Newer
Older
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
isRetain = true;
else if (S != ReleaseSelector)
return true;
// We have "Retain" or "Release". Get the reference binding.
ValueStateManager& StateMgr = Eng.getStateManager();
ValueState* St = Builder.GetState(Pred);
RVal V = StateMgr.GetRVal(St, Receiver);
if (!isa<lval::SymbolVal>(V))
return true;
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(*St);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
return true;
RefVal::Kind hasErr = (RefVal::Kind) 0;
B = Update(B, Sym, T->getValue().second, isRetain ? IncRef : DecRef, hasErr);
// Create a new state with the updated bindings.
ValueState StVals = *St;
SetRefBindings(StVals, B);
St = StateMgr.getPersistentState(StVals);
// Create an error node if it exists.
if (hasErr)
ProcessNonLeakError(Dst, Builder, ME, Receiver, Pred, St, hasErr);
else
Builder.MakeNode(Dst, ME, Pred, St);
return false;
Ted Kremenek
committed
}
Ted Kremenek
committed
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
// Stores.
void CFRefCount::EvalStore(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* E, ExplodedNode<ValueState>* Pred,
ValueState* St, RVal TargetLV, RVal Val) {
// Check if we have a binding for "Val" and if we are storing it to something
// we don't understand or otherwise the value "escapes" the function.
if (!isa<lval::SymbolVal>(Val))
return;
// Are we storing to something that causes the value to "escape"?
bool escapes = false;
if (!isa<lval::DeclVal>(TargetLV))
escapes = true;
else
escapes = cast<lval::DeclVal>(TargetLV).getDecl()->hasGlobalStorage();
if (!escapes)
return;
SymbolID Sym = cast<lval::SymbolVal>(Val).getSymbol();
RefBindings B = GetRefBindings(*St);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
return;
// Nuke the binding.
St = NukeBinding(Eng.getStateManager(), St, Sym);
Ted Kremenek
committed
// Hand of the remaining logic to the parent implementation.
GRSimpleVals::EvalStore(Dst, Eng, Builder, E, Pred, St, TargetLV, Val);
}
ValueState* CFRefCount::NukeBinding(ValueStateManager& VMgr, ValueState* St,
SymbolID sid) {
ValueState StImpl = *St;
RefBindings B = GetRefBindings(StImpl);
StImpl.CheckerState = RefBFactory.Remove(B, sid).getRoot();
return VMgr.getPersistentState(StImpl);
}
Ted Kremenek
committed
// End-of-path.
ValueState* CFRefCount::HandleSymbolDeath(ValueStateManager& VMgr,
ValueState* St, SymbolID sid,
RefVal V, bool& hasLeak) {
hasLeak = V.isOwned() ||
((V.isNotOwned() || V.isReturnedOwned()) && V.getCount() > 0);
if (!hasLeak)
return NukeBinding(VMgr, St, sid);
RefBindings B = GetRefBindings(*St);
ValueState StImpl = *St;
StImpl.CheckerState = RefBFactory.Add(B, sid, RefVal::makeLeak()).getRoot();
return VMgr.getPersistentState(StImpl);
}
void CFRefCount::EvalEndPath(GRExprEngine& Eng,
Ted Kremenek
committed
GREndPathNodeBuilder<ValueState>& Builder) {
ValueState* St = Builder.getState();
RefBindings B = GetRefBindings(*St);
Ted Kremenek
committed
llvm::SmallVector<SymbolID, 10> Leaked;
Ted Kremenek
committed
for (RefBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
bool hasLeak = false;
Ted Kremenek
committed
St = HandleSymbolDeath(Eng.getStateManager(), St,
(*I).first, (*I).second, hasLeak);
if (hasLeak) Leaked.push_back((*I).first);
}
ExplodedNode<ValueState>* N = Builder.MakeNode(St);
for (llvm::SmallVector<SymbolID, 10>::iterator I=Leaked.begin(),
E = Leaked.end(); I != E; ++I)
Leaks.push_back(std::make_pair(*I, N));
Ted Kremenek
committed
}
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
// Return statements.
void CFRefCount::EvalReturn(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ReturnStmt* S,
ExplodedNode<ValueState>* Pred) {
Expr* RetE = S->getRetValue();
if (!RetE) return;
ValueStateManager& StateMgr = Eng.getStateManager();
ValueState* St = Builder.GetState(Pred);
RVal V = StateMgr.GetRVal(St, RetE);
if (!isa<lval::SymbolVal>(V))
return;
// Get the reference count binding (if any).
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(*St);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
return;
// Change the reference count.
RefVal X = T->getValue().second;
switch (X.getKind()) {
case RefVal::Owned: {
unsigned cnt = X.getCount();
X = RefVal::makeReturnedOwned(cnt);
break;
}
case RefVal::NotOwned: {
unsigned cnt = X.getCount();
X = cnt ? RefVal::makeReturnedOwned(cnt - 1)
: RefVal::makeReturnedNotOwned();
break;
}
default:
// None of the error states should be possible at this point.
// A symbol could not have been leaked (yet) if we are returning it
// (and thus it is still live), and the other errors are hard errors.
assert(false);
return;
}
// Update the binding.
ValueState StImpl = *St;
StImpl.CheckerState = RefBFactory.Add(B, Sym, X).getRoot();
Builder.MakeNode(Dst, S, Pred, StateMgr.getPersistentState(StImpl));
}
CFRefCount::RefBindings CFRefCount::Update(RefBindings B, SymbolID sym,
RefVal V, ArgEffect E,
RefVal::Kind& hasErr) {
// FIXME: This dispatch can potentially be sped up by unifiying it into
// a single switch statement. Opt for simplicity for now.
switch (E) {
default:
assert (false && "Unhandled CFRef transition.");
case DoNothing:
if (V.getKind() == RefVal::Released) {
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
break;
}
return B;
case IncRef:
switch (V.getKind()) {
default:
assert(false);
case RefVal::Owned:
Ted Kremenek
committed
V = RefVal::makeOwned(V.getCount()+1);
break;
case RefVal::NotOwned:
V = RefVal::makeNotOwned(V.getCount()+1);
break;
case RefVal::Released:
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
break;
}
Ted Kremenek
committed
break;
case DecRef:
switch (V.getKind()) {
default:
assert (false);
case RefVal::Owned: {
unsigned Count = V.getCount();
V = Count > 0 ? RefVal::makeOwned(Count - 1) : RefVal::makeReleased();
break;
}
unsigned Count = V.getCount();
if (Count > 0)
V = RefVal::makeNotOwned(Count - 1);
else {
V = RefVal::makeReleaseNotOwned();
hasErr = V.getKind();
break;
case RefVal::Released:
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
break;
}
Ted Kremenek
committed
break;
}
return RefBFactory.Add(B, sym, V);
Ted Kremenek
committed
//===----------------------------------------------------------------------===//
// Error reporting.
Ted Kremenek
committed
//===----------------------------------------------------------------------===//
void UseAfterRelease::EmitWarnings(BugReporter& BR) {
Ted Kremenek
committed
for (CFRefCount::use_after_iterator I = TF.use_after_begin(),
E = TF.use_after_end(); I != E; ++I) {
Ted Kremenek
committed
RangedBugReport report(*this, I->first);
report.addRange(I->second->getSourceRange());
BR.EmitWarning(report);
Ted Kremenek
committed
}
}
void BadRelease::EmitWarnings(BugReporter& BR) {
Ted Kremenek
committed
for (CFRefCount::bad_release_iterator I = TF.bad_release_begin(),
E = TF.bad_release_end(); I != E; ++I) {
Ted Kremenek
committed
RangedBugReport report(*this, I->first);
report.addRange(I->second->getSourceRange());
BR.EmitWarning(report);
}
}
Ted Kremenek
committed
void Leak::EmitWarnings(BugReporter& BR) {
for (CFRefCount::leaks_iterator I = TF.leaks_begin(),
E = TF.leaks_end(); I != E; ++I) {
BugReport report(*this, I->second);
BR.EmitWarning(report);
}
}
//===----------------------------------------------------------------------===//
// Transfer function creation for external clients.
//===----------------------------------------------------------------------===//
GRTransferFuncs* clang::MakeCFRefCountTF(ASTContext& Ctx) {
return new CFRefCount(Ctx);
}