void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const { ProgramStateRef State = C.getState(); if (!Initialized) { ASTContext &Ctx = C.getASTContext(); ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx); ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx); NullSelector = GetNullarySelector("null", Ctx); } // Check the receiver type. if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) { // Assume that object returned from '[self init]' or '[super init]' is not // 'nil' if we are processing an inlined function/method. // // A defensive callee will (and should) check if the object returned by // '[super init]' is 'nil' before doing it's own initialization. However, // since 'nil' is rarely returned in practice, we should not warn when the // caller to the defensive constructor uses the object in contexts where // 'nil' is not accepted. if (!C.inTopFrame() && M.getDecl() && M.getDecl()->getMethodFamily() == OMF_init && M.isReceiverSelfOrSuper()) { State = assumeExprIsNonNull(M.getOriginExpr(), State, C); } FoundationClass Cl = findKnownClass(Interface); // Objects returned from // [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript] // are never 'nil'. if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) { Selector Sel = M.getSelector(); if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) { // Go ahead and assume the value is non-nil. State = assumeExprIsNonNull(M.getOriginExpr(), State, C); } } // Objects returned from [NSNull null] are not nil. if (Cl == FC_NSNull) { if (M.getSelector() == NullSelector) { // Go ahead and assume the value is non-nil. State = assumeExprIsNonNull(M.getOriginExpr(), State, C); } } } C.addTransition(State); }
void NoReturnFunctionChecker::checkPostObjCMessage(const ObjCMethodCall &Msg, CheckerContext &C) const { // Check if the method is annotated with analyzer_noreturn. if (const ObjCMethodDecl *MD = Msg.getDecl()) { MD = MD->getCanonicalDecl(); if (MD->hasAttr<AnalyzerNoReturnAttr>()) { C.generateSink(); return; } } // HACK: This entire check is to handle two messages in the Cocoa frameworks: // -[NSAssertionHandler // handleFailureInMethod:object:file:lineNumber:description:] // -[NSAssertionHandler // handleFailureInFunction:file:lineNumber:description:] // Eventually these should be annotated with __attribute__((noreturn)). // Because ObjC messages use dynamic dispatch, it is not generally safe to // assume certain methods can't return. In cases where it is definitely valid, // see if you can mark the methods noreturn or analyzer_noreturn instead of // adding more explicit checks to this method. if (!Msg.isInstanceMessage()) return; const ObjCInterfaceDecl *Receiver = Msg.getReceiverInterface(); if (!Receiver) return; if (!Receiver->getIdentifier()->isStr("NSAssertionHandler")) return; Selector Sel = Msg.getSelector(); switch (Sel.getNumArgs()) { default: return; case 4: lazyInitKeywordSelector(HandleFailureInFunctionSel, C.getASTContext(), "handleFailureInFunction", "file", "lineNumber", "description", nullptr); if (Sel != HandleFailureInFunctionSel) return; break; case 5: lazyInitKeywordSelector(HandleFailureInMethodSel, C.getASTContext(), "handleFailureInMethod", "object", "file", "lineNumber", "description", nullptr); if (Sel != HandleFailureInMethodSel) return; break; } // If we got here, it's one of the messages we care about. C.generateSink(); }
/// isVariadicMessage - Returns whether the given message is a variadic message, /// where all arguments must be Objective-C types. bool VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const { const ObjCMethodDecl *MD = msg.getDecl(); if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext())) return false; Selector S = msg.getSelector(); if (msg.isInstanceMessage()) { // FIXME: Ideally we'd look at the receiver interface here, but that's not // useful for init, because alloc returns 'id'. In theory, this could lead // to false positives, for example if there existed a class that had an // initWithObjects: implementation that does accept non-Objective-C pointer // types, but the chance of that happening is pretty small compared to the // gains that this analysis gives. const ObjCInterfaceDecl *Class = MD->getClassInterface(); switch (findKnownClass(Class)) { case FC_NSArray: case FC_NSOrderedSet: case FC_NSSet: return S == initWithObjectsS; case FC_NSDictionary: return S == initWithObjectsAndKeysS; default: return false; } } else { const ObjCInterfaceDecl *Class = msg.getReceiverInterface(); switch (findKnownClass(Class)) { case FC_NSArray: return S == arrayWithObjectsS; case FC_NSOrderedSet: return S == orderedSetWithObjectsS; case FC_NSSet: return S == setWithObjectsS; case FC_NSDictionary: return S == dictionaryWithObjectsAndKeysS; default: return false; } } }
/// Calculate the nullability of the result of a message expr based on the /// nullability of the receiver, the nullability of the return value, and the /// constraints. void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const { auto Decl = M.getDecl(); if (!Decl) return; QualType RetType = Decl->getReturnType(); if (!RetType->isAnyPointerType()) return; ProgramStateRef State = C.getState(); if (State->get<PreconditionViolated>()) return; const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue()); if (!ReturnRegion) return; auto Interface = Decl->getClassInterface(); auto Name = Interface ? Interface->getName() : ""; // In order to reduce the noise in the diagnostics generated by this checker, // some framework and programming style based heuristics are used. These // heuristics are for Cocoa APIs which have NS prefix. if (Name.startswith("NS")) { // Developers rely on dynamic invariants such as an item should be available // in a collection, or a collection is not empty often. Those invariants can // not be inferred by any static analysis tool. To not to bother the users // with too many false positives, every item retrieval function should be // ignored for collections. The instance methods of dictionaries in Cocoa // are either item retrieval related or not interesting nullability wise. // Using this fact, to keep the code easier to read just ignore the return // value of every instance method of dictionaries. if (M.isInstanceMessage() && Name.find("Dictionary") != StringRef::npos) { State = State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); C.addTransition(State); return; } // For similar reasons ignore some methods of Cocoa arrays. StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(0); if (Name.find("Array") != StringRef::npos && (FirstSelectorSlot == "firstObject" || FirstSelectorSlot == "lastObject")) { State = State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); C.addTransition(State); return; } // Encoding related methods of string should not fail when lossless // encodings are used. Using lossless encodings is so frequent that ignoring // this class of methods reduced the emitted diagnostics by about 30% on // some projects (and all of that was false positives). if (Name.find("String") != StringRef::npos) { for (auto Param : M.parameters()) { if (Param->getName() == "encoding") { State = State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); C.addTransition(State); return; } } } } const ObjCMessageExpr *Message = M.getOriginExpr(); Nullability SelfNullability = getReceiverNullability(M, State); const NullabilityState *NullabilityOfReturn = State->get<NullabilityMap>(ReturnRegion); if (NullabilityOfReturn) { // When we have a nullability tracked for the return value, the nullability // of the expression will be the most nullable of the receiver and the // return value. Nullability RetValTracked = NullabilityOfReturn->getValue(); Nullability ComputedNullab = getMostNullable(RetValTracked, SelfNullability); if (ComputedNullab != RetValTracked && ComputedNullab != Nullability::Unspecified) { const Stmt *NullabilitySource = ComputedNullab == RetValTracked ? NullabilityOfReturn->getNullabilitySource() : Message->getInstanceReceiver(); State = State->set<NullabilityMap>( ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); C.addTransition(State); } return; } // No tracked information. Use static type information for return value. Nullability RetNullability = getNullabilityAnnotation(RetType); // Properties might be computed. For this reason the static analyzer creates a // new symbol each time an unknown property is read. To avoid false pozitives // do not treat unknown properties as nullable, even when they explicitly // marked nullable. if (M.getMessageKind() == OCM_PropertyAccess && !C.wasInlined) RetNullability = Nullability::Nonnull; Nullability ComputedNullab = getMostNullable(RetNullability, SelfNullability); if (ComputedNullab == Nullability::Nullable) { const Stmt *NullabilitySource = ComputedNullab == RetNullability ? Message : Message->getInstanceReceiver(); State = State->set<NullabilityMap>( ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); C.addTransition(State); } }