This is an archive of the discontinued LLVM Phabricator instance.

Differential D5042

[analyzer] Detect use-after-free scenarios in -dealloc after calling [super dealloc]
Needs ReviewPublic

Authored by ddkilzer on Aug 23 2014, 5:19 PM.

Details

Reviewers
krememek
zaks.anna
jordan_rose
Summary

Use ASTMatchers (with manual matching code for finding calls to [super dealloc]) to detect use-after-free scenarios in the -dealloc method.

Fixes rdar://problem/6953275.

Unresolved issues:

  • Had to add libclangASTMatchers.a to USEDLIBS in tools/clang-check/Makefile and tools/driver/Makefile. Not sure if that's a direction the clang project wants to go.

Diff Detail

Event Timeline

ddkilzer updated this revision to Diff 12884.Aug 23 2014, 5:19 PM
ddkilzer retitled this revision from to [analyzer] Detect use-after-free scenarios in -dealloc after calling [super dealloc].
ddkilzer updated this object.
ddkilzer edited the test plan for this revision. (Show Details)
ddkilzer added reviewers: jordan_rose, krememek.
ddkilzer added a subscriber: Unknown Object (MLST).
ddkilzer added a parent revision: D5023: [analyzer] Fix ObjC Dealloc Checker to operate only on classes with retained properties.Aug 23 2014, 5:19 PM
ddkilzer updated this object.Aug 23 2014, 5:22 PM
ddkilzer updated this object.Aug 23 2014, 5:27 PM
ddkilzer added a comment.Aug 23 2014, 11:17 PM
  • Crash in ASTMatchers running test/Analysis/PR2978.m test, possibly due to invalid code in -dealloc method. Haven't figured out how to make a stand-alone test case yet.

Something is going horribly wrong dereferencing a clang::Stmt * into a const clang::Stmt & in this call:

Finder.match(*S, Ctx);

Changing the pointer type to const clang::Stmt * as passed into the method had no effect. I also tried this to no avail:

const Stmt &SRef = *S;
Finder.match(SRef, Ctx);

Here's an lldb session showing the badness. I know something is going wrong because the value of Node.Aligner in the match() method is the same value as the S pointer (0x000000010a033ce0) prior to the call:

(lldb) run
Process 6895 launched: '/Volumes/Data/clang.git/llvm/Debug+Asserts/bin/clang' (x86_64)
Process 6895 stopped
* thread #1: tid = 0x39e920, 0x00000001010a5250 clang`scan_dealloc_for_self_after_super_dealloc(S=0x000000010a033ce0, Callback=0x00007fff5fbfc410, Ctx=0x000000010a822000) + 624 at CheckObjCDealloc.cpp:70, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001010a5250 clang`scan_dealloc_for_self_after_super_dealloc(S=0x000000010a033ce0, Callback=0x00007fff5fbfc410, Ctx=0x000000010a822000) + 624 at CheckObjCDealloc.cpp:70
   67  	      stmt(hasDescendant(declRefExpr(to(varDecl(hasName("self"))))
   68  	                             .bind("self"))).bind("stmt");
   69  	  Finder.addMatcher(Matcher, &Callback);
-> 70  	  Finder.match(*S, Ctx);
   71  	  if (Callback.FoundMatch())
   72  	    return true;
   73  	
(lldb) p *S
(clang::Stmt) $4 = {
   = {
    Aligner = 0x000000000000008d
    StmtBits = (sClass = 141)
    CompoundStmtBits = (NumStmts = 0)
    ExprBits = {
      ValueKind = 0
      ObjectKind = 0
      TypeDependent = 0
      ValueDependent = 0
      InstantiationDependent = 0
      ContainsUnexpandedParameterPack = 0
    }
    CharacterLiteralBits = (Kind = 0)
    FloatingLiteralBits = (Semantics = 0, IsExact = 0)
    UnaryExprOrTypeTraitExprBits = (Kind = 0, IsType = 0)
    DeclRefExprBits = {
      HasQualifier = 0
      HasTemplateKWAndArgsInfo = 0
      HasFoundDecl = 0
      HadMultipleCandidates = 0
      RefersToEnclosingLocal = 0
    }
    CastExprBits = (Kind = 0, BasePathSize = 0)
    CallExprBits = (NumPreArgs = 0)
    ExprWithCleanupsBits = (NumObjects = 0)
    PseudoObjectExprBits = (NumSubExprs = 0, ResultIndex = 0)
    ObjCIndirectCopyRestoreExprBits = (ShouldCopy = 0)
    InitListExprBits = (HadArrayRangeDesignator = 0)
    TypeTraitExprBits = (Kind = 0, Value = 0, NumArgs = 0)
  }
}
(lldb) p S->getStmtClassName()
(const char *) $5 = 0x00000001044ea946 "ReturnStmt"
(lldb) p (*S).getStmtClassName()
(const char *) $6 = 0x00000001044ea946 "ReturnStmt"
(lldb) s
Process 6895 stopped
* thread #1: tid = 0x39e920, 0x00000001010b0b7a clang`void clang::ast_matchers::MatchFinder::match<clang::Stmt>(this=0x00007fff5fbfbe38, Node=0x000000010a033ce0, Context=0x000000010a822000) + 42 at ASTMatchFinder.h:160, queue = 'com.apple.main-thread', stop reason = step in
    frame #0: 0x00000001010b0b7a clang`void clang::ast_matchers::MatchFinder::match<clang::Stmt>(this=0x00007fff5fbfbe38, Node=0x000000010a033ce0, Context=0x000000010a822000) + 42 at ASTMatchFinder.h:160
   157 	  ///
   158 	  /// @{
   159 	  template <typename T> void match(const T &Node, ASTContext &Context) {
-> 160 	    match(clang::ast_type_traits::DynTypedNode::create(Node), Context);
   161 	  }
   162 	  void match(const clang::ast_type_traits::DynTypedNode &Node,
   163 	             ASTContext &Context);
(lldb) p Node.getStmtClassName()
(const char *) $7 = 0x0000002000000000
(lldb) p Node
(const clang::Stmt) $8 = {
   = {
    Aligner = 0x000000010a033ce0
    StmtBits = (sClass = 224)
    CompoundStmtBits = (NumStmts = 656188)
    ExprBits = {
      ValueKind = 0
      ObjectKind = 3
      TypeDependent = 1
      ValueDependent = 1
      InstantiationDependent = 0
      ContainsUnexpandedParameterPack = 0
    }
    CharacterLiteralBits = (Kind = 3)
    FloatingLiteralBits = (Semantics = 3, IsExact = 0)
    UnaryExprOrTypeTraitExprBits = (Kind = 3, IsType = 0)
    DeclRefExprBits = {
      HasQualifier = 1
      HasTemplateKWAndArgsInfo = 1
      HasFoundDecl = 0
      HadMultipleCandidates = 0
      RefersToEnclosingLocal = 0
    }
    CastExprBits = (Kind = 3, BasePathSize = 40)
    CallExprBits = (NumPreArgs = 1)
    ExprWithCleanupsBits = (NumObjects = 2563)
    PseudoObjectExprBits = (NumSubExprs = 3, ResultIndex = 10)
    ObjCIndirectCopyRestoreExprBits = (ShouldCopy = 1)
    InitListExprBits = (HadArrayRangeDesignator = 1)
    TypeTraitExprBits = (Kind = 3, Value = 0, NumArgs = 5)
  }
}
(lldb)

One thing I can't tell is if make is compiling with the trunk clang I'm building, or whether it's using the clang I have installed with Xcode.

ddkilzer added a comment.Aug 24 2014, 8:39 AM
  • Crash in ASTMatchers running test/Analysis/PR2978.m test, possibly due to invalid code in -dealloc method. Haven't figured out how to make a stand-alone test case yet.

Doh! This was due to a stupid typo that caused infinite recursion:

@@ -74,7 +74,7 @@ static bool scan_dealloc_for_self_after_super_dealloc(
   // Recurse to children.
   for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I != E;
        ++I)
-    if (*I && scan_dealloc_for_self_after_super_dealloc(S, Callback, Ctx))
+    if (*I && scan_dealloc_for_self_after_super_dealloc(*I, Callback, Ctx))
       return true;
 
   return false;

Will post new patch momentarily.

ddkilzer updated this revision to Diff 12885.Aug 24 2014, 8:44 AM

Fix typo in last patch that caused infinite recursion

ddkilzer updated this object.Aug 24 2014, 8:47 AM
ddkilzer updated this revision to Diff 12920.Aug 25 2014, 3:35 PM
ddkilzer updated this object.

Removed unnecessary tree walking code since ASTMatcher is used in scan_dealloc_for_self_after_super_dealloc().

ddkilzer added a reviewer: zaks.anna.Aug 29 2014, 3:56 PM
ddkilzer added a subscriber: zaks.anna.Aug 30 2014, 1:44 AM
ddkilzer updated this revision to Diff 13122.Aug 30 2014, 1:56 AM

Rebase after Diff 13121 was added to D5023.

jordan_rose edited edge metadata.Sep 4 2014, 6:40 PM

Here's an example that won't be caught without at least flow-sensitive analysis:

- (void)dealloc {
  if (!_everInitialized) {
    [super dealloc];
    // should return here, but forgot
  }
  carefullyDisposeOfLazyData(self->_lazilyConstructedData);
  [super dealloc];
}

In this case I think we'll get a double-dealloc warning from the retain-count checker, but even so. Do you think this is worth moving to a path-sensitive model for?

(Also, please make sure you're following the LLVM naming conventions. The function names and m_ member names are the offenders, I think.)

zaks.anna edited edge metadata.Sep 4 2014, 10:34 PM

I agree with Jordan. We would probably want to create a path sensitive check here instead of using the matchers. Another advantage would be that you would get inter procedural analysis (within the same translation unit), so if the dealloc delegates the deallocation to another method whose implementation is within the same TU, you would get the checking as if the callee has been inlined.

(I am not sure if you watched our presentation about writing path sensitive checkers. If not, I highly recommend it. It's called Building a Checker in 24 hours http://www.llvm.org/devmtg/2012-11/)

ddkilzer added a parent revision: D5238: [analyzer] Detect duplicate [super dealloc] calls.Sep 7 2014, 8:15 PM
ddkilzer added a comment.Sep 7 2014, 8:19 PM

I started a path-sensitive checker in D5238 for [super dealloc] calls. Once that lands, I can re-implement these checks using that checker.

I implemented the "duplicate [super dealloc]" check since that seemed the most logical (and simpler) to start with.

Thanks for the tip about the video, Anna! That was a big help.

lib/StaticAnalyzer/Checkers/CheckObjCDealloc.cpp
74–78

And I just realized this code is unnecessary when using the ASTMatcher. Will upload another patch later today.

dcoughlin mentioned this in D5238: [analyzer] Detect duplicate [super dealloc] calls.Feb 9 2016, 6:26 PM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
142 lines
test/
Analysis/
141 lines
tools/
clang-check/
2 lines
driver/
2 lines

Diff 13122

lib/StaticAnalyzer/Checkers/CheckObjCDealloc.cpp

Show All 12 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ClangSACheckers.h" #include "ClangSACheckers.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/DeclObjC.h" #include "clang/AST/DeclObjC.h"
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprObjC.h" #include "clang/AST/ExprObjC.h"
#include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Basic/LangOptions.h" #include "clang/Basic/LangOptions.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace clang::ast_matchers;
using namespace ento; using namespace ento;
class SuperDeallocUseAfterFreeCallback : public MatchFinder::MatchCallback {
public:
SuperDeallocUseAfterFreeCallback(IdentifierInfo *SelfII)
: FoundSuperDealloc(false), m_FoundMatch(false), m_SelfII(SelfII),
m_Stmt(nullptr) {}
virtual void run(MatchFinder::MatchResult const &Result) {
if (const DeclRefExpr *E =
Result.Nodes.getNodeAs<clang::DeclRefExpr>("self")) {
if (E->getDecl()->getIdentifier() == m_SelfII) {
m_FoundMatch = true;
m_Stmt = Result.Nodes.getNodeAs<clang::Stmt>("stmt");
}
}
}
bool FoundMatch() { return m_FoundMatch; }
const clang::Stmt *Stmt() { return m_Stmt; }
bool FoundSuperDealloc;
private:
bool m_FoundMatch;
IdentifierInfo *m_SelfII;
const clang::Stmt *m_Stmt;
};
static bool scan_dealloc_for_self_after_super_dealloc(
Stmt *S, SuperDeallocUseAfterFreeCallback &Callback, ASTContext &Ctx) {
// Find references to 'self'.
MatchFinder Finder;
StatementMatcher Matcher =
stmt(hasDescendant(declRefExpr(to(varDecl(hasName("self"))))
.bind("self"))).bind("stmt");
Finder.addMatcher(Matcher, &Callback);
Finder.match(*S, Ctx);
return Callback.FoundMatch();
}
static bool
scan_dealloc_for_use_after_free(Stmt *S, Selector Dealloc,
SuperDeallocUseAfterFreeCallback &Callback,
ASTContext &Ctx) {
ddkilzerAuthorUnsubmitted
Not Done
ReplyInline Actions

And I just realized this code is unnecessary when using the ASTMatcher. Will upload another patch later today.

ddkilzer: And I just realized this code is unnecessary when using the ASTMatcher. Will upload another…
// Find [super dealloc] call.
if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S))
if (ME->getSelector() == Dealloc) {
switch (ME->getReceiverKind()) {
case ObjCMessageExpr::Instance:
break;
case ObjCMessageExpr::SuperInstance: {
Callback.FoundSuperDealloc = true;
break;
}
case ObjCMessageExpr::Class:
break;
case ObjCMessageExpr::SuperClass:
break;
}
}
// Recurse to children.
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I != E;
++I)
if (Callback.FoundSuperDealloc) {
if (*I && scan_dealloc_for_self_after_super_dealloc(*I, Callback, Ctx))
return true;
} else if (*I &&
scan_dealloc_for_use_after_free(*I, Dealloc, Callback, Ctx)) {
return true;
}
return false;
}
static bool scan_ivar_release(Stmt *S, const ObjCIvarDecl *ID, static bool scan_ivar_release(Stmt *S, const ObjCIvarDecl *ID,
const ObjCPropertyDecl *PD, const ObjCPropertyDecl *PD,
Selector Release, Selector Release,
IdentifierInfo* SelfII, IdentifierInfo* SelfII,
ASTContext &Ctx) { ASTContext &Ctx) {
// [mMyIvar release] // [mMyIvar release]
if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S)) if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(S))
▲ Show 20 LinesShow All 59 Lines▼ Show 20 Linesstatic bool isSynthesizedWritablePointerProperty(const ObjCPropertyImplDecl *I,
if ((*PD)->isReadOnly()) if ((*PD)->isReadOnly())
return false; return false;
return true; return true;
} }
static void checkObjCDealloc(const CheckerBase *Checker, static void checkObjCDealloc(const CheckerBase *Checker,
const ObjCImplementationDecl *D, const ObjCImplementationDecl *D,
const LangOptions &LOpts, BugReporter &BR) { AnalysisManager &Mgr, BugReporter &BR) {
const LangOptions &LOpts = Mgr.getLangOpts();
assert(LOpts.getGC() != LangOptions::GCOnly); assert(LOpts.getGC() != LangOptions::GCOnly);
assert(!LOpts.ObjCAutoRefCount); assert(!LOpts.ObjCAutoRefCount);
ASTContext &Ctx = BR.getContext(); ASTContext &Ctx = BR.getContext();
const ObjCInterfaceDecl *ID = D->getClassInterface(); const ObjCInterfaceDecl *ID = D->getClassInterface();
// Does the class contain any properties that are retained, synthesized, // Does the class contain any properties that are retained, synthesized,
// writable pointers (or id<...>)? If not, skip the check entirely. // writable pointers (or id<...>)? If not, skip the check entirely.
bool containsRetainedSynthesizedWritablePointerProperty = false; bool containsRetainedSynthesizedWritablePointerProperty = false;
for (const auto *I : D->property_impls()) { for (const auto *I : D->property_impls()) {
const ObjCIvarDecl *ID = nullptr; const ObjCIvarDecl *ID = nullptr;
const ObjCPropertyDecl *PD = nullptr; const ObjCPropertyDecl *PD = nullptr;
if (!isSynthesizedWritablePointerProperty(I, &ID, &PD)) if (!isSynthesizedWritablePointerProperty(I, &ID, &PD))
continue; continue;
// Property must be released if and only if the kind of setter // Property must be released if and only if the kind of setter
// was not 'assign'. // was not 'assign'.
if (PD->getSetterKind() != ObjCPropertyDecl::Assign) { if (PD->getSetterKind() != ObjCPropertyDecl::Assign) {
containsRetainedSynthesizedWritablePointerProperty = true; containsRetainedSynthesizedWritablePointerProperty = true;
break; break;
} }
} }
if (!containsRetainedSynthesizedWritablePointerProperty)
return;
// Determine if the class subclasses NSObject. // Determine if the class subclasses NSObject.
IdentifierInfo* NSObjectII = &Ctx.Idents.get("NSObject"); IdentifierInfo* NSObjectII = &Ctx.Idents.get("NSObject");
IdentifierInfo* SenTestCaseII = &Ctx.Idents.get("SenTestCase"); IdentifierInfo* SenTestCaseII = &Ctx.Idents.get("SenTestCase");
for ( ; ID ; ID = ID->getSuperClass()) { for ( ; ID ; ID = ID->getSuperClass()) {
IdentifierInfo *II = ID->getIdentifier(); IdentifierInfo *II = ID->getIdentifier();
if (II == NSObjectII) if (II == NSObjectII)
Show All 19 Linesstatic void checkObjCDealloc(const CheckerBase *Checker,
for (const auto *I : D->instance_methods()) { for (const auto *I : D->instance_methods()) {
if (I->getSelector() == S) { if (I->getSelector() == S) {
MD = I; MD = I;
break; break;
} }
} }
if (!MD) { // No dealloc found. if (!MD) { // No dealloc found.
if (containsRetainedSynthesizedWritablePointerProperty) {
const char* name = LOpts.getGC() == LangOptions::NonGC const char *name = LOpts.getGC() == LangOptions::NonGC
? "missing -dealloc" ? "missing -dealloc"
: "missing -dealloc (Hybrid MM, non-GC)"; : "missing -dealloc (Hybrid MM, non-GC)";
std::string buf; std::string buf;
llvm::raw_string_ostream os(buf); llvm::raw_string_ostream os(buf);
os << "Objective-C class '" << *D << "' lacks a 'dealloc' instance method"; os << "Objective-C class '" << *D
<< "' lacks a 'dealloc' instance method";
PathDiagnosticLocation DLoc = PathDiagnosticLocation DLoc =
PathDiagnosticLocation::createBegin(D, BR.getSourceManager()); PathDiagnosticLocation::createBegin(D, BR.getSourceManager());
BR.EmitBasicReport(D, Checker, name, categories::CoreFoundationObjectiveC, BR.EmitBasicReport(D, Checker, name, categories::CoreFoundationObjectiveC,
os.str(), DLoc); os.str(), DLoc);
}
return;
}
// Get the "self" identifier
IdentifierInfo *SelfII = &Ctx.Idents.get("self");
// Scan for use of 'self' after [super dealloc].
SuperDeallocUseAfterFreeCallback Callback(SelfII);
if (scan_dealloc_for_use_after_free(MD->getBody(), S, Callback, Ctx)) {
const char *name =
"use-after-free referencing 'self' after [super dealloc]";
std::string buf;
llvm::raw_string_ostream os(buf);
os << "The 'dealloc' instance method in Objective-C class '" << *D
<< "' references 'self' afer a call to [super dealloc], causing"
" a use-after-free memory reference.";
PathDiagnosticLocation StmtLoc = PathDiagnosticLocation::createBegin(
Callback.Stmt(), BR.getSourceManager(), Mgr.getAnalysisDeclContext(MD));
BR.EmitBasicReport(MD, Checker, name, categories::CoreFoundationObjectiveC,
os.str(), StmtLoc);
return; return;
} }
if (!containsRetainedSynthesizedWritablePointerProperty)
return;
// Get the "release" selector. // Get the "release" selector.
IdentifierInfo* RII = &Ctx.Idents.get("release"); IdentifierInfo* RII = &Ctx.Idents.get("release");
Selector RS = Ctx.Selectors.getSelector(0, &RII); Selector RS = Ctx.Selectors.getSelector(0, &RII);
// Get the "self" identifier
IdentifierInfo* SelfII = &Ctx.Idents.get("self");
// Scan for missing and extra releases of ivars used by implementations // Scan for missing and extra releases of ivars used by implementations
// of synthesized properties // of synthesized properties
for (const auto *I : D->property_impls()) { for (const auto *I : D->property_impls()) {
const ObjCIvarDecl *ID = nullptr; const ObjCIvarDecl *ID = nullptr;
const ObjCPropertyDecl *PD = nullptr; const ObjCPropertyDecl *PD = nullptr;
if (!isSynthesizedWritablePointerProperty(I, &ID, &PD)) if (!isSynthesizedWritablePointerProperty(I, &ID, &PD))
continue; continue;
Show All 40 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// ObjCDeallocChecker // ObjCDeallocChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class ObjCDeallocChecker : public Checker< class ObjCDeallocChecker : public Checker<
check::ASTDecl<ObjCImplementationDecl> > { check::ASTDecl<ObjCImplementationDecl> > {
public: public:
void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr, void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager &Mgr,
BugReporter &BR) const { BugReporter &BR) const {
if (mgr.getLangOpts().getGC() == LangOptions::GCOnly || if (Mgr.getLangOpts().getGC() == LangOptions::GCOnly ||
mgr.getLangOpts().ObjCAutoRefCount) Mgr.getLangOpts().ObjCAutoRefCount)
return; return;
checkObjCDealloc(this, cast<ObjCImplementationDecl>(D), mgr.getLangOpts(), checkObjCDealloc(this, cast<ObjCImplementationDecl>(D), Mgr, BR);
BR);
} }
}; };
} }
void ento::registerObjCDeallocChecker(CheckerManager &mgr) { void ento::registerObjCDeallocChecker(CheckerManager &mgr) {
mgr.registerChecker<ObjCDeallocChecker>(); mgr.registerChecker<ObjCDeallocChecker>();
} }

test/Analysis/DeallocUseAfterFreeErrors.m

  • This file was added.
// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.osx.cocoa.Dealloc %s -verify
#define nil ((id)0)
typedef signed char BOOL;
@protocol NSObject
- (instancetype)retain;
- (oneway void)release;
@end
@interface NSObject <NSObject> { }
- (void)dealloc;
- (instancetype)init;
@end
typedef struct objc_selector *SEL;
//===------------------------------------------------------------------------===
// <rdar://problem/6953275>
// Check that 'self' is not referenced after calling '[super dealloc]'.
@interface SuperDeallocThenReleaseIvarClass : NSObject {
NSObject *_ivar;
}
@end
@implementation SuperDeallocThenReleaseIvarClass
- (instancetype)initWithIvar:(NSObject *)ivar {
self = [super init];
if (!self)
return nil;
_ivar = [ivar retain];
return self;
}
- (void)dealloc {
[super dealloc];
[_ivar release]; // expected-warning {{The 'dealloc' instance method in Objective-C class 'SuperDeallocThenReleaseIvarClass' references 'self' afer a call to [super dealloc], causing a use-after-free memory reference}}
}
@end
@interface SuperDeallocThenAssignNilToIvarClass : NSObject {
NSObject *_delegate;
}
@end
@implementation SuperDeallocThenAssignNilToIvarClass
- (instancetype)initWithDelegate:(NSObject *)delegate {
self = [super init];
if (!self)
return nil;
_delegate = delegate;
return self;
}
- (void)dealloc {
[super dealloc];
_delegate = nil; // expected-warning {{The 'dealloc' instance method in Objective-C class 'SuperDeallocThenAssignNilToIvarClass' references 'self' afer a call to [super dealloc], causing a use-after-free memory reference}}
}
@end
@interface SuperDeallocThenReleasePropertyClass : NSObject { }
@property (retain) NSObject *ivar;
@end
@implementation SuperDeallocThenReleasePropertyClass
- (instancetype)initWithProperty:(NSObject *)ivar {
self = [super init];
if (!self)
return nil;
self.ivar = ivar;
return self;
}
- (void)dealloc {
[super dealloc];
self.ivar = nil; // expected-warning {{The 'dealloc' instance method in Objective-C class 'SuperDeallocThenReleasePropertyClass' references 'self' afer a call to [super dealloc], causing a use-after-free memory reference}}
}
@end
@interface SuperDeallocThenAssignNilToPropertyClass : NSObject { }
@property (assign) NSObject *delegate;
@end
@implementation SuperDeallocThenAssignNilToPropertyClass
- (instancetype)initWithDelegate:(NSObject *)delegate {
self = [super init];
if (!self)
return nil;
self.delegate = delegate;
return self;
}
- (void)dealloc {
[super dealloc];
self.delegate = nil; // expected-warning {{The 'dealloc' instance method in Objective-C class 'SuperDeallocThenAssignNilToPropertyClass' references 'self' afer a call to [super dealloc], causing a use-after-free memory reference}}
}
@end
@interface SuperDeallocThenCallInstanceMethodClass : NSObject { }
- (void)_invalidate;
@end
@implementation SuperDeallocThenCallInstanceMethodClass
- (void)_invalidate {
}
- (void)dealloc {
[super dealloc];
[self _invalidate]; // expected-warning {{The 'dealloc' instance method in Objective-C class 'SuperDeallocThenCallInstanceMethodClass' references 'self' afer a call to [super dealloc], causing a use-after-free memory reference}}
}
@end
@interface SuperDeallocThenCallNonObjectiveCMethodClass : NSObject { }
@end
static void _invalidate(NSObject *object) {
(void)object;
}
@implementation SuperDeallocThenCallNonObjectiveCMethodClass
- (void)dealloc {
[super dealloc];
_invalidate(self); // expected-warning {{The 'dealloc' instance method in Objective-C class 'SuperDeallocThenCallNonObjectiveCMethodClass' references 'self' afer a call to [super dealloc], causing a use-after-free memory reference}}
}
@end
@interface TwoSuperDeallocCallsClass : NSObject {
NSObject *_ivar;
}
- (void)_invalidate;
@end
@implementation TwoSuperDeallocCallsClass
- (void)_invalidate {
}
- (void)dealloc {
if (_ivar) {
[_ivar release];
[super dealloc];
return;
}
[super dealloc];
[self _invalidate]; // expected-warning {{The 'dealloc' instance method in Objective-C class 'TwoSuperDeallocCallsClass' references 'self' afer a call to [super dealloc], causing a use-after-free memory reference}}
}
@end

tools/clang-check/Makefile

Show All 14 Lines
TOOL_NO_EXPORTS = 1 TOOL_NO_EXPORTS = 1
include $(CLANG_LEVEL)/../../Makefile.config include $(CLANG_LEVEL)/../../Makefile.config
LINK_COMPONENTS := $(TARGETS_TO_BUILD) asmparser bitreader support mc option LINK_COMPONENTS := $(TARGETS_TO_BUILD) asmparser bitreader support mc option
USEDLIBS = clangFrontend.a clangSerialization.a clangDriver.a \ USEDLIBS = clangFrontend.a clangSerialization.a clangDriver.a \
clangTooling.a clangParse.a clangSema.a \ clangTooling.a clangParse.a clangSema.a \
clangStaticAnalyzerFrontend.a clangStaticAnalyzerCheckers.a \ clangStaticAnalyzerFrontend.a clangStaticAnalyzerCheckers.a \
clangStaticAnalyzerCore.a clangAnalysis.a clangRewriteFrontend.a \ clangStaticAnalyzerCore.a clangAnalysis.a clangRewriteFrontend.a \
clangRewrite.a clangEdit.a clangAST.a clangLex.a clangBasic.a clangRewrite.a clangEdit.a clangAST.a clangASTMatchers.a clangLex.a clangBasic.a
include $(CLANG_LEVEL)/Makefile include $(CLANG_LEVEL)/Makefile

tools/driver/Makefile

Show First 20 LinesShow All 41 Lines▼ Show 20 Lines
USEDLIBS += clangStaticAnalyzerFrontend.a clangStaticAnalyzerCheckers.a \ USEDLIBS += clangStaticAnalyzerFrontend.a clangStaticAnalyzerCheckers.a \
clangStaticAnalyzerCore.a clangStaticAnalyzerCore.a
endif endif
ifeq ($(ENABLE_CLANG_ARCMT),1) ifeq ($(ENABLE_CLANG_ARCMT),1)
USEDLIBS += clangARCMigrate.a USEDLIBS += clangARCMigrate.a
endif endif
USEDLIBS += clangAnalysis.a clangEdit.a clangAST.a clangLex.a clangBasic.a USEDLIBS += clangAnalysis.a clangEdit.a clangAST.a clangASTMatchers.a clangLex.a clangBasic.a
include $(CLANG_LEVEL)/Makefile include $(CLANG_LEVEL)/Makefile
# Set the tool version information values. # Set the tool version information values.
ifeq ($(HOST_OS),Darwin) ifeq ($(HOST_OS),Darwin)
ifdef CLANG_VENDOR ifdef CLANG_VENDOR
TOOL_INFO_NAME := $(CLANG_VENDOR) clang TOOL_INFO_NAME := $(CLANG_VENDOR) clang
else else
Show All 17 Lines