator I = D->instmeth_begin(),
E = D->instmeth_end();
I != E; ++I) {
Selector S = (*I)->getSelector();
// Find out whether this is a selector that we want to check.
if (!Selectors.count(S))
continue;
ObjCMethodDecl *MD = *I;
// Check if the method calls its superclass implementation.
if (MD->getBody())
{
FindSuperCallVisitor Visitor(S);
Visitor.TraverseDecl(MD);
// It doesn't call super, emit a diagnostic.
if (!Visitor.DoesCallSuper) {
PathDiagnosticLocation DLoc =
PathDiagnosticLocation::createEnd(MD->getBody(),
BR.getSourceManager(),
Mgr.getAnalysisDeclContext(D));
const char *Name = "Missing call to superclass";
SmallString<256> Buf;
llvm::raw_svector_ostream os(Buf);
os << "The '" << S.getAsString()
<< "' instance method in UIViewController subclass '" << *D
<< "' is missing a [super " << S.getAsString() << "] call";
BR.EmitBasicReport(MD, Name, categories::CoreFoundationObjectiveC,
os.str(), DLoc);
}
}
}
}
void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &B,
ExprEngine &Eng) const {
CFGBlocksSet reachable, visited;
if (Eng.hasWorkRemaining())
return;
const Decl *D = nullptr;
CFG *C = nullptr;
ParentMap *PM = nullptr;
const LocationContext *LC = nullptr;
// Iterate over ExplodedGraph
for (ExplodedGraph::node_iterator I = G.nodes_begin(), E = G.nodes_end();
I != E; ++I) {
const ProgramPoint &P = I->getLocation();
LC = P.getLocationContext();
if (!LC->inTopFrame())
continue;
if (!D)
D = LC->getAnalysisDeclContext()->getDecl();
// Save the CFG if we don't have it already
if (!C)
C = LC->getAnalysisDeclContext()->getUnoptimizedCFG();
if (!PM)
PM = &LC->getParentMap();
if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
const CFGBlock *CB = BE->getBlock();
reachable.insert(CB->getBlockID());
}
}
// Bail out if we didn't get the CFG or the ParentMap.
if (!D || !C || !PM)
return;
// Don't do anything for template instantiations. Proving that code
// in a template instantiation is unreachable means proving that it is
// unreachable in all instantiations.
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
if (FD->isTemplateInstantiation())
return;
// Find CFGBlocks that were not covered by any node
for (CFG::const_iterator I = C->begin(), E = C->end(); I != E; ++I) {
const CFGBlock *CB = *I;
// Check if the block is unreachable
if (reachable.count(CB->getBlockID()))
continue;
// Check if the block is empty (an artificial block)
if (isEmptyCFGBlock(CB))
continue;
// Find the entry points for this block
if (!visited.count(CB->getBlockID()))
FindUnreachableEntryPoints(CB, reachable, visited);
// This block may have been pruned; check if we still want to report it
if (reachable.count(CB->getBlockID()))
continue;
// Check for false positives
if (isInvalidPath(CB, *PM))
continue;
// It is good practice to always have a "default" label in a "switch", even
// if we should never get there. It can be used to detect errors, for
// instance. Unreachable code directly under a "default" label is therefore
// likely to be a false positive.
if (const Stmt *label = CB->getLabel())
if (label->getStmtClass() == Stmt::DefaultStmtClass)
continue;
// Special case for __builtin_unreachable.
// FIXME: This should be extended to include other unreachable markers,
// such as llvm_unreachable.
if (!CB->empty()) {
bool foundUnreachable = false;
for (CFGBlock::const_iterator ci = CB->begin(), ce = CB->end();
ci != ce; ++ci) {
if (Optional<CFGStmt> S = (*ci).getAs<CFGStmt>())
if (const CallExpr *CE = dyn_cast<CallExpr>(S->getStmt())) {
if (CE->getBuiltinCallee() == Builtin::BI__builtin_unreachable ||
CE->isBuiltinAssumeFalse(Eng.getContext())) {
foundUnreachable = true;
break;
}
}
}
if (foundUnreachable)
continue;
}
// We found a block that wasn't covered - find the statement to report
SourceRange SR;
PathDiagnosticLocation DL;
SourceLocation SL;
if (const Stmt *S = getUnreachableStmt(CB)) {
// In macros, 'do {...} while (0)' is often used. Don't warn about the
// condition 0 when it is unreachable.
if (S->getBeginLoc().isMacroID())
if (const auto *I = dyn_cast<IntegerLiteral>(S))
if (I->getValue() == 0ULL)
if (const Stmt *Parent = PM->getParent(S))
if (isa<DoStmt>(Parent))
continue;
SR = S->getSourceRange();
DL = PathDiagnosticLocation::createBegin(S, B.getSourceManager(), LC);
SL = DL.asLocation();
if (SR.isInvalid() || !SL.isValid())
continue;
}
else
continue;
// Check if the SourceLocation is in a system header
const SourceManager &SM = B.getSourceManager();
if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL))
continue;
B.EmitBasicReport(D, this, "Unreachable code", "Dead code",
"This statement is never executed", DL, SR);
}
}
static void checkObjCDealloc(const ObjCImplementationDecl *D,
const LangOptions& LOpts, BugReporter& BR) {
assert (LOpts.getGC() != LangOptions::GCOnly);
ASTContext &Ctx = BR.getContext();
const ObjCInterfaceDecl *ID = D->getClassInterface();
// Does the class contain any ivars that are pointers (or id<...>)?
// If not, skip the check entirely.
// NOTE: This is motivated by PR 2517:
// http://llvm.org/bugs/show_bug.cgi?id=2517
bool containsPointerIvar = false;
for (ObjCInterfaceDecl::ivar_iterator I=ID->ivar_begin(), E=ID->ivar_end();
I!=E; ++I) {
ObjCIvarDecl *ID = *I;
QualType T = ID->getType();
if (!T->isObjCObjectPointerType() ||
ID->getAttr<IBOutletAttr>() || // Skip IBOutlets.
ID->getAttr<IBOutletCollectionAttr>()) // Skip IBOutletCollections.
continue;
containsPointerIvar = true;
break;
}
if (!containsPointerIvar)
return;
// Determine if the class subclasses NSObject.
IdentifierInfo* NSObjectII = &Ctx.Idents.get("NSObject");
IdentifierInfo* SenTestCaseII = &Ctx.Idents.get("SenTestCase");
for ( ; ID ; ID = ID->getSuperClass()) {
IdentifierInfo *II = ID->getIdentifier();
if (II == NSObjectII)
break;
// FIXME: For now, ignore classes that subclass SenTestCase, as these don't
// need to implement -dealloc. They implement tear down in another way,
// which we should try and catch later.
// http://llvm.org/bugs/show_bug.cgi?id=3187
if (II == SenTestCaseII)
return;
}
if (!ID)
return;
// Get the "dealloc" selector.
IdentifierInfo* II = &Ctx.Idents.get("dealloc");
Selector S = Ctx.Selectors.getSelector(0, &II);
ObjCMethodDecl *MD = 0;
// Scan the instance methods for "dealloc".
for (ObjCImplementationDecl::instmeth_iterator I = D->instmeth_begin(),
E = D->instmeth_end(); I!=E; ++I) {
if ((*I)->getSelector() == S) {
MD = *I;
break;
}
}
PathDiagnosticLocation DLoc =
PathDiagnosticLocation::createBegin(D, BR.getSourceManager());
if (!MD) { // No dealloc found.
const char* name = LOpts.getGC() == LangOptions::NonGC
? "missing -dealloc"
: "missing -dealloc (Hybrid MM, non-GC)";
std::string buf;
llvm::raw_string_ostream os(buf);
os << "Objective-C class '" << *D << "' lacks a 'dealloc' instance method";
BR.EmitBasicReport(D, name, categories::CoreFoundationObjectiveC,
os.str(), DLoc);
return;
}
// dealloc found. Scan for missing [super dealloc].
if (MD->getBody() && !scan_dealloc(MD->getBody(), S)) {
const char* name = LOpts.getGC() == LangOptions::NonGC
? "missing [super dealloc]"
: "missing [super dealloc] (Hybrid MM, non-GC)";
std::string buf;
llvm::raw_string_ostream os(buf);
os << "The 'dealloc' instance method in Objective-C class '" << *D
<< "' does not send a 'dealloc' message to its super class"
" (missing [super dealloc])";
BR.EmitBasicReport(MD, name, categories::CoreFoundationObjectiveC,
os.str(), DLoc);
return;
}
// Get the "release" selector.
IdentifierInfo* RII = &Ctx.Idents.get("release");
Selector RS = Ctx.Selectors.getSelector(0, &RII);
// Get the "self" identifier
IdentifierInfo* SelfII = &Ctx.Idents.get("self");
// Scan for missing and extra releases of ivars used by implementations
// of synthesized properties
for (ObjCImplementationDecl::propimpl_iterator I = D->propimpl_begin(),
E = D->propimpl_end(); I!=E; ++I) {
// We can only check the synthesized properties
if (I->getPropertyImplementation() != ObjCPropertyImplDecl::Synthesize)
continue;
ObjCIvarDecl *ID = I->getPropertyIvarDecl();
if (!ID)
continue;
QualType T = ID->getType();
if (!T->isObjCObjectPointerType()) // Skip non-pointer ivars
continue;
const ObjCPropertyDecl *PD = I->getPropertyDecl();
if (!PD)
continue;
// ivars cannot be set via read-only properties, so we'll skip them
if (PD->isReadOnly())
continue;
// ivar must be released if and only if the kind of setter was not 'assign'
bool requiresRelease = PD->getSetterKind() != ObjCPropertyDecl::Assign;
if (scan_ivar_release(MD->getBody(), ID, PD, RS, SelfII, Ctx)
!= requiresRelease) {
const char *name = 0;
std::string buf;
llvm::raw_string_ostream os(buf);
if (requiresRelease) {
name = LOpts.getGC() == LangOptions::NonGC
? "missing ivar release (leak)"
: "missing ivar release (Hybrid MM, non-GC)";
os << "The '" << *ID
<< "' instance variable was retained by a synthesized property but "
"wasn't released in 'dealloc'";
} else {
name = LOpts.getGC() == LangOptions::NonGC
? "extra ivar release (use-after-release)"
: "extra ivar release (Hybrid MM, non-GC)";
os << "The '" << *ID
<< "' instance variable was not retained by a synthesized property "
"but was released in 'dealloc'";
}
PathDiagnosticLocation SDLoc =
PathDiagnosticLocation::createBegin(*I, BR.getSourceManager());
BR.EmitBasicReport(MD, name, categories::CoreFoundationObjectiveC,
os.str(), SDLoc);
}
}
}
void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &B,
ExprEngine &Eng) const {
CFGBlocksSet reachable, visited;
if (Eng.hasWorkRemaining())
return;
CFG *C = 0;
ParentMap *PM = 0;
// Iterate over ExplodedGraph
for (ExplodedGraph::node_iterator I = G.nodes_begin(), E = G.nodes_end();
I != E; ++I) {
const ProgramPoint &P = I->getLocation();
const LocationContext *LC = P.getLocationContext();
// Save the CFG if we don't have it already
if (!C)
C = LC->getAnalysisContext()->getUnoptimizedCFG();
if (!PM)
PM = &LC->getParentMap();
if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
const CFGBlock *CB = BE->getBlock();
reachable.insert(CB->getBlockID());
}
}
// Bail out if we didn't get the CFG or the ParentMap.
if (!C || !PM)
return;
ASTContext &Ctx = B.getContext();
// Find CFGBlocks that were not covered by any node
for (CFG::const_iterator I = C->begin(), E = C->end(); I != E; ++I) {
const CFGBlock *CB = *I;
// Check if the block is unreachable
if (reachable.count(CB->getBlockID()))
continue;
// Check if the block is empty (an artificial block)
if (isEmptyCFGBlock(CB))
continue;
// Find the entry points for this block
if (!visited.count(CB->getBlockID()))
FindUnreachableEntryPoints(CB, reachable, visited);
// This block may have been pruned; check if we still want to report it
if (reachable.count(CB->getBlockID()))
continue;
// Check for false positives
if (CB->size() > 0 && isInvalidPath(CB, *PM))
continue;
// Special case for __builtin_unreachable.
// FIXME: This should be extended to include other unreachable markers,
// such as llvm_unreachable.
if (!CB->empty()) {
CFGElement First = CB->front();
if (const CFGStmt *S = First.getAs<CFGStmt>()) {
if (const CallExpr *CE = dyn_cast<CallExpr>(S->getStmt())) {
if (CE->isBuiltinCall(Ctx) == Builtin::BI__builtin_unreachable)
continue;
}
}
}
// We found a block that wasn't covered - find the statement to report
SourceRange SR;
SourceLocation SL;
if (const Stmt *S = getUnreachableStmt(CB)) {
SR = S->getSourceRange();
SL = S->getLocStart();
if (SR.isInvalid() || SL.isInvalid())
continue;
}
else
continue;
// Check if the SourceLocation is in a system header
const SourceManager &SM = B.getSourceManager();
if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL))
continue;
B.EmitBasicReport("Unreachable code", "Dead code", "This statement is never"
" executed", SL, SR);
}
}
static void checkObjCUnusedIvar(const ObjCImplementationDecl *D,
BugReporter &BR) {
const ObjCInterfaceDecl *ID = D->getClassInterface();
IvarUsageMap M;
// Iterate over the ivars.
for (ObjCInterfaceDecl::ivar_iterator I=ID->ivar_begin(),
E=ID->ivar_end(); I!=E; ++I) {
const ObjCIvarDecl *ID = *I;
// Ignore ivars that...
// (a) aren't private
// (b) explicitly marked unused
// (c) are iboutlets
// (d) are unnamed bitfields
if (ID->getAccessControl() != ObjCIvarDecl::Private ||
ID->getAttr<UnusedAttr>() || ID->getAttr<IBOutletAttr>() ||
ID->getAttr<IBOutletCollectionAttr>() ||
ID->isUnnamedBitfield())
continue;
M[ID] = Unused;
}
if (M.empty())
return;
// Now scan the implementation declaration.
Scan(M, D);
// Any potentially unused ivars?
bool hasUnused = false;
for (IvarUsageMap::iterator I = M.begin(), E = M.end(); I!=E; ++I)
if (I->second == Unused) {
hasUnused = true;
break;
}
if (!hasUnused)
return;
// We found some potentially unused ivars. Scan the entire translation unit
// for functions inside the @implementation that reference these ivars.
// FIXME: In the future hopefully we can just use the lexical DeclContext
// to go from the ObjCImplementationDecl to the lexically "nested"
// C functions.
SourceManager &SM = BR.getSourceManager();
Scan(M, D->getDeclContext(), SM.getFileID(D->getLocation()), SM);
// Find ivars that are unused.
for (IvarUsageMap::iterator I = M.begin(), E = M.end(); I!=E; ++I)
if (I->second == Unused) {
std::string sbuf;
llvm::raw_string_ostream os(sbuf);
os << "Instance variable '" << *I->first << "' in class '" << *ID
<< "' is never used by the methods in its @implementation "
"(although it may be used by category methods).";
PathDiagnosticLocation L =
PathDiagnosticLocation::create(I->first, BR.getSourceManager());
BR.EmitBasicReport(D, "Unused instance variable", "Optimization",
os.str(), L);
}
}
void IdempotentOperationChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &BR,
ExprEngine &Eng) const {
BugType *BT = new BugType("Idempotent operation", "Dead code");
// Iterate over the hash to see if we have any paths with definite
// idempotent operations.
for (AssumptionMap::const_iterator i = hash.begin(); i != hash.end(); ++i) {
// Unpack the hash contents
const BinaryOperatorData &Data = i->second;
const Assumption &A = Data.assumption;
const ExplodedNodeSet &ES = Data.explodedNodes;
// If there are no nodes accosted with the expression, nothing to report.
// FIXME: This is possible because the checker does part of processing in
// checkPreStmt and part in checkPostStmt.
if (ES.begin() == ES.end())
continue;
const BinaryOperator *B = i->first;
if (A == Impossible)
continue;
// If the analyzer did not finish, check to see if we can still emit this
// warning
if (Eng.hasWorkRemaining()) {
// If we can trace back
AnalysisDeclContext *AC = (*ES.begin())->getLocationContext()
->getAnalysisDeclContext();
if (!pathWasCompletelyAnalyzed(AC,
AC->getCFGStmtMap()->getBlock(B),
Eng.getCoreEngine()))
continue;
}
// Select the error message and SourceRanges to report.
llvm::SmallString<128> buf;
llvm::raw_svector_ostream os(buf);
bool LHSRelevant = false, RHSRelevant = false;
switch (A) {
case Equal:
LHSRelevant = true;
RHSRelevant = true;
if (B->getOpcode() == BO_Assign)
os << "Assigned value is always the same as the existing value";
else
os << "Both operands to '" << B->getOpcodeStr()
<< "' always have the same value";
break;
case LHSis1:
LHSRelevant = true;
os << "The left operand to '" << B->getOpcodeStr() << "' is always 1";
break;
case RHSis1:
RHSRelevant = true;
os << "The right operand to '" << B->getOpcodeStr() << "' is always 1";
break;
case LHSis0:
LHSRelevant = true;
os << "The left operand to '" << B->getOpcodeStr() << "' is always 0";
break;
case RHSis0:
RHSRelevant = true;
os << "The right operand to '" << B->getOpcodeStr() << "' is always 0";
break;
case Possible:
llvm_unreachable("Operation was never marked with an assumption");
case Impossible:
llvm_unreachable(0);
}
// Add a report for each ExplodedNode
for (ExplodedNodeSet::iterator I = ES.begin(), E = ES.end(); I != E; ++I) {
BugReport *report = new BugReport(*BT, os.str(), *I);
// Add source ranges and visitor hooks
if (LHSRelevant) {
const Expr *LHS = i->first->getLHS();
report->addRange(LHS->getSourceRange());
FindLastStoreBRVisitor::registerStatementVarDecls(*report, LHS);
}
if (RHSRelevant) {
const Expr *RHS = i->first->getRHS();
report->addRange(i->first->getRHS()->getSourceRange());
FindLastStoreBRVisitor::registerStatementVarDecls(*report, RHS);
}
BR.EmitReport(report);
}
}
hash.clear();
}
