void ObjCLoopChecker::checkPostObjCMessage(const ObjCMethodCall &M,
CheckerContext &C) const {
if (!M.isInstanceMessage())
return;
const ObjCInterfaceDecl *ClassID = M.getReceiverInterface();
if (!ClassID)
return;
FoundationClass Class = findKnownClass(ClassID);
if (Class != FC_NSDictionary &&
Class != FC_NSArray &&
Class != FC_NSSet)
return;
SymbolRef ContainerS = M.getReceiverSVal().getAsSymbol();
if (!ContainerS)
return;
// If we are processing a call to "count", get the symbolic value returned by
// a call to "count" and add it to the map.
if (!isCollectionCountMethod(M, C))
return;
const Expr *MsgExpr = M.getOriginExpr();
SymbolRef CountS = C.getSVal(MsgExpr).getAsSymbol();
if (CountS) {
ProgramStateRef State = C.getState();
C.getSymbolManager().addSymbolDependency(ContainerS, CountS);
State = State->set<ContainerCountMap>(ContainerS, CountS);
C.addTransition(State);
}
return;
}
void NSAutoreleasePoolChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
if (!msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *OD = msg.getReceiverInterface();
if (!OD)
return;
if (!OD->getIdentifier()->isStr("NSAutoreleasePool"))
return;
if (releaseS.isNull())
releaseS = GetNullarySelector("release", C.getASTContext());
// Sending 'release' message?
if (msg.getSelector() != releaseS)
return;
if (!BT)
BT.reset(new BugType("Use -drain instead of -release",
"API Upgrade (Apple)"));
ExplodedNode *N = C.addTransition();
if (!N) {
assert(0);
return;
}
BugReport *Report = new BugReport(*BT, "Use -drain instead of -release when "
"using NSAutoreleasePool and garbage collection", N);
Report->addRange(msg.getSourceRange());
C.emitReport(Report);
}
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
if (!ID)
return;
if (findKnownClass(ID) == FC_NSString) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
// FIXME: This is going to be really slow doing these checks with
// lexical comparisons.
std::string NameStr = S.getAsString();
StringRef Name(NameStr);
assert(!Name.empty());
// FIXME: Checking for initWithFormat: will not work in most cases
// yet because [NSString alloc] returns id, not NSString*. We will
// need support for tracking expected-type information in the analyzer
// to find these errors.
if (Name == "caseInsensitiveCompare:" ||
Name == "compare:" ||
Name == "compare:options:" ||
Name == "compare:options:range:" ||
Name == "compare:options:range:locale:" ||
Name == "componentsSeparatedByCharactersInSet:" ||
Name == "initWithFormat:") {
if (isNil(msg.getArgSVal(0)))
WarnNilArg(C, msg, 0);
}
}
}
void NoReturnFunctionChecker::checkPostObjCMessage(const ObjCMethodCall &Msg,
CheckerContext &C) const {
// Check if the method is annotated with analyzer_noreturn.
if (const ObjCMethodDecl *MD = Msg.getDecl()) {
MD = MD->getCanonicalDecl();
if (MD->hasAttr<AnalyzerNoReturnAttr>()) {
C.generateSink();
return;
}
}
// HACK: This entire check is to handle two messages in the Cocoa frameworks:
// -[NSAssertionHandler
// handleFailureInMethod:object:file:lineNumber:description:]
// -[NSAssertionHandler
// handleFailureInFunction:file:lineNumber:description:]
// Eventually these should be annotated with __attribute__((noreturn)).
// Because ObjC messages use dynamic dispatch, it is not generally safe to
// assume certain methods can't return. In cases where it is definitely valid,
// see if you can mark the methods noreturn or analyzer_noreturn instead of
// adding more explicit checks to this method.
if (!Msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *Receiver = Msg.getReceiverInterface();
if (!Receiver)
return;
if (!Receiver->getIdentifier()->isStr("NSAssertionHandler"))
return;
Selector Sel = Msg.getSelector();
switch (Sel.getNumArgs()) {
default:
return;
case 4:
lazyInitKeywordSelector(HandleFailureInFunctionSel, C.getASTContext(),
"handleFailureInFunction", "file", "lineNumber",
"description", nullptr);
if (Sel != HandleFailureInFunctionSel)
return;
break;
case 5:
lazyInitKeywordSelector(HandleFailureInMethodSel, C.getASTContext(),
"handleFailureInMethod", "object", "file",
"lineNumber", "description", nullptr);
if (Sel != HandleFailureInMethodSel)
return;
break;
}
// If we got here, it's one of the messages we care about.
C.generateSink();
}
void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M,
CheckerContext &C)
const {
ProgramStateRef State = C.getState();
if (!Initialized) {
ASTContext &Ctx = C.getASTContext();
ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx);
ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx);
NullSelector = GetNullarySelector("null", Ctx);
}
// Check the receiver type.
if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) {
// Assume that object returned from '[self init]' or '[super init]' is not
// 'nil' if we are processing an inlined function/method.
//
// A defensive callee will (and should) check if the object returned by
// '[super init]' is 'nil' before doing it's own initialization. However,
// since 'nil' is rarely returned in practice, we should not warn when the
// caller to the defensive constructor uses the object in contexts where
// 'nil' is not accepted.
if (!C.inTopFrame() && M.getDecl() &&
M.getDecl()->getMethodFamily() == OMF_init &&
M.isReceiverSelfOrSuper()) {
State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
}
FoundationClass Cl = findKnownClass(Interface);
// Objects returned from
// [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript]
// are never 'nil'.
if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) {
Selector Sel = M.getSelector();
if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) {
// Go ahead and assume the value is non-nil.
State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
}
}
// Objects returned from [NSNull null] are not nil.
if (Cl == FC_NSNull) {
if (M.getSelector() == NullSelector) {
// Go ahead and assume the value is non-nil.
State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
}
}
}
C.addTransition(State);
}
/// isVariadicMessage - Returns whether the given message is a variadic message,
/// where all arguments must be Objective-C types.
bool
VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const {
const ObjCMethodDecl *MD = msg.getDecl();
if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext()))
return false;
Selector S = msg.getSelector();
if (msg.isInstanceMessage()) {
// FIXME: Ideally we'd look at the receiver interface here, but that's not
// useful for init, because alloc returns 'id'. In theory, this could lead
// to false positives, for example if there existed a class that had an
// initWithObjects: implementation that does accept non-Objective-C pointer
// types, but the chance of that happening is pretty small compared to the
// gains that this analysis gives.
const ObjCInterfaceDecl *Class = MD->getClassInterface();
switch (findKnownClass(Class)) {
case FC_NSArray:
case FC_NSOrderedSet:
case FC_NSSet:
return S == initWithObjectsS;
case FC_NSDictionary:
return S == initWithObjectsAndKeysS;
default:
return false;
}
} else {
const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
switch (findKnownClass(Class)) {
case FC_NSArray:
return S == arrayWithObjectsS;
case FC_NSOrderedSet:
return S == orderedSetWithObjectsS;
case FC_NSSet:
return S == setWithObjectsS;
case FC_NSDictionary:
return S == dictionaryWithObjectsAndKeysS;
default:
return false;
}
}
}
void NoReturnSubprogramChecker::checkPostObjCMessage(const ObjCMethodCall &Msg,
CheckerContext &C) const {
// HACK: This entire check is to handle two messages in the Cocoa frameworks:
// -[NSAssertionHandler
// handleFailureInMethod:object:file:lineNumber:description:]
// -[NSAssertionHandler
// handleFailureInSubprogram:file:lineNumber:description:]
// Eventually these should be annotated with __attribute__((noreturn)).
// Because ObjC messages use dynamic dispatch, it is not generally safe to
// assume certain methods can't return. In cases where it is definitely valid,
// see if you can mark the methods noreturn or analyzer_noreturn instead of
// adding more explicit checks to this method.
if (!Msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *Receiver = Msg.getReceiverInterface();
if (!Receiver)
return;
if (!Receiver->getIdentifier()->isStr("NSAssertionHandler"))
return;
Selector Sel = Msg.getSelector();
switch (Sel.getNumArgs()) {
default:
return;
case 4:
if (!isMultiArgSelector(&Sel, "handleFailureInSubprogram", "file",
"lineNumber", "description", NULL))
return;
break;
case 5:
if (!isMultiArgSelector(&Sel, "handleFailureInMethod", "object", "file",
"lineNumber", "description", NULL))
return;
break;
}
// If we got here, it's one of the messages we care about.
C.generateSink();
}
void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
if (!BT) {
BT.reset(new APIMisuse(
this, "message incorrectly sent to class instead of class instance"));
ASTContext &Ctx = C.getASTContext();
releaseS = GetNullarySelector("release", Ctx);
retainS = GetNullarySelector("retain", Ctx);
autoreleaseS = GetNullarySelector("autorelease", Ctx);
drainS = GetNullarySelector("drain", Ctx);
}
if (msg.isInstanceMessage())
return;
const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
assert(Class);
Selector S = msg.getSelector();
if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
return;
if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
SmallString<200> buf;
llvm::raw_svector_ostream os(buf);
os << "The '";
S.print(os);
os << "' message should be sent to instances "
"of class '" << Class->getName()
<< "' and not the class directly";
auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
report->addRange(msg.getSourceRange());
C.emitReport(std::move(report));
}
}
static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) {
if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
return ID->getIdentifier()->getName();
return StringRef();
}
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
if (!ID)
return;
FoundationClass Class = findKnownClass(ID);
static const unsigned InvalidArgIndex = UINT_MAX;
unsigned Arg = InvalidArgIndex;
bool CanBeSubscript = false;
if (Class == FC_NSString) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (StringSelectors.empty()) {
ASTContext &Ctx = C.getASTContext();
Selector Sels[] = {
getKeywordSelector(Ctx, "caseInsensitiveCompare", nullptr),
getKeywordSelector(Ctx, "compare", nullptr),
getKeywordSelector(Ctx, "compare", "options", nullptr),
getKeywordSelector(Ctx, "compare", "options", "range", nullptr),
getKeywordSelector(Ctx, "compare", "options", "range", "locale",
nullptr),
getKeywordSelector(Ctx, "componentsSeparatedByCharactersInSet",
nullptr),
getKeywordSelector(Ctx, "initWithFormat",
nullptr),
getKeywordSelector(Ctx, "localizedCaseInsensitiveCompare", nullptr),
getKeywordSelector(Ctx, "localizedCompare", nullptr),
getKeywordSelector(Ctx, "localizedStandardCompare", nullptr),
};
for (Selector KnownSel : Sels)
StringSelectors[KnownSel] = 0;
}
auto I = StringSelectors.find(S);
if (I == StringSelectors.end())
return;
Arg = I->second;
} else if (Class == FC_NSArray) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (ArrayWithObjectSel.isNull()) {
ASTContext &Ctx = C.getASTContext();
ArrayWithObjectSel = getKeywordSelector(Ctx, "arrayWithObject", nullptr);
AddObjectSel = getKeywordSelector(Ctx, "addObject", nullptr);
InsertObjectAtIndexSel =
getKeywordSelector(Ctx, "insertObject", "atIndex", nullptr);
ReplaceObjectAtIndexWithObjectSel =
getKeywordSelector(Ctx, "replaceObjectAtIndex", "withObject", nullptr);
SetObjectAtIndexedSubscriptSel =
getKeywordSelector(Ctx, "setObject", "atIndexedSubscript", nullptr);
ArrayByAddingObjectSel =
getKeywordSelector(Ctx, "arrayByAddingObject", nullptr);
}
if (S == ArrayWithObjectSel || S == AddObjectSel ||
S == InsertObjectAtIndexSel || S == ArrayByAddingObjectSel) {
Arg = 0;
} else if (S == SetObjectAtIndexedSubscriptSel) {
Arg = 0;
CanBeSubscript = true;
} else if (S == ReplaceObjectAtIndexWithObjectSel) {
Arg = 1;
}
} else if (Class == FC_NSDictionary) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (DictionaryWithObjectForKeySel.isNull()) {
ASTContext &Ctx = C.getASTContext();
DictionaryWithObjectForKeySel =
getKeywordSelector(Ctx, "dictionaryWithObject", "forKey", nullptr);
SetObjectForKeySel =
getKeywordSelector(Ctx, "setObject", "forKey", nullptr);
SetObjectForKeyedSubscriptSel =
getKeywordSelector(Ctx, "setObject", "forKeyedSubscript", nullptr);
RemoveObjectForKeySel =
getKeywordSelector(Ctx, "removeObjectForKey", nullptr);
}
if (S == DictionaryWithObjectForKeySel || S == SetObjectForKeySel) {
Arg = 0;
warnIfNilArg(C, msg, /* Arg */1, Class);
} else if (S == SetObjectForKeyedSubscriptSel) {
CanBeSubscript = true;
Arg = 0;
warnIfNilArg(C, msg, /* Arg */1, Class, CanBeSubscript);
} else if (S == RemoveObjectForKeySel) {
Arg = 0;
}
}
// If argument is '0', report a warning.
if ((Arg != InvalidArgIndex))
warnIfNilArg(C, msg, Arg, Class, CanBeSubscript);
}
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const {
const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
if (!ID)
return;
FoundationClass Class = findKnownClass(ID);
static const unsigned InvalidArgIndex = UINT_MAX;
unsigned Arg = InvalidArgIndex;
bool CanBeSubscript = false;
if (Class == FC_NSString) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
// FIXME: This is going to be really slow doing these checks with
// lexical comparisons.
std::string NameStr = S.getAsString();
StringRef Name(NameStr);
assert(!Name.empty());
// FIXME: Checking for initWithFormat: will not work in most cases
// yet because [NSString alloc] returns id, not NSString*. We will
// need support for tracking expected-type information in the analyzer
// to find these errors.
if (Name == "caseInsensitiveCompare:" ||
Name == "compare:" ||
Name == "compare:options:" ||
Name == "compare:options:range:" ||
Name == "compare:options:range:locale:" ||
Name == "componentsSeparatedByCharactersInSet:" ||
Name == "initWithFormat:") {
Arg = 0;
}
} else if (Class == FC_NSArray) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (S.getNameForSlot(0).equals("addObject")) {
Arg = 0;
} else if (S.getNameForSlot(0).equals("insertObject") &&
S.getNameForSlot(1).equals("atIndex")) {
Arg = 0;
} else if (S.getNameForSlot(0).equals("replaceObjectAtIndex") &&
S.getNameForSlot(1).equals("withObject")) {
Arg = 1;
} else if (S.getNameForSlot(0).equals("setObject") &&
S.getNameForSlot(1).equals("atIndexedSubscript")) {
Arg = 0;
CanBeSubscript = true;
} else if (S.getNameForSlot(0).equals("arrayByAddingObject")) {
Arg = 0;
}
} else if (Class == FC_NSDictionary) {
Selector S = msg.getSelector();
if (S.isUnarySelector())
return;
if (S.getNameForSlot(0).equals("dictionaryWithObject") &&
S.getNameForSlot(1).equals("forKey")) {
Arg = 0;
WarnIfNilArg(C, msg, /* Arg */1, Class);
} else if (S.getNameForSlot(0).equals("setObject") &&
S.getNameForSlot(1).equals("forKey")) {
Arg = 0;
WarnIfNilArg(C, msg, /* Arg */1, Class);
} else if (S.getNameForSlot(0).equals("setObject") &&
S.getNameForSlot(1).equals("forKeyedSubscript")) {
CanBeSubscript = true;
Arg = 0;
WarnIfNilArg(C, msg, /* Arg */1, Class, CanBeSubscript);
} else if (S.getNameForSlot(0).equals("removeObjectForKey")) {
Arg = 0;
}
}
// If argument is '0', report a warning.
if ((Arg != InvalidArgIndex))
WarnIfNilArg(C, msg, Arg, Class, CanBeSubscript);
}
//FIXME: Consider other methods than setObject like dictionaryWithObjectsAndKeys
/// Process call to NSMutableArray:setObject:forKey:
void iOSAppSecInsecureKeyChainStorageChecker::checkPreObjCMessage
(const ObjCMethodCall &M, CheckerContext &C) const
{
MSEC_DEBUG_FUNC("redwud:","ENTER") ;
do
{
const ObjCInterfaceDecl *pRxInterface = M.getReceiverInterface() ;
if ( !pRxInterface )
{
break ;
}
ASTContext &Ctx = C.getASTContext() ;
Selector selCurr = M.getSelector() ;
initIdentifierInfo( Ctx ) ;
//TODO: Check this with property, this might not work on it
//NSMutableDictionary
if ( pRxInterface ->getIdentifier() != m_piiNSMutableDictionary )
{
break ;
}
//setObject
IdentifierInfo *piiSetObject = selCurr.getIdentifierInfoForSlot(0) ;
if ( piiSetObject != m_piiSetObject )
{
break ;
}
//forKey
IdentifierInfo *piiForKey = selCurr.getIdentifierInfoForSlot(1) ;
if ( piiForKey != m_piiForKey )
{
break ;
}
// MSEC_DEBUG("redwud: ", "'" << selCurr.getAsString() << "' num args: " << selCurr.getNumArgs() ) ;
if ( selCurr.getNumArgs() != 2 )
{
// Unlikely to be of concerned
break ;
}
ProgramStateRef pProgState = C.getState() ;
const LocationContext *pLCtx = C.getLocationContext() ;
//Get the value for "aKey" parameter (2nd)
// Checking this first because checking the first parameter takes a bit longer
const Expr *pKeyExpr = M.getArgExpr(1) ;
SVal argValKey = pProgState ->getSVal( pKeyExpr, pLCtx ) ;
if ( !CMSecCommon::isSValContains( argValKey, "kSecAttrAccessible" ) )
{
// Not of concern
break ;
}
//Get the value for "anObject" parameter (1st)
const Expr *pObjExpr = M.getArgExpr(0) ;
SVal argValAnObject = pProgState ->getSVal( pObjExpr, pLCtx ) ;
//Get receiver as symbol, should be used in either condition
SymbolRef pSymQuery = M.getReceiverSVal().getAsSymbol() ;
if ( !pSymQuery )
{
// redwud: Can't save empty receiver symbol,
// so there is no point of moving on,
// there must be something wrong with this
break ;
}
//Idea: if [query] is currently being tracked change it to different status, e.g. secure
// if not tracked add new secure state
bool bInsecureObject = isInsecureObject( argValAnObject ) ;
pProgState = pProgState ->set <StreamMap>( pSymQuery, bInsecureObject ?
KeyChainState::getNotSecure() : KeyChainState::getSecure() ) ;
// Add transition of state
//redwud: it seems that the states are transitioned at some point
C.addTransition( pProgState ) ;
MSEC_DEBUG( "redwud: ", "Finish checking!" ) ;
} while (_PASSING_) ;
MSEC_DEBUG_FUNC("redwud:","EXIT") ;
}
