Index: lib/StaticAnalyzer/Checkers/MacOSXAPIChecker.cpp =================================================================== --- lib/StaticAnalyzer/Checkers/MacOSXAPIChecker.cpp +++ lib/StaticAnalyzer/Checkers/MacOSXAPIChecker.cpp @@ -59,7 +59,8 @@ ProgramStateRef state = C.getState(); const MemRegion *R = state->getSVal(CE->getArg(0), C.getLocationContext()).getAsRegion(); - if (!R || !isa(R->getMemorySpace())) + const MemSpaceRegion *RS = R->getMemorySpace(); + if (!R || isa(RS)) return; ExplodedNode *N = C.generateErrorNode(state); @@ -85,7 +86,16 @@ os << "Call to '" << FName << "' uses"; if (const VarRegion *VR = dyn_cast(R)) os << " the local variable '" << VR->getDecl()->getName() << '\''; - else + else if (const ObjCIvarRegion *IVR = dyn_cast(R)) + os << " the instance variable '" << IVR->getDecl()->getName() << '\''; + else if (isa(R->getMemorySpace())) + os << " heap allocated memory"; + else if (isa(R->getMemorySpace())) { + // FIXME: Presence of an IVar region has priority over this branch, because + // ObjC objects are on the heap even if the core doesn't realize this. + // Make core realize that all ObjC objects are on the heap. + return; + } else os << " stack allocated memory"; os << " for the predicate value. Using such transient memory for " "the predicate is potentially dangerous."; Index: test/Analysis/dispatch-once.m =================================================================== --- /dev/null +++ test/Analysis/dispatch-once.m 
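Review bot: The added `const MemSpaceRegion *RS = R->getMemorySpace();` dereferences `R` one line before the `!R` test that the rewritten condition still carries, so a first argument that does not evaluate to a region now crashes the checker where the old code returned. Split the check: `if (!R) return;` first, then `const MemSpaceRegion *RS = R->getMemorySpace();` followed by the existing `isa` test on `RS`. Nothing in the new test file appears to pass a non-region argument, so this path is not exercised by the patch. The enclosing function begins before this hunk and continues after it.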
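Review bot: The `return;` in the new memory-space branch after the heap case runs after `ExplodedNode *N = C.generateErrorNode(state);` has already executed (it is the last context line of the preceding hunk), so the path is sunk with no report attached and analysis past the `dispatch_once` call silently stops on that path. Either move the `generateErrorNode` call down to just before the report is emitted, once the message has been built, or fold that memory-space test into the early return at the top of the function so no error node is created for it. Separately, `dyn_cast(R)` in the ivar branch matches only when the argument region itself is the ivar; a field of a struct-typed ivar (compare `&s->once` in the test) would presumably fall through to the space-based branches, so walking the super-region chain up to an ivar region would be more robust if that case is meant to be covered. The enclosing function starts before this hunk and continues after it.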
@@ -0,0 +1,63 @@
+// RUN: %clang_cc1 -w -fblocks -analyze -analyzer-checker=core,osx.API,unix.Malloc -verify %s
+// RUN: %clang_cc1 -w -fblocks -fobjc-arc -analyze -analyzer-checker=core,osx.API,unix.Malloc -verify %s
+
+#include "Inputs/system-header-simulator-objc.h"
+
+typedef unsigned long size_t;
+void *calloc(size_t nmemb, size_t size);
+
+typedef void (^dispatch_block_t)(void);
+typedef long dispatch_once_t;
+void dispatch_once(dispatch_once_t *predicate, dispatch_block_t block);
+
+void test_stack() {
+ dispatch_once_t once;
+ dispatch_once(&once, ^{}); // expected-warning{{Call to 'dispatch_once' uses the local variable 'once' for the predicate value.}}
+}
+
+void test_static_local() {
+ static dispatch_once_t once;
+ dispatch_once(&once, ^{}); // no-warning
+}
+
+void test_heap_var() {
+ dispatch_once_t *once = calloc(1, sizeof(dispatch_once_t));
+ dispatch_once(once, ^{}); // expected-warning{{Call to 'dispatch_once' uses heap allocated memory for the predicate value.}}
+}
+
+void test_external_pointer(dispatch_once_t *once) {
+ // External pointer does not necessarily point to the heap.
+ dispatch_once(once, ^{}); // no-warning
+}
+
+typedef struct {
+ dispatch_once_t once;
+} Struct;
+
+void test_heap_struct() {
+ Struct *s = calloc(1, sizeof(Struct));
+ dispatch_once(&s->once, ^{}); // expected-warning{{Call to 'dispatch_once' uses heap allocated memory for the predicate value.}}
+}
+
+@interface Object : NSObject {
+@public
+ dispatch_once_t once;
+}
+- (void)test_ivar_from_inside;
+@end
+
+@implementation Object
+- (void)test_ivar_from_inside {
+ dispatch_once(&once, ^{}); // expected-warning{{Call to 'dispatch_once' uses the instance variable 'once' for the predicate value.}}
+}
+@end
+
+void test_ivar_from_alloc_init() {
+ Object *o = [[Object alloc] init];
+ dispatch_once(&o->once, ^{}); // expected-warning{{Call to 'dispatch_once' uses the instance variable 'once' for the predicate value.}}
+}
+
+void test_ivar_from_external_obj(Object *o) {
+ // ObjC object pointer always points to the heap.
+ dispatch_once(&o->once, ^{}); // expected-warning{{Call to 'dispatch_once' uses the instance variable 'once' for the predicate value.}}
+}
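Review bot: `test_external_pointer` asserts only `// no-warning`, which cannot tell a clean path from one the checker has stopped: the branch in MacOSXAPIChecker.cpp that handles this case returns after `C.generateErrorNode(state)` has already run, which sinks the path. Adding, after the external call, `dispatch_once_t local;` and `dispatch_once(&local, ^{}); // expected-warning{{Call to 'dispatch_once' uses the local variable 'local' for the predicate value.}}` would make the test fail if analysis did not continue past the first call. The RUN lines enable unix.Malloc, presumably so that `calloc` is modelled as heap memory for `test_heap_var` and `test_heap_struct`; a one-line comment stating that dependency would help the next reader who trims the checker list.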