This is an archive of the discontinued LLVM Phabricator instance.

Differential D100839

[analyzer] Adjust the reported variable name in retain count checker
ClosedPublic

Authored by vsavchenko on Apr 20 2021, 3:57 AM.

Details

Reviewers
NoQ
martong
steakhal
xazax.hun
Commits
rG61ae2db2d7a9: [analyzer] Adjust the reported variable name in retain count checker
Summary

When reporting leaks, we try to attach the leaking object to some
variable, so it's easier to understand. Before the patch, we always
tried to use the first variable to store the object in question.
This can get very confusing for the user, if that variable doesn't
contain that object at the moment of the actual leak. In many cases,
the warning is dismissed as false positive and it is effectively a
false positive when we fail to properly explain the warning to the
user.

This patch addresses the bigest issue in cases like this. Now we
check if the variable still contains the leaking symbolic object.
If not, we look for the last variable to actually hold it and use
that variable instead.

Diff Detail

Event Timeline

vsavchenko created this revision.Apr 20 2021, 3:57 AM
Herald added subscribers: steakhal, ASDenysPetrov, martong and 9 others. · View Herald TranscriptApr 20 2021, 3:57 AM
vsavchenko requested review of this revision.Apr 20 2021, 3:57 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2021, 3:57 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B99678: Diff 338807.Apr 20 2021, 4:19 AM
vsavchenko updated this revision to Diff 338835.Apr 20 2021, 5:26 AM

Update comments

vsavchenko added reviewers: NoQ, martong, steakhal, xazax.hun.Apr 20 2021, 5:31 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptApr 20 2021, 5:31 AM
vsavchenko added a parent revision: D100626: [analyzer][NFC] Remove duplicated work from retain count leak report.Apr 20 2021, 5:31 AM
Harbormaster completed remote builds in B99695: Diff 338835.Apr 20 2021, 6:34 AM
vsavchenko added a child revision: D100852: [analyzer] Track leaking object through stores.Apr 20 2021, 7:16 AM
NoQ added a comment.Apr 21 2021, 12:28 AM

This is a major improvement. MallocChecker will have to catch up on that. Hopefully through increased code re-use.

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp
651

I feel semi-irrational urge to add comments whenever NRVO is employed.

967–968

Given that the current state doesn't satisfy the requirement on line 945, this can happen for two reasons:

  1. The symbol was there when the variable died so we simply tracked it back to the last moment of time the variable was alive.
  2. The symbol was there but was overwritten later (and then the variable may have also, but haven't necessarily, died).

Case 2 is bad because we're back in business for reporting the wrong variable; it's still more rare than before the patch but i think the problem remains. Something like this should probably demonstrate it:

void foo() {
  Object *Original = allocate(...);
  Original = allocate();
  Original->release();
}

A potential solution may be to add a check in getAllVarBindingsForSymbol that the first node in which we find our symbol corresponds to a *PurgeDeadSymbols program point. It's a straightforward way to find out whether we're in case 1 or in case 2.

clang/test/Analysis/Inputs/expected-plists/retain-release-path-notes.m.plist
5993

This patch seems to add 3 entirely new warnings here. Why do they suddenly start showing up? Are they good?

vsavchenko added inline comments.Apr 22 2021, 12:50 AM
clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp
651

I know, and I lacked trust in compilers that all of them will do it, but I think things like this should not be commented. It's not part of main the logic and it looks natural, so we can not explain why we did it this way in particular.

967–968

In this situation, we will report on line Original = allocate();, which should probably be a good enough indicator of what analyzer tries to say.
In your example, we have a choice of either not report variable name at all or report Original

clang/test/Analysis/Inputs/expected-plists/retain-release-path-notes.m.plist
5993

Because I added 3 more test cases? 😅

NoQ added inline comments.Apr 25 2021, 11:24 PM
clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp
967–968

I had a look and it looks like all of our UIs are acting up quite a bit on this example. The user ends up completely convinced that it's the current value of Original that's getting leaked, not the original value.

Let's at least add a test and/or a comment? This definitely isn't a regression and the patch is still really good.

clang/test/Analysis/Inputs/expected-plists/retain-release-path-notes.m.plist
5993

Uh-oh ok fair enough :D

vsavchenko updated this revision to Diff 340544.Apr 26 2021, 8:54 AM

Add test for the case when there are no good alternatives

Harbormaster completed remote builds in B100949: Diff 340544.Apr 26 2021, 10:56 AM
vsavchenko marked an inline comment as done.Apr 26 2021, 11:14 AM
NoQ accepted this revision.Apr 26 2021, 8:31 PM

Great, thanks!~

This revision is now accepted and ready to land.Apr 26 2021, 8:31 PM
This revision was landed with ongoing or failed builds.Apr 28 2021, 8:38 AM
Closed by commit rG61ae2db2d7a9: [analyzer] Adjust the reported variable name in retain count checker (authored by vsavchenko). · Explain Why
This revision was automatically updated to reflect the committed changes.
vsavchenko added a commit: rG61ae2db2d7a9: [analyzer] Adjust the reported variable name in retain count checker.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
RetainCountChecker/
13 lines
134 lines
test/
Analysis/
Inputs/
expected-plists/
6 lines
1024 lines
12 lines
12 lines
8 lines
51 lines
4 lines

Diff 338835

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.h

Show First 20 LinesShow All 62 Lines▼ Show 20 Linespublic:
ArrayRef<SourceRange> getRanges() const override { ArrayRef<SourceRange> getRanges() const override {
if (!isLeak) if (!isLeak)
return PathSensitiveBugReport::getRanges(); return PathSensitiveBugReport::getRanges();
return {}; return {};
} }
}; };
class RefLeakReport : public RefCountReport { class RefLeakReport : public RefCountReport {
const MemRegion* AllocBinding; const MemRegion *AllocFirstBinding = nullptr;
const Stmt *AllocStmt; const MemRegion *AllocBindingToReport = nullptr;
const Stmt *AllocStmt = nullptr;
PathDiagnosticLocation Location; PathDiagnosticLocation Location;
// Finds the function declaration where a leak warning for the parameter // Finds the function declaration where a leak warning for the parameter
// 'sym' should be raised. // 'sym' should be raised.
void deriveParamLocation(CheckerContext &Ctx, SymbolRef sym); void deriveParamLocation(CheckerContext &Ctx);
// Finds the location where a leak warning for 'sym' should be raised. // Finds the location where the leaking object is allocated.
void deriveAllocLocation(CheckerContext &Ctx, SymbolRef sym); void deriveAllocLocation(CheckerContext &Ctx);
// Produces description of a leak warning which is printed on the console. // Produces description of a leak warning which is printed on the console.
void createDescription(CheckerContext &Ctx); void createDescription(CheckerContext &Ctx);
// Finds the binding that we should use in a leak warning.
void findBindingToReport(CheckerContext &Ctx, ExplodedNode *Node);
public: public:
RefLeakReport(const RefCountBug &D, const LangOptions &LOpts, ExplodedNode *n, RefLeakReport(const RefCountBug &D, const LangOptions &LOpts, ExplodedNode *n,
SymbolRef sym, CheckerContext &Ctx); SymbolRef sym, CheckerContext &Ctx);
PathDiagnosticLocation getLocation() const override { PathDiagnosticLocation getLocation() const override {
assert(Location.isValid()); assert(Location.isValid());
return Location; return Location;
} }
Show All 11 Lines

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp

// RetainCountDiagnostics.cpp - Checks for leaks and other issues -*- C++ -*--// // RetainCountDiagnostics.cpp - Checks for leaks and other issues -*- C++ -*--//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines diagnostics for RetainCountChecker, which implements // This file defines diagnostics for RetainCountChecker, which implements
// a reference count checker for Core Foundation and Cocoa on (Mac OS X). // a reference count checker for Core Foundation and Cocoa on (Mac OS X).
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "RetainCountDiagnostics.h" #include "RetainCountDiagnostics.h"
#include "RetainCountChecker.h" #include "RetainCountChecker.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallVector.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace retaincountchecker; using namespace retaincountchecker;
StringRef RefCountBug::bugTypeToName(RefCountBug::RefCountBugKind BT) { StringRef RefCountBug::bugTypeToName(RefCountBug::RefCountBugKind BT) {
switch (BT) { switch (BT) {
case UseAfterRelease: case UseAfterRelease:
▲ Show 20 LinesShow All 308 Lines▼ Show 20 Linespublic:
PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC, PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
const ExplodedNode *N, const ExplodedNode *N,
PathSensitiveBugReport &BR) override; PathSensitiveBugReport &BR) override;
}; };
class RefLeakReportVisitor : public RefCountReportVisitor { class RefLeakReportVisitor : public RefCountReportVisitor {
public: public:
RefLeakReportVisitor(SymbolRef Sym, const MemRegion *FirstBinding) RefLeakReportVisitor(SymbolRef Sym, const MemRegion *LastBinding)
: RefCountReportVisitor(Sym), FirstBinding(FirstBinding) {} : RefCountReportVisitor(Sym), LastBinding(LastBinding) {}
PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC, PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
const ExplodedNode *N, const ExplodedNode *N,
PathSensitiveBugReport &BR) override; PathSensitiveBugReport &BR) override;
private: private:
const MemRegion *FirstBinding; const MemRegion *LastBinding;
}; };
} // end namespace retaincountchecker } // end namespace retaincountchecker
} // end namespace ento } // end namespace ento
} // end namespace clang } // end namespace clang
/// Find the first node with the parent stack frame. /// Find the first node with the parent stack frame.
▲ Show 20 LinesShow All 252 Lines▼ Show 20 Lines
static Optional<std::string> describeRegion(const MemRegion *MR) { static Optional<std::string> describeRegion(const MemRegion *MR) {
if (const auto *VR = dyn_cast_or_null<VarRegion>(MR)) if (const auto *VR = dyn_cast_or_null<VarRegion>(MR))
return std::string(VR->getDecl()->getName()); return std::string(VR->getDecl()->getName());
// Once we support more storage locations for bindings, // Once we support more storage locations for bindings,
// this would need to be improved. // this would need to be improved.
return None; return None;
} }
using Bindings = llvm::SmallVector<const MemRegion *, 4>;
class VarBindingsCollector : public StoreManager::BindingsHandler {
SymbolRef Sym;
Bindings &Result;
public:
VarBindingsCollector(SymbolRef Sym, Bindings &ToFill)
: Sym(Sym), Result(ToFill) {}
bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *R,
SVal Val) override {
SymbolRef SymV = Val.getAsLocSymbol();
if (!SymV || SymV != Sym)
return true;
if (isa<NonParamVarRegion>(R))
Result.push_back(R);
return true;
}
};
Bindings getAllVarBindingsForSymbol(ProgramStateManager &Manager,
const ExplodedNode *Node, SymbolRef Sym) {
Bindings Result;
VarBindingsCollector Collector{Sym, Result};
while (Result.empty() && Node) {
Manager.iterBindings(Node->getState(), Collector);
Node = Node->getFirstPred();
}
return Result;
NoQUnsubmitted
Not Done
ReplyInline Actions

I feel semi-irrational urge to add comments whenever NRVO is employed.

NoQ: I feel semi-irrational urge to add comments whenever NRVO is employed.
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

I know, and I lacked trust in compilers that all of them will do it, but I think things like this should not be commented. It's not part of main the logic and it looks natural, so we can not explain why we did it this way in particular.

vsavchenko: I know, and I lacked trust in compilers that all of them will do it, but I think things like…
}
namespace { namespace {
// Find the first node in the current function context that referred to the // Find the first node in the current function context that referred to the
// tracked symbol and the memory location that value was stored to. Note, the // tracked symbol and the memory location that value was stored to. Note, the
// value is only reported if the allocation occurred in the same function as // value is only reported if the allocation occurred in the same function as
// the leak. The function can also return a location context, which should be // the leak. The function can also return a location context, which should be
// treated as interesting. // treated as interesting.
struct AllocationInfo { struct AllocationInfo {
const ExplodedNode* N; const ExplodedNode* N;
▲ Show 20 LinesShow All 110 Lines▼ Show 20 LinesRefLeakReportVisitor::getEndPath(BugReporterContext &BRC,
PathDiagnosticLocation L = cast<RefLeakReport>(BR).getEndOfPath(); PathDiagnosticLocation L = cast<RefLeakReport>(BR).getEndOfPath();
std::string sbuf; std::string sbuf;
llvm::raw_string_ostream os(sbuf); llvm::raw_string_ostream os(sbuf);
os << "Object leaked: "; os << "Object leaked: ";
Optional<std::string> RegionDescription = describeRegion(FirstBinding); Optional<std::string> RegionDescription = describeRegion(LastBinding);
if (RegionDescription) { if (RegionDescription) {
os << "object allocated and stored into '" << *RegionDescription << '\''; os << "object allocated and stored into '" << *RegionDescription << '\'';
} else { } else {
os << "allocated object of type '" << getPrettyTypeName(Sym->getType()) os << "allocated object of type '" << getPrettyTypeName(Sym->getType())
<< "'"; << "'";
} }
// Get the retain count. // Get the retain count.
const RefVal* RV = getRefBinding(EndN->getState(), Sym); const RefVal *RV = getRefBinding(EndN->getState(), Sym);
assert(RV); assert(RV);
if (RV->getKind() == RefVal::ErrorLeakReturned) { if (RV->getKind() == RefVal::ErrorLeakReturned) {
// FIXME: Per comments in rdar://6320065, "create" only applies to CF // FIXME: Per comments in rdar://6320065, "create" only applies to CF
// objects. Only "copy", "alloc", "retain" and "new" transfer ownership // objects. Only "copy", "alloc", "retain" and "new" transfer ownership
// to the caller for NS objects. // to the caller for NS objects.
const Decl *D = &EndN->getCodeDecl(); const Decl *D = &EndN->getCodeDecl();
Show All 24 Lines if (D->hasAttr<CFReturnsNotRetainedAttr>()) {
os << "whose name ('" << *FD os << "whose name ('" << *FD
<< "') does not contain 'Copy' or 'Create'. This violates the " << "') does not contain 'Copy' or 'Create'. This violates the "
"naming" "naming"
" convention rules given in the Memory Management Guide for " " convention rules given in the Memory Management Guide for "
"Core" "Core"
" Foundation"; " Foundation";
} else if (RV->getObjKind() == ObjKind::OS) { } else if (RV->getObjKind() == ObjKind::OS) {
std::string FuncName = FD->getNameAsString(); std::string FuncName = FD->getNameAsString();
os << "whose name ('" << FuncName os << "whose name ('" << FuncName << "') starts with '"
<< "') starts with '" << StringRef(FuncName).substr(0, 3) << "'"; << StringRef(FuncName).substr(0, 3) << "'";
} }
} }
} }
} else { } else {
os << " is not referenced later in this execution path and has a retain " os << " is not referenced later in this execution path and has a retain "
"count of +" << RV->getCount(); "count of +"
<< RV->getCount();
} }
return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); return std::make_shared<PathDiagnosticEventPiece>(L, os.str());
} }
RefCountReport::RefCountReport(const RefCountBug &D, const LangOptions &LOpts, RefCountReport::RefCountReport(const RefCountBug &D, const LangOptions &LOpts,
ExplodedNode *n, SymbolRef sym, bool isLeak) ExplodedNode *n, SymbolRef sym, bool isLeak)
: PathSensitiveBugReport(D, D.getDescription(), n), Sym(sym), : PathSensitiveBugReport(D, D.getDescription(), n), Sym(sym),
isLeak(isLeak) { isLeak(isLeak) {
if (!isLeak) if (!isLeak)
addVisitor(std::make_unique<RefCountReportVisitor>(sym)); addVisitor(std::make_unique<RefCountReportVisitor>(sym));
} }
RefCountReport::RefCountReport(const RefCountBug &D, const LangOptions &LOpts, RefCountReport::RefCountReport(const RefCountBug &D, const LangOptions &LOpts,
ExplodedNode *n, SymbolRef sym, ExplodedNode *n, SymbolRef sym,
StringRef endText) StringRef endText)
: PathSensitiveBugReport(D, D.getDescription(), endText, n) { : PathSensitiveBugReport(D, D.getDescription(), endText, n) {
addVisitor(std::make_unique<RefCountReportVisitor>(sym)); addVisitor(std::make_unique<RefCountReportVisitor>(sym));
} }
void RefLeakReport::deriveParamLocation(CheckerContext &Ctx, SymbolRef sym) { void RefLeakReport::deriveParamLocation(CheckerContext &Ctx) {
const SourceManager& SMgr = Ctx.getSourceManager(); const SourceManager &SMgr = Ctx.getSourceManager();
if (!sym->getOriginRegion()) if (!Sym->getOriginRegion())
return; return;
auto *Region = dyn_cast<DeclRegion>(sym->getOriginRegion()); auto *Region = dyn_cast<DeclRegion>(Sym->getOriginRegion());
Lint: Pre-merge checks
Inline Actions

clang-tidy: warning: 'auto *Region' can be declared as 'const auto *Region' [llvm-qualified-auto]
not useful

Lint: Pre-merge checks: clang-tidy: warning: 'auto *Region' can be declared as 'const auto *Region' [llvm-qualified…
if (Region) { if (Region) {
const Decl *PDecl = Region->getDecl(); const Decl *PDecl = Region->getDecl();
if (PDecl && isa<ParmVarDecl>(PDecl)) { if (isa_and_nonnull<ParmVarDecl>(PDecl)) {
PathDiagnosticLocation ParamLocation = PathDiagnosticLocation ParamLocation =
PathDiagnosticLocation::create(PDecl, SMgr); PathDiagnosticLocation::create(PDecl, SMgr);
Location = ParamLocation; Location = ParamLocation;
UniqueingLocation = ParamLocation; UniqueingLocation = ParamLocation;
UniqueingDecl = Ctx.getLocationContext()->getDecl(); UniqueingDecl = Ctx.getLocationContext()->getDecl();
} }
} }
} }
void RefLeakReport::deriveAllocLocation(CheckerContext &Ctx, void RefLeakReport::deriveAllocLocation(CheckerContext &Ctx) {
SymbolRef sym) {
// Most bug reports are cached at the location where they occurred. // Most bug reports are cached at the location where they occurred.
// With leaks, we want to unique them by the location where they were // With leaks, we want to unique them by the location where they were
// allocated, and only report a single path. To do this, we need to find // allocated, and only report a single path. To do this, we need to find
// the allocation site of a piece of tracked memory, which we do via a // the allocation site of a piece of tracked memory, which we do via a
// call to GetAllocationSite. This will walk the ExplodedGraph backwards. // call to GetAllocationSite. This will walk the ExplodedGraph backwards.
// Note that this is *not* the trimmed graph; we are guaranteed, however, // Note that this is *not* the trimmed graph; we are guaranteed, however,
// that all ancestor nodes that represent the allocation site have the // that all ancestor nodes that represent the allocation site have the
// same SourceLocation. // same SourceLocation.
const ExplodedNode *AllocNode = nullptr; const ExplodedNode *AllocNode = nullptr;
const SourceManager& SMgr = Ctx.getSourceManager(); const SourceManager &SMgr = Ctx.getSourceManager();
AllocationInfo AllocI = AllocationInfo AllocI =
GetAllocationSite(Ctx.getStateManager(), getErrorNode(), sym); GetAllocationSite(Ctx.getStateManager(), getErrorNode(), Sym);
AllocNode = AllocI.N; AllocNode = AllocI.N;
AllocBinding = AllocI.R; AllocFirstBinding = AllocI.R;
markInteresting(AllocI.InterestingMethodContext); markInteresting(AllocI.InterestingMethodContext);
// Get the SourceLocation for the allocation site. // Get the SourceLocation for the allocation site.
// FIXME: This will crash the analyzer if an allocation comes from an // FIXME: This will crash the analyzer if an allocation comes from an
// implicit call (ex: a destructor call). // implicit call (ex: a destructor call).
// (Currently there are no such allocations in Cocoa, though.) // (Currently there are no such allocations in Cocoa, though.)
AllocStmt = AllocNode->getStmtForDiagnostics(); AllocStmt = AllocNode->getStmtForDiagnostics();
if (!AllocStmt) { if (!AllocStmt) {
AllocBinding = nullptr; AllocFirstBinding = nullptr;
return; return;
} }
PathDiagnosticLocation AllocLocation = PathDiagnosticLocation AllocLocation = PathDiagnosticLocation::createBegin(
PathDiagnosticLocation::createBegin(AllocStmt, SMgr, AllocStmt, SMgr, AllocNode->getLocationContext());
AllocNode->getLocationContext());
Location = AllocLocation; Location = AllocLocation;
// Set uniqieing info, which will be used for unique the bug reports. The // Set uniqieing info, which will be used for unique the bug reports. The
// leaks should be uniqued on the allocation site. // leaks should be uniqued on the allocation site.
UniqueingLocation = AllocLocation; UniqueingLocation = AllocLocation;
UniqueingDecl = AllocNode->getLocationContext()->getDecl(); UniqueingDecl = AllocNode->getLocationContext()->getDecl();
} }
void RefLeakReport::createDescription(CheckerContext &Ctx) { void RefLeakReport::createDescription(CheckerContext &Ctx) {
assert(Location.isValid() && UniqueingDecl && UniqueingLocation.isValid()); assert(Location.isValid() && UniqueingDecl && UniqueingLocation.isValid());
Description.clear(); Description.clear();
llvm::raw_string_ostream os(Description); llvm::raw_string_ostream os(Description);
os << "Potential leak of an object"; os << "Potential leak of an object";
Optional<std::string> RegionDescription = describeRegion(AllocBinding); Optional<std::string> RegionDescription =
describeRegion(AllocBindingToReport);
if (RegionDescription) { if (RegionDescription) {
os << " stored into '" << *RegionDescription << '\''; os << " stored into '" << *RegionDescription << '\'';
} else { } else {
// If we can't figure out the name, just supply the type information. // If we can't figure out the name, just supply the type information.
os << " of type '" << getPrettyTypeName(Sym->getType()) << "'"; os << " of type '" << getPrettyTypeName(Sym->getType()) << "'";
} }
} }
void RefLeakReport::findBindingToReport(CheckerContext &Ctx,
ExplodedNode *Node) {
if (!AllocFirstBinding)
// If we don't have any bindings, we won't be able to find any
// better binding to report.
return;
// If the original region still contains the leaking symbol...
if (Node->getState()->getSVal(AllocFirstBinding).getAsSymbol() == Sym) {
// ...it is the best binding to report.
AllocBindingToReport = AllocFirstBinding;
return;
}
// At this point, we know that the original region doesn't contain the leaking
// when the actual leak happens. It means that it can be confusing for the
// user to see such description in the message.
//
// Let's consider the following example:
// Object *Original = allocate(...);
// Object *New = Original;
// Original = allocate(...);
// Original->release();
//
// Complaining about a leaking object "stored into Original" might cause a
// rightful confusion because 'Original' is actually released.
// We should complain about 'New' instead.
Bindings AllVarBindings =
getAllVarBindingsForSymbol(Ctx.getStateManager(), Node, Sym);
// While looking for the last var bindings, we can still find
// `AllocFirstBinding` to be one of them. In situations like this,
NoQUnsubmitted
Not Done
ReplyInline Actions

Given that the current state doesn't satisfy the requirement on line 945, this can happen for two reasons:

  1. The symbol was there when the variable died so we simply tracked it back to the last moment of time the variable was alive.
  2. The symbol was there but was overwritten later (and then the variable may have also, but haven't necessarily, died).

Case 2 is bad because we're back in business for reporting the wrong variable; it's still more rare than before the patch but i think the problem remains. Something like this should probably demonstrate it:

void foo() {
  Object *Original = allocate(...);
  Original = allocate();
  Original->release();
}

A potential solution may be to add a check in getAllVarBindingsForSymbol that the first node in which we find our symbol corresponds to a *PurgeDeadSymbols program point. It's a straightforward way to find out whether we're in case 1 or in case 2.

NoQ: Given that the current state doesn't satisfy the requirement on line 945, this can happen for…
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

In this situation, we will report on line Original = allocate();, which should probably be a good enough indicator of what analyzer tries to say.
In your example, we have a choice of either not report variable name at all or report Original

vsavchenko: In this situation, we will report on line `Original = allocate();`, which should probably be a…
NoQUnsubmitted
Done
ReplyInline Actions

I had a look and it looks like all of our UIs are acting up quite a bit on this example. The user ends up completely convinced that it's the current value of Original that's getting leaked, not the original value.

Let's at least add a test and/or a comment? This definitely isn't a regression and the patch is still really good.

NoQ: I had a look and it looks like all of our UIs are acting up quite a bit on this example. The…
// it would still be the easiest case to explain to our users.
if (!AllVarBindings.empty() &&
llvm::count(AllVarBindings, AllocFirstBinding) == 0)
// Let's pick one of them at random (if there is something to pick from).
AllocBindingToReport = AllVarBindings[0];
else
AllocBindingToReport = AllocFirstBinding;
}
RefLeakReport::RefLeakReport(const RefCountBug &D, const LangOptions &LOpts, RefLeakReport::RefLeakReport(const RefCountBug &D, const LangOptions &LOpts,
ExplodedNode *N, SymbolRef Sym, ExplodedNode *N, SymbolRef Sym,
CheckerContext &Ctx) CheckerContext &Ctx)
: RefCountReport(D, LOpts, N, Sym, /*isLeak=*/true) { : RefCountReport(D, LOpts, N, Sym, /*isLeak=*/true) {
deriveAllocLocation(Ctx, Sym); deriveAllocLocation(Ctx);
if (!AllocBinding) findBindingToReport(Ctx, N);
deriveParamLocation(Ctx, Sym);
if (!AllocFirstBinding)
deriveParamLocation(Ctx);
createDescription(Ctx); createDescription(Ctx);
addVisitor(std::make_unique<RefLeakReportVisitor>(Sym, AllocBinding)); addVisitor(std::make_unique<RefLeakReportVisitor>(Sym, AllocBindingToReport));
} }

clang/test/Analysis/Inputs/expected-plists/edges-new.mm.plist

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 21,940 Lines▼ Show 20 Lines <array>
<key>location</key> <key>location</key>
<dict> <dict>
<key>line</key><integer>568</integer> <key>line</key><integer>568</integer>
<key>col</key><integer>1</integer> <key>col</key><integer>1</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;foo&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;garply&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key> <key>message</key>
<string>Object leaked: object allocated and stored into &apos;foo&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;garply&apos; is not referenced later in this execution path and has a retain count of +1</string>
</dict> </dict>
</array> </array>
<key>description</key><string>Potential leak of an object stored into &apos;foo&apos;</string> <key>description</key><string>Potential leak of an object stored into &apos;garply&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string> <key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string> <key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string> <key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! --> <!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>5616a7601faa1a8c2ac56fa1b595b172</string> <key>issue_hash_content_of_line_in_context</key><string>5616a7601faa1a8c2ac56fa1b595b172</string>
<key>issue_context_kind</key><string>function</string> <key>issue_context_kind</key><string>function</string>
<key>issue_context</key><string>longLines</string> <key>issue_context</key><string>longLines</string>
<key>issue_hash_function_offset</key><string>1</string> <key>issue_hash_function_offset</key><string>1</string>
▲ Show 20 LinesShow All 459 LinesShow Last 20 Lines

clang/test/Analysis/Inputs/expected-plists/retain-release-path-notes.m.plist

Show First 20 LinesShow All 5,006 Lines▼ Show 20 Lines <array>
<integer>259</integer> <integer>259</integer>
<integer>260</integer> <integer>260</integer>
<integer>261</integer> <integer>261</integer>
<integer>262</integer> <integer>262</integer>
<integer>263</integer> <integer>263</integer>
</array> </array>
</dict> </dict>
</dict> </dict>
<dict>
<key>path</key>
<array>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>37</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Calling &apos;initY&apos;</string>
<key>message</key>
<string>Calling &apos;initY&apos;</string>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
<key>depth</key><integer>1</integer>
<key>extended_message</key>
<string>Entered call from &apos;testLeakAliasSimple&apos;</string>
<key>message</key>
<string>Entered call from &apos;testLeakAliasSimple&apos;</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>6</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>10</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>10</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>21</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>1</integer>
<key>extended_message</key>
<string>Method returns an instance of MyObj with a +1 retain count</string>
<key>message</key>
<string>Method returns an instance of MyObj with a +1 retain count</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>6</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>216</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>216</integer>
<key>col</key><integer>8</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>37</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Returning from &apos;initY&apos;</string>
<key>message</key>
<string>Returning from &apos;initY&apos;</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>337</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>342</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>342</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>342</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>342</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>342</integer>
<key>col</key><integer>20</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;New&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key>
<string>Object leaked: object allocated and stored into &apos;New&apos; is not referenced later in this execution path and has a retain count of +1</string>
</dict>
</array>
<key>description</key><string>Potential leak of an object stored into &apos;New&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>c6578d694dd90a2f586f52c9b53042c3</string>
<key>issue_context_kind</key><string>Objective-C method</string>
<key>issue_context</key><string>testLeakAliasSimple</string>
<key>issue_hash_function_offset</key><string>1</string>
<key>location</key>
<dict>
<key>line</key><integer>342</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ExecutedLines</key>
<dict>
<key>0</key>
<array>
<integer>214</integer>
<integer>215</integer>
<integer>216</integer>
<integer>219</integer>
<integer>220</integer>
<integer>221</integer>
<integer>336</integer>
<integer>337</integer>
<integer>339</integer>
<integer>340</integer>
<integer>341</integer>
<integer>342</integer>
</array>
</dict>
</dict>
<dict>
<key>path</key>
<array>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>37</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Calling &apos;initY&apos;</string>
<key>message</key>
<string>Calling &apos;initY&apos;</string>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
<key>depth</key><integer>1</integer>
<key>extended_message</key>
<string>Entered call from &apos;testLeakAliasChain&apos;</string>
<key>message</key>
<string>Entered call from &apos;testLeakAliasChain&apos;</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>6</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>10</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>10</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>21</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>1</integer>
<key>extended_message</key>
<string>Method returns an instance of MyObj with a +1 retain count</string>
<key>message</key>
<string>Method returns an instance of MyObj with a +1 retain count</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>6</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>216</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>216</integer>
<key>col</key><integer>8</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>37</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Returning from &apos;initY&apos;</string>
<key>message</key>
<string>Returning from &apos;initY&apos;</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>347</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>353</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>353</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>353</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>353</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>353</integer>
<key>col</key><integer>20</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;New&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key>
<string>Object leaked: object allocated and stored into &apos;New&apos; is not referenced later in this execution path and has a retain count of +1</string>
</dict>
</array>
<key>description</key><string>Potential leak of an object stored into &apos;New&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>076457f7cf482449386f129554f48f68</string>
<key>issue_context_kind</key><string>Objective-C method</string>
<key>issue_context</key><string>testLeakAliasChain</string>
<key>issue_hash_function_offset</key><string>1</string>
<key>location</key>
<dict>
<key>line</key><integer>353</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ExecutedLines</key>
<dict>
<key>0</key>
<array>
<integer>214</integer>
<integer>215</integer>
<integer>216</integer>
<integer>219</integer>
<integer>220</integer>
<integer>221</integer>
<integer>346</integer>
<integer>347</integer>
<integer>349</integer>
<integer>350</integer>
<integer>351</integer>
<integer>352</integer>
<integer>353</integer>
</array>
</dict>
</dict>
<dict>
<key>path</key>
<array>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>37</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Calling &apos;initY&apos;</string>
<key>message</key>
<string>Calling &apos;initY&apos;</string>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
<key>depth</key><integer>1</integer>
<key>extended_message</key>
<string>Entered call from &apos;testLeakAliasDeathInExpr&apos;</string>
<key>message</key>
<string>Entered call from &apos;testLeakAliasDeathInExpr&apos;</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>214</integer>
<key>col</key><integer>1</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>6</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>10</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>10</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>21</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>1</integer>
<key>extended_message</key>
<string>Method returns an instance of MyObj with a +1 retain count</string>
<key>message</key>
<string>Method returns an instance of MyObj with a +1 retain count</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>215</integer>
<key>col</key><integer>6</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>216</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>216</integer>
<key>col</key><integer>8</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>37</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Returning from &apos;initY&apos;</string>
<key>message</key>
<string>Returning from &apos;initY&apos;</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>17</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>371</integer>
<key>col</key><integer>4</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>376</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>376</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>event</string>
<key>location</key>
<dict>
<key>line</key><integer>376</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>376</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>376</integer>
<key>col</key><integer>20</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>depth</key><integer>0</integer>
<key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;New&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key>
<string>Object leaked: object allocated and stored into &apos;New&apos; is not referenced later in this execution path and has a retain count of +1</string>
NoQUnsubmitted
Not Done
ReplyInline Actions

This patch seems to add 3 entirely new warnings here. Why do they suddenly start showing up? Are they good?

NoQ: This patch seems to add 3 entirely new warnings here. Why do they suddenly start showing up?
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

Because I added 3 more test cases? 😅

vsavchenko: Because I added 3 more test cases? 😅
NoQUnsubmitted
Not Done
ReplyInline Actions

Uh-oh ok fair enough :D

NoQ: Uh-oh ok fair enough :D
</dict>
</array>
<key>description</key><string>Potential leak of an object stored into &apos;New&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>1ead75ff85eb09fa93374d0083f531e5</string>
<key>issue_context_kind</key><string>Objective-C method</string>
<key>issue_context</key><string>testLeakAliasDeathInExpr</string>
<key>issue_hash_function_offset</key><string>1</string>
<key>location</key>
<dict>
<key>line</key><integer>376</integer>
<key>col</key><integer>3</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ExecutedLines</key>
<dict>
<key>0</key>
<array>
<integer>214</integer>
<integer>215</integer>
<integer>216</integer>
<integer>219</integer>
<integer>220</integer>
<integer>221</integer>
<integer>357</integer>
<integer>358</integer>
<integer>359</integer>
<integer>360</integer>
<integer>363</integer>
<integer>364</integer>
<integer>365</integer>
<integer>366</integer>
<integer>367</integer>
<integer>370</integer>
<integer>371</integer>
<integer>373</integer>
<integer>374</integer>
<integer>375</integer>
<integer>376</integer>
</array>
</dict>
</dict>
</array> </array>
<key>files</key> <key>files</key>
<array> <array>
</array> </array>
</dict> </dict>
</plist> </plist>

clang/test/Analysis/Inputs/expected-plists/retain-release.m.objc.plist

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 25,401 Lines▼ Show 20 Lines <array>
<key>location</key> <key>location</key>
<dict> <dict>
<key>line</key><integer>2288</integer> <key>line</key><integer>2288</integer>
<key>col</key><integer>1</integer> <key>col</key><integer>1</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;obj&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;second&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key> <key>message</key>
<string>Object leaked: object allocated and stored into &apos;obj&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;second&apos; is not referenced later in this execution path and has a retain count of +1</string>
</dict> </dict>
</array> </array>
<key>description</key><string>Potential leak of an object stored into &apos;obj&apos;</string> <key>description</key><string>Potential leak of an object stored into &apos;second&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string> <key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string> <key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string> <key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! --> <!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>7986c4b7fb29301c109343dfe4155202</string> <key>issue_hash_content_of_line_in_context</key><string>7986c4b7fb29301c109343dfe4155202</string>
<key>issue_context_kind</key><string>function</string> <key>issue_context_kind</key><string>function</string>
<key>issue_context</key><string>testAutoreleaseReturnsInput</string> <key>issue_context</key><string>testAutoreleaseReturnsInput</string>
<key>issue_hash_function_offset</key><string>2</string> <key>issue_hash_function_offset</key><string>2</string>
▲ Show 20 LinesShow All 236 Lines▼ Show 20 Lines <array>
<key>location</key> <key>location</key>
<dict> <dict>
<key>line</key><integer>2308</integer> <key>line</key><integer>2308</integer>
<key>col</key><integer>1</integer> <key>col</key><integer>1</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;arr&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;alias&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key> <key>message</key>
<string>Object leaked: object allocated and stored into &apos;arr&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;alias&apos; is not referenced later in this execution path and has a retain count of +1</string>
</dict> </dict>
</array> </array>
<key>description</key><string>Potential leak of an object stored into &apos;arr&apos;</string> <key>description</key><string>Potential leak of an object stored into &apos;alias&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string> <key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string> <key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string> <key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! --> <!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>2e0dbfdf379acf2f09e46db47d753e8a</string> <key>issue_hash_content_of_line_in_context</key><string>2e0dbfdf379acf2f09e46db47d753e8a</string>
<key>issue_context_kind</key><string>function</string> <key>issue_context_kind</key><string>function</string>
<key>issue_context</key><string>autoreleaseReturningTypedObject</string> <key>issue_context</key><string>autoreleaseReturningTypedObject</string>
<key>issue_hash_function_offset</key><string>1</string> <key>issue_hash_function_offset</key><string>1</string>
▲ Show 20 LinesShow All 554 LinesShow Last 20 Lines

clang/test/Analysis/Inputs/expected-plists/retain-release.m.objcpp.plist

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 25,470 Lines▼ Show 20 Lines <array>
<key>location</key> <key>location</key>
<dict> <dict>
<key>line</key><integer>2288</integer> <key>line</key><integer>2288</integer>
<key>col</key><integer>1</integer> <key>col</key><integer>1</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;obj&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;second&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key> <key>message</key>
<string>Object leaked: object allocated and stored into &apos;obj&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;second&apos; is not referenced later in this execution path and has a retain count of +1</string>
</dict> </dict>
</array> </array>
<key>description</key><string>Potential leak of an object stored into &apos;obj&apos;</string> <key>description</key><string>Potential leak of an object stored into &apos;second&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string> <key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string> <key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string> <key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! --> <!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>7986c4b7fb29301c109343dfe4155202</string> <key>issue_hash_content_of_line_in_context</key><string>7986c4b7fb29301c109343dfe4155202</string>
<key>issue_context_kind</key><string>function</string> <key>issue_context_kind</key><string>function</string>
<key>issue_context</key><string>testAutoreleaseReturnsInput</string> <key>issue_context</key><string>testAutoreleaseReturnsInput</string>
<key>issue_hash_function_offset</key><string>2</string> <key>issue_hash_function_offset</key><string>2</string>
▲ Show 20 LinesShow All 236 Lines▼ Show 20 Lines <array>
<key>location</key> <key>location</key>
<dict> <dict>
<key>line</key><integer>2308</integer> <key>line</key><integer>2308</integer>
<key>col</key><integer>1</integer> <key>col</key><integer>1</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Object leaked: object allocated and stored into &apos;arr&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;alias&apos; is not referenced later in this execution path and has a retain count of +1</string>
<key>message</key> <key>message</key>
<string>Object leaked: object allocated and stored into &apos;arr&apos; is not referenced later in this execution path and has a retain count of +1</string> <string>Object leaked: object allocated and stored into &apos;alias&apos; is not referenced later in this execution path and has a retain count of +1</string>
</dict> </dict>
</array> </array>
<key>description</key><string>Potential leak of an object stored into &apos;arr&apos;</string> <key>description</key><string>Potential leak of an object stored into &apos;alias&apos;</string>
<key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string> <key>category</key><string>Memory (Core Foundation/Objective-C/OSObject)</string>
<key>type</key><string>Leak</string> <key>type</key><string>Leak</string>
<key>check_name</key><string>osx.cocoa.RetainCount</string> <key>check_name</key><string>osx.cocoa.RetainCount</string>
<!-- This hash is experimental and going to change! --> <!-- This hash is experimental and going to change! -->
<key>issue_hash_content_of_line_in_context</key><string>2e0dbfdf379acf2f09e46db47d753e8a</string> <key>issue_hash_content_of_line_in_context</key><string>2e0dbfdf379acf2f09e46db47d753e8a</string>
<key>issue_context_kind</key><string>function</string> <key>issue_context_kind</key><string>function</string>
<key>issue_context</key><string>autoreleaseReturningTypedObject</string> <key>issue_context</key><string>autoreleaseReturningTypedObject</string>
<key>issue_hash_function_offset</key><string>1</string> <key>issue_hash_function_offset</key><string>1</string>
▲ Show 20 LinesShow All 554 LinesShow Last 20 Lines

clang/test/Analysis/osobject-retain-release.cpp

Show First 20 LinesShow All 635 Lines▼ Show 20 Lines // expected-note@-6{{Returning from '~smart_ptr'}}
obj->release(); // expected-warning{{Reference-counted object is used after it is released}} obj->release(); // expected-warning{{Reference-counted object is used after it is released}}
// expected-note@-1{{Reference-counted object is used after it is released}} // expected-note@-1{{Reference-counted object is used after it is released}}
} }
void test_smart_ptr_leak() { void test_smart_ptr_leak() {
OSObject *obj = new OSObject; // expected-note{{Operator 'new' returns an OSObject of type 'OSObject' with a +1 retain count}} OSObject *obj = new OSObject; // expected-note{{Operator 'new' returns an OSObject of type 'OSObject' with a +1 retain count}}
{ {
OSObjectPtr p(obj); // expected-note{{Calling constructor for 'smart_ptr<OSObject>'}} OSObjectPtr p(obj); // expected-note{{Calling constructor for 'smart_ptr<OSObject>'}}
// expected-note@-1{{Returning from constructor for 'smart_ptr<OSObject>'}} // expected-note@-1{{Returning from constructor for 'smart_ptr<OSObject>'}}
// expected-note@os_smart_ptr.h:13{{Field 'pointer' is non-null}} // expected-note@os_smart_ptr.h:13{{Field 'pointer' is non-null}}
// expected-note@os_smart_ptr.h:13{{Taking true branch}} // expected-note@os_smart_ptr.h:13{{Taking true branch}}
// expected-note@os_smart_ptr.h:14{{Calling 'smart_ptr::_retain'}} // expected-note@os_smart_ptr.h:14{{Calling 'smart_ptr::_retain'}}
// expected-note@os_smart_ptr.h:71{{Reference count incremented. The object now has a +2 retain count}} // expected-note@os_smart_ptr.h:71{{Reference count incremented. The object now has a +2 retain count}}
// expected-note@os_smart_ptr.h:14{{Returning from 'smart_ptr::_retain'}} // expected-note@os_smart_ptr.h:14{{Returning from 'smart_ptr::_retain'}}
} // expected-note{{Calling '~smart_ptr'}} } // expected-note{{Calling '~smart_ptr'}}
// expected-note@os_smart_ptr.h:35{{Field 'pointer' is non-null}} // expected-note@os_smart_ptr.h:35{{Field 'pointer' is non-null}}
// expected-note@os_smart_ptr.h:35{{Taking true branch}} // expected-note@os_smart_ptr.h:35{{Taking true branch}}
// expected-note@os_smart_ptr.h:36{{Calling 'smart_ptr::_release'}} // expected-note@os_smart_ptr.h:36{{Calling 'smart_ptr::_release'}}
// expected-note@os_smart_ptr.h:76{{Reference count decremented. The object now has a +1 retain count}} // expected-note@os_smart_ptr.h:76{{Reference count decremented. The object now has a +1 retain count}}
// expected-note@os_smart_ptr.h:36{{Returning from 'smart_ptr::_release'}} // expected-note@os_smart_ptr.h:36{{Returning from 'smart_ptr::_release'}}
// expected-note@-6{{Returning from '~smart_ptr'}} // expected-note@-6{{Returning from '~smart_ptr'}}
} // expected-warning{{Potential leak of an object stored into 'obj'}} } // expected-warning{{Potential leak of an object stored into 'p'}}
// expected-note@-1{{Object leaked: object allocated and stored into 'obj' is not referenced later in this execution path and has a retain count of +1}} // expected-note@-1{{Object leaked: object allocated and stored into 'p' is not referenced later in this execution path and has a retain count of +1}}
void test_smart_ptr_no_leak() { void test_smart_ptr_no_leak() {
OSObject *obj = new OSObject; OSObject *obj = new OSObject;
{ {
OSObjectPtr p(obj); OSObjectPtr p(obj);
} }
obj->release(); obj->release();
} }
▲ Show 20 LinesShow All 90 LinesShow Last 20 Lines

clang/test/Analysis/retain-release-path-notes.m

Show First 20 LinesShow All 206 Lines▼ Show 20 Lines-(id)initX {
if (Cond) // expected-note {{Assuming 'Cond' is not equal to 0}} if (Cond) // expected-note {{Assuming 'Cond' is not equal to 0}}
// expected-note@-1{{Taking true branch}} // expected-note@-1{{Taking true branch}}
return 0; return 0;
self = [super init]; self = [super init];
return self; return self;
} }
-(id)initY { -(id)initY {
self = [super init]; //expected-note {{Method returns an instance of MyObj with a +1 retain count}} self = [super init]; // expected-note 4 {{Method returns an instance of MyObj with a +1 retain count}}
return self; return self;
} }
-(id)initZ { -(id)initZ {
self = [super init]; self = [super init];
return self; return self;
} }
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Lines- (void)testOverreleaseIvarOnlyAutorelease {
[_ivarOnly release]; // FIXME-note {{Reference count decremented}} [_ivarOnly release]; // FIXME-note {{Reference count decremented}}
[_ivarOnly autorelease]; // FIXME-note {{Object autoreleased}} [_ivarOnly autorelease]; // FIXME-note {{Object autoreleased}}
[_ivarOnly autorelease]; // FIXME-note {{Object autoreleased}} [_ivarOnly autorelease]; // FIXME-note {{Object autoreleased}}
// FIXME-note@+1 {{Object was autoreleased 2 times but the object has a +0 retain count}} // FIXME-note@+1 {{Object was autoreleased 2 times but the object has a +0 retain count}}
} // FIXME-warning{{Object autoreleased too many times}} } // FIXME-warning{{Object autoreleased too many times}}
@end @end
int seed();
@interface LeakReassignmentTests : MyObj
@end
@implementation LeakReassignmentTests
+(void)testLeakAliasSimple {
id Original = [[MyObj alloc] initY]; // expected-note {{Calling 'initY'}}
// expected-note@-1 {{Returning from 'initY'}}
id New = Original;
Original = [[MyObj alloc] initZ];
(void)New;
[Original release]; // expected-warning {{Potential leak of an object stored into 'New'}}
// expected-note@-1 {{Object leaked: object allocated and stored into 'New' is not referenced later in this execution path and has a retain count of +1}}
}
+(void)testLeakAliasChain {
id Original = [[MyObj alloc] initY]; // expected-note {{Calling 'initY'}}
// expected-note@-1 {{Returning from 'initY'}}
id Intermediate = Original;
id New = Intermediate;
Original = [[MyObj alloc] initZ];
(void)New;
[Original release]; // expected-warning {{Potential leak of an object stored into 'New'}}
// expected-note@-1 {{Object leaked: object allocated and stored into 'New' is not referenced later in this execution path and has a retain count of +1}}
}
+(void)log:(id)Obj with:(int)Num {
Num *= 42;
if (Obj )
Num /= 2;
}
+(int)calculate {
int x = 10;
int y = 25;
x += y * x + seed();
return y - x * y;
}
+(void)testLeakAliasDeathInExpr {
id Original = [[MyObj alloc] initY]; // expected-note {{Calling 'initY'}}
// expected-note@-1 {{Returning from 'initY'}}
id New = Original;
Original = [[MyObj alloc] initZ];
[self log:New with:[self calculate]];
[Original release]; // expected-warning {{Potential leak of an object stored into 'New'}}
// expected-note@-1 {{Object leaked: object allocated and stored into 'New' is not referenced later in this execution path and has a retain count of +1}}
}
@end

clang/test/Analysis/retain-release.m

Show First 20 LinesShow All 2,276 Lines▼ Show 20 Linesvoid useAfterRelease() {
CFRelease(obj); CFRelease(obj);
extern void useCF(CFTypeRef); extern void useCF(CFTypeRef);
useCF(obj); // expected-warning{{Reference-counted object is used after it is released}} useCF(obj); // expected-warning{{Reference-counted object is used after it is released}}
} }
void testAutoreleaseReturnsInput() { void testAutoreleaseReturnsInput() {
extern CFTypeRef CFCreateSomething(); extern CFTypeRef CFCreateSomething();
CFTypeRef obj = CFCreateSomething(); // expected-warning{{Potential leak of an object stored into 'obj'}} CFTypeRef obj = CFCreateSomething(); // expected-warning{{Potential leak of an object stored into 'second'}}
CFTypeRef second = CFAutorelease(obj); CFTypeRef second = CFAutorelease(obj);
CFRetain(second); CFRetain(second);
} }
CFTypeRef testAutoreleaseReturnsInputSilent() { CFTypeRef testAutoreleaseReturnsInputSilent() {
extern CFTypeRef CFCreateSomething(); extern CFTypeRef CFCreateSomething();
CFTypeRef obj = CFCreateSomething(); CFTypeRef obj = CFCreateSomething();
CFTypeRef alias = CFAutorelease(obj); CFTypeRef alias = CFAutorelease(obj);
CFRetain(alias); CFRetain(alias);
CFRelease(obj); CFRelease(obj);
return obj; // no-warning return obj; // no-warning
} }
void autoreleaseTypedObject() { void autoreleaseTypedObject() {
CFArrayRef arr = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); CFArrayRef arr = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks);
CFAutorelease((CFTypeRef)arr); // no-warning CFAutorelease((CFTypeRef)arr); // no-warning
} }
void autoreleaseReturningTypedObject() { void autoreleaseReturningTypedObject() {
CFArrayRef arr = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // expected-warning{{Potential leak of an object stored into 'arr'}} CFArrayRef arr = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); // expected-warning{{Potential leak of an object stored into 'alias'}}
CFArrayRef alias = (CFArrayRef)CFAutorelease((CFTypeRef)arr); CFArrayRef alias = (CFArrayRef)CFAutorelease((CFTypeRef)arr);
CFRetain(alias); CFRetain(alias);
} }
CFArrayRef autoreleaseReturningTypedObjectSilent() { CFArrayRef autoreleaseReturningTypedObjectSilent() {
CFArrayRef arr = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks); CFArrayRef arr = CFArrayCreateMutable(0, 10, &kCFTypeArrayCallBacks);
CFArrayRef alias = (CFArrayRef)CFAutorelease((CFTypeRef)arr); CFArrayRef alias = (CFArrayRef)CFAutorelease((CFTypeRef)arr);
CFRetain(alias); CFRetain(alias);
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines