void VisitObjCAtSynchronizedStmt(const ObjCAtSynchronizedStmt *S,
ExplodedNode *Pred, ExplodedNodeSet &Dst);
+ void VisitObjCPropertyRefExpr(const ObjCPropertyRefExpr *E,
+ ExplodedNode *Pred, ExplodedNodeSet &Dst);
+
/// Transfer function logic for computing the lvalue of an Objective-C ivar.
void VisitLvalObjCIvarRefExpr(const ObjCIvarRefExpr* DR, ExplodedNode* Pred,
ExplodedNodeSet& Dst);
namespace loc {
-enum Kind { GotoLabelKind, MemRegionKind, ConcreteIntKind };
+enum Kind { GotoLabelKind, MemRegionKind, ConcreteIntKind, ObjCPropRefKind };
class GotoLabel : public Loc {
public:
}
};
+/// \brief Pseudo-location SVal used by the ExprEngine to simulate a "load" or
+/// "store" of an ObjC property for the dot syntax.
+class ObjCPropRef : public Loc {
+public:
+ explicit ObjCPropRef(const ObjCPropertyRefExpr *E)
+ : Loc(ObjCPropRefKind, E) {}
+
+ const ObjCPropertyRefExpr *getPropRefExpr() const {
+ return static_cast<const ObjCPropertyRefExpr *>(Data);
+ }
+
+ // Implement isa<T> support.
+ static inline bool classof(const SVal* V) {
+ return V->getBaseKind() == LocKind &&
+ V->getSubKind() == ObjCPropRefKind;
+ }
+
+ static inline bool classof(const Loc* V) {
+ return V->getSubKind() == ObjCPropRefKind;
+ }
+};
+
} // end ento::loc namespace
} // end GR namespace
return V.isUnknownOrUndef() ? V : CastRetrievedVal(V, TR, T);
}
+ case loc::ObjCPropRefKind:
case loc::ConcreteIntKind:
// Support direct accesses to memory. It's up to individual checkers
// to flag an error.
else
os << "function call";
}
- else {
- assert (isa<ObjCMessageExpr>(S));
+ else if (isa<ObjCMessageExpr>(S)) {
os << "Method";
+ } else {
+ os << "Property";
}
if (CurrV.getObjKind() == RetEffect::CF) {
return;
}
+ const char *bugDesc = msg.isPropertySetter() ?
+ "Argument for property setter is an uninitialized value"
+ : "Argument in message expression is an uninitialized value";
// Check for any arguments that are uninitialized/undefined.
- PreVisitProcessArgs(C, CallOrObjCMessage(msg, state),
- "Argument in message expression "
- "is an uninitialized value", BT_msg_arg);
+ PreVisitProcessArgs(C, CallOrObjCMessage(msg, state), bugDesc, BT_msg_arg);
}
bool CallAndMessageChecker::evalNilReceiver(CheckerContext &C,
VisitObjCAtSynchronizedStmt(cast<ObjCAtSynchronizedStmt>(S), Pred, Dst);
break;
+ case Stmt::ObjCPropertyRefExprClass:
+ VisitObjCPropertyRefExpr(cast<ObjCPropertyRefExpr>(S), Pred, Dst);
+ break;
+
// Cases not handled yet; but will handle some day.
case Stmt::DesignatedInitExprClass:
case Stmt::ExtVectorElementExprClass:
case Stmt::ObjCAtTryStmtClass:
case Stmt::ObjCEncodeExprClass:
case Stmt::ObjCIsaExprClass:
- case Stmt::ObjCPropertyRefExprClass:
case Stmt::ObjCProtocolExprClass:
case Stmt::ObjCSelectorExprClass:
case Stmt::ObjCStringLiteralClass:
assert(Builder && "StmtNodeBuilder must be defined.");
+ // Proceed with the store. We use AssignE as the anchor for the PostStore
+ // ProgramPoint if it is non-NULL, and LocationE otherwise.
+ const Expr *StoreE = AssignE ? AssignE : LocationE;
+
+ if (isa<loc::ObjCPropRef>(location)) {
+ loc::ObjCPropRef prop = cast<loc::ObjCPropRef>(location);
+ ExplodedNodeSet src = Pred;
+ return VisitObjCMessage(ObjCPropertySetter(prop.getPropRefExpr(),
+ StoreE, Val), src, Dst);
+ }
+
// Evaluate the location (checks for bad dereferences).
ExplodedNodeSet Tmp;
evalLocation(Tmp, LocationE, Pred, state, location, tag, false);
SaveAndRestore<ProgramPoint::Kind> OldSPointKind(Builder->PointKind,
ProgramPoint::PostStoreKind);
- // Proceed with the store. We use AssignE as the anchor for the PostStore
- // ProgramPoint if it is non-NULL, and LocationE otherwise.
- const Expr *StoreE = AssignE ? AssignE : LocationE;
-
for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI)
evalBind(Dst, StoreE, *NI, GetState(*NI), location, Val);
}
const void *tag, QualType LoadTy) {
assert(!isa<NonLoc>(location) && "location cannot be a NonLoc.");
+ if (isa<loc::ObjCPropRef>(location)) {
+ loc::ObjCPropRef prop = cast<loc::ObjCPropRef>(location);
+ ExplodedNodeSet src = Pred;
+ return VisitObjCMessage(ObjCPropertyGetter(prop.getPropRefExpr(), Ex),
+ src, Dst);
+ }
+
// Are we loading from a region? This actually results in two loads; one
// to fetch the address of the referenced value and one to fetch the
// referenced value.
CheckerVisit(CE, Dst, DstTmp3, PostVisitStmtCallback);
}
+//===----------------------------------------------------------------------===//
+// Transfer function: Objective-C dot-syntax to access a property.
+//===----------------------------------------------------------------------===//
+
+void ExprEngine::VisitObjCPropertyRefExpr(const ObjCPropertyRefExpr *Ex,
+ ExplodedNode *Pred,
+ ExplodedNodeSet &Dst) {
+
+ // Visit the base expression, which is needed for computing the lvalue
+ // of the ivar.
+ ExplodedNodeSet dstBase;
+ const Expr *baseExpr = Ex->getBase();
+ Visit(baseExpr, Pred, dstBase);
+
+ ExplodedNodeSet dstPropRef;
+
+ // Using the base, compute the lvalue of the instance variable.
+ for (ExplodedNodeSet::iterator I = dstBase.begin(), E = dstBase.end();
+ I!=E; ++I) {
+ ExplodedNode *nodeBase = *I;
+ const GRState *state = GetState(nodeBase);
+ SVal baseVal = state->getSVal(baseExpr);
+ MakeNode(dstPropRef, Ex, *I, state->BindExpr(Ex, loc::ObjCPropRef(Ex)));
+ }
+
+ Dst.insert(dstPropRef);
+}
+
//===----------------------------------------------------------------------===//
// Transfer function: Objective-C ivar references.
//===----------------------------------------------------------------------===//
ExplodedNodeSet S2;
CheckerVisit(CastE, S2, S1, PreVisitStmtCallback);
- if (CastE->getCastKind() == CK_LValueToRValue) {
+ if (CastE->getCastKind() == CK_LValueToRValue ||
+ CastE->getCastKind() == CK_GetObjCProperty) {
for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I!=E; ++I) {
ExplodedNode *subExprNode = *I;
const GRState *state = GetState(subExprNode);
if (isa<loc::ConcreteInt>(L)) {
return UnknownVal();
}
+ if (!isa<loc::MemRegionVal>(L)) {
+ return UnknownVal();
+ }
const MemRegion *MR = cast<loc::MemRegionVal>(L).getRegion();
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
+#include "clang/AST/ExprObjC.h"
#include "clang/Basic/IdentifierTable.h"
using namespace clang;
case loc::MemRegionKind:
os << '&' << cast<loc::MemRegionVal>(this)->getRegion()->getString();
break;
+ case loc::ObjCPropRefKind: {
+ const ObjCPropertyRefExpr *E = cast<loc::ObjCPropRef>(this)->getPropRefExpr();
+ os << "objc-prop{";
+ if (E->isSuperReceiver())
+ os << "super.";
+ else if (E->getBase())
+ os << "<base>.";
+
+ if (E->isImplicitProperty())
+ os << E->getImplicitPropertyGetter()->getSelector().getAsString();
+ else
+ os << E->getExplicitProperty()->getName();
+
+ os << "}";
+ break;
+ }
default:
assert(false && "Pretty-printing not implemented for this Loc.");
break;
--- /dev/null
+// RUN: %clang_cc1 -analyze -analyzer-check-objc-mem -analyzer-store=region -verify %s
+
+typedef signed char BOOL;
+typedef unsigned int NSUInteger;
+typedef struct _NSZone NSZone;
+@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
+@protocol NSObject - (BOOL)isEqual:(id)object; @end
+@protocol NSCopying - (id)copyWithZone:(NSZone *)zone; @end
+@protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; @end
+@protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone; @end
+@interface NSObject <NSObject> {}
++(id)alloc;
+-(id)init;
+-(id)autorelease;
+-(id)copy;
+-(id)retain;
+@end
+@interface NSString : NSObject <NSCopying, NSMutableCopying, NSCoding>
+- (NSUInteger)length;
+-(id)initWithFormat:(NSString *)f,...;
+-(BOOL)isEqualToString:(NSString *)s;
++ (id)string;
+@end
+@interface NSNumber : NSObject {}
++(id)alloc;
+-(id)initWithInteger:(int)i;
+@end
+
+// rdar://6946338
+
+@interface Test1 : NSObject {
+ NSString *text;
+}
+-(id)myMethod;
+@property (nonatomic, assign) NSString *text;
+@end
+
+
+@implementation Test1
+
+@synthesize text;
+
+-(id)myMethod {
+ Test1 *cell = [[[Test1 alloc] init] autorelease];
+
+ NSString *string1 = [[NSString alloc] initWithFormat:@"test %f", 0.0]; // expected-warning {{Potential leak}}
+ cell.text = string1;
+
+ return cell;
+}
+
+@end
+
+
+// rdar://8824416
+
+@interface MyNumber : NSObject
+{
+ NSNumber* _myNumber;
+}
+
+- (id)initWithNumber:(NSNumber *)number;
+
+@property (nonatomic, readonly) NSNumber* myNumber;
+@property (nonatomic, readonly) NSNumber* newMyNumber;
+
+@end
+
+@implementation MyNumber
+@synthesize myNumber=_myNumber;
+
+- (id)initWithNumber:(NSNumber *)number
+{
+ self = [super init];
+
+ if ( self )
+ {
+ _myNumber = [number copy];
+ }
+
+ return self;
+}
+
+- (NSNumber*)newMyNumber
+{
+ if ( _myNumber )
+ return [_myNumber retain];
+
+ return [[NSNumber alloc] initWithInteger:1];
+}
+
+- (id)valueForUndefinedKey:(NSString*)key
+{
+ id value = 0;
+
+ if ([key isEqualToString:@"MyIvarNumberAsPropertyOverReleased"])
+ value = self.myNumber; // _myNumber will be over released, since the value returned from self.myNumber is not retained.
+ else if ([key isEqualToString:@"MyIvarNumberAsPropertyOk"])
+ value = [self.myNumber retain]; // this line fixes the over release
+ else if ([key isEqualToString:@"MyIvarNumberAsNewMyNumber"])
+ value = self.newMyNumber; // this one is ok, since value is returned retained
+ else
+ value = [[NSNumber alloc] initWithInteger:0];
+
+ return [value autorelease]; // expected-warning {{Object sent -autorelease too many times}}
+}
+
+@end
+
+NSNumber* numberFromMyNumberProperty(MyNumber* aMyNumber)
+{
+ NSNumber* result = aMyNumber.myNumber;
+
+ return [result autorelease]; // expected-warning {{Object sent -autorelease too many times}}
+}
+
+
+// rdar://6611873
+
+@interface Person : NSObject {
+ NSString *_name;
+}
+@property (retain) NSString * name;
+@end
+
+@implementation Person
+@synthesize name = _name;
+@end
+
+void rdar6611873() {
+ Person *p = [[[Person alloc] init] autorelease];
+
+ p.name = [[NSString string] retain]; // expected-warning {{leak}}
+ p.name = [[NSString alloc] init]; // expected-warning {{leak}}
+}
projects / clang / commitdiff