Newer
Older
Expr** arg_beg, Expr** arg_end,
ExplodedNode<ValueState>* Pred);
virtual void EvalCall(ExplodedNodeSet<ValueState>& Dst,
Ted Kremenek
committed
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ExplodedNode<ValueState>* Pred);
Ted Kremenek
committed
Ted Kremenek
committed
virtual void EvalObjCMessageExpr(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Engine,
GRStmtNodeBuilder<ValueState>& Builder,
ObjCMessageExpr* ME,
ExplodedNode<ValueState>* Pred);
bool EvalObjCMessageExprAux(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Engine,
GRStmtNodeBuilder<ValueState>& Builder,
ObjCMessageExpr* ME,
ExplodedNode<ValueState>* Pred);
Ted Kremenek
committed
// Stores.
virtual void EvalStore(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Engine,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* E, ExplodedNode<ValueState>* Pred,
ValueState* St, RVal TargetLV, RVal Val);
Ted Kremenek
committed
// End-of-path.
virtual void EvalEndPath(GRExprEngine& Engine,
GREndPathNodeBuilder<ValueState>& Builder);
Ted Kremenek
committed
virtual void EvalDeadSymbols(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Engine,
GRStmtNodeBuilder<ValueState>& Builder,
ExplodedNode<ValueState>* Pred,
Stmt* S,
Ted Kremenek
committed
ValueState* St,
const ValueStateManager::DeadSymbolsTy& Dead);
// Return statements.
virtual void EvalReturn(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Engine,
GRStmtNodeBuilder<ValueState>& Builder,
ReturnStmt* S,
ExplodedNode<ValueState>* Pred);
// Assumptions.
virtual ValueState* EvalAssume(GRExprEngine& Engine, ValueState* St,
RVal Cond, bool Assumption, bool& isFeasible);
Ted Kremenek
committed
// Error iterators.
typedef UseAfterReleasesTy::iterator use_after_iterator;
typedef ReleasesNotOwnedTy::iterator bad_release_iterator;
typedef LeaksTy::iterator leaks_iterator;
Ted Kremenek
committed
use_after_iterator use_after_begin() { return UseAfterReleases.begin(); }
use_after_iterator use_after_end() { return UseAfterReleases.end(); }
Ted Kremenek
committed
bad_release_iterator bad_release_begin() { return ReleasesNotOwned.begin(); }
bad_release_iterator bad_release_end() { return ReleasesNotOwned.end(); }
leaks_iterator leaks_begin() { return Leaks.begin(); }
leaks_iterator leaks_end() { return Leaks.end(); }
};
} // end anonymous namespace
Ted Kremenek
committed
void CFRefCount::BindingsPrinter::PrintCheckerState(std::ostream& Out,
void* State, const char* nl,
const char* sep) {
RefBindings B((RefBindings::TreeTy*) State);
if (State)
Out << sep << nl;
for (RefBindings::iterator I=B.begin(), E=B.end(); I!=E; ++I) {
Out << (*I).first << " : ";
(*I).second.print(Out);
Out << nl;
}
}
static inline ArgEffect GetArgE(RetainSummary* Summ, unsigned idx) {
Ted Kremenek
committed
return Summ ? Summ->getArg(idx) : MayEscape;
static inline RetEffect GetRetEffect(RetainSummary* Summ) {
return Summ ? Summ->getRetEffect() : RetEffect::MakeNoRet();
static inline ArgEffect GetReceiverE(RetainSummary* Summ) {
return Summ ? Summ->getReceiverEffect() : DoNothing;
}
void CFRefCount::ProcessNonLeakError(ExplodedNodeSet<ValueState>& Dst,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* NodeExpr, Expr* ErrorExpr,
ExplodedNode<ValueState>* Pred,
ValueState* St,
RefVal::Kind hasErr, SymbolID Sym) {
Builder.BuildSinks = true;
GRExprEngine::NodeTy* N = Builder.MakeNode(Dst, NodeExpr, Pred, St);
if (!N) return;
switch (hasErr) {
default: assert(false);
case RefVal::ErrorUseAfterRelease:
UseAfterReleases[N] = std::make_pair(ErrorExpr, Sym);
break;
case RefVal::ErrorReleaseNotOwned:
ReleasesNotOwned[N] = std::make_pair(ErrorExpr, Sym);
break;
}
}
void CFRefCount::EvalSummary(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* Ex,
Expr* Receiver,
RetainSummary* Summ,
Expr** arg_beg, Expr** arg_end,
ExplodedNode<ValueState>* Pred) {
Ted Kremenek
committed
// Get the state.
ValueStateManager& StateMgr = Eng.getStateManager();
ValueState* St = Builder.GetState(Pred);
// Evaluate the effect of the arguments.
ValueState StVals = *St;
RefVal::Kind hasErr = (RefVal::Kind) 0;
unsigned idx = 0;
Expr* ErrorExpr = NULL;
SymbolID ErrorSym = 0;
for (Expr **I = arg_beg, **E = arg_end; I != E; ++I, ++idx) {
RVal V = StateMgr.GetRVal(St, *I);
if (isa<lval::SymbolVal>(V)) {
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(StVals);
if (RefBindings::TreeTy* T = B.SlimFind(Sym)) {
B = Update(B, Sym, T->getValue().second, GetArgE(Summ, idx), hasErr);
SetRefBindings(StVals, B);
if (hasErr) {
ErrorExpr = *I;
ErrorSym = T->getValue().first;
break;
}
else if (isa<LVal>(V)) {
// Nuke all arguments passed by reference.
StateMgr.Unbind(StVals, cast<LVal>(V));
else if (isa<nonlval::LValAsInteger>(V))
StateMgr.Unbind(StVals, cast<nonlval::LValAsInteger>(V).getLVal());
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
// Evaluate the effect on the message receiver.
if (!ErrorExpr && Receiver) {
RVal V = StateMgr.GetRVal(St, Receiver);
if (isa<lval::SymbolVal>(V)) {
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(StVals);
if (RefBindings::TreeTy* T = B.SlimFind(Sym)) {
B = Update(B, Sym, T->getValue().second, GetReceiverE(Summ), hasErr);
SetRefBindings(StVals, B);
if (hasErr) {
ErrorExpr = Receiver;
ErrorSym = T->getValue().first;
}
}
}
}
// Get the persistent state.
St = StateMgr.getPersistentState(StVals);
if (hasErr) {
ProcessNonLeakError(Dst, Builder, Ex, ErrorExpr, Pred, St,
hasErr, ErrorSym);
// Finally, consult the summary for the return value.
RetEffect RE = GetRetEffect(Summ);
switch (RE.getKind()) {
default:
assert (false && "Unhandled RetEffect."); break;
Ted Kremenek
committed
case RetEffect::NoRet:
// Make up a symbol for the return value (not reference counted).
// FIXME: This is basically copy-and-paste from GRSimpleVals. We
// should compose behavior, not copy it.
if (Ex->getType() != Eng.getContext().VoidTy) {
unsigned Count = Builder.getCurrentBlockCount();
SymbolID Sym = Eng.getSymbolManager().getConjuredSymbol(Ex, Count);
Ted Kremenek
committed
RVal X = LVal::IsLValType(Ex->getType())
? cast<RVal>(lval::SymbolVal(Sym))
: cast<RVal>(nonlval::SymbolVal(Sym));
St = StateMgr.SetRVal(St, Ex, X, Eng.getCFG().isBlkExpr(Ex), false);
Ted Kremenek
committed
break;
case RetEffect::Alias: {
unsigned idx = RE.getValue();
assert ((arg_end - arg_beg) >= 0);
assert (idx < (unsigned) (arg_end - arg_beg));
RVal V = StateMgr.GetRVal(St, arg_beg[idx]);
St = StateMgr.SetRVal(St, Ex, V, Eng.getCFG().isBlkExpr(Ex), false);
break;
}
case RetEffect::ReceiverAlias: {
assert (Receiver);
RVal V = StateMgr.GetRVal(St, Receiver);
St = StateMgr.SetRVal(St, Ex, V, Eng.getCFG().isBlkExpr(Ex), false);
break;
}
case RetEffect::OwnedSymbol: {
unsigned Count = Builder.getCurrentBlockCount();
SymbolID Sym = Eng.getSymbolManager().getConjuredSymbol(Ex, Count);
ValueState StImpl = *St;
RefBindings B = GetRefBindings(StImpl);
SetRefBindings(StImpl, RefBFactory.Add(B, Sym, RefVal::makeOwned()));
St = StateMgr.SetRVal(StateMgr.getPersistentState(StImpl),
Ex, lval::SymbolVal(Sym),
Eng.getCFG().isBlkExpr(Ex), false);
break;
}
case RetEffect::NotOwnedSymbol: {
unsigned Count = Builder.getCurrentBlockCount();
SymbolID Sym = Eng.getSymbolManager().getConjuredSymbol(Ex, Count);
ValueState StImpl = *St;
RefBindings B = GetRefBindings(StImpl);
SetRefBindings(StImpl, RefBFactory.Add(B, Sym, RefVal::makeNotOwned()));
St = StateMgr.SetRVal(StateMgr.getPersistentState(StImpl),
Ex, lval::SymbolVal(Sym),
Eng.getCFG().isBlkExpr(Ex), false);
break;
}
}
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
Builder.MakeNode(Dst, Ex, Pred, St);
}
void CFRefCount::EvalCall(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
CallExpr* CE, RVal L,
ExplodedNode<ValueState>* Pred) {
RetainSummary* Summ = NULL;
// Get the summary.
if (isa<lval::FuncVal>(L)) {
lval::FuncVal FV = cast<lval::FuncVal>(L);
FunctionDecl* FD = FV.getDecl();
Summ = Summaries.getSummary(FD, Eng.getContext());
}
EvalSummary(Dst, Eng, Builder, CE, 0, Summ,
CE->arg_begin(), CE->arg_end(), Pred);
Ted Kremenek
committed
}
Ted Kremenek
committed
void CFRefCount::EvalObjCMessageExpr(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ObjCMessageExpr* ME,
ExplodedNode<ValueState>* Pred) {
RetainSummary* Summ;
Ted Kremenek
committed
if (ME->getReceiver())
Ted Kremenek
committed
Summ = Summaries.getMethodSummary(ME);
else
Summ = Summaries.getInstanceMethodSummary(ME->getClassName(),
ME->getSelector());
EvalSummary(Dst, Eng, Builder, ME, ME->getReceiver(), Summ,
ME->arg_begin(), ME->arg_end(), Pred);
Ted Kremenek
committed
}
Ted Kremenek
committed
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
// Stores.
void CFRefCount::EvalStore(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* E, ExplodedNode<ValueState>* Pred,
ValueState* St, RVal TargetLV, RVal Val) {
// Check if we have a binding for "Val" and if we are storing it to something
// we don't understand or otherwise the value "escapes" the function.
if (!isa<lval::SymbolVal>(Val))
return;
// Are we storing to something that causes the value to "escape"?
bool escapes = false;
if (!isa<lval::DeclVal>(TargetLV))
escapes = true;
else
escapes = cast<lval::DeclVal>(TargetLV).getDecl()->hasGlobalStorage();
if (!escapes)
return;
SymbolID Sym = cast<lval::SymbolVal>(Val).getSymbol();
RefBindings B = GetRefBindings(*St);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
return;
// Nuke the binding.
St = NukeBinding(Eng.getStateManager(), St, Sym);
Ted Kremenek
committed
// Hand of the remaining logic to the parent implementation.
GRSimpleVals::EvalStore(Dst, Eng, Builder, E, Pred, St, TargetLV, Val);
}
ValueState* CFRefCount::NukeBinding(ValueStateManager& VMgr, ValueState* St,
SymbolID sid) {
ValueState StImpl = *St;
RefBindings B = GetRefBindings(StImpl);
StImpl.CheckerState = RefBFactory.Remove(B, sid).getRoot();
return VMgr.getPersistentState(StImpl);
}
Ted Kremenek
committed
// End-of-path.
ValueState* CFRefCount::HandleSymbolDeath(ValueStateManager& VMgr,
ValueState* St, SymbolID sid,
RefVal V, bool& hasLeak) {
hasLeak = V.isOwned() ||
((V.isNotOwned() || V.isReturnedOwned()) && V.getCount() > 0);
if (!hasLeak)
return NukeBinding(VMgr, St, sid);
RefBindings B = GetRefBindings(*St);
ValueState StImpl = *St;
Ted Kremenek
committed
RefBFactory.Add(B, sid, RefVal::makeLeak(V.getCount())).getRoot();
return VMgr.getPersistentState(StImpl);
}
void CFRefCount::EvalEndPath(GRExprEngine& Eng,
Ted Kremenek
committed
GREndPathNodeBuilder<ValueState>& Builder) {
ValueState* St = Builder.getState();
RefBindings B = GetRefBindings(*St);
Ted Kremenek
committed
llvm::SmallVector<SymbolID, 10> Leaked;
Ted Kremenek
committed
for (RefBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
bool hasLeak = false;
Ted Kremenek
committed
St = HandleSymbolDeath(Eng.getStateManager(), St,
(*I).first, (*I).second, hasLeak);
if (hasLeak) Leaked.push_back((*I).first);
}
Ted Kremenek
committed
if (Leaked.empty())
return;
ExplodedNode<ValueState>* N = Builder.MakeNode(St);
Ted Kremenek
committed
Ted Kremenek
committed
if (!N)
Ted Kremenek
committed
return;
std::vector<SymbolID>*& LeaksAtNode = Leaks[N];
assert (!LeaksAtNode);
LeaksAtNode = new std::vector<SymbolID>();
for (llvm::SmallVector<SymbolID, 10>::iterator I=Leaked.begin(),
E = Leaked.end(); I != E; ++I)
(*LeaksAtNode).push_back(*I);
Ted Kremenek
committed
}
Ted Kremenek
committed
// Dead symbols.
void CFRefCount::EvalDeadSymbols(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ExplodedNode<ValueState>* Pred,
Stmt* S,
Ted Kremenek
committed
ValueState* St,
const ValueStateManager::DeadSymbolsTy& Dead) {
Ted Kremenek
committed
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
// FIXME: a lot of copy-and-paste from EvalEndPath. Refactor.
RefBindings B = GetRefBindings(*St);
llvm::SmallVector<SymbolID, 10> Leaked;
for (ValueStateManager::DeadSymbolsTy::const_iterator
I=Dead.begin(), E=Dead.end(); I!=E; ++I) {
RefBindings::TreeTy* T = B.SlimFind(*I);
if (!T)
continue;
bool hasLeak = false;
St = HandleSymbolDeath(Eng.getStateManager(), St,
*I, T->getValue().second, hasLeak);
if (hasLeak) Leaked.push_back(*I);
}
if (Leaked.empty())
return;
ExplodedNode<ValueState>* N = Builder.MakeNode(Dst, S, Pred, St);
if (!N)
return;
std::vector<SymbolID>*& LeaksAtNode = Leaks[N];
assert (!LeaksAtNode);
LeaksAtNode = new std::vector<SymbolID>();
for (llvm::SmallVector<SymbolID, 10>::iterator I=Leaked.begin(),
E = Leaked.end(); I != E; ++I)
(*LeaksAtNode).push_back(*I);
}
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
// Return statements.
void CFRefCount::EvalReturn(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ReturnStmt* S,
ExplodedNode<ValueState>* Pred) {
Expr* RetE = S->getRetValue();
if (!RetE) return;
ValueStateManager& StateMgr = Eng.getStateManager();
ValueState* St = Builder.GetState(Pred);
RVal V = StateMgr.GetRVal(St, RetE);
if (!isa<lval::SymbolVal>(V))
return;
// Get the reference count binding (if any).
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(*St);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
return;
// Change the reference count.
RefVal X = T->getValue().second;
switch (X.getKind()) {
case RefVal::Owned: {
unsigned cnt = X.getCount();
Ted Kremenek
committed
assert (cnt > 0);
X = RefVal::makeReturnedOwned(cnt - 1);
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
break;
}
case RefVal::NotOwned: {
unsigned cnt = X.getCount();
X = cnt ? RefVal::makeReturnedOwned(cnt - 1)
: RefVal::makeReturnedNotOwned();
break;
}
default:
return;
}
// Update the binding.
ValueState StImpl = *St;
StImpl.CheckerState = RefBFactory.Add(B, Sym, X).getRoot();
Builder.MakeNode(Dst, S, Pred, StateMgr.getPersistentState(StImpl));
}
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
// Assumptions.
ValueState* CFRefCount::EvalAssume(GRExprEngine& Eng, ValueState* St,
RVal Cond, bool Assumption,
bool& isFeasible) {
// FIXME: We may add to the interface of EvalAssume the list of symbols
// whose assumptions have changed. For now we just iterate through the
// bindings and check if any of the tracked symbols are NULL. This isn't
// too bad since the number of symbols we will track in practice are
// probably small and EvalAssume is only called at branches and a few
// other places.
RefBindings B = GetRefBindings(*St);
if (B.isEmpty())
return St;
bool changed = false;
for (RefBindings::iterator I=B.begin(), E=B.end(); I!=E; ++I) {
// Check if the symbol is null (or equal to any constant).
// If this is the case, stop tracking the symbol.
if (St->getSymVal(I.getKey())) {
changed = true;
B = RefBFactory.Remove(B, I.getKey());
}
}
if (!changed)
return St;
ValueState StImpl = *St;
StImpl.CheckerState = B.getRoot();
return Eng.getStateManager().getPersistentState(StImpl);
}
CFRefCount::RefBindings CFRefCount::Update(RefBindings B, SymbolID sym,
RefVal V, ArgEffect E,
RefVal::Kind& hasErr) {
// FIXME: This dispatch can potentially be sped up by unifiying it into
// a single switch statement. Opt for simplicity for now.
switch (E) {
default:
assert (false && "Unhandled CFRef transition.");
Ted Kremenek
committed
case MayEscape:
if (V.getKind() == RefVal::Owned) {
V = RefVal::makeNotOwned(V.getCount());
break;
}
// Fall-through.
case DoNothing:
if (!isGCEnabled() && V.getKind() == RefVal::Released) {
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
break;
}
return B;
case StopTracking:
return RefBFactory.Remove(B, sym);
case IncRef:
switch (V.getKind()) {
default:
assert(false);
case RefVal::Owned:
Ted Kremenek
committed
V = RefVal::makeOwned(V.getCount()+1);
break;
case RefVal::NotOwned:
V = RefVal::makeNotOwned(V.getCount()+1);
break;
case RefVal::Released:
if (isGCEnabled())
V = RefVal::makeOwned();
else {
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
}
break;
}
Ted Kremenek
committed
break;
case DecRef:
switch (V.getKind()) {
default:
assert (false);
case RefVal::Owned: {
unsigned Count = V.getCount();
Ted Kremenek
committed
V = Count > 1 ? RefVal::makeOwned(Count - 1) : RefVal::makeReleased();
break;
}
unsigned Count = V.getCount();
if (Count > 0)
V = RefVal::makeNotOwned(Count - 1);
else {
V = RefVal::makeReleaseNotOwned();
hasErr = V.getKind();
break;
case RefVal::Released:
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
break;
}
Ted Kremenek
committed
break;
}
return RefBFactory.Add(B, sym, V);
Ted Kremenek
committed
//===----------------------------------------------------------------------===//
// Error reporting.
Ted Kremenek
committed
//===----------------------------------------------------------------------===//
namespace {
//===-------------===//
// Bug Descriptions. //
//===-------------===//
class VISIBILITY_HIDDEN CFRefBug : public BugTypeCacheLocation {
protected:
CFRefCount& TF;
public:
CFRefBug(CFRefCount& tf) : TF(tf) {}
CFRefCount& getTF() { return TF; }
const CFRefCount& getTF() const { return TF; }
Ted Kremenek
committed
virtual bool isLeak() const { return false; }
};
class VISIBILITY_HIDDEN UseAfterRelease : public CFRefBug {
public:
UseAfterRelease(CFRefCount& tf) : CFRefBug(tf) {}
virtual const char* getName() const {
}
virtual const char* getDescription() const {
return "Reference-counted object is used"
" after it is released.";
}
virtual void EmitWarnings(BugReporter& BR);
};
class VISIBILITY_HIDDEN BadRelease : public CFRefBug {
public:
BadRelease(CFRefCount& tf) : CFRefBug(tf) {}
virtual const char* getName() const {
}
virtual const char* getDescription() const {
return "Incorrect decrement of the reference count of a "
"The object is not owned at this point by the caller.";
}
virtual void EmitWarnings(BugReporter& BR);
};
class VISIBILITY_HIDDEN Leak : public CFRefBug {
public:
Leak(CFRefCount& tf) : CFRefBug(tf) {}
virtual const char* getName() const {
if (getTF().isGCEnabled())
return "Memory Leak (GC)";
if (getTF().getLangOptions().getGCMode() == LangOptions::HybridGC)
return "Memory Leak (Hybrid MM, non-GC)";
assert (getTF().getLangOptions().getGCMode() == LangOptions::NonGC);
return "Memory Leak";
}
virtual const char* getDescription() const {
}
virtual void EmitWarnings(BugReporter& BR);
virtual void GetErrorNodes(std::vector<ExplodedNode<ValueState>*>& Nodes);
Ted Kremenek
committed
virtual bool isLeak() const { return true; }
virtual bool isCached(BugReport& R);
};
//===---------===//
// Bug Reports. //
//===---------===//
class VISIBILITY_HIDDEN CFRefReport : public RangedBugReport {
SymbolID Sym;
public:
CFRefReport(CFRefBug& D, ExplodedNode<ValueState> *n, SymbolID sym)
: RangedBugReport(D, n), Sym(sym) {}
virtual ~CFRefReport() {}
CFRefBug& getBugType() {
return (CFRefBug&) RangedBugReport::getBugType();
}
const CFRefBug& getBugType() const {
return (const CFRefBug&) RangedBugReport::getBugType();
}
virtual void getRanges(BugReporter& BR, const SourceRange*& beg,
const SourceRange*& end) {
if (!getBugType().isLeak())
RangedBugReport::getRanges(BR, beg, end);
else {
beg = 0;
end = 0;
}
}
SymbolID getSymbol() const { return Sym; }
Ted Kremenek
committed
virtual PathDiagnosticPiece* getEndPath(BugReporter& BR,
ExplodedNode<ValueState>* N);
virtual std::pair<const char**,const char**> getExtraDescriptiveText();
virtual PathDiagnosticPiece* VisitNode(ExplodedNode<ValueState>* N,
ExplodedNode<ValueState>* PrevN,
ExplodedGraph<ValueState>& G,
BugReporter& BR);
};
} // end anonymous namespace
void CFRefCount::RegisterChecks(GRExprEngine& Eng) {
Ted Kremenek
committed
if (EmitStandardWarnings) GRSimpleVals::RegisterChecks(Eng);
Eng.Register(new UseAfterRelease(*this));
Eng.Register(new BadRelease(*this));
Eng.Register(new Leak(*this));
}
static const char* Msgs[] = {
"Code is compiled in garbage collection only mode" // GC only
" (the bug occurs with garbage collection enabled).",
"Code is compiled without garbage collection.", // No GC.
"Code is compiled for use with and without garbage collection (GC)."
" The bug occurs with GC enabled.", // Hybrid, with GC.
"Code is compiled for use with and without garbage collection (GC)."
" The bug occurs in non-GC mode." // Hyrbird, without GC/
};
std::pair<const char**,const char**> CFRefReport::getExtraDescriptiveText() {
CFRefCount& TF = static_cast<CFRefBug&>(getBugType()).getTF();
switch (TF.getLangOptions().getGCMode()) {
default:
assert(false);
case LangOptions::GCOnly:
assert (TF.isGCEnabled());
return std::make_pair(&Msgs[0], &Msgs[0]+1);
case LangOptions::NonGC:
assert (!TF.isGCEnabled());
return std::make_pair(&Msgs[1], &Msgs[1]+1);
case LangOptions::HybridGC:
if (TF.isGCEnabled())
return std::make_pair(&Msgs[2], &Msgs[2]+1);
else
return std::make_pair(&Msgs[3], &Msgs[3]+1);
}
}
PathDiagnosticPiece* CFRefReport::VisitNode(ExplodedNode<ValueState>* N,
ExplodedNode<ValueState>* PrevN,
ExplodedGraph<ValueState>& G,
BugReporter& BR) {
// Check if the type state has changed.
ValueState* PrevSt = PrevN->getState();
ValueState* CurrSt = N->getState();
CFRefCount::RefBindings PrevB = CFRefCount::GetRefBindings(*PrevSt);
CFRefCount::RefBindings CurrB = CFRefCount::GetRefBindings(*CurrSt);
CFRefCount::RefBindings::TreeTy* PrevT = PrevB.SlimFind(Sym);
CFRefCount::RefBindings::TreeTy* CurrT = CurrB.SlimFind(Sym);
if (!CurrT)
return NULL;
const char* Msg = NULL;
RefVal CurrV = CurrB.SlimFind(Sym)->getValue().second;
Stmt* S = cast<PostStmt>(N->getLocation()).getStmt();
if (CurrV.isOwned()) {
if (isa<CallExpr>(S))
Msg = "Function call returns an object with a +1 retain count"
" (owning reference).";
else {
assert (isa<ObjCMessageExpr>(S));
Msg = "Method returns an object with a +1 retain count"
" (owning reference).";
}
}
else {
assert (CurrV.isNotOwned());
if (isa<CallExpr>(S))
Msg = "Function call returns an object with a +0 retain count"
" (non-owning reference).";
else {
assert (isa<ObjCMessageExpr>(S));
Msg = "Method returns an object with a +0 retain count"
" (non-owning reference).";
}
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
FullSourceLoc Pos(S->getLocStart(), BR.getContext().getSourceManager());
PathDiagnosticPiece* P = new PathDiagnosticPiece(Pos, Msg);
if (Expr* Exp = dyn_cast<Expr>(S))
P->addRange(Exp->getSourceRange());
return P;
}
// Determine if the typestate has changed.
RefVal PrevV = PrevB.SlimFind(Sym)->getValue().second;
if (PrevV == CurrV)
return NULL;
// The typestate has changed.
std::ostringstream os;
switch (CurrV.getKind()) {
case RefVal::Owned:
case RefVal::NotOwned:
Ted Kremenek
committed
if (PrevV.getCount() == CurrV.getCount())
return 0;
if (PrevV.getCount() > CurrV.getCount())
os << "Reference count decremented.";
else
os << "Reference count incremented.";
Ted Kremenek
committed
if (unsigned Count = CurrV.getCount()) {
Msg = os.str().c_str();
break;
case RefVal::Released:
Msg = "Object released.";
break;
case RefVal::ReturnedOwned:
Msg = "Object returned to caller as owning reference (single retain count"
" transferred to caller).";
break;
case RefVal::ReturnedNotOwned:
Msg = "Object returned to caller with a +0 (non-owning) retain count.";
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
break;
default:
return NULL;
}
Stmt* S = cast<PostStmt>(N->getLocation()).getStmt();
FullSourceLoc Pos(S->getLocStart(), BR.getContext().getSourceManager());
PathDiagnosticPiece* P = new PathDiagnosticPiece(Pos, Msg);
// Add the range by scanning the children of the statement for any bindings
// to Sym.
ValueStateManager& VSM = BR.getEngine().getStateManager();
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I)
if (Expr* Exp = dyn_cast_or_null<Expr>(*I)) {
RVal X = VSM.GetRVal(CurrSt, Exp);
if (lval::SymbolVal* SV = dyn_cast<lval::SymbolVal>(&X))
if (SV->getSymbol() == Sym) {
P->addRange(Exp->getSourceRange()); break;
}
}
return P;
}
static std::pair<ExplodedNode<ValueState>*,VarDecl*>
GetAllocationSite(ExplodedNode<ValueState>* N, SymbolID Sym) {
Ted Kremenek
committed
Ted Kremenek
committed
ExplodedNode<ValueState>* Last = N;
// Find the first node that referred to the tracked symbol. We also
// try and find the first VarDecl the value was stored to.
VarDecl* FirstDecl = 0;
Ted Kremenek
committed
while (N) {
ValueState* St = N->getState();
RefBindings B = RefBindings((RefBindings::TreeTy*) St->CheckerState);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
Ted Kremenek
committed
break;
VarDecl* VD = 0;
// Determine if there is an LVal binding to the symbol.
for (ValueState::vb_iterator I=St->vb_begin(), E=St->vb_end(); I!=E; ++I) {
if (!isa<lval::SymbolVal>(I->second) // Is the value a symbol?
|| cast<lval::SymbolVal>(I->second).getSymbol() != Sym)
continue;