CE_CXXAllocator,
CE_BEG_FUNCTION_CALLS = CE_Function,
CE_END_FUNCTION_CALLS = CE_CXXAllocator,
- CE_ObjCMessage,
- CE_ObjCPropertyAccess,
- CE_BEG_OBJC_CALLS = CE_ObjCMessage,
- CE_END_OBJC_CALLS = CE_ObjCPropertyAccess
+ CE_ObjCMessage
};
}
};
+/// \brief Represents the ways an Objective-C message send can occur.
+//
+// Note to maintainers: OCM_Message should always be last, since it does not
+// need to fit in the Data field's low bits.
+enum ObjCMessageKind {
+ OCM_PropertyAccess,
+ OCM_Subscript,
+ OCM_Message
+};
+
/// \brief Represents any expression that calls an Objective-C method.
+///
+/// This includes all of the kinds listed in ObjCMessageKind.
class ObjCMethodCall : public CallEvent {
friend class CallEvent;
-protected:
- ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St,
- const LocationContext *LCtx, Kind K)
- : CallEvent(Msg, St, LCtx, K) {}
+ const PseudoObjectExpr *getContainingPseudoObjectExpr() const;
+protected:
void getExtraInvalidatedRegions(RegionList &Regions) const;
QualType getDeclaredResultType() const;
public:
- const ObjCMessageExpr *getOriginExpr() const {
- return cast<ObjCMessageExpr>(CallEvent::getOriginExpr());
+ ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St,
+ const LocationContext *LCtx)
+ : CallEvent(Msg, St, LCtx, CE_ObjCMessage) {
+ Data = 0;
}
- Selector getSelector() const {
- return getOriginExpr()->getSelector();
- }
- bool isInstanceMessage() const {
- return getOriginExpr()->isInstanceMessage();
- }
- ObjCMethodFamily getMethodFamily() const {
- return getOriginExpr()->getMethodFamily();
+ const ObjCMessageExpr *getOriginExpr() const {
+ return cast<ObjCMessageExpr>(CallEvent::getOriginExpr());
}
-
const ObjCMethodDecl *getDecl() const {
return getOriginExpr()->getMethodDecl();
}
-
- SourceRange getSourceRange() const {
- return getOriginExpr()->getSourceRange();
- }
unsigned getNumArgs() const {
return getOriginExpr()->getNumArgs();
}
return getOriginExpr()->getArg(Index);
}
+ bool isInstanceMessage() const {
+ return getOriginExpr()->isInstanceMessage();
+ }
+ ObjCMethodFamily getMethodFamily() const {
+ return getOriginExpr()->getMethodFamily();
+ }
+ Selector getSelector() const {
+ return getOriginExpr()->getSelector();
+ }
+
+ SourceRange getSourceRange() const;
+
/// \brief Returns the value of the receiver at the time of this call.
SVal getReceiverSVal() const;
- /// \brief Returns the expression for the receiver of this message if it is
- /// an instance message.
- ///
- /// Returns NULL otherwise.
- /// \sa ObjCMessageExpr::getInstanceReceiver()
- const Expr *getInstanceReceiverExpr() const {
- return getOriginExpr()->getInstanceReceiver();
- }
-
/// \brief Get the interface for the receiver.
///
/// This works whether this is an instance message or a class message.
return getOriginExpr()->getReceiverInterface();
}
- SourceRange getReceiverSourceRange() const {
- return getOriginExpr()->getReceiverRange();
+ ObjCMessageKind getMessageKind() const;
+
+ bool isSetter() const {
+ switch (getMessageKind()) {
+ case OCM_Message:
+ llvm_unreachable("This is not a pseudo-object access!");
+ case OCM_PropertyAccess:
+ return getNumArgs() > 0;
+ case OCM_Subscript:
+ return getNumArgs() > 1;
+ }
+ llvm_unreachable("Unknown message kind");
}
const Decl *getDefinition(bool &IsDynamicDispatch) const {
IsDynamicDispatch = true;
const ObjCMethodDecl *MD = getDecl();
+ if (!MD)
+ return 0;
+
for (Decl::redecl_iterator I = MD->redecls_begin(), E = MD->redecls_end();
I != E; ++I) {
if (cast<ObjCMethodDecl>(*I)->isThisDeclarationADefinition())
return getArgExpr(Index)->getSourceRange();
}
-
param_iterator param_begin(bool UseDefinitionParams = false) const;
param_iterator param_end(bool UseDefinitionParams = false) const;
- static bool classof(const CallEvent *CA) {
- return CA->getKind() >= CE_BEG_OBJC_CALLS &&
- CA->getKind() <= CE_END_OBJC_CALLS;
- }
-};
-
-/// \brief Represents an explicit message send to an Objective-C object.
-///
-/// Example: [obj descriptionWithLocale:locale];
-class ObjCMessageSend : public ObjCMethodCall {
-public:
- ObjCMessageSend(const ObjCMessageExpr *Msg, ProgramStateRef St,
- const LocationContext *LCtx)
- : ObjCMethodCall(Msg, St, LCtx, CE_ObjCMessage) {}
-
static bool classof(const CallEvent *CA) {
return CA->getKind() == CE_ObjCMessage;
}
};
-/// \brief Represents an Objective-C property getter or setter invocation.
-///
-/// Example: obj.prop += 1;
-class ObjCPropertyAccess : public ObjCMethodCall {
-public:
- ObjCPropertyAccess(const ObjCPropertyRefExpr *PE, SourceRange range,
- const ObjCMessageExpr *Msg, const ProgramStateRef St,
- const LocationContext *LCtx)
- : ObjCMethodCall(Msg, St, LCtx, CE_ObjCPropertyAccess) {
- Data = PE;
- }
-
- /// \brief Returns true if this property access is calling the setter method.
- bool isSetter() const {
- return getNumArgs() > 0;
- }
-
- SourceRange getSourceRange() const;
-
- /// \brief Return the property reference part of this access.
- ///
- /// In the expression "obj.prop += 1", the property reference expression is
- /// "obj.prop".
- const ObjCPropertyRefExpr *getPropertyExpr() const {
- return static_cast<const ObjCPropertyRefExpr *>(Data);
- }
-
- static bool classof(const CallEvent *CA) {
- return CA->getKind() == CE_ObjCPropertyAccess;
- }
-};
-
// FIXME: Use a .def or .td file for this.
#define DISPATCH(fn) \
case CE_CXXAllocator: \
return cast<CXXAllocatorCall>(this)->fn(); \
case CE_ObjCMessage: \
- return cast<ObjCMessageSend>(this)->fn(); \
- case CE_ObjCPropertyAccess: \
- return cast<ObjCPropertyAccess>(this)->fn(); \
+ return cast<ObjCMethodCall>(this)->fn(); \
}
#define DISPATCH_ARG(fn, arg) \
case CE_CXXAllocator: \
return cast<CXXAllocatorCall>(this)->fn(arg); \
case CE_ObjCMessage: \
- return cast<ObjCMessageSend>(this)->fn(arg); \
- case CE_ObjCPropertyAccess: \
- return cast<ObjCPropertyAccess>(this)->fn(arg); \
+ return cast<ObjCMethodCall>(this)->fn(arg); \
}
inline void CallEvent::getExtraInvalidatedRegions(RegionList &Regions) const {
mutable OwningPtr<BugType> BT_call_arg;
mutable OwningPtr<BugType> BT_msg_undef;
mutable OwningPtr<BugType> BT_objc_prop_undef;
+ mutable OwningPtr<BugType> BT_objc_subscript_undef;
mutable OwningPtr<BugType> BT_msg_arg;
mutable OwningPtr<BugType> BT_msg_ret;
public:
private:
static bool PreVisitProcessArg(CheckerContext &C, SVal V,
SourceRange argRange, const Expr *argEx,
- const bool checkUninitFields,
- const char *BT_desc, OwningPtr<BugType> &BT);
+ bool IsFirstArgument, bool checkUninitFields,
+ const CallEvent &Call, OwningPtr<BugType> &BT);
static void EmitBadCall(BugType *BT, CheckerContext &C, const CallExpr *CE);
void emitNilReceiverBug(CheckerContext &C, const ObjCMethodCall &msg,
C.EmitReport(R);
}
+StringRef describeUninitializedArgumentInCall(const CallEvent &Call,
+ bool IsFirstArgument) {
+ switch (Call.getKind()) {
+ case CE_ObjCMessage: {
+ const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call);
+ switch (Msg.getMessageKind()) {
+ case OCM_Message:
+ return "Argument in message expression is an uninitialized value";
+ case OCM_PropertyAccess:
+ assert(Msg.isSetter() && "Getters have no args");
+ return "Argument for property setter is an uninitialized value";
+ case OCM_Subscript:
+ if (Msg.isSetter() && IsFirstArgument)
+ return "Argument for subscript setter is an uninitialized value";
+ return "Subscript index is an uninitialized value";
+ }
+ llvm_unreachable("Unknown message kind.");
+ }
+ case CE_Block:
+ return "Block call argument is an uninitialized value";
+ default:
+ return "Function call argument is an uninitialized value";
+ }
+}
+
bool CallAndMessageChecker::PreVisitProcessArg(CheckerContext &C,
SVal V, SourceRange argRange,
const Expr *argEx,
- const bool checkUninitFields,
- const char *BT_desc,
+ bool IsFirstArgument,
+ bool checkUninitFields,
+ const CallEvent &Call,
OwningPtr<BugType> &BT) {
if (V.isUndef()) {
if (ExplodedNode *N = C.generateSink()) {
LazyInit_BT("Uninitialized argument value", BT);
// Generate a report for this bug.
- BugReport *R = new BugReport(*BT, BT_desc, N);
+ StringRef Desc = describeUninitializedArgumentInCall(Call,
+ IsFirstArgument);
+ BugReport *R = new BugReport(*BT, Desc, N);
R->addRange(argRange);
if (argEx)
R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N, argEx,
if (F.Find(D->getRegion())) {
if (ExplodedNode *N = C.generateSink()) {
- LazyInit_BT(BT_desc, BT);
+ LazyInit_BT("Uninitialized argument value", BT);
SmallString<512> Str;
llvm::raw_svector_ostream os(Str);
os << "Passed-by-value struct argument contains uninitialized data";
(D && D->getBody()));
OwningPtr<BugType> *BT;
- const char *Desc;
-
- switch (Call.getKind()) {
- case CE_ObjCPropertyAccess:
- BT = &BT_msg_arg;
- // Getters do not have arguments, so we don't need to worry about this.
- Desc = "Argument for property setter is an uninitialized value";
- break;
- case CE_ObjCMessage:
+ if (isa<ObjCMethodCall>(Call))
BT = &BT_msg_arg;
- Desc = "Argument in message expression is an uninitialized value";
- break;
- case CE_Block:
+ else
BT = &BT_call_arg;
- Desc = "Block call argument is an uninitialized value";
- break;
- default:
- BT = &BT_call_arg;
- Desc = "Function call argument is an uninitialized value";
- break;
- }
for (unsigned i = 0, e = Call.getNumArgs(); i != e; ++i)
- if (PreVisitProcessArg(C, Call.getArgSVal(i),
- Call.getArgSourceRange(i), Call.getArgExpr(i),
- checkUninitFields, Desc, *BT))
+ if (PreVisitProcessArg(C, Call.getArgSVal(i), Call.getArgSourceRange(i),
+ Call.getArgExpr(i), /*IsFirstArgument=*/i == 0,
+ checkUninitFields, Call, *BT))
return;
}
if (recVal.isUndef()) {
if (ExplodedNode *N = C.generateSink()) {
BugType *BT = 0;
- if (isa<ObjCPropertyAccess>(msg)) {
- if (!BT_objc_prop_undef)
- BT_objc_prop_undef.reset(new BuiltinBug("Property access on an "
- "uninitialized object pointer"));
- BT = BT_objc_prop_undef.get();
- } else {
+ switch (msg.getMessageKind()) {
+ case OCM_Message:
if (!BT_msg_undef)
BT_msg_undef.reset(new BuiltinBug("Receiver in message expression "
"is an uninitialized value"));
BT = BT_msg_undef.get();
+ break;
+ case OCM_PropertyAccess:
+ if (!BT_objc_prop_undef)
+ BT_objc_prop_undef.reset(new BuiltinBug("Property access on an "
+ "uninitialized object "
+ "pointer"));
+ BT = BT_objc_prop_undef.get();
+ break;
+ case OCM_Subscript:
+ if (!BT_objc_subscript_undef)
+ BT_objc_subscript_undef.reset(new BuiltinBug("Subscript access on an "
+ "uninitialized object "
+ "pointer"));
+ BT = BT_objc_subscript_undef.get();
+ break;
}
+ assert(BT && "Unknown message kind.");
+
BugReport *R = new BugReport(*BT, BT->getName(), N);
- R->addRange(msg.getReceiverSourceRange());
+ const ObjCMessageExpr *ME = msg.getOriginExpr();
+ R->addRange(ME->getReceiverRange());
// FIXME: getTrackNullOrUndefValueVisitor can't handle "super" yet.
- if (const Expr *ReceiverE = msg.getInstanceReceiverExpr())
+ if (const Expr *ReceiverE = ME->getInstanceReceiver())
R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N,
ReceiverE,
R));
new BuiltinBug("Receiver in message expression is "
"'nil' and returns a garbage value"));
+ const ObjCMessageExpr *ME = msg.getOriginExpr();
+
SmallString<200> buf;
llvm::raw_svector_ostream os(buf);
- os << "The receiver of message '" << msg.getSelector().getAsString()
+ os << "The receiver of message '" << ME->getSelector().getAsString()
<< "' is nil and returns a value of type '";
msg.getResultType().print(os, C.getLangOpts());
os << "' that will be garbage";
BugReport *report = new BugReport(*BT_msg_ret, os.str(), N);
- report->addRange(msg.getReceiverSourceRange());
+ report->addRange(ME->getReceiverRange());
// FIXME: This won't track "self" in messages to super.
- if (const Expr *receiver = msg.getInstanceReceiverExpr()) {
+ if (const Expr *receiver = ME->getInstanceReceiver()) {
report->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N,
receiver,
report));
///
/// This will be called before the analyzer core processes the method call.
/// This is called for any action which produces an Objective-C message send,
- /// including explicit message syntax and property access. See the subclasses
- /// of ObjCMethodCall for more details.
+ /// including explicit message syntax and property access.
///
/// check::PreObjCMessage
void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const {}
case CE_CXXAllocator:
// FIXME: These calls are currently unsupported.
return getPersistentStopSummary();
- case CE_ObjCMessage:
- case CE_ObjCPropertyAccess: {
+ case CE_ObjCMessage: {
const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call);
if (Msg.isInstanceMessage())
Summ = getInstanceMethodSummary(Msg, State);
isa<CXXBoolLiteralExpr>(E);
}
-static bool isPropertyAccess(const Stmt *S, ParentMap &PM) {
- unsigned maxDepth = 4;
- while (S && maxDepth) {
- if (const PseudoObjectExpr *PO = dyn_cast<PseudoObjectExpr>(S)) {
- if (!isa<ObjCMessageExpr>(PO->getSyntacticForm()))
- return true;
- return false;
- }
- S = PM.getParent(S);
- --maxDepth;
- }
- return false;
-}
-
PathDiagnosticPiece *CFRefReportVisitor::VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN,
BugReporterContext &BRC,
os << "function call";
}
else {
- assert(isa<ObjCMessageExpr>(S));
- // The message expression may have between written directly or as
- // a property access. Lazily determine which case we are looking at.
- os << (isPropertyAccess(S, N->getParentMap()) ? "Property" : "Method");
+ assert(isa<ObjCMessageExpr>(S));
+ ObjCMethodCall Call(cast<ObjCMessageExpr>(S), CurrSt, LCtx);
+ switch (Call.getMessageKind()) {
+ case OCM_Message:
+ os << "Method";
+ break;
+ case OCM_PropertyAccess:
+ os << "Property";
+ break;
+ case OCM_Subscript:
+ os << "Subscript";
+ break;
+ }
}
if (CurrV.getObjKind() == RetEffect::CF) {
state = updateSymbol(state, Sym, *T, Summ.getReceiverEffect(),
hasErr, C);
if (hasErr) {
- ErrorRange = MsgInvocation->getReceiverSourceRange();
+ ErrorRange = MsgInvocation->getOriginExpr()->getReceiverRange();
ErrorSym = Sym;
}
}
if (!isInstanceMessage())
return UnknownVal();
- if (const Expr *Base = getInstanceReceiverExpr())
+ if (const Expr *Base = getOriginExpr()->getInstanceReceiver())
return getSVal(Base);
// An instance message with no expression means we are sending to super.
return getState()->getSVal(getState()->getRegion(SelfDecl, LCtx));
}
-SourceRange ObjCPropertyAccess::getSourceRange() const {
- const ParentMap &PM = getLocationContext()->getParentMap();
- const ObjCMessageExpr *ME = getOriginExpr();
- const PseudoObjectExpr *PO = cast<PseudoObjectExpr>(PM.getParent(ME));
- return PO->getSourceRange();
+SourceRange ObjCMethodCall::getSourceRange() const {
+ switch (getMessageKind()) {
+ case OCM_Message:
+ return getOriginExpr()->getSourceRange();
+ case OCM_PropertyAccess:
+ case OCM_Subscript:
+ return getContainingPseudoObjectExpr()->getSourceRange();
+ }
+}
+
+typedef llvm::PointerIntPair<const PseudoObjectExpr *, 2> ObjCMessageDataTy;
+
+const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const {
+ assert(Data != 0 && "Lazy lookup not yet performed.");
+ assert(getMessageKind() != OCM_Message && "Explicit message send.");
+ return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer();
+}
+
+ObjCMessageKind ObjCMethodCall::getMessageKind() const {
+ if (Data == 0) {
+ ParentMap &PM = getLocationContext()->getParentMap();
+ const Stmt *S = PM.getParent(getOriginExpr());
+ if (const PseudoObjectExpr *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) {
+ const Expr *Syntactic = POE->getSyntacticForm();
+
+ // This handles the funny case of assigning to the result of a getter.
+ // This can happen if the getter returns a non-const reference.
+ if (const BinaryOperator *BO = dyn_cast<BinaryOperator>(Syntactic))
+ Syntactic = BO->getLHS();
+
+ ObjCMessageKind K;
+ switch (Syntactic->getStmtClass()) {
+ case Stmt::ObjCPropertyRefExprClass:
+ K = OCM_PropertyAccess;
+ break;
+ case Stmt::ObjCSubscriptRefExprClass:
+ K = OCM_Subscript;
+ break;
+ default:
+ // FIXME: Can this ever happen?
+ K = OCM_Message;
+ break;
+ }
+
+ if (K != OCM_Message) {
+ const_cast<ObjCMethodCall *>(this)->Data
+ = ObjCMessageDataTy(POE, K).getOpaqueValue();
+ assert(getMessageKind() == K);
+ return K;
+ }
+ }
+
+ const_cast<ObjCMethodCall *>(this)->Data
+ = ObjCMessageDataTy(0, 1).getOpaqueValue();
+ assert(getMessageKind() == OCM_Message);
+ return OCM_Message;
+ }
+
+ ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data);
+ if (!Info.getPointer())
+ return OCM_Message;
+ return static_cast<ObjCMessageKind>(Info.getInt());
}
case Stmt::ObjCMessageExprClass: {
Bldr.takeNodes(Pred);
- // Is this a property access?
-
- const LocationContext *LCtx = Pred->getLocationContext();
- const ParentMap &PM = LCtx->getParentMap();
- const ObjCMessageExpr *ME = cast<ObjCMessageExpr>(S);
- bool evaluated = false;
-
- if (const PseudoObjectExpr *PO =
- dyn_cast_or_null<PseudoObjectExpr>(PM.getParent(S))) {
- const Expr *syntactic = PO->getSyntacticForm();
-
- // This handles the funny case of assigning to the result of a getter.
- // This can happen if the getter returns a non-const reference.
- if (const BinaryOperator *BO = dyn_cast<BinaryOperator>(syntactic))
- syntactic = BO->getLHS();
-
- if (const ObjCPropertyRefExpr *PR =
- dyn_cast<ObjCPropertyRefExpr>(syntactic)) {
- VisitObjCMessage(ObjCPropertyAccess(PR, PO->getSourceRange(), ME,
- Pred->getState(), LCtx),
- Pred, Dst);
- evaluated = true;
- }
- }
-
- if (!evaluated)
- VisitObjCMessage(ObjCMessageSend(ME, Pred->getState(), LCtx),
- Pred, Dst);
-
+ VisitObjCMessage(ObjCMethodCall(cast<ObjCMessageExpr>(S),
+ Pred->getState(),
+ Pred->getLocationContext()),
+ Pred, Dst);
Bldr.addNodes(Dst);
break;
}
break;
}
case CE_ObjCMessage:
- case CE_ObjCPropertyAccess:
// These always use dynamic dispatch; enabling inlining means assuming
// that a particular method will be called at runtime.
llvm_unreachable("Dynamic dispatch should be handled above.");
--- /dev/null
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region -verify -Wno-objc-root-class %s
+
+typedef signed char BOOL;
+typedef unsigned int NSUInteger;
+
+@interface NSObject
++(id)alloc;
+-(id)init;
+-(id)autorelease;
+-(id)copy;
+-(id)retain;
+@end
+
+@interface Subscriptable : NSObject
+- (void)setObject:(id)obj atIndexedSubscript:(NSUInteger)index;
+- (id)objectAtIndexedSubscript:(NSUInteger)index;
+
+- (void)setObject:(id)obj forKeyedSubscript:(id)key;
+- (id)objectForKeyedSubscript:(id)key;
+@end
+
+@interface Test : Subscriptable
+@end
+
+@implementation Test
+
+// <rdar://problem/6946338> for subscripting
+- (id)storeDoesNotRetain {
+ Test *cell = [[[Test alloc] init] autorelease];
+
+ NSObject *string1 = [[NSObject alloc] init]; // expected-warning {{Potential leak}}
+ cell[0] = string1;
+ cell[self] = string1;
+ cell[string1] = self;
+
+ return cell;
+}
+
+// <rdar://problem/8824416> for subscripting
+- (id)getDoesNotRetain:(BOOL)keyed {
+ if (keyed)
+ return [self[self] autorelease]; // expected-warning{{Object sent -autorelease too many times}}
+ else
+ return [self[0] autorelease]; // expected-warning{{Object sent -autorelease too many times}}
+}
+
+// <rdar://problem/9241180> for subscripting
+- (id)testUninitializedObject:(BOOL)keyed {
+ Test *o;
+ if (keyed) {
+ if (o[self]) // expected-warning {{Subscript access on an uninitialized object pointer}}
+ return o; // no-warning (sink)
+ } else {
+ if (o[0]) // expected-warning {{Subscript access on an uninitialized object pointer}}
+ return o; // no-warning (sink)
+ }
+ return self;
+}
+
+- (void)testUninitializedArgument:(id)input testCase:(unsigned)testCase {
+ NSUInteger i;
+ id o;
+
+ switch (testCase) {
+ case 0:
+ self[0] = o; // expected-warning {{Argument for subscript setter is an uninitialized value}}
+ break;
+ case 1:
+ self[i] = input; // expected-warning {{Subscript index is an uninitialized value}}
+ break;
+ case 2:
+ (void)self[i]; // expected-warning {{Subscript index is an uninitialized value}}
+ break;
+ case 3:
+ self[input] = o; // expected-warning {{Argument for subscript setter is an uninitialized value}}
+ break;
+ case 4:
+ self[o] = input; // expected-warning {{Subscript index is an uninitialized value}}
+ break;
+ case 5:
+ (void)self[o]; // expected-warning {{Subscript index is an uninitialized value}}
+ break;
+ default:
+ break;
+ }
+
+}
+
+@end
// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,osx.coreFoundation.CFRetainRelease,osx.cocoa.ClassRelease,osx.cocoa.RetainCount -analyzer-store=region -analyzer-output=text -verify %s
-// This actually still works after the pseudo-object refactor, it just
-// uses messages that say 'method' instead of 'property'. Ted wanted
-// this xfailed and filed as a bug. rdar://problem/10402993
-
/***
This file is for testing the path-sensitive notes for retain/release errors.
Its goal is to have simple branch coverage of any path-based diagnostics,
@interface Foo : NSObject
- (id)methodWithValue;
@property(retain) id propertyValue;
+
+- (id)objectAtIndexedSubscript:(unsigned)index;
+- (id)objectForKeyedSubscript:(id)key;
@end
typedef struct CFType *CFTypeRef;
return result; // expected-warning{{Object with a +0 retain count returned to caller where a +1 (owning) retain count is expected}} expected-note{{Object returned to caller with a +0 retain count}} expected-note{{Object with a +0 retain count returned to caller where a +1 (owning) retain count is expected}}
}
+- (id)copyViolationIndexedSubscript {
+ id result = self[0]; // expected-note{{Subscript returns an Objective-C object with a +0 retain count}}
+ return result; // expected-warning{{Object with a +0 retain count returned to caller where a +1 (owning) retain count is expected}} expected-note{{Object returned to caller with a +0 retain count}} expected-note{{Object with a +0 retain count returned to caller where a +1 (owning) retain count is expected}}
+}
+
+- (id)copyViolationKeyedSubscript {
+ id result = self[self]; // expected-note{{Subscript returns an Objective-C object with a +0 retain count}}
+ return result; // expected-warning{{Object with a +0 retain count returned to caller where a +1 (owning) retain count is expected}} expected-note{{Object returned to caller with a +0 retain count}} expected-note{{Object with a +0 retain count returned to caller where a +1 (owning) retain count is expected}}
+}
+
- (id)getViolation {
id result = [[Foo alloc] init]; // expected-warning{{leak}} expected-note{{Method returns an Objective-C object with a +1 retain count}}
return result; // expected-note{{Object returned to caller as an owning reference (single retain count transferred to caller)}} expected-note{{Object leaked: object allocated and stored into 'result' is returned from a method whose name ('getViolation') does not start with 'copy', 'mutableCopy', 'alloc' or 'new'. This violates the naming convention rules given in the Memory Management Guide for Cocoa}}
projects / clang / commitdiff