Newer
Older
Ted Kremenek
committed
if (State)
Out << sep << nl;
for (RefBindings::iterator I=B.begin(), E=B.end(); I!=E; ++I) {
Out << (*I).first << " : ";
(*I).second.print(Out);
Out << nl;
}
}
static inline ArgEffect GetArgE(RetainSummary* Summ, unsigned idx) {
return Summ ? Summ->getArg(idx) : DoNothing;
}
static inline RetEffect GetRetEffect(RetainSummary* Summ) {
return Summ ? Summ->getRetEffect() : RetEffect::MakeNoRet();
static inline ArgEffect GetReceiverE(RetainSummary* Summ) {
return Summ ? Summ->getReceiverEffect() : DoNothing;
}
void CFRefCount::ProcessNonLeakError(ExplodedNodeSet<ValueState>& Dst,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* NodeExpr, Expr* ErrorExpr,
ExplodedNode<ValueState>* Pred,
ValueState* St,
RefVal::Kind hasErr, SymbolID Sym) {
Builder.BuildSinks = true;
GRExprEngine::NodeTy* N = Builder.MakeNode(Dst, NodeExpr, Pred, St);
if (!N) return;
switch (hasErr) {
default: assert(false);
case RefVal::ErrorUseAfterRelease:
UseAfterReleases[N] = std::make_pair(ErrorExpr, Sym);
break;
case RefVal::ErrorReleaseNotOwned:
ReleasesNotOwned[N] = std::make_pair(ErrorExpr, Sym);
break;
}
}
void CFRefCount::EvalSummary(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* Ex,
Expr* Receiver,
RetainSummary* Summ,
Expr** arg_beg, Expr** arg_end,
ExplodedNode<ValueState>* Pred) {
Ted Kremenek
committed
// Get the state.
ValueStateManager& StateMgr = Eng.getStateManager();
ValueState* St = Builder.GetState(Pred);
// Evaluate the effect of the arguments.
ValueState StVals = *St;
RefVal::Kind hasErr = (RefVal::Kind) 0;
unsigned idx = 0;
Expr* ErrorExpr = NULL;
SymbolID ErrorSym = 0;
for (Expr **I = arg_beg, **E = arg_end; I != E; ++I, ++idx) {
RVal V = StateMgr.GetRVal(St, *I);
if (isa<lval::SymbolVal>(V)) {
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(StVals);
if (RefBindings::TreeTy* T = B.SlimFind(Sym)) {
B = Update(B, Sym, T->getValue().second, GetArgE(Summ, idx), hasErr);
SetRefBindings(StVals, B);
if (hasErr) {
ErrorExpr = *I;
ErrorSym = T->getValue().first;
break;
}
else if (isa<LVal>(V)) {
// Nuke all arguments passed by reference.
StateMgr.Unbind(StVals, cast<LVal>(V));
else if (isa<nonlval::LValAsInteger>(V))
StateMgr.Unbind(StVals, cast<nonlval::LValAsInteger>(V).getLVal());
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
// Evaluate the effect on the message receiver.
if (!ErrorExpr && Receiver) {
RVal V = StateMgr.GetRVal(St, Receiver);
if (isa<lval::SymbolVal>(V)) {
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(StVals);
if (RefBindings::TreeTy* T = B.SlimFind(Sym)) {
B = Update(B, Sym, T->getValue().second, GetReceiverE(Summ), hasErr);
SetRefBindings(StVals, B);
if (hasErr) {
ErrorExpr = Receiver;
ErrorSym = T->getValue().first;
}
}
}
}
// Get the persistent state.
St = StateMgr.getPersistentState(StVals);
if (hasErr) {
ProcessNonLeakError(Dst, Builder, Ex, ErrorExpr, Pred, St,
hasErr, ErrorSym);
// Finally, consult the summary for the return value.
RetEffect RE = GetRetEffect(Summ);
switch (RE.getKind()) {
default:
assert (false && "Unhandled RetEffect."); break;
Ted Kremenek
committed
case RetEffect::NoRet:
// Make up a symbol for the return value (not reference counted).
// FIXME: This is basically copy-and-paste from GRSimpleVals. We
// should compose behavior, not copy it.
if (Ex->getType() != Eng.getContext().VoidTy) {
unsigned Count = Builder.getCurrentBlockCount();
SymbolID Sym = Eng.getSymbolManager().getConjuredSymbol(Ex, Count);
RVal X = Ex->getType()->isPointerType()
? cast<RVal>(lval::SymbolVal(Sym))
: cast<RVal>(nonlval::SymbolVal(Sym));
St = StateMgr.SetRVal(St, Ex, X, Eng.getCFG().isBlkExpr(Ex), false);
Ted Kremenek
committed
break;
case RetEffect::Alias: {
unsigned idx = RE.getValue();
assert ((arg_end - arg_beg) >= 0);
assert (idx < (unsigned) (arg_end - arg_beg));
RVal V = StateMgr.GetRVal(St, arg_beg[idx]);
St = StateMgr.SetRVal(St, Ex, V, Eng.getCFG().isBlkExpr(Ex), false);
break;
}
case RetEffect::ReceiverAlias: {
assert (Receiver);
RVal V = StateMgr.GetRVal(St, Receiver);
St = StateMgr.SetRVal(St, Ex, V, Eng.getCFG().isBlkExpr(Ex), false);
break;
}
case RetEffect::OwnedSymbol: {
unsigned Count = Builder.getCurrentBlockCount();
SymbolID Sym = Eng.getSymbolManager().getConjuredSymbol(Ex, Count);
ValueState StImpl = *St;
RefBindings B = GetRefBindings(StImpl);
SetRefBindings(StImpl, RefBFactory.Add(B, Sym, RefVal::makeOwned()));
St = StateMgr.SetRVal(StateMgr.getPersistentState(StImpl),
Ex, lval::SymbolVal(Sym),
Eng.getCFG().isBlkExpr(Ex), false);
break;
}
case RetEffect::NotOwnedSymbol: {
unsigned Count = Builder.getCurrentBlockCount();
SymbolID Sym = Eng.getSymbolManager().getConjuredSymbol(Ex, Count);
ValueState StImpl = *St;
RefBindings B = GetRefBindings(StImpl);
SetRefBindings(StImpl, RefBFactory.Add(B, Sym, RefVal::makeNotOwned()));
St = StateMgr.SetRVal(StateMgr.getPersistentState(StImpl),
Ex, lval::SymbolVal(Sym),
Eng.getCFG().isBlkExpr(Ex), false);
break;
}
}
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
Builder.MakeNode(Dst, Ex, Pred, St);
}
void CFRefCount::EvalCall(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
CallExpr* CE, RVal L,
ExplodedNode<ValueState>* Pred) {
RetainSummary* Summ = NULL;
// Get the summary.
if (isa<lval::FuncVal>(L)) {
lval::FuncVal FV = cast<lval::FuncVal>(L);
FunctionDecl* FD = FV.getDecl();
Summ = Summaries.getSummary(FD, Eng.getContext());
}
EvalSummary(Dst, Eng, Builder, CE, 0, Summ,
CE->arg_begin(), CE->arg_end(), Pred);
Ted Kremenek
committed
}
Ted Kremenek
committed
void CFRefCount::EvalObjCMessageExpr(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ObjCMessageExpr* ME,
ExplodedNode<ValueState>* Pred) {
RetainSummary* Summ;
Ted Kremenek
committed
if (ME->getReceiver())
Summ = Summaries.getMethodSummary(ME->getSelector());
else
Summ = Summaries.getInstanceMethodSummary(ME->getClassName(),
ME->getSelector());
EvalSummary(Dst, Eng, Builder, ME, ME->getReceiver(), Summ,
ME->arg_begin(), ME->arg_end(), Pred);
Ted Kremenek
committed
}
Ted Kremenek
committed
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
// Stores.
void CFRefCount::EvalStore(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
Expr* E, ExplodedNode<ValueState>* Pred,
ValueState* St, RVal TargetLV, RVal Val) {
// Check if we have a binding for "Val" and if we are storing it to something
// we don't understand or otherwise the value "escapes" the function.
if (!isa<lval::SymbolVal>(Val))
return;
// Are we storing to something that causes the value to "escape"?
bool escapes = false;
if (!isa<lval::DeclVal>(TargetLV))
escapes = true;
else
escapes = cast<lval::DeclVal>(TargetLV).getDecl()->hasGlobalStorage();
if (!escapes)
return;
SymbolID Sym = cast<lval::SymbolVal>(Val).getSymbol();
RefBindings B = GetRefBindings(*St);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
return;
// Nuke the binding.
St = NukeBinding(Eng.getStateManager(), St, Sym);
Ted Kremenek
committed
// Hand of the remaining logic to the parent implementation.
GRSimpleVals::EvalStore(Dst, Eng, Builder, E, Pred, St, TargetLV, Val);
}
ValueState* CFRefCount::NukeBinding(ValueStateManager& VMgr, ValueState* St,
SymbolID sid) {
ValueState StImpl = *St;
RefBindings B = GetRefBindings(StImpl);
StImpl.CheckerState = RefBFactory.Remove(B, sid).getRoot();
return VMgr.getPersistentState(StImpl);
}
Ted Kremenek
committed
// End-of-path.
ValueState* CFRefCount::HandleSymbolDeath(ValueStateManager& VMgr,
ValueState* St, SymbolID sid,
RefVal V, bool& hasLeak) {
hasLeak = V.isOwned() ||
((V.isNotOwned() || V.isReturnedOwned()) && V.getCount() > 0);
if (!hasLeak)
return NukeBinding(VMgr, St, sid);
RefBindings B = GetRefBindings(*St);
ValueState StImpl = *St;
StImpl.CheckerState =
RefBFactory.Add(B, sid, RefVal::makeLeak(GetCount(V))).getRoot();
return VMgr.getPersistentState(StImpl);
}
void CFRefCount::EvalEndPath(GRExprEngine& Eng,
Ted Kremenek
committed
GREndPathNodeBuilder<ValueState>& Builder) {
ValueState* St = Builder.getState();
RefBindings B = GetRefBindings(*St);
Ted Kremenek
committed
llvm::SmallVector<SymbolID, 10> Leaked;
Ted Kremenek
committed
for (RefBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
bool hasLeak = false;
Ted Kremenek
committed
St = HandleSymbolDeath(Eng.getStateManager(), St,
(*I).first, (*I).second, hasLeak);
if (hasLeak) Leaked.push_back((*I).first);
}
Ted Kremenek
committed
if (Leaked.empty())
return;
ExplodedNode<ValueState>* N = Builder.MakeNode(St);
Ted Kremenek
committed
Ted Kremenek
committed
if (!N)
Ted Kremenek
committed
return;
std::vector<SymbolID>*& LeaksAtNode = Leaks[N];
assert (!LeaksAtNode);
LeaksAtNode = new std::vector<SymbolID>();
for (llvm::SmallVector<SymbolID, 10>::iterator I=Leaked.begin(),
E = Leaked.end(); I != E; ++I)
(*LeaksAtNode).push_back(*I);
Ted Kremenek
committed
}
Ted Kremenek
committed
// Dead symbols.
void CFRefCount::EvalDeadSymbols(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ExplodedNode<ValueState>* Pred,
Stmt* S,
Ted Kremenek
committed
ValueState* St,
const ValueStateManager::DeadSymbolsTy& Dead) {
Ted Kremenek
committed
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
// FIXME: a lot of copy-and-paste from EvalEndPath. Refactor.
RefBindings B = GetRefBindings(*St);
llvm::SmallVector<SymbolID, 10> Leaked;
for (ValueStateManager::DeadSymbolsTy::const_iterator
I=Dead.begin(), E=Dead.end(); I!=E; ++I) {
RefBindings::TreeTy* T = B.SlimFind(*I);
if (!T)
continue;
bool hasLeak = false;
St = HandleSymbolDeath(Eng.getStateManager(), St,
*I, T->getValue().second, hasLeak);
if (hasLeak) Leaked.push_back(*I);
}
if (Leaked.empty())
return;
ExplodedNode<ValueState>* N = Builder.MakeNode(Dst, S, Pred, St);
if (!N)
return;
std::vector<SymbolID>*& LeaksAtNode = Leaks[N];
assert (!LeaksAtNode);
LeaksAtNode = new std::vector<SymbolID>();
for (llvm::SmallVector<SymbolID, 10>::iterator I=Leaked.begin(),
E = Leaked.end(); I != E; ++I)
(*LeaksAtNode).push_back(*I);
}
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
// Return statements.
void CFRefCount::EvalReturn(ExplodedNodeSet<ValueState>& Dst,
GRExprEngine& Eng,
GRStmtNodeBuilder<ValueState>& Builder,
ReturnStmt* S,
ExplodedNode<ValueState>* Pred) {
Expr* RetE = S->getRetValue();
if (!RetE) return;
ValueStateManager& StateMgr = Eng.getStateManager();
ValueState* St = Builder.GetState(Pred);
RVal V = StateMgr.GetRVal(St, RetE);
if (!isa<lval::SymbolVal>(V))
return;
// Get the reference count binding (if any).
SymbolID Sym = cast<lval::SymbolVal>(V).getSymbol();
RefBindings B = GetRefBindings(*St);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
return;
// Change the reference count.
RefVal X = T->getValue().second;
switch (X.getKind()) {
case RefVal::Owned: {
unsigned cnt = X.getCount();
X = RefVal::makeReturnedOwned(cnt);
break;
}
case RefVal::NotOwned: {
unsigned cnt = X.getCount();
X = cnt ? RefVal::makeReturnedOwned(cnt - 1)
: RefVal::makeReturnedNotOwned();
break;
}
default:
return;
}
// Update the binding.
ValueState StImpl = *St;
StImpl.CheckerState = RefBFactory.Add(B, Sym, X).getRoot();
Builder.MakeNode(Dst, S, Pred, StateMgr.getPersistentState(StImpl));
}
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
// Assumptions.
ValueState* CFRefCount::EvalAssume(GRExprEngine& Eng, ValueState* St,
RVal Cond, bool Assumption,
bool& isFeasible) {
// FIXME: We may add to the interface of EvalAssume the list of symbols
// whose assumptions have changed. For now we just iterate through the
// bindings and check if any of the tracked symbols are NULL. This isn't
// too bad since the number of symbols we will track in practice are
// probably small and EvalAssume is only called at branches and a few
// other places.
RefBindings B = GetRefBindings(*St);
if (B.isEmpty())
return St;
bool changed = false;
for (RefBindings::iterator I=B.begin(), E=B.end(); I!=E; ++I) {
// Check if the symbol is null (or equal to any constant).
// If this is the case, stop tracking the symbol.
if (St->getSymVal(I.getKey())) {
changed = true;
B = RefBFactory.Remove(B, I.getKey());
}
}
if (!changed)
return St;
ValueState StImpl = *St;
StImpl.CheckerState = B.getRoot();
return Eng.getStateManager().getPersistentState(StImpl);
}
CFRefCount::RefBindings CFRefCount::Update(RefBindings B, SymbolID sym,
RefVal V, ArgEffect E,
RefVal::Kind& hasErr) {
// FIXME: This dispatch can potentially be sped up by unifiying it into
// a single switch statement. Opt for simplicity for now.
switch (E) {
default:
assert (false && "Unhandled CFRef transition.");
case DoNothing:
if (!isGCEnabled() && V.getKind() == RefVal::Released) {
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
break;
}
return B;
case StopTracking:
return RefBFactory.Remove(B, sym);
case IncRef:
switch (V.getKind()) {
default:
assert(false);
case RefVal::Owned:
Ted Kremenek
committed
V = RefVal::makeOwned(V.getCount()+1);
break;
case RefVal::NotOwned:
V = RefVal::makeNotOwned(V.getCount()+1);
break;
case RefVal::Released:
if (isGCEnabled())
V = RefVal::makeOwned();
else {
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
}
break;
}
Ted Kremenek
committed
break;
case DecRef:
switch (V.getKind()) {
default:
assert (false);
case RefVal::Owned: {
unsigned Count = V.getCount();
V = Count > 0 ? RefVal::makeOwned(Count - 1) : RefVal::makeReleased();
break;
}
unsigned Count = V.getCount();
if (Count > 0)
V = RefVal::makeNotOwned(Count - 1);
else {
V = RefVal::makeReleaseNotOwned();
hasErr = V.getKind();
break;
case RefVal::Released:
V = RefVal::makeUseAfterRelease();
hasErr = V.getKind();
break;
}
Ted Kremenek
committed
break;
}
return RefBFactory.Add(B, sym, V);
Ted Kremenek
committed
//===----------------------------------------------------------------------===//
// Error reporting.
Ted Kremenek
committed
//===----------------------------------------------------------------------===//
namespace {
//===-------------===//
// Bug Descriptions. //
//===-------------===//
class VISIBILITY_HIDDEN CFRefBug : public BugTypeCacheLocation {
protected:
CFRefCount& TF;
public:
CFRefBug(CFRefCount& tf) : TF(tf) {}
CFRefCount& getTF() { return TF; }
const CFRefCount& getTF() const { return TF; }
Ted Kremenek
committed
virtual bool isLeak() const { return false; }
};
class VISIBILITY_HIDDEN UseAfterRelease : public CFRefBug {
public:
UseAfterRelease(CFRefCount& tf) : CFRefBug(tf) {}
virtual const char* getName() const {
}
virtual const char* getDescription() const {
return "Reference-counted object is used"
" after it is released.";
}
virtual void EmitWarnings(BugReporter& BR);
};
class VISIBILITY_HIDDEN BadRelease : public CFRefBug {
public:
BadRelease(CFRefCount& tf) : CFRefBug(tf) {}
virtual const char* getName() const {
}
virtual const char* getDescription() const {
return "Incorrect decrement of the reference count of a "
"The object is not owned at this point by the caller.";
}
virtual void EmitWarnings(BugReporter& BR);
};
class VISIBILITY_HIDDEN Leak : public CFRefBug {
public:
Leak(CFRefCount& tf) : CFRefBug(tf) {}
virtual const char* getName() const {
return getTF().isGCEnabled() ? "Memory Leak (GC)" : "Memory Leak";
}
virtual const char* getDescription() const {
}
virtual void EmitWarnings(BugReporter& BR);
virtual void GetErrorNodes(std::vector<ExplodedNode<ValueState>*>& Nodes);
Ted Kremenek
committed
virtual bool isLeak() const { return true; }
};
//===---------===//
// Bug Reports. //
//===---------===//
class VISIBILITY_HIDDEN CFRefReport : public RangedBugReport {
SymbolID Sym;
public:
CFRefReport(CFRefBug& D, ExplodedNode<ValueState> *n, SymbolID sym)
: RangedBugReport(D, n), Sym(sym) {}
virtual ~CFRefReport() {}
CFRefBug& getBugType() {
return (CFRefBug&) RangedBugReport::getBugType();
}
const CFRefBug& getBugType() const {
return (const CFRefBug&) RangedBugReport::getBugType();
}
virtual void getRanges(BugReporter& BR, const SourceRange*& beg,
const SourceRange*& end) {
if (!getBugType().isLeak())
RangedBugReport::getRanges(BR, beg, end);
else {
beg = 0;
end = 0;
}
}
Ted Kremenek
committed
virtual PathDiagnosticPiece* getEndPath(BugReporter& BR,
ExplodedNode<ValueState>* N);
virtual std::pair<const char**,const char**> getExtraDescriptiveText();
virtual PathDiagnosticPiece* VisitNode(ExplodedNode<ValueState>* N,
ExplodedNode<ValueState>* PrevN,
ExplodedGraph<ValueState>& G,
BugReporter& BR);
};
} // end anonymous namespace
void CFRefCount::RegisterChecks(GRExprEngine& Eng) {
Ted Kremenek
committed
if (EmitStandardWarnings) GRSimpleVals::RegisterChecks(Eng);
Eng.Register(new UseAfterRelease(*this));
Eng.Register(new BadRelease(*this));
Eng.Register(new Leak(*this));
}
static const char* Msgs[] = {
"Code is compiled in garbage collection only mode" // GC only
" (the bug occurs with garbage collection enabled).",
"Code is compiled without garbage collection.", // No GC.
"Code is compiled for use with and without garbage collection (GC)."
" The bug occurs with GC enabled.", // Hybrid, with GC.
"Code is compiled for use with and without garbage collection (GC)."
" The bug occurs in non-GC mode." // Hyrbird, without GC/
};
std::pair<const char**,const char**> CFRefReport::getExtraDescriptiveText() {
CFRefCount& TF = static_cast<CFRefBug&>(getBugType()).getTF();
switch (TF.getLangOptions().getGCMode()) {
default:
assert(false);
case LangOptions::GCOnly:
assert (TF.isGCEnabled());
return std::make_pair(&Msgs[0], &Msgs[0]+1);
case LangOptions::NonGC:
assert (!TF.isGCEnabled());
return std::make_pair(&Msgs[1], &Msgs[1]+1);
case LangOptions::HybridGC:
if (TF.isGCEnabled())
return std::make_pair(&Msgs[2], &Msgs[2]+1);
else
return std::make_pair(&Msgs[3], &Msgs[3]+1);
}
}
PathDiagnosticPiece* CFRefReport::VisitNode(ExplodedNode<ValueState>* N,
ExplodedNode<ValueState>* PrevN,
ExplodedGraph<ValueState>& G,
BugReporter& BR) {
// Check if the type state has changed.
ValueState* PrevSt = PrevN->getState();
ValueState* CurrSt = N->getState();
CFRefCount::RefBindings PrevB = CFRefCount::GetRefBindings(*PrevSt);
CFRefCount::RefBindings CurrB = CFRefCount::GetRefBindings(*CurrSt);
CFRefCount::RefBindings::TreeTy* PrevT = PrevB.SlimFind(Sym);
CFRefCount::RefBindings::TreeTy* CurrT = CurrB.SlimFind(Sym);
if (!CurrT)
return NULL;
const char* Msg = NULL;
RefVal CurrV = CurrB.SlimFind(Sym)->getValue().second;
Stmt* S = cast<PostStmt>(N->getLocation()).getStmt();
if (CurrV.isOwned()) {
if (isa<CallExpr>(S))
Msg = "Function call returns an object with a +1 retain count"
" (owning reference).";
else {
assert (isa<ObjCMessageExpr>(S));
Msg = "Method returns an object with a +1 retain count"
" (owning reference).";
}
}
else {
assert (CurrV.isNotOwned());
if (isa<CallExpr>(S))
Msg = "Function call returns an object with a +0 retain count"
" (non-owning reference).";
else {
assert (isa<ObjCMessageExpr>(S));
Msg = "Method returns an object with a +0 retain count"
" (non-owning reference).";
}
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
FullSourceLoc Pos(S->getLocStart(), BR.getContext().getSourceManager());
PathDiagnosticPiece* P = new PathDiagnosticPiece(Pos, Msg);
if (Expr* Exp = dyn_cast<Expr>(S))
P->addRange(Exp->getSourceRange());
return P;
}
// Determine if the typestate has changed.
RefVal PrevV = PrevB.SlimFind(Sym)->getValue().second;
if (PrevV == CurrV)
return NULL;
// The typestate has changed.
std::ostringstream os;
switch (CurrV.getKind()) {
case RefVal::Owned:
case RefVal::NotOwned:
assert (PrevV.getKind() == CurrV.getKind());
if (PrevV.getCount() > CurrV.getCount())
os << "Reference count decremented.";
else
os << "Reference count incremented.";
if (unsigned Count = GetCount(CurrV)) {
os << " Object has +" << Count;
Msg = os.str().c_str();
break;
case RefVal::Released:
Msg = "Object released.";
break;
case RefVal::ReturnedOwned:
Msg = "Object returned to caller as owning reference (single retain count"
" transferred to caller).";
break;
case RefVal::ReturnedNotOwned:
Msg = "Object returned to caller with a +0 (non-owning) retain count.";
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
break;
default:
return NULL;
}
Stmt* S = cast<PostStmt>(N->getLocation()).getStmt();
FullSourceLoc Pos(S->getLocStart(), BR.getContext().getSourceManager());
PathDiagnosticPiece* P = new PathDiagnosticPiece(Pos, Msg);
// Add the range by scanning the children of the statement for any bindings
// to Sym.
ValueStateManager& VSM = BR.getEngine().getStateManager();
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I)
if (Expr* Exp = dyn_cast_or_null<Expr>(*I)) {
RVal X = VSM.GetRVal(CurrSt, Exp);
if (lval::SymbolVal* SV = dyn_cast<lval::SymbolVal>(&X))
if (SV->getSymbol() == Sym) {
P->addRange(Exp->getSourceRange()); break;
}
}
return P;
}
Ted Kremenek
committed
PathDiagnosticPiece* CFRefReport::getEndPath(BugReporter& BR,
ExplodedNode<ValueState>* EndN) {
Ted Kremenek
committed
if (!getBugType().isLeak())
return RangedBugReport::getEndPath(BR, EndN);
Ted Kremenek
committed
typedef CFRefCount::RefBindings RefBindings;
// Get the retain count.
unsigned long RetCount = 0;
{
ValueState* St = EndN->getState();
RefBindings B = RefBindings((RefBindings::TreeTy*) St->CheckerState);
RefBindings::TreeTy* T = B.SlimFind(Sym);
assert (T);
RetCount = GetCount(T->getValue().second);
}
Ted Kremenek
committed
// We are a leak. Walk up the graph to get to the first node where the
// symbol appeared.
ExplodedNode<ValueState>* N = EndN;
Ted Kremenek
committed
ExplodedNode<ValueState>* Last = N;
// Find the first node that referred to the tracked symbol. We also
// try and find the first VarDecl the value was stored to.
VarDecl* FirstDecl = 0;
Ted Kremenek
committed
while (N) {
ValueState* St = N->getState();
RefBindings B = RefBindings((RefBindings::TreeTy*) St->CheckerState);
RefBindings::TreeTy* T = B.SlimFind(Sym);
if (!T)
Ted Kremenek
committed
break;
VarDecl* VD = 0;
// Determine if there is an LVal binding to the symbol.
for (ValueState::vb_iterator I=St->vb_begin(), E=St->vb_end(); I!=E; ++I) {
if (!isa<lval::SymbolVal>(I->second) // Is the value a symbol?
|| cast<lval::SymbolVal>(I->second).getSymbol() != Sym)
continue;
if (VD) { // Multiple decls map to this symbol.
VD = 0;
break;
}
VD = I->first;
}
if (VD) FirstDecl = VD;
Ted Kremenek
committed
Last = N;
N = N->pred_empty() ? NULL : *(N->pred_begin());
}
// Get the allocate site.
Ted Kremenek
committed
assert (Last);
Stmt* FirstStmt = cast<PostStmt>(Last->getLocation()).getStmt();
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
SourceManager& SMgr = BR.getContext().getSourceManager();
unsigned AllocLine = SMgr.getLogicalLineNumber(FirstStmt->getLocStart());
// Get the leak site. We may have multiple ExplodedNodes (one with the
// leak) that occur on the same line number; if the node with the leak
// has any immediate predecessor nodes with the same line number, find
// any transitive-successors that have a different statement and use that
// line number instead. This avoids emiting a diagnostic like:
//
// // 'y' is leaked.
// int x = foo(y);
//
// instead we want:
//
// int x = foo(y);
// // 'y' is leaked.
Stmt* S = getStmt(BR); // This is the statement where the leak occured.
assert (S);
unsigned EndLine = SMgr.getLogicalLineNumber(S->getLocStart());
// Look in the *trimmed* graph at the immediate predecessor of EndN. Does
// it occur on the same line?
assert (!EndN->pred_empty()); // Not possible to have 0 predecessors.
N = *(EndN->pred_begin());
do {
ProgramPoint P = N->getLocation();
if (!isa<PostStmt>(P))
break;
// Predecessor at same line?
Stmt* SPred = cast<PostStmt>(P).getStmt();
if (SMgr.getLogicalLineNumber(SPred->getLocStart()) != EndLine)
break;
// The predecessor (where the object was not yet leaked) is a statement
// on the same line. Get the first successor statement that appears
// on a different line. For this operation, we can traverse the
// non-trimmed graph.
N = getEndNode(); // This is the node where the leak occured in the
// original graph.
while (!N->succ_empty()) {
N = *(N->succ_begin());
ProgramPoint P = N->getLocation();
if (!isa<PostStmt>(P))
continue;
Stmt* SSucc = cast<PostStmt>(P).getStmt();
if (SMgr.getLogicalLineNumber(SSucc->getLocStart()) != EndLine) {
S = SSucc;
break;
}
}