void ObjCSuperCallChecker::checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager &Mgr, BugReporter &BR) const { ASTContext &Ctx = BR.getContext(); // We need to initialize the selector table once. if (!IsInitialized) initializeSelectors(Ctx); // Find out whether this class has a superclass that we are supposed to check. StringRef SuperclassName; if (!isCheckableClass(D, SuperclassName)) return; // Iterate over all instance methods. for (auto *MD : D->instance_methods()) { Selector S = MD->getSelector(); // Find out whether this is a selector that we want to check. if (!SelectorsForClass[SuperclassName].count(S)) continue; // Check if the method calls its superclass implementation. if (MD->getBody()) { FindSuperCallVisitor Visitor(S); Visitor.TraverseDecl(MD); // It doesn't call super, emit a diagnostic. if (!Visitor.DoesCallSuper) { PathDiagnosticLocation DLoc = PathDiagnosticLocation::createEnd(MD->getBody(), BR.getSourceManager(), Mgr.getAnalysisDeclContext(D)); const char *Name = "Missing call to superclass"; SmallString<320> Buf; llvm::raw_svector_ostream os(Buf); os << "The '" << S.getAsString() << "' instance method in " << SuperclassName.str() << " subclass '" << *D << "' is missing a [super " << S.getAsString() << "] call"; BR.EmitBasicReport(MD, this, Name, categories::CoreFoundationObjectiveC, os.str(), DLoc); } } } }
/// \brief Get a printable name for debugging purpose. std::string GlobalSelector::getPrintableName() const { if (isInvalid()) return "<< Invalid >>"; Selector GlobSel = Selector(reinterpret_cast<uintptr_t>(Val)); return GlobSel.getAsString(); }
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const { const ObjCInterfaceDecl *ID = msg.getReceiverInterface(); if (!ID) return; if (findKnownClass(ID) == FC_NSString) { Selector S = msg.getSelector(); if (S.isUnarySelector()) return; // FIXME: This is going to be really slow doing these checks with // lexical comparisons. std::string NameStr = S.getAsString(); StringRef Name(NameStr); assert(!Name.empty()); // FIXME: Checking for initWithFormat: will not work in most cases // yet because [NSString alloc] returns id, not NSString*. We will // need support for tracking expected-type information in the analyzer // to find these errors. if (Name == "caseInsensitiveCompare:" || Name == "compare:" || Name == "compare:options:" || Name == "compare:options:range:" || Name == "compare:options:range:locale:" || Name == "componentsSeparatedByCharactersInSet:" || Name == "initWithFormat:") { if (isNil(msg.getArgSVal(0))) WarnNilArg(C, msg, 0); } } }
void ClassReleaseChecker::PreVisitObjCMessageExpr(CheckerContext &C, const ObjCMessageExpr *ME) { const IdentifierInfo *ClsName = ME->getClassName(); if (!ClsName) return; Selector S = ME->getSelector(); if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS)) return; if (!BT) BT = new APIMisuse("message incorrectly sent to class instead of class " "instance"); ExplodedNode *N = C.GenerateNode(); if (!N) return; llvm::SmallString<200> buf; llvm::raw_svector_ostream os(buf); os << "The '" << S.getAsString() << "' message should be sent to instances " "of class '" << ClsName->getName() << "' and not the class directly"; RangedBugReport *report = new RangedBugReport(*BT, os.str(), N); report->addRange(ME->getSourceRange()); C.EmitReport(report); }
bool BasicObjCFoundationChecks::AuditNSString(ExplodedNode* N, const ObjCMessageExpr* ME) { Selector S = ME->getSelector(); if (S.isUnarySelector()) return false; // FIXME: This is going to be really slow doing these checks with // lexical comparisons. std::string NameStr = S.getAsString(); llvm::StringRef Name(NameStr); assert(!Name.empty()); // FIXME: Checking for initWithFormat: will not work in most cases // yet because [NSString alloc] returns id, not NSString*. We will // need support for tracking expected-type information in the analyzer // to find these errors. if (Name == "caseInsensitiveCompare:" || Name == "compare:" || Name == "compare:options:" || Name == "compare:options:range:" || Name == "compare:options:range:locale:" || Name == "componentsSeparatedByCharactersInSet:" || Name == "initWithFormat:") return CheckNilArg(N, 0); return false; }
virtual bool VisitObjCMessageExpr(ObjCMessageExpr *E) { if (E->getReceiverKind() == ObjCMessageExpr::Class) { QualType ReceiverType = E->getClassReceiver(); Selector Sel = E->getSelector(); string TypeName = ReceiverType.getAsString(); string SelName = Sel.getAsString(); if (TypeName == "Observer" && SelName == "observerWithTarget:action:") { Expr *Receiver = E->getArg(0)->IgnoreParenCasts(); ObjCSelectorExpr* SelExpr = cast<ObjCSelectorExpr>(E->getArg(1)->IgnoreParenCasts()); Selector Sel = SelExpr->getSelector(); if (const ObjCObjectPointerType *OT = Receiver->getType()->getAs<ObjCObjectPointerType>()) { ObjCInterfaceDecl *decl = OT->getInterfaceDecl(); if (! decl->lookupInstanceMethod(Sel)) { errs() << "Warning: class " << TypeName << " does not implement selector " << Sel.getAsString() << "\n"; SourceLocation Loc = E->getExprLoc(); PresumedLoc PLoc = astContext->getSourceManager().getPresumedLoc(Loc); errs() << "in " << PLoc.getFilename() << " <" << PLoc.getLine() << ":" << PLoc.getColumn() << ">\n"; } } } } return true; }
void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const { if (!BT) { BT.reset(new APIMisuse("message incorrectly sent to class instead of class " "instance")); ASTContext &Ctx = C.getASTContext(); releaseS = GetNullarySelector("release", Ctx); retainS = GetNullarySelector("retain", Ctx); autoreleaseS = GetNullarySelector("autorelease", Ctx); drainS = GetNullarySelector("drain", Ctx); } if (msg.isInstanceMessage()) return; const ObjCInterfaceDecl *Class = msg.getReceiverInterface(); assert(Class); Selector S = msg.getSelector(); if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS)) return; if (ExplodedNode *N = C.addTransition()) { SmallString<200> buf; llvm::raw_svector_ostream os(buf); os << "The '" << S.getAsString() << "' message should be sent to instances " "of class '" << Class->getName() << "' and not the class directly"; BugReport *report = new BugReport(*BT, os.str(), N); report->addRange(msg.getSourceRange()); C.emitReport(report); } }
void NilArgChecker::preVisitObjCMessage(CheckerContext &C, ObjCMessage msg) { const ObjCInterfaceType *ReceiverType = GetReceiverType(msg); if (!ReceiverType) return; if (isNSString(ReceiverType->getDecl()->getIdentifier()->getName())) { Selector S = msg.getSelector(); if (S.isUnarySelector()) return; // FIXME: This is going to be really slow doing these checks with // lexical comparisons. std::string NameStr = S.getAsString(); llvm::StringRef Name(NameStr); assert(!Name.empty()); // FIXME: Checking for initWithFormat: will not work in most cases // yet because [NSString alloc] returns id, not NSString*. We will // need support for tracking expected-type information in the analyzer // to find these errors. if (Name == "caseInsensitiveCompare:" || Name == "compare:" || Name == "compare:options:" || Name == "compare:options:range:" || Name == "compare:options:range:locale:" || Name == "componentsSeparatedByCharactersInSet:" || Name == "initWithFormat:") { if (isNil(msg.getArgSVal(0, C.getState()))) WarnNilArg(C, msg, 0); } } }
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const { const ObjCInterfaceDecl *ID = msg.getReceiverInterface(); if (!ID) return; FoundationClass Class = findKnownClass(ID); static const unsigned InvalidArgIndex = UINT_MAX; unsigned Arg = InvalidArgIndex; bool CanBeSubscript = false; if (Class == FC_NSString) { Selector S = msg.getSelector(); if (S.isUnarySelector()) return; // FIXME: This is going to be really slow doing these checks with // lexical comparisons. std::string NameStr = S.getAsString(); StringRef Name(NameStr); assert(!Name.empty()); // FIXME: Checking for initWithFormat: will not work in most cases // yet because [NSString alloc] returns id, not NSString*. We will // need support for tracking expected-type information in the analyzer // to find these errors. if (Name == "caseInsensitiveCompare:" || Name == "compare:" || Name == "compare:options:" || Name == "compare:options:range:" || Name == "compare:options:range:locale:" || Name == "componentsSeparatedByCharactersInSet:" || Name == "initWithFormat:") { Arg = 0; } } else if (Class == FC_NSArray) { Selector S = msg.getSelector(); if (S.isUnarySelector()) return; if (S.getNameForSlot(0).equals("addObject")) { Arg = 0; } else if (S.getNameForSlot(0).equals("insertObject") && S.getNameForSlot(1).equals("atIndex")) { Arg = 0; } else if (S.getNameForSlot(0).equals("replaceObjectAtIndex") && S.getNameForSlot(1).equals("withObject")) { Arg = 1; } else if (S.getNameForSlot(0).equals("setObject") && S.getNameForSlot(1).equals("atIndexedSubscript")) { Arg = 0; CanBeSubscript = true; } else if (S.getNameForSlot(0).equals("arrayByAddingObject")) { Arg = 0; } } else if (Class == FC_NSDictionary) { Selector S = msg.getSelector(); if (S.isUnarySelector()) return; if (S.getNameForSlot(0).equals("dictionaryWithObject") && S.getNameForSlot(1).equals("forKey")) { Arg = 0; WarnIfNilArg(C, msg, /* Arg */1, Class); } else if (S.getNameForSlot(0).equals("setObject") && S.getNameForSlot(1).equals("forKey")) { Arg = 0; WarnIfNilArg(C, msg, /* Arg */1, Class); } else if (S.getNameForSlot(0).equals("setObject") && S.getNameForSlot(1).equals("forKeyedSubscript")) { CanBeSubscript = true; Arg = 0; WarnIfNilArg(C, msg, /* Arg */1, Class, CanBeSubscript); } else if (S.getNameForSlot(0).equals("removeObjectForKey")) { Arg = 0; } } // If argument is '0', report a warning. if ((Arg != InvalidArgIndex)) WarnIfNilArg(C, msg, Arg, Class, CanBeSubscript); }
/// This callback is used to infer the types for Class variables. This info is /// used later to validate messages that sent to classes. Class variables are /// initialized with by invoking the 'class' method on a class. /// This method is also used to infer the type information for the return /// types. // TODO: right now it only tracks generic types. Extend this to track every // type in the DynamicTypeMap and diagnose type errors! void DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const { const ObjCMessageExpr *MessageExpr = M.getOriginExpr(); SymbolRef RetSym = M.getReturnValue().getAsSymbol(); if (!RetSym) return; Selector Sel = MessageExpr->getSelector(); ProgramStateRef State = C.getState(); // Inference for class variables. // We are only interested in cases where the class method is invoked on a // class. This method is provided by the runtime and available on all classes. if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class && Sel.getAsString() == "class") { QualType ReceiverType = MessageExpr->getClassReceiver(); const auto *ReceiverClassType = ReceiverType->getAs<ObjCObjectType>(); QualType ReceiverClassPointerType = C.getASTContext().getObjCObjectPointerType( QualType(ReceiverClassType, 0)); if (!ReceiverClassType->isSpecialized()) return; const auto *InferredType = ReceiverClassPointerType->getAs<ObjCObjectPointerType>(); assert(InferredType); State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType); C.addTransition(State); return; } // Tracking for return types. SymbolRef RecSym = M.getReceiverSVal().getAsSymbol(); if (!RecSym) return; const ObjCObjectPointerType *const *TrackedType = State->get<MostSpecializedTypeArgsMap>(RecSym); if (!TrackedType) return; ASTContext &ASTCtxt = C.getASTContext(); const ObjCMethodDecl *Method = findMethodDecl(MessageExpr, *TrackedType, ASTCtxt); if (!Method) return; Optional<ArrayRef<QualType>> TypeArgs = (*TrackedType)->getObjCSubstitutions(Method->getDeclContext()); if (!TypeArgs) return; QualType ResultType = getReturnTypeForMethod(Method, *TypeArgs, *TrackedType, ASTCtxt); // The static type is the same as the deduced type. if (ResultType.isNull()) return; const MemRegion *RetRegion = M.getReturnValue().getAsRegion(); ExplodedNode *Pred = C.getPredecessor(); // When there is an entry available for the return symbol in DynamicTypeMap, // the call was inlined, and the information in the DynamicTypeMap is should // be precise. if (RetRegion && !State->get<DynamicTypeMap>(RetRegion)) { // TODO: we have duplicated information in DynamicTypeMap and // MostSpecializedTypeArgsMap. We should only store anything in the later if // the stored data differs from the one stored in the former. State = setDynamicTypeInfo(State, RetRegion, ResultType, /*CanBeSubclass=*/true); Pred = C.addTransition(State); } const auto *ResultPtrType = ResultType->getAs<ObjCObjectPointerType>(); if (!ResultPtrType || ResultPtrType->isUnspecialized()) return; // When the result is a specialized type and it is not tracked yet, track it // for the result symbol. if (!State->get<MostSpecializedTypeArgsMap>(RetSym)) { State = State->set<MostSpecializedTypeArgsMap>(RetSym, ResultPtrType); C.addTransition(State, Pred); } }
void ObjCSuperCallChecker::checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager &Mgr, BugReporter &BR) const { ASTContext &Ctx = BR.getContext(); if (!isUIViewControllerSubclass(Ctx, D)) return; const char *SelectorNames[] = {"addChildViewController", "viewDidAppear", "viewDidDisappear", "viewWillAppear", "viewWillDisappear", "removeFromParentViewController", "didReceiveMemoryWarning", "viewDidUnload", "viewWillUnload", "viewDidLoad"}; const unsigned SelectorArgumentCounts[] = {1, 1, 1, 1, 1, 0, 0, 0, 0, 0}; const size_t SelectorCount = llvm::array_lengthof(SelectorNames); assert(llvm::array_lengthof(SelectorArgumentCounts) == SelectorCount); // Fill the Selectors SmallSet with all selectors we want to check. llvm::SmallSet<Selector, 16> Selectors; for (size_t i = 0; i < SelectorCount; i++) { unsigned ArgumentCount = SelectorArgumentCounts[i]; const char *SelectorCString = SelectorNames[i]; // Get the selector. IdentifierInfo *II = &Ctx.Idents.get(SelectorCString); Selectors.insert(Ctx.Selectors.getSelector(ArgumentCount, &II)); } // Iterate over all instance methods. for (ObjCImplementationDecl::instmeth_iterator I = D->instmeth_begin(), E = D->instmeth_end(); I != E; ++I) { Selector S = (*I)->getSelector(); // Find out whether this is a selector that we want to check. if (!Selectors.count(S)) continue; ObjCMethodDecl *MD = *I; // Check if the method calls its superclass implementation. if (MD->getBody()) { FindSuperCallVisitor Visitor(S); Visitor.TraverseDecl(MD); // It doesn't call super, emit a diagnostic. if (!Visitor.DoesCallSuper) { PathDiagnosticLocation DLoc = PathDiagnosticLocation::createEnd(MD->getBody(), BR.getSourceManager(), Mgr.getAnalysisDeclContext(D)); const char *Name = "Missing call to superclass"; SmallString<256> Buf; llvm::raw_svector_ostream os(Buf); os << "The '" << S.getAsString() << "' instance method in UIViewController subclass '" << *D << "' is missing a [super " << S.getAsString() << "] call"; BR.EmitBasicReport(MD, Name, categories::CoreFoundationObjectiveC, os.str(), DLoc); } } } }
bool BasicObjCFoundationChecks::AuditNSString(ExplodedNode* N, const ObjCMessageExpr* ME) { Selector S = ME->getSelector(); if (S.isUnarySelector()) return false; // FIXME: This is going to be really slow doing these checks with // lexical comparisons. std::string name = S.getAsString(); assert (!name.empty()); const char* cstr = &name[0]; unsigned len = name.size(); switch (len) { default: break; case 8: if (!strcmp(cstr, "compare:")) return CheckNilArg(N, 0); break; case 15: // FIXME: Checking for initWithFormat: will not work in most cases // yet because [NSString alloc] returns id, not NSString*. We will // need support for tracking expected-type information in the analyzer // to find these errors. if (!strcmp(cstr, "initWithFormat:")) return CheckNilArg(N, 0); break; case 16: if (!strcmp(cstr, "compare:options:")) return CheckNilArg(N, 0); break; case 22: if (!strcmp(cstr, "compare:options:range:")) return CheckNilArg(N, 0); break; case 23: if (!strcmp(cstr, "caseInsensitiveCompare:")) return CheckNilArg(N, 0); break; case 29: if (!strcmp(cstr, "compare:options:range:locale:")) return CheckNilArg(N, 0); break; case 37: if (!strcmp(cstr, "componentsSeparatedByCharactersInSet:")) return CheckNilArg(N, 0); break; } return false; }
void WalkAST::VisitObjCMessageExpr(const ObjCMessageExpr *ME) { if (!ME) { return; } const ObjCInterfaceDecl *ID = ME->getReceiverInterface(); if (ID) { StringRef receiverClassName = ID->getIdentifier()->getName(); Selector sel = ME->getSelector(); if (receiverClassName == "NSInvocation" && (sel.getAsString() == "getArgument:atIndex:" || sel.getAsString() == "getReturnValue:")) { const Expr *Arg = ME->getArg(0); if (!Arg) { VisitChildren(ME); return; } QualType T = Arg->IgnoreParenImpCasts()->getType(); const PointerType *PT = T->getAs<PointerType>(); if (!PT) { // there appears to be a type error anyway... VisitChildren(ME); return; } T = PT->getPointeeType(); if (!T->isObjCRetainableType()) { VisitChildren(ME); return; } const AttributedType *AttrType = T->getAs<AttributedType>(); bool passed = false; if (AttrType) { Qualifiers::ObjCLifetime argLifetime = AttrType->getModifiedType().getObjCLifetime(); passed = argLifetime == Qualifiers::OCL_None || argLifetime == Qualifiers::OCL_ExplicitNone; } if (!passed) { SmallString<64> BufName, Buf; llvm::raw_svector_ostream OsName(BufName), Os(Buf); OsName << "Invalid use of '" << receiverClassName << "'" ; Os << "In ARC mode, the first argument to '-[" << receiverClassName << " " << sel.getAsString() << "]' must be declared with __unsafe_unretained to avoid over-release."; PathDiagnosticLocation MELoc = PathDiagnosticLocation::createBegin(ME, BR.getSourceManager(), AC); BR.EmitBasicReport(AC->getDecl(), &Checker, OsName.str(), "Memory error (Facebook)", Os.str(), MELoc); } } } VisitChildren(ME); }