This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
-
CallEvent.h
-
DynamicType.h
-
DynamicTypeInfo.h
-
ProgramState.h
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
-
CastValueChecker.cpp
25/30
DynamicTypePropagation.cpp
-
ObjCSuperDeallocChecker.cpp
-
Core/
3/4
CallEvent.cpp
5/8
DynamicType.cpp
-
ProgramState.cpp
-
test/Analysis/
-
Analysis/
-
cast-value-state-dump.cpp
-
class-object-state-dump.m
-
inlining/
-
InlineObjCClassMethod.m
-
ObjCDynTypePopagation.m
-
retain-release-inline.m

Differential D78286

[analyzer] Track runtime types represented by Obj-C Class objects
ClosedPublic

Authored by vsavchenko on Apr 16 2020, 2:47 AM.

Download Raw Diff

Details

Reviewers

NoQ
dcoughlin

Commits

rG239c53b72b18: [analyzer] Track runtime types represented by Obj-C Class objects

Summary

Objective-C Class objects can be used to do a dynamic dispatch on
class methods. The analyzer had a few places where we tried to overcome
the dynamic nature of it and still guess the actual function that
is being called. That was done mostly using some simple heuristics
covering the most widespread cases (e.g. [[self class] classmethod]).
This solution introduces a way to track types represented by Class
objects and work with that instead of direct AST matching.

rdar://problem/50739539

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

vsavchenko created this revision.Apr 16 2020, 2:47 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 16 2020, 2:47 AM

Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 9 others. · View Herald Transcript

Harbormaster failed remote builds in B53535: Diff 257997!Apr 16 2020, 2:49 AM

Fix unfinished comment

Harbormaster failed remote builds in B53539: Diff 258003!Apr 16 2020, 3:23 AM

NoQ added inline comments.Apr 16 2020, 3:42 AM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
135	Let's explain what `true` means here, i.e. `/Precise=/true`.
163	I suspect that `self`, unlike `this`, can be reassigned in the middle of the method.
164–165	That's a good place for `const auto *`.
208–211	When exactly does this situation happen? Can we predict it during pattern-matching instead of patching it up after the fact?
229–230	This needs to be filled in for the new trait as well! It's very important :3
336–337	Looks like a missed word somewhere.
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
37	I'd rather word this as "pointed-to type".

vsavchenko marked 6 inline comments as done.Apr 16 2020, 3:53 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
135	Sure
163	That's true, and we didn't account for that in here. I'll try to make a test on that (and maybe re-order how we handle these cases a bit
164–165	Right, didn't pay much attention to this moved code
229–230	Whoops! I forgot! Good catch!
336–337	OK, I'll try to re-write to make it more clear
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
37	Sure

Fix issues pointed by @NoQ.

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
229–230	But it looks like that info was not removed from the state neither for dynamic types, nor for dynamic casts (see the diff)

Harbormaster failed remote builds in B53574: Diff 258065!Apr 16 2020, 8:54 AM

NoQ added inline comments.Apr 20 2020, 3:26 AM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
113	`static`?
134	These comments will never be parsed by doxygen, i don't think those `\code` thingies are needed here. Or is it some editor/IDE-specific thingies that i'm not educated about?
193	Why are we discarding `CanBeSubClassed` here?
198	I believe this is pretty much always the case. At least whenever `getInstanceReceiver()` is available. Another exception seem to be when `ReceiverSVal` is an `UnknownVal` (in this case `self` is going to be `SymbolRegionValue` because it's never set in the Store), but that's it. I inferred this by looking at `ObjCMethodCall::getInitialStackFrameContents()`. I think we should have used `getSelfSVal()` to begin with.
921	I don't think this line of code does anything. (time for some `LLVM_NODISCARD`???)
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
1200–1207	Before i forget: Stuff that's shared across analyses usually lives in `AnalysisConsumer`. Cf. `FunctionSummaries`. This is the intended way of avoiding globals in such cases.
1287–1313	Wait, how do we get a decl here that's anyhow relevant if the compiler doesn't even know that it's a class method?
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
85–87	My favorite idiom for this stuff so far: const DynamicTypeInfo DTI = State->get<DynamicClassObjectMap>(Sym); return DTI ? DTI : {}; (not sure `?:` will typecheck correctly in case of `{}` though)
146	Feel free to rename `isLiveRegion` instead if it helps :)

vsavchenko marked 7 inline comments as done.Apr 20 2020, 4:04 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
113	It is all inside of `anonymous` namespace, so no need in putting static here.
134	No, you are correct. It's more like a matter of habit and consistent look of the comment. I would anyway prefer to somehow tell the reader that this is a snippet. It can be with a more or less familiar way of doing it. (I've seen a good amount of doxygen-style comments for `static` functions in the project, I guess similar logic applies to those as well)
193	Good point, we should propagate it further
198	I believe this is pretty much always the case. I didn't quite get what you mean by that
921	Whoops, that's true!
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
1200–1207	We can re-do it in a separate commit I guess.
1287–1313	Compiler knows it, but still marks it as an instance method (because technically `self` is an object).

NoQ added inline comments.Apr 20 2020, 4:33 AM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	What i'm trying to say is that `C.getSVal(RecE)` and `Message.getSelfSVal()` and `Message.getReceiverSVal()` are basically the same `SVal`. It shouldn't be necessary to check both or check whether they're the same; you must have meant to check for something else, probably something purely syntactic. I inferred this by looking at ObjCMethodCall::getInitialStackFrameContents(). Wait, so it's only true for inlined methods. For non-inlined methods `getSelfSVal()` will be unknown :/

vsavchenko marked an inline comment as done.Apr 20 2020, 5:25 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	Yeah, that might be a bit extraneous to do it with `SVal`s, but this code for sure does its job (it is definitely not a redundant check). `getSelfSVal()` returns receiver of the function containing the call and not the call itself. So, it does check if we the receiver of the message is `self`. I changed it to this way of doing things because it is consistent with how the same thing is done in `getRuntimeDefinition`.

NoQ added inline comments.Apr 20 2020, 7:29 AM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	`getSelfSVal()` returns receiver of the function containing the call and not the call itself 😱 looks broken to me.

NoQ added inline comments.Apr 20 2020, 10:05 AM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	Let's rename `getSelfSVal()` so that it screamed that it's the callee's self as opposed to the caller's self, and explain in a long comment why do we even care about the caller's self. I.e., that we heuristically assume that if a class method jumps into another class method on the same class object, it's going to be devirtualized to the same class. Which isn't always the case, hence !Precise.

Fix review remarks

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	I don't really think that it's a good idea to mix these two worlds: world one - interface function that allows to get an `SVal` for `self` of the containing method. It does exactly this, for no specific reason. I'm on board with renaming, but we need to come up with an appropriate name that describes what it gives and not why. world two - use-case of this interface method that tries to figure out the type of the receiver (for devirtualization purposes or not). So, the comment can be only here. I agree, I can add more explanation about what we are doing in this particular piece of code, but it won't make any sense to add this (or similar) comment for `getSelfSVal()`.
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
85–87	Yep, initializer lists are not allowed in ternary operators.
146	Unfortunately, it is named a bit differently for a reason, - compiler couldn't decide which function to use `bool isLive(const MemRegion region)` or `bool isLive(const VarRegion VR, bool includeStoreBindings = false) const` for a call `isLive(VarRegion )` (even though it's pretty obvious). Splitting `isLive` for `VarRegion` into two functions doesn't seem like an easy one. The only option I can see is the introduction of `isLiveImpl` (not very pretty in a header file) and two functions `isLive(const VarRegion) const` and `isLiveIncludingStoreBindings(const VarRegion *) const`.

Harbormaster failed remote builds in B54266: Diff 259314!Apr 22 2020, 9:46 AM

Let's land this, I guess? Fantastic work!

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	Ideally i'd detach `getSelfSVal()` from `CallEvent` entirely. Like, it doesn't even depend on the call site, why would it be part of `CallEvent` to begin with? This additionally takes care of world one. so that it screamed that it's the callee's self as opposed to the caller's self Mmm, the opposite, of course. `getCallerSelfSVal()`?
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
146	Or rename `isLive(const VarRegion *, bool includeStoreBindings)`? (I suspect this function should really be private anyway)

This revision is now accepted and ready to land.Apr 23 2020, 7:07 AM

Let's land this, I guess? Fantastic work!

Thanks :-)

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	Where do you think it should be? My vote goes to location context.
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
146	I don't know about that, it doesn't seem like a good change. I think that all of them should be `isLive`

NoQ added inline comments.Apr 23 2020, 8:17 AM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
198	As of now `LocationContext` is an entity so low-level that it doesn't even live in `libStaticAnalyzer*`, so it can't be made aware of `SVal`s. Given that it's basically a Store lookup, i'd recommend putting it into `ProgramState`. I.e., `State->getSelfSVal(LCtx);`.

Move getSelfSVal from CallEvent to ProgramState

Harbormaster failed remote builds in B54941: Diff 260580!Apr 28 2020, 4:15 AM

Perfect! Please get yourself some commit access already -__-

Closed by commit rG239c53b72b18: [analyzer] Track runtime types represented by Obj-C Class objects (authored by vsavchenko). · Explain WhyApr 29 2020, 3:43 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

clang/

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

3 lines

18 lines

2 lines

3 lines

lib/

StaticAnalyzer/

Checkers/

CastValueChecker.cpp

8 lines

DynamicTypePropagation.cpp

230 lines

ObjCSuperDeallocChecker.cpp

7 lines

Core/

CallEvent.cpp

225 lines

DynamicType.cpp

206 lines

ProgramState.cpp

7 lines

test/

Analysis/

cast-value-state-dump.cpp

2 lines

class-object-state-dump.m

38 lines

inlining/

InlineObjCClassMethod.m

145 lines

ObjCDynTypePopagation.m

65 lines

retain-release-inline.m

45 lines

Diff 260877

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show First 20 Lines • Show All 1,109 Lines • ▼ Show 20 Lines	Selector getSelector() const {
return getOriginExpr()->getSelector();		return getOriginExpr()->getSelector();
}		}

SourceRange getSourceRange() const override;		SourceRange getSourceRange() const override;

/// Returns the value of the receiver at the time of this call.		/// Returns the value of the receiver at the time of this call.
SVal getReceiverSVal() const;		SVal getReceiverSVal() const;

/// Return the value of 'self' if available.
SVal getSelfSVal() const;

/// Get the interface for the receiver.		/// Get the interface for the receiver.
///		///
/// This works whether this is an instance message or a class message.		/// This works whether this is an instance message or a class message.
/// However, it currently just uses the static type of the receiver.		/// However, it currently just uses the static type of the receiver.
const ObjCInterfaceDecl *getReceiverInterface() const {		const ObjCInterfaceDecl *getReceiverInterface() const {
return getOriginExpr()->getReceiverInterface();		return getOriginExpr()->getReceiverInterface();
}		}

▲ Show 20 Lines • Show All 296 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h

	Show All 30 Lines

	/// Get dynamic type information for the region \p MR.			/// Get dynamic type information for the region \p MR.
	DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR);			DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR);

	/// Get raw dynamic type information for the region \p MR.			/// Get raw dynamic type information for the region \p MR.
	const DynamicTypeInfo *getRawDynamicTypeInfo(ProgramStateRef State,			const DynamicTypeInfo *getRawDynamicTypeInfo(ProgramStateRef State,
	const MemRegion *MR);			const MemRegion *MR);

				/// Get dynamic type information stored in a class object represented by \p Sym.
				DynamicTypeInfo getClassObjectDynamicTypeInfo(ProgramStateRef State,
				SymbolRef Sym);

	/// Get dynamic cast information from \p CastFromTy to \p CastToTy of \p MR.			/// Get dynamic cast information from \p CastFromTy to \p CastToTy of \p MR.
	const DynamicCastInfo *getDynamicCastInfo(ProgramStateRef State,			const DynamicCastInfo *getDynamicCastInfo(ProgramStateRef State,
	const MemRegion *MR,			const MemRegion *MR,
	QualType CastFromTy,			QualType CastFromTy,
	QualType CastToTy);			QualType CastToTy);

	/// Set dynamic type information of the region; return the new state.			/// Set dynamic type information of the region; return the new state.
	ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,			ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
	DynamicTypeInfo NewTy);			DynamicTypeInfo NewTy);

	/// Set dynamic type information of the region; return the new state.			/// Set dynamic type information of the region; return the new state.
	ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,			ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
	QualType NewTy, bool CanBeSubClassed = true);			QualType NewTy, bool CanBeSubClassed = true);

				/// Set constraint on a type contained in a class object; return the new state.
				ProgramStateRef setClassObjectDynamicTypeInfo(ProgramStateRef State,
				SymbolRef Sym,
				DynamicTypeInfo NewTy);

				/// Set constraint on a type contained in a class object; return the new state.
				ProgramStateRef setClassObjectDynamicTypeInfo(ProgramStateRef State,
				SymbolRef Sym, QualType NewTy,
				bool CanBeSubClassed = true);

	/// Set dynamic type and cast information of the region; return the new state.			/// Set dynamic type and cast information of the region; return the new state.
	ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State,			ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State,
	const MemRegion *MR,			const MemRegion *MR,
	QualType CastFromTy,			QualType CastFromTy,
	QualType CastToTy,			QualType CastToTy,
	bool IsCastSucceeds);			bool IsCastSucceeds);

	/// Removes the dead type informations from \p State.			/// Removes the dead type informations from \p State.
	ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR);			ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR);

	/// Removes the dead cast informations from \p State.			/// Removes the dead cast informations from \p State.
	ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR);			ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR);

				/// Removes the dead Class object type informations from \p State.
				ProgramStateRef removeDeadClassObjectTypes(ProgramStateRef State,
				SymbolReaper &SR);

	void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,			void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
	const char *NL = "\n", unsigned int Space = 0,			const char *NL = "\n", unsigned int Space = 0,
	bool IsDot = false);			bool IsDot = false);

	} // namespace ento			} // namespace ento
	} // namespace clang			} // namespace clang

	#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H			#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h

Show All 27 Lines	public:
bool canBeASubClass() const { return CanBeASubClass; }		bool canBeASubClass() const { return CanBeASubClass; }

/// Returns true if the dynamic type info is available.		/// Returns true if the dynamic type info is available.
bool isValid() const { return !DynTy.isNull(); }		bool isValid() const { return !DynTy.isNull(); }

/// Returns the currently inferred upper bound on the runtime type.		/// Returns the currently inferred upper bound on the runtime type.
QualType getType() const { return DynTy; }		QualType getType() const { return DynTy; }

		operator bool() const { return isValid(); }

bool operator==(const DynamicTypeInfo &RHS) const {		bool operator==(const DynamicTypeInfo &RHS) const {
return DynTy == RHS.DynTy && CanBeASubClass == RHS.CanBeASubClass;		return DynTy == RHS.DynTy && CanBeASubClass == RHS.CanBeASubClass;
}		}

void Profile(llvm::FoldingSetNodeID &ID) const {		void Profile(llvm::FoldingSetNodeID &ID) const {
ID.Add(DynTy);		ID.Add(DynTy);
ID.AddBoolean(CanBeASubClass);		ID.AddBoolean(CanBeASubClass);
}		}
Show All 10 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

Show First 20 Lines • Show All 292 Lines • ▼ Show 20 Lines	invalidateRegions(ArrayRef<SVal> Regions, const Expr *E,
const CallEvent *Call = nullptr,		const CallEvent *Call = nullptr,
RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;		RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;

/// enterStackFrame - Returns the state for entry to the given stack frame,		/// enterStackFrame - Returns the state for entry to the given stack frame,
/// preserving the current state.		/// preserving the current state.
LLVM_NODISCARD ProgramStateRef enterStackFrame(		LLVM_NODISCARD ProgramStateRef enterStackFrame(
const CallEvent &Call, const StackFrameContext *CalleeCtx) const;		const CallEvent &Call, const StackFrameContext *CalleeCtx) const;

		/// Return the value of 'self' if available in the given context.
		SVal getSelfSVal(const LocationContext *LC) const;

/// Get the lvalue for a base class object reference.		/// Get the lvalue for a base class object reference.
Loc getLValue(const CXXBaseSpecifier &BaseSpec, const SubRegion *Super) const;		Loc getLValue(const CXXBaseSpecifier &BaseSpec, const SubRegion *Super) const;

/// Get the lvalue for a base class object reference.		/// Get the lvalue for a base class object reference.
Loc getLValue(const CXXRecordDecl BaseClass, const SubRegion Super,		Loc getLValue(const CXXRecordDecl BaseClass, const SubRegion Super,
bool IsVirtual) const;		bool IsVirtual) const;

/// Get the lvalue for a variable reference.		/// Get the lvalue for a variable reference.
▲ Show 20 Lines • Show All 571 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

Show All 24 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "llvm/ADT/Optional.h"		#include "llvm/ADT/Optional.h"
#include <utility>		#include <utility>

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;

namespace {		namespace {
class CastValueChecker : public Checker<eval::Call> {		class CastValueChecker : public Checker<check::DeadSymbols, eval::Call> {
enum class CallKind { Function, Method, InstanceOf };		enum class CallKind { Function, Method, InstanceOf };

using CastCheck =		using CastCheck =
std::function<void(const CastValueChecker *, const CallEvent &Call,		std::function<void(const CastValueChecker *, const CallEvent &Call,
DefinedOrUnknownSVal, CheckerContext &)>;		DefinedOrUnknownSVal, CheckerContext &)>;

public:		public:
// We have five cases to evaluate a cast:		// We have five cases to evaluate a cast:
// 1) The parameter is non-null, the return value is non-null.		// 1) The parameter is non-null, the return value is non-null.
// 2) The parameter is non-null, the return value is null.		// 2) The parameter is non-null, the return value is null.
// 3) The parameter is null, the return value is null.		// 3) The parameter is null, the return value is null.
// cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3.		// cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3.
//		//
// 4) castAs: Has no parameter, the return value is non-null.		// 4) castAs: Has no parameter, the return value is non-null.
// 5) getAs: Has no parameter, the return value is null or non-null.		// 5) getAs: Has no parameter, the return value is null or non-null.
//		//
// We have two cases to check the parameter is an instance of the given type.		// We have two cases to check the parameter is an instance of the given type.
// 1) isa: The parameter is non-null, returns boolean.		// 1) isa: The parameter is non-null, returns boolean.
// 2) isa_and_nonnull: The parameter is null or non-null, returns boolean.		// 2) isa_and_nonnull: The parameter is null or non-null, returns boolean.
bool evalCall(const CallEvent &Call, CheckerContext &C) const;		bool evalCall(const CallEvent &Call, CheckerContext &C) const;
		void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;

private:		private:
// These are known in the LLVM project. The pairs are in the following form:		// These are known in the LLVM project. The pairs are in the following form:
// {{{namespace, call}, argument-count}, {callback, kind}}		// {{{namespace, call}, argument-count}, {callback, kind}}
const CallDescriptionMap<std::pair<CastCheck, CallKind>> CDM = {		const CallDescriptionMap<std::pair<CastCheck, CallKind>> CDM = {
{{{"llvm", "cast"}, 1},		{{{"llvm", "cast"}, 1},
{&CastValueChecker::evalCast, CallKind::Function}},		{&CastValueChecker::evalCast, CallKind::Function}},
{{{"llvm", "dyn_cast"}, 1},		{{{"llvm", "dyn_cast"}, 1},
▲ Show 20 Lines • Show All 365 Lines • ▼ Show 20 Lines	bool CastValueChecker::evalCall(const CallEvent &Call,

if (!DV)		if (!DV)
return false;		return false;

Check(this, Call, *DV, C);		Check(this, Call, *DV, C);
return true;		return true;
}		}

		void CastValueChecker::checkDeadSymbols(SymbolReaper &SR,
		CheckerContext &C) const {
		C.addTransition(removeDeadCasts(C.getState(), SR));
		}

void ento::registerCastValueChecker(CheckerManager &Mgr) {		void ento::registerCastValueChecker(CheckerManager &Mgr) {
Mgr.registerChecker<CastValueChecker>();		Mgr.registerChecker<CastValueChecker>();
}		}

bool ento::shouldRegisterCastValueChecker(const CheckerManager &mgr) {		bool ento::shouldRegisterCastValueChecker(const CheckerManager &mgr) {
return true;		return true;
}		}

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp

Show First 20 Lines • Show All 103 Lines • ▼ Show 20 Lines	public:
void checkPostStmt(const CXXNewExpr *NewE, CheckerContext &C) const;		void checkPostStmt(const CXXNewExpr *NewE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;		void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;		void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;		void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;

/// This value is set to true, when the Generics checker is turned on.		/// This value is set to true, when the Generics checker is turned on.
DefaultBool CheckGenerics;		DefaultBool CheckGenerics;
};		};

		bool isObjCClassType(QualType Type) {
		NoQUnsubmitted Not Done Reply Inline Actions `static`? NoQ: `static`?
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions It is all inside of `anonymous` namespace, so no need in putting static here. vsavchenko: It is all inside of `anonymous` namespace, so no need in putting static here.
		if (const auto *PointerType = dyn_cast<ObjCObjectPointerType>(Type)) {
		return PointerType->getObjectType()->isObjCClass();
		}
		return false;
		}

		struct RuntimeType {
		const ObjCObjectType *Type = nullptr;
		bool Precise = false;

		operator bool() const { return Type != nullptr; }
		};

		RuntimeType inferReceiverType(const ObjCMethodCall &Message,
		CheckerContext &C) {
		const ObjCMessageExpr *MessageExpr = Message.getOriginExpr();

		// Check if we can statically infer the actual type precisely.
		//
		// 1. Class is written directly in the message:
		// \code
		NoQUnsubmitted Not Done Reply Inline Actions These comments will never be parsed by doxygen, i don't think those `\code` thingies are needed here. Or is it some editor/IDE-specific thingies that i'm not educated about? NoQ: These comments will never be parsed by doxygen, i don't think those `\code` thingies are needed…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions No, you are correct. It's more like a matter of habit and consistent look of the comment. I would anyway prefer to somehow tell the reader that this is a snippet. It can be with a more or less familiar way of doing it. (I've seen a good amount of doxygen-style comments for `static` functions in the project, I guess similar logic applies to those as well) vsavchenko: No, you are correct. It's more like a matter of habit and consistent look of the comment. I…
		// [ActualClass classMethod];
		NoQUnsubmitted Done Reply Inline Actions Let's explain what `true` means here, i.e. `/Precise=/true`. NoQ: Let's explain what `true` means here, i.e. `/Precise=/true`.
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Sure vsavchenko: Sure
		// \endcode
		if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
		return {MessageExpr->getClassReceiver()->getAs<ObjCObjectType>(),
		/Precise=/true};
		}

		// 2. Receiver is 'super' from a class method (a.k.a 'super' is a
		// class object).
		// \code
		// [super classMethod];
		// \endcode
		if (MessageExpr->getReceiverKind() == ObjCMessageExpr::SuperClass) {
		return {MessageExpr->getSuperType()->getAs<ObjCObjectType>(),
		/Precise=/true};
		}

		// 3. Receiver is 'super' from an instance method (a.k.a 'super' is an
		// instance of a super class).
		// \code
		// [super instanceMethod];
		// \encode
		if (MessageExpr->getReceiverKind() == ObjCMessageExpr::SuperInstance) {
		if (const auto *ObjTy =
		MessageExpr->getSuperType()->getAs<ObjCObjectPointerType>())
		return {ObjTy->getObjectType(), /Precise=/true};
		}

		const Expr *RecE = MessageExpr->getInstanceReceiver();
		NoQUnsubmitted Done Reply Inline Actions I suspect that `self`, unlike `this`, can be reassigned in the middle of the method. NoQ: I suspect that `self`, unlike `this`, can be reassigned in the middle of the method.
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions That's true, and we didn't account for that in here. I'll try to make a test on that (and maybe re-order how we handle these cases a bit vsavchenko: That's true, and we didn't account for that in here. I'll try to make a test on that (and maybe…

		if (!RecE)
		NoQUnsubmitted Done Reply Inline Actions That's a good place for `const auto `. NoQ:* That's a good place for `const auto *`.
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Right, didn't pay much attention to this moved code vsavchenko: Right, didn't pay much attention to this moved code
		return {};

		// Otherwise, let's try to get type information from our estimations of
		// runtime types.
		QualType InferredType;
		SVal ReceiverSVal = C.getSVal(RecE);
		ProgramStateRef State = C.getState();

		if (const MemRegion *ReceiverRegion = ReceiverSVal.getAsRegion()) {
		if (DynamicTypeInfo DTI = getDynamicTypeInfo(State, ReceiverRegion)) {
		InferredType = DTI.getType().getCanonicalType();
		}
		}

		if (SymbolRef ReceiverSymbol = ReceiverSVal.getAsSymbol()) {
		if (InferredType.isNull()) {
		InferredType = ReceiverSymbol->getType();
		}

		// If receiver is a Class object, we want to figure out the type it
		// represents.
		if (isObjCClassType(InferredType)) {
		// We actually might have some info on what type is contained in there.
		if (DynamicTypeInfo DTI =
		getClassObjectDynamicTypeInfo(State, ReceiverSymbol)) {

		// Types in Class objects can be ONLY Objective-C types
		return {cast<ObjCObjectType>(DTI.getType()), !DTI.canBeASubClass()};
		NoQUnsubmitted Done Reply Inline Actions Why are we discarding `CanBeSubClassed` here? NoQ: Why are we discarding `CanBeSubClassed` here?
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Good point, we should propagate it further vsavchenko: Good point, we should propagate it further
		}

		SVal SelfSVal = State->getSelfSVal(C.getLocationContext());

		// Another way we can guess what is in Class object, is when it is a
		NoQUnsubmitted Done Reply Inline Actions I believe this is pretty much always the case. At least whenever `getInstanceReceiver()` is available. Another exception seem to be when `ReceiverSVal` is an `UnknownVal` (in this case `self` is going to be `SymbolRegionValue` because it's never set in the Store), but that's it. I inferred this by looking at `ObjCMethodCall::getInitialStackFrameContents()`. I think we should have used `getSelfSVal()` to begin with. NoQ: I believe this is pretty much always the case. At least whenever `getInstanceReceiver()` is…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions I believe this is pretty much always the case. I didn't quite get what you mean by that vsavchenko: > I believe this is pretty much always the case. I didn't quite get what you mean by that
		NoQUnsubmitted Done Reply Inline Actions What i'm trying to say is that `C.getSVal(RecE)` and `Message.getSelfSVal()` and `Message.getReceiverSVal()` are basically the same `SVal`. It shouldn't be necessary to check both or check whether they're the same; you must have meant to check for something else, probably something purely syntactic. I inferred this by looking at ObjCMethodCall::getInitialStackFrameContents(). Wait, so it's only true for inlined methods. For non-inlined methods `getSelfSVal()` will be unknown :/ NoQ: What i'm trying to say is that `C.getSVal(RecE)` and `Message.getSelfSVal()` and `Message.
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Yeah, that might be a bit extraneous to do it with `SVal`s, but this code for sure does its job (it is definitely not a redundant check). `getSelfSVal()` returns receiver of the function containing the call and not the call itself. So, it does check if we the receiver of the message is `self`. I changed it to this way of doing things because it is consistent with how the same thing is done in `getRuntimeDefinition`. vsavchenko: Yeah, that might be a bit extraneous to do it with `SVal`s, but this code for sure does its job…
		NoQUnsubmitted Done Reply Inline Actions `getSelfSVal()` returns receiver of the function containing the call and not the call itself 😱 looks broken to me. NoQ: > `getSelfSVal()` returns receiver of the function containing the call and not the call itself…
		NoQUnsubmitted Not Done Reply Inline Actions Let's rename `getSelfSVal()` so that it screamed that it's the callee's self as opposed to the caller's self, and explain in a long comment why do we even care about the caller's self. I.e., that we heuristically assume that if a class method jumps into another class method on the same class object, it's going to be devirtualized to the same class. Which isn't always the case, hence !Precise. NoQ: Let's rename `getSelfSVal()` so that it screamed that it's the callee's self as opposed to the…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions I don't really think that it's a good idea to mix these two worlds: world one - interface function that allows to get an `SVal` for `self` of the containing method. It does exactly this, for no specific reason. I'm on board with renaming, but we need to come up with an appropriate name that describes what it gives and not why. world two - use-case of this interface method that tries to figure out the type of the receiver (for devirtualization purposes or not). So, the comment can be only here. I agree, I can add more explanation about what we are doing in this particular piece of code, but it won't make any sense to add this (or similar) comment for `getSelfSVal()`. vsavchenko: I don't really think that it's a good idea to mix these two worlds: - world one…
		NoQUnsubmitted Not Done Reply Inline Actions Ideally i'd detach `getSelfSVal()` from `CallEvent` entirely. Like, it doesn't even depend on the call site, why would it be part of `CallEvent` to begin with? This additionally takes care of world one. so that it screamed that it's the callee's self as opposed to the caller's self Mmm, the opposite, of course. `getCallerSelfSVal()`? NoQ: Ideally i'd detach `getSelfSVal()` from `CallEvent` entirely. Like, it doesn't even depend on…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Where do you think it should be? My vote goes to location context. vsavchenko: Where do you think it should be? My vote goes to location context.
		NoQUnsubmitted Not Done Reply Inline Actions As of now `LocationContext` is an entity so low-level that it doesn't even live in `libStaticAnalyzer`, so it can't be made aware of `SVal`s. Given that it's basically a Store lookup, i'd recommend putting it into `ProgramState`. I.e., `State->getSelfSVal(LCtx);`. NoQ:* As of now `LocationContext` is an entity so low-level that it doesn't even live in…
		// 'self' variable of the current class method.
		if (ReceiverSVal == SelfSVal) {
		// In this case, we should return the type of the enclosing class
		// declaration.
		if (const ObjCMethodDecl *MD =
		dyn_cast<ObjCMethodDecl>(C.getStackFrame()->getDecl()))
		if (const ObjCObjectType *ObjTy = dyn_cast<ObjCObjectType>(
		MD->getClassInterface()->getTypeForDecl()))
		return {ObjTy};
		}
		}
		}

		NoQUnsubmitted Done Reply Inline Actions When exactly does this situation happen? Can we predict it during pattern-matching instead of patching it up after the fact? NoQ: When exactly does this situation happen? Can we predict it during pattern-matching instead of…
		// Unfortunately, it seems like we have no idea what that type is.
		if (InferredType.isNull()) {
		return {};
		}

		// We can end up here if we got some dynamic type info and the
		// receiver is not one of the known Class objects.
		if (const auto *ReceiverInferredType =
		dyn_cast<ObjCObjectPointerType>(InferredType)) {
		return {ReceiverInferredType->getObjectType()};
		}

		// Any other type (like 'Class') is not really useful at this point.
		return {};
		}
} // end anonymous namespace		} // end anonymous namespace

void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR,		void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const {		CheckerContext &C) const {
		NoQUnsubmitted Done Reply Inline Actions This needs to be filled in for the new trait as well! It's very important :3 NoQ: This needs to be filled in for the new trait as well! It's very important :3
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Whoops! I forgot! Good catch! vsavchenko: Whoops! I forgot! Good catch!
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions But it looks like that info was not removed from the state neither for dynamic types, nor for dynamic casts (see the diff) vsavchenko: But it looks like that info was not removed from the state neither for dynamic types, nor…
ProgramStateRef State = removeDeadTypes(C.getState(), SR);		ProgramStateRef State = removeDeadTypes(C.getState(), SR);
		State = removeDeadClassObjectTypes(State, SR);

MostSpecializedTypeArgsMapTy TyArgMap =		MostSpecializedTypeArgsMapTy TyArgMap =
State->get<MostSpecializedTypeArgsMap>();		State->get<MostSpecializedTypeArgsMap>();
for (MostSpecializedTypeArgsMapTy::iterator I = TyArgMap.begin(),		for (MostSpecializedTypeArgsMapTy::iterator I = TyArgMap.begin(),
E = TyArgMap.end();		E = TyArgMap.end();
I != E; ++I) {		I != E; ++I) {
if (SR.isDead(I->first)) {		if (SR.isDead(I->first)) {
State = State->remove<MostSpecializedTypeArgsMap>(I->first);		State = State->remove<MostSpecializedTypeArgsMap>(I->first);
▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines	if (D && D->hasRelatedResultType()) {
break;		break;

// We assume that the type of the object returned by alloc and new are the		// We assume that the type of the object returned by alloc and new are the
// pointer to the object of the class specified in the receiver of the		// pointer to the object of the class specified in the receiver of the
// message.		// message.
case OMF_alloc:		case OMF_alloc:
case OMF_new: {		case OMF_new: {
// Get the type of object that will get created.		// Get the type of object that will get created.
const ObjCMessageExpr *MsgE = Msg->getOriginExpr();		RuntimeType ObjTy = inferReceiverType(*Msg, C);
const ObjCObjectType *ObjTy = getObjectTypeForAllocAndNew(MsgE, C);
if (!ObjTy)		if (!ObjTy)
return;		return;

QualType DynResTy =		QualType DynResTy =
C.getASTContext().getObjCObjectPointerType(QualType(ObjTy, 0));		C.getASTContext().getObjCObjectPointerType(QualType(ObjTy.Type, 0));
		// We used to assume that whatever type we got from inferring the
		// type is actually precise (and it is not exactly correct).
		// A big portion of the existing behavior depends on that assumption
		NoQUnsubmitted Done Reply Inline Actions Looks like a missed word somewhere. NoQ: Looks like a missed word somewhere.
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions OK, I'll try to re-write to make it more clear vsavchenko: OK, I'll try to re-write to make it more clear
		// (e.g. certain inlining won't take place). For this reason, we don't
		// use ObjTy.Precise flag here.
		//
		// TODO: We should mitigate this problem some time in the future
		// and replace hardcoded 'false' with '!ObjTy.Precise'.
C.addTransition(setDynamicTypeInfo(State, RetReg, DynResTy, false));		C.addTransition(setDynamicTypeInfo(State, RetReg, DynResTy, false));
break;		break;
}		}
case OMF_init: {		case OMF_init: {
// Assume, the result of the init method has the same dynamic type as		// Assume, the result of the init method has the same dynamic type as
// the receiver and propagate the dynamic type info.		// the receiver and propagate the dynamic type info.
const MemRegion *RecReg = Msg->getReceiverSVal().getAsRegion();		const MemRegion *RecReg = Msg->getReceiverSVal().getAsRegion();
if (!RecReg)		if (!RecReg)
▲ Show 20 Lines • Show All 72 Lines • ▼ Show 20 Lines	void DynamicTypePropagation::checkPostStmt(const CXXNewExpr *NewE,
const MemRegion *MR = C.getSVal(NewE).getAsRegion();		const MemRegion *MR = C.getSVal(NewE).getAsRegion();
if (!MR)		if (!MR)
return;		return;

C.addTransition(setDynamicTypeInfo(C.getState(), MR, NewE->getType(),		C.addTransition(setDynamicTypeInfo(C.getState(), MR, NewE->getType(),
/CanBeSubClassed=/false));		/CanBeSubClassed=/false));
}		}

const ObjCObjectType *
DynamicTypePropagation::getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
CheckerContext &C) const {
if (MsgE->getReceiverKind() == ObjCMessageExpr::Class) {
if (const ObjCObjectType *ObjTy
= MsgE->getClassReceiver()->getAs<ObjCObjectType>())
return ObjTy;
}

if (MsgE->getReceiverKind() == ObjCMessageExpr::SuperClass) {
if (const ObjCObjectType *ObjTy
= MsgE->getSuperType()->getAs<ObjCObjectType>())
return ObjTy;
}

const Expr *RecE = MsgE->getInstanceReceiver();
if (!RecE)
return nullptr;

RecE= RecE->IgnoreParenImpCasts();
if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(RecE)) {
const StackFrameContext *SFCtx = C.getStackFrame();
// Are we calling [self alloc]? If this is self, get the type of the
// enclosing ObjC class.
if (DRE->getDecl() == SFCtx->getSelfDecl()) {
if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(SFCtx->getDecl()))
if (const ObjCObjectType *ObjTy =
dyn_cast<ObjCObjectType>(MD->getClassInterface()->getTypeForDecl()))
return ObjTy;
}
}
return nullptr;
}

// Return a better dynamic type if one can be derived from the cast.		// Return a better dynamic type if one can be derived from the cast.
// Compare the current dynamic type of the region and the new type to which we		// Compare the current dynamic type of the region and the new type to which we
// are casting. If the new type is lower in the inheritance hierarchy, pick it.		// are casting. If the new type is lower in the inheritance hierarchy, pick it.
const ObjCObjectPointerType *		const ObjCObjectPointerType *
DynamicTypePropagation::getBetterObjCType(const Expr *CastE,		DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
CheckerContext &C) const {		CheckerContext &C) const {
const MemRegion *ToR = C.getSVal(CastE).getAsRegion();		const MemRegion *ToR = C.getSVal(CastE).getAsRegion();
assert(ToR);		assert(ToR);
▲ Show 20 Lines • Show All 468 Lines • ▼ Show 20 Lines	void DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
const ObjCMessageExpr *MessageExpr = M.getOriginExpr();		const ObjCMessageExpr *MessageExpr = M.getOriginExpr();

SymbolRef RetSym = M.getReturnValue().getAsSymbol();		SymbolRef RetSym = M.getReturnValue().getAsSymbol();
if (!RetSym)		if (!RetSym)
return;		return;

Selector Sel = MessageExpr->getSelector();		Selector Sel = MessageExpr->getSelector();
ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
// Inference for class variables.
// We are only interested in cases where the class method is invoked on a
// class. This method is provided by the runtime and available on all classes.
if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class &&
Sel.getAsString() == "class") {
QualType ReceiverType = MessageExpr->getClassReceiver();
const auto *ReceiverClassType = ReceiverType->castAs<ObjCObjectType>();
if (!ReceiverClassType->isSpecialized())
return;

		// Here we try to propagate information on Class objects.
		if (Sel.getAsString() == "class") {
		// We try to figure out the type from the receiver of the 'class' message.
		if (RuntimeType ReceiverRuntimeType = inferReceiverType(M, C)) {

		ReceiverRuntimeType.Type->getSuperClassType();
		NoQUnsubmitted Done Reply Inline Actions I don't think this line of code does anything. (time for some `LLVM_NODISCARD`???) NoQ: I don't think this line of code does anything. (time for some `LLVM_NODISCARD`???)
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Whoops, that's true! vsavchenko: Whoops, that's true!
		QualType ReceiverClassType(ReceiverRuntimeType.Type, 0);

		// We want to consider only precise information on generics.
		if (ReceiverRuntimeType.Type->isSpecialized() &&
		ReceiverRuntimeType.Precise) {
QualType ReceiverClassPointerType =		QualType ReceiverClassPointerType =
C.getASTContext().getObjCObjectPointerType(		C.getASTContext().getObjCObjectPointerType(ReceiverClassType);
QualType(ReceiverClassType, 0));
const auto *InferredType =		const auto *InferredType =
ReceiverClassPointerType->castAs<ObjCObjectPointerType>();		ReceiverClassPointerType->castAs<ObjCObjectPointerType>();

State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType);		State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType);
		}

		// Constrain the resulting class object to the inferred type.
		State = setClassObjectDynamicTypeInfo(State, RetSym, ReceiverClassType,
		!ReceiverRuntimeType.Precise);

C.addTransition(State);		C.addTransition(State);
return;		return;
}		}
		}

		if (Sel.getAsString() == "superclass") {
		// We try to figure out the type from the receiver of the 'superclass'
		// message.
		if (RuntimeType ReceiverRuntimeType = inferReceiverType(M, C)) {

		// Result type would be a super class of the receiver's type.
		QualType ReceiversSuperClass =
		ReceiverRuntimeType.Type->getSuperClassType();

		// Check if it really had super class.
		//
		// TODO: we can probably pay closer attention to cases when the class
		// object can be 'nil' as the result of such message.
		if (!ReceiversSuperClass.isNull()) {
		// Constrain the resulting class object to the inferred type.
		State = setClassObjectDynamicTypeInfo(
		State, RetSym, ReceiversSuperClass, !ReceiverRuntimeType.Precise);

		C.addTransition(State);
		}
		return;
		}
		}

// Tracking for return types.		// Tracking for return types.
SymbolRef RecSym = M.getReceiverSVal().getAsSymbol();		SymbolRef RecSym = M.getReceiverSVal().getAsSymbol();
if (!RecSym)		if (!RecSym)
return;		return;

const ObjCObjectPointerType const TrackedType =		const ObjCObjectPointerType const TrackedType =
State->get<MostSpecializedTypeArgsMap>(RecSym);		State->get<MostSpecializedTypeArgsMap>(RecSym);
▲ Show 20 Lines • Show All 143 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ObjCSuperDeallocChecker.cpp

	Show First 20 Lines • Show All 110 Lines • ▼ Show 20 Lines

	void ObjCSuperDeallocChecker::checkPostObjCMessage(const ObjCMethodCall &M,			void ObjCSuperDeallocChecker::checkPostObjCMessage(const ObjCMethodCall &M,
	CheckerContext &C) const {			CheckerContext &C) const {
	// Check for [super dealloc] method call.			// Check for [super dealloc] method call.
	if (!isSuperDeallocMessage(M))			if (!isSuperDeallocMessage(M))
	return;			return;

	ProgramStateRef State = C.getState();			ProgramStateRef State = C.getState();
	SymbolRef ReceiverSymbol = M.getSelfSVal().getAsSymbol();			const LocationContext *LC = C.getLocationContext();
	assert(ReceiverSymbol && "No receiver symbol at call to [super dealloc]?");			SymbolRef SelfSymbol = State->getSelfSVal(LC).getAsSymbol();
				assert(SelfSymbol && "No receiver symbol at call to [super dealloc]?");

	// We add this transition in checkPostObjCMessage to avoid warning when			// We add this transition in checkPostObjCMessage to avoid warning when
	// we inline a call to [super dealloc] where the inlined call itself			// we inline a call to [super dealloc] where the inlined call itself
	// calls [super dealloc].			// calls [super dealloc].
	State = State->add<CalledSuperDealloc>(ReceiverSymbol);			State = State->add<CalledSuperDealloc>(SelfSymbol);
	C.addTransition(State);			C.addTransition(State);
	}			}

	void ObjCSuperDeallocChecker::checkLocation(SVal L, bool IsLoad, const Stmt *S,			void ObjCSuperDeallocChecker::checkLocation(SVal L, bool IsLoad, const Stmt *S,
	CheckerContext &C) const {			CheckerContext &C) const {
	SymbolRef BaseSym = L.getLocSymbolInBase();			SymbolRef BaseSym = L.getLocSymbolInBase();
	if (!BaseSym)			if (!BaseSym)
	return;			return;
	▲ Show 20 Lines • Show All 156 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 Lines • Show All 966 Lines • ▼ Show 20 Lines	if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) {
}		}
return;		return;
}		}
}		}

Values.push_back(getReceiverSVal());		Values.push_back(getReceiverSVal());
}		}

SVal ObjCMethodCall::getSelfSVal() const {
const LocationContext *LCtx = getLocationContext();
const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
if (!SelfDecl)
return SVal();
return getState()->getSVal(getState()->getRegion(SelfDecl, LCtx));
}

SVal ObjCMethodCall::getReceiverSVal() const {		SVal ObjCMethodCall::getReceiverSVal() const {
// FIXME: Is this the best way to handle class receivers?		// FIXME: Is this the best way to handle class receivers?
if (!isInstanceMessage())		if (!isInstanceMessage())
return UnknownVal();		return UnknownVal();

if (const Expr *RecE = getOriginExpr()->getInstanceReceiver())		if (const Expr *RecE = getOriginExpr()->getInstanceReceiver())
return getSVal(RecE);		return getSVal(RecE);

// An instance message with no expression means we are sending to super.		// An instance message with no expression means we are sending to super.
// In this case the object reference is the same as 'self'.		// In this case the object reference is the same as 'self'.
assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance);		assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance);
SVal SelfVal = getSelfSVal();		SVal SelfVal = getState()->getSelfSVal(getLocationContext());
assert(SelfVal.isValid() && "Calling super but not in ObjC method");		assert(SelfVal.isValid() && "Calling super but not in ObjC method");
return SelfVal;		return SelfVal;
}		}

bool ObjCMethodCall::isReceiverSelfOrSuper() const {		bool ObjCMethodCall::isReceiverSelfOrSuper() const {
if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance \|\|		if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance \|\|
getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass)		getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass)
return true;		return true;

if (!isInstanceMessage())		if (!isInstanceMessage())
return false;		return false;

SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver());		SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver());
		SVal SelfVal = getState()->getSelfSVal(getLocationContext());

return (RecVal == getSelfSVal());		return (RecVal == SelfVal);
}		}

SourceRange ObjCMethodCall::getSourceRange() const {		SourceRange ObjCMethodCall::getSourceRange() const {
switch (getMessageKind()) {		switch (getMessageKind()) {
case OCM_Message:		case OCM_Message:
return getOriginExpr()->getSourceRange();		return getOriginExpr()->getSourceRange();
case OCM_PropertyAccess:		case OCM_PropertyAccess:
case OCM_Subscript:		case OCM_Subscript:
▲ Show 20 Lines • Show All 150 Lines • ▼ Show 20 Lines	static const ObjCMethodDecl findDefiningRedecl(const ObjCMethodDecl MD) {
if (!MD->hasBody()) {		if (!MD->hasBody()) {
for (auto I : MD->redecls())		for (auto I : MD->redecls())
if (I->hasBody())		if (I->hasBody())
MD = cast<ObjCMethodDecl>(I);		MD = cast<ObjCMethodDecl>(I);
}		}
return MD;		return MD;
}		}

static bool isCallToSelfClass(const ObjCMessageExpr *ME) {		struct PrivateMethodKey {
const Expr* InstRec = ME->getInstanceReceiver();		const ObjCInterfaceDecl *Interface;
if (!InstRec)		Selector LookupSelector;
return false;		bool IsClassMethod;
const auto *InstRecIg = dyn_cast<DeclRefExpr>(InstRec->IgnoreParenImpCasts());		};

// Check that receiver is called 'self'.		template <> struct llvm::DenseMapInfo<PrivateMethodKey> {
if (!InstRecIg \|\| !InstRecIg->getFoundDecl() \|\|		using InterfaceInfo = DenseMapInfo<const ObjCInterfaceDecl *>;
!InstRecIg->getFoundDecl()->getName().equals("self"))		using SelectorInfo = DenseMapInfo<Selector>;
return false;

// Check that the method name is 'class'.		static inline PrivateMethodKey getEmptyKey() {
if (ME->getSelector().getNumArgs() != 0 \|\|		return {InterfaceInfo::getEmptyKey(), SelectorInfo::getEmptyKey(), false};
!ME->getSelector().getNameForSlot(0).equals("class"))		}
return false;

return true;		static inline PrivateMethodKey getTombstoneKey() {
		return {InterfaceInfo::getTombstoneKey(), SelectorInfo::getTombstoneKey(),
		true};
		}

		static unsigned getHashValue(const PrivateMethodKey &Key) {
		return llvm::hash_combine(
		llvm::hash_code(InterfaceInfo::getHashValue(Key.Interface)),
		llvm::hash_code(SelectorInfo::getHashValue(Key.LookupSelector)),
		Key.IsClassMethod);
		}

		static bool isEqual(const PrivateMethodKey &LHS,
		const PrivateMethodKey &RHS) {
		return InterfaceInfo::isEqual(LHS.Interface, RHS.Interface) &&
		SelectorInfo::isEqual(LHS.LookupSelector, RHS.LookupSelector) &&
		LHS.IsClassMethod == RHS.IsClassMethod;
		}
		};

		const ObjCMethodDecl *
		lookupRuntimeDefinition(const ObjCInterfaceDecl *Interface,
		Selector LookupSelector, bool InstanceMethod) {
		// Repeatedly calling lookupPrivateMethod() is expensive, especially
		// when in many cases it returns null. We cache the results so
		NoQUnsubmitted Not Done Reply Inline Actions Before i forget: Stuff that's shared across analyses usually lives in `AnalysisConsumer`. Cf. `FunctionSummaries`. This is the intended way of avoiding globals in such cases. NoQ: Before i forget: Stuff that's shared across analyses usually lives in `AnalysisConsumer`. Cf.
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions We can re-do it in a separate commit I guess. vsavchenko: We can re-do it in a separate commit I guess.
		// that repeated queries on the same ObjCIntefaceDecl and Selector
		// don't incur the same cost. On some test cases, we can see the
		// same query being issued thousands of times.
		//
		// NOTE: This cache is essentially a "global" variable, but it
		// only gets lazily created when we get here. The value of the
		// cache probably comes from it being global across ExprEngines,
		// where the same queries may get issued. If we are worried about
		// concurrency, or possibly loading/unloading ASTs, etc., we may
		// need to revisit this someday. In terms of memory, this table
		// stays around until clang quits, which also may be bad if we
		// need to release memory.
		using PrivateMethodCache =
		llvm::DenseMap<PrivateMethodKey, Optional<const ObjCMethodDecl *>>;

		static PrivateMethodCache PMC;
		Optional<const ObjCMethodDecl *> &Val =
		PMC[{Interface, LookupSelector, InstanceMethod}];

		// Query lookupPrivateMethod() if the cache does not hit.
		if (!Val.hasValue()) {
		Val = Interface->lookupPrivateMethod(LookupSelector, InstanceMethod);

		if (!*Val) {
		// Query 'lookupMethod' as a backup.
		Val = Interface->lookupMethod(LookupSelector, InstanceMethod);
		}
		}

		return Val.getValue();
}		}

RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {		RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
const ObjCMessageExpr *E = getOriginExpr();		const ObjCMessageExpr *E = getOriginExpr();
assert(E);		assert(E);
Selector Sel = E->getSelector();		Selector Sel = E->getSelector();

if (E->isInstanceMessage()) {		if (E->isInstanceMessage()) {
// Find the receiver type.		// Find the receiver type.
const ObjCObjectPointerType *ReceiverT = nullptr;		const ObjCObjectType *ReceiverT = nullptr;
bool CanBeSubClassed = false;		bool CanBeSubClassed = false;
		bool LookingForInstanceMethod = true;
QualType SupersType = E->getSuperType();		QualType SupersType = E->getSuperType();
const MemRegion *Receiver = nullptr;		const MemRegion *Receiver = nullptr;

if (!SupersType.isNull()) {		if (!SupersType.isNull()) {
// The receiver is guaranteed to be 'super' in this case.		// The receiver is guaranteed to be 'super' in this case.
// Super always means the type of immediate predecessor to the method		// Super always means the type of immediate predecessor to the method
// where the call occurs.		// where the call occurs.
ReceiverT = cast<ObjCObjectPointerType>(SupersType);		ReceiverT = cast<ObjCObjectPointerType>(SupersType)->getObjectType();
} else {		} else {
Receiver = getReceiverSVal().getAsRegion();		Receiver = getReceiverSVal().getAsRegion();
if (!Receiver)		if (!Receiver)
return {};		return {};

DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);		DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
if (!DTI.isValid()) {		if (!DTI.isValid()) {
assert(isa<AllocaRegion>(Receiver) &&		assert(isa<AllocaRegion>(Receiver) &&
"Unhandled untyped region class!");		"Unhandled untyped region class!");
return {};		return {};
}		}

QualType DynType = DTI.getType();		QualType DynType = DTI.getType();
CanBeSubClassed = DTI.canBeASubClass();		CanBeSubClassed = DTI.canBeASubClass();
ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());

if (ReceiverT && CanBeSubClassed)		const auto *ReceiverDynT =
if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl())		dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());
if (!canBeOverridenInSubclass(IDecl, Sel))
CanBeSubClassed = false;
}

// Handle special cases of '[self classMethod]' and		if (ReceiverDynT) {
// '[[self class] classMethod]', which are treated by the compiler as		ReceiverT = ReceiverDynT->getObjectType();
// instance (not class) messages. We will statically dispatch to those.
if (auto *PT = dyn_cast_or_null<ObjCObjectPointerType>(ReceiverT)) {
// For [self classMethod], return the compiler visible declaration.
if (PT->getObjectType()->isObjCClass() &&
Receiver == getSelfSVal().getAsRegion())
return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));

// Similarly, handle [[self class] classMethod].		// It can be actually class methods called with Class object as a
// TODO: We are currently doing a syntactic match for this pattern with is		// receiver. This type of messages is treated by the compiler as
// limiting as the test cases in Analysis/inlining/InlineObjCClassMethod.m		// instance (not class).
// shows. A better way would be to associate the meta type with the symbol		if (ReceiverT->isObjCClass()) {
// using the dynamic type info tracking and use it here. We can add a new
// SVal for ObjC 'Class' values that know what interface declaration they		SVal SelfVal = getState()->getSelfSVal(getLocationContext());
// come from. Then 'self' in a class method would be filled in with		// For [self classMethod], return compiler visible declaration.
// something meaningful in ObjCMethodCall::getReceiverSVal() and we could		if (Receiver == SelfVal.getAsRegion()) {
// do proper dynamic dispatch for class methods just like we do for
// instance methods now.
if (E->getInstanceReceiver())
if (const auto *M = dyn_cast<ObjCMessageExpr>(E->getInstanceReceiver()))
if (isCallToSelfClass(M))
return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));		return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
}		}

// Lookup the instance method implementation.		// Otherwise, let's check if we know something about the type
if (ReceiverT)		// inside of this class object.
if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl()) {		if (SymbolRef ReceiverSym = getReceiverSVal().getAsSymbol()) {
// Repeatedly calling lookupPrivateMethod() is expensive, especially		DynamicTypeInfo DTI =
// when in many cases it returns null. We cache the results so		getClassObjectDynamicTypeInfo(getState(), ReceiverSym);
// that repeated queries on the same ObjCIntefaceDecl and Selector		if (DTI.isValid()) {
// don't incur the same cost. On some test cases, we can see the		// Let's use this type for lookup.
// same query being issued thousands of times.		ReceiverT =
//		cast<ObjCObjectType>(DTI.getType().getCanonicalType());
// NOTE: This cache is essentially a "global" variable, but it
// only gets lazily created when we get here. The value of the
// cache probably comes from it being global across ExprEngines,
// where the same queries may get issued. If we are worried about
// concurrency, or possibly loading/unloading ASTs, etc., we may
// need to revisit this someday. In terms of memory, this table
// stays around until clang quits, which also may be bad if we
// need to release memory.
using PrivateMethodKey = std::pair<const ObjCInterfaceDecl *, Selector>;
using PrivateMethodCache =
llvm::DenseMap<PrivateMethodKey, Optional<const ObjCMethodDecl *>>;

static PrivateMethodCache PMC;
Optional<const ObjCMethodDecl *> &Val = PMC[std::make_pair(IDecl, Sel)];

// Query lookupPrivateMethod() if the cache does not hit.
if (!Val.hasValue()) {
Val = IDecl->lookupPrivateMethod(Sel);

// If the method is a property accessor, we should try to "inline" it		CanBeSubClassed = DTI.canBeASubClass();
// even if we don't actually have an implementation.		// And it should be a class method instead.
if (!*Val)		LookingForInstanceMethod = false;
if (const ObjCMethodDecl *CompileTimeMD = E->getMethodDecl())		}
if (CompileTimeMD->isPropertyAccessor()) {
if (!CompileTimeMD->getSelfDecl() &&
isa<ObjCCategoryDecl>(CompileTimeMD->getDeclContext())) {
// If the method is an accessor in a category, and it doesn't
// have a self declaration, first
// try to find the method in a class extension. This
// works around a bug in Sema where multiple accessors
// are synthesized for properties in class
// extensions that are redeclared in a category and the
// the implicit parameters are not filled in for
// the method on the category.
// This ensures we find the accessor in the extension, which
// has the implicit parameters filled in.
auto *ID = CompileTimeMD->getClassInterface();
for (auto *CatDecl : ID->visible_extensions()) {
Val = CatDecl->getMethod(Sel,
CompileTimeMD->isInstanceMethod());
if (*Val)
break;
}		}
}		}
if (!*Val)
Val = IDecl->lookupInstanceMethod(Sel);		if (CanBeSubClassed)
		if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface())
		// Even if `DynamicTypeInfo` told us that it can be
		// not necessarily this type, but its descendants, we still want
		// to check again if this selector can be actually overridden.
		CanBeSubClassed = canBeOverridenInSubclass(IDecl, Sel);
}		}
		NoQUnsubmitted Done Reply Inline Actions Wait, how do we get a decl here that's anyhow relevant if the compiler doesn't even know that it's a class method? NoQ: Wait, how do we get a decl here that's anyhow relevant if the compiler doesn't even know that…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Compiler knows it, but still marks it as an instance method (because technically `self` is an object). vsavchenko: Compiler knows it, but still marks it as an instance method (because technically `self` is an…
}		}

const ObjCMethodDecl *MD = Val.getValue();		// Lookup the instance method implementation.
		if (ReceiverT)
		if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface()) {
		const ObjCMethodDecl *MD =
		lookupRuntimeDefinition(IDecl, Sel, LookingForInstanceMethod);

if (MD && !MD->hasBody())		if (MD && !MD->hasBody())
MD = MD->getCanonicalDecl();		MD = MD->getCanonicalDecl();

if (CanBeSubClassed)		if (CanBeSubClassed)
return RuntimeDefinition(MD, Receiver);		return RuntimeDefinition(MD, Receiver);
else		else
return RuntimeDefinition(MD, nullptr);		return RuntimeDefinition(MD, nullptr);
}		}
} else {		} else {
// This is a class method.		// This is a class method.
// If we have type info for the receiver class, we are calling via		// If we have type info for the receiver class, we are calling via
▲ Show 20 Lines • Show All 125 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/DynamicType.cpp

Show All 28 Lines

/// A set factory of dynamic cast informations.		/// A set factory of dynamic cast informations.
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(CastSet, clang::ento::DynamicCastInfo)		REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(CastSet, clang::ento::DynamicCastInfo)

/// A map from symbols to cast informations.		/// A map from symbols to cast informations.
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicCastMap, const clang::ento::MemRegion *,		REGISTER_MAP_WITH_PROGRAMSTATE(DynamicCastMap, const clang::ento::MemRegion *,
CastSet)		CastSet)

		// A map from Class object symbols to the most likely pointed-to type.
		NoQUnsubmitted Done Reply Inline Actions I'd rather word this as "pointed-to type". NoQ: I'd rather word this as "pointed-to type".
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Sure vsavchenko: Sure
		REGISTER_MAP_WITH_PROGRAMSTATE(DynamicClassObjectMap, clang::ento::SymbolRef,
		clang::ento::DynamicTypeInfo)

namespace clang {		namespace clang {
namespace ento {		namespace ento {

DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR) {		DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR) {
MR = MR->StripCasts();		MR = MR->StripCasts();

// Look up the dynamic type in the GDM.		// Look up the dynamic type in the GDM.
if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR))		if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR))
Show All 26 Lines	const DynamicCastInfo *getDynamicCastInfo(ProgramStateRef State,

for (const DynamicCastInfo &Cast : *Lookup)		for (const DynamicCastInfo &Cast : *Lookup)
if (Cast.equals(CastFromTy, CastToTy))		if (Cast.equals(CastFromTy, CastToTy))
return &Cast;		return &Cast;

return nullptr;		return nullptr;
}		}

		DynamicTypeInfo getClassObjectDynamicTypeInfo(ProgramStateRef State,
		SymbolRef Sym) {
		const DynamicTypeInfo *DTI = State->get<DynamicClassObjectMap>(Sym);
		return DTI ? *DTI : DynamicTypeInfo{};
		}
		NoQUnsubmitted Not Done Reply Inline Actions My favorite idiom for this stuff so far: const DynamicTypeInfo DTI = State->get<DynamicClassObjectMap>(Sym); return DTI ? DTI : {}; (not sure `?:` will typecheck correctly in case of `{}` though) NoQ: My favorite idiom for this stuff so far: ```lang=c++ const DynamicTypeInfo *DTI = State…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Yep, initializer lists are not allowed in ternary operators. vsavchenko: Yep, initializer lists are not allowed in ternary operators.

ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,		ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
DynamicTypeInfo NewTy) {		DynamicTypeInfo NewTy) {
State = State->set<DynamicTypeMap>(MR->StripCasts(), NewTy);		State = State->set<DynamicTypeMap>(MR->StripCasts(), NewTy);
assert(State);		assert(State);
return State;		return State;
}		}

ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,		ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
Show All 26 Lines	ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State,

Set = F.add(Set, {CastFromTy, CastToTy, ResultKind});		Set = F.add(Set, {CastFromTy, CastToTy, ResultKind});
State = State->set<DynamicCastMap>(MR, Set);		State = State->set<DynamicCastMap>(MR, Set);

assert(State);		assert(State);
return State;		return State;
}		}

		ProgramStateRef setClassObjectDynamicTypeInfo(ProgramStateRef State,
		SymbolRef Sym,
		DynamicTypeInfo NewTy) {
		State = State->set<DynamicClassObjectMap>(Sym, NewTy);
		return State;
		}

		ProgramStateRef setClassObjectDynamicTypeInfo(ProgramStateRef State,
		SymbolRef Sym, QualType NewTy,
		bool CanBeSubClassed) {
		return setClassObjectDynamicTypeInfo(State, Sym,
		DynamicTypeInfo(NewTy, CanBeSubClassed));
		}

		static bool isLive(SymbolReaper &SR, const MemRegion *MR) {
		return SR.isLiveRegion(MR);
		NoQUnsubmitted Not Done Reply Inline Actions Feel free to rename `isLiveRegion` instead if it helps :) NoQ: Feel free to rename `isLiveRegion` instead if it helps :)
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Unfortunately, it is named a bit differently for a reason, - compiler couldn't decide which function to use `bool isLive(const MemRegion region)` or `bool isLive(const VarRegion VR, bool includeStoreBindings = false) const` for a call `isLive(VarRegion )` (even though it's pretty obvious). Splitting `isLive` for `VarRegion` into two functions doesn't seem like an easy one. The only option I can see is the introduction of `isLiveImpl` (not very pretty in a header file) and two functions `isLive(const VarRegion) const` and `isLiveIncludingStoreBindings(const VarRegion ) const`. vsavchenko:* Unfortunately, it is named a bit differently for a reason, - compiler couldn't decide which…
		NoQUnsubmitted Not Done Reply Inline Actions Or rename `isLive(const VarRegion , bool includeStoreBindings)`? (I suspect this function should really be private anyway) NoQ:* Or rename `isLive(const VarRegion *, bool includeStoreBindings)`? (I suspect this function…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions I don't know about that, it doesn't seem like a good change. I think that all of them should be `isLive` vsavchenko: I don't know about that, it doesn't seem like a good change. I think that all of them should be…
		}

		static bool isLive(SymbolReaper &SR, SymbolRef Sym) { return SR.isLive(Sym); }

template <typename MapTy>		template <typename MapTy>
ProgramStateRef removeDead(ProgramStateRef State, const MapTy &Map,		static ProgramStateRef removeDeadImpl(ProgramStateRef State, SymbolReaper &SR) {
SymbolReaper &SR) {		const auto &Map = State->get<MapTy>();

for (const auto &Elem : Map)		for (const auto &Elem : Map)
if (!SR.isLiveRegion(Elem.first))		if (!isLive(SR, Elem.first))
State = State->remove<DynamicCastMap>(Elem.first);		State = State->remove<MapTy>(Elem.first);

return State;		return State;
}		}

ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR) {		ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicTypeMap>(), SR);		return removeDeadImpl<DynamicTypeMap>(State, SR);
}		}

ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR) {		ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicCastMap>(), SR);		return removeDeadImpl<DynamicCastMap>(State, SR);
}		}

static void printDynamicTypesJson(raw_ostream &Out, ProgramStateRef State,		ProgramStateRef removeDeadClassObjectTypes(ProgramStateRef State,
const char *NL, unsigned int Space,		SymbolReaper &SR) {
bool IsDot) {		return removeDeadImpl<DynamicClassObjectMap>(State, SR);
Indent(Out, Space, IsDot) << "\"dynamic_types\": ";		}

const DynamicTypeMapTy &Map = State->get<DynamicTypeMap>();		//===----------------------------------------------------------------------===//
if (Map.isEmpty()) {		// Implementation of the 'printer-to-JSON' function
Out << "null," << NL;		//===----------------------------------------------------------------------===//
return;
		static raw_ostream &printJson(const MemRegion *Region, raw_ostream &Out,
		const char *NL, unsigned int Space, bool IsDot) {
		return Out << "\"region\": \"" << Region << "\"";
}		}

++Space;		static raw_ostream &printJson(const SymExpr *Symbol, raw_ostream &Out,
Out << '[' << NL;		const char *NL, unsigned int Space, bool IsDot) {
for (DynamicTypeMapTy::iterator I = Map.begin(); I != Map.end(); ++I) {		return Out << "\"symbol\": \"" << Symbol << "\"";
const MemRegion *MR = I->first;		}
const DynamicTypeInfo &DTI = I->second;
Indent(Out, Space, IsDot)		static raw_ostream &printJson(const DynamicTypeInfo &DTI, raw_ostream &Out,
<< "{ \"region\": \"" << MR << "\", \"dyn_type\": ";		const char *NL, unsigned int Space, bool IsDot) {
		Out << "\"dyn_type\": ";
if (!DTI.isValid()) {		if (!DTI.isValid()) {
Out << "null";		Out << "null";
} else {		} else {
Out << '\"' << DTI.getType()->getPointeeType().getAsString()		QualType ToPrint = DTI.getType();
<< "\", \"sub_classable\": "		if (ToPrint->isAnyPointerType())
		ToPrint = ToPrint->getPointeeType();

		Out << '\"' << ToPrint.getAsString() << "\", \"sub_classable\": "
<< (DTI.canBeASubClass() ? "true" : "false");		<< (DTI.canBeASubClass() ? "true" : "false");
}		}
Out << " }";		return Out;

if (std::next(I) != Map.end())
Out << ',';
Out << NL;
}		}

--Space;		static raw_ostream &printJson(const DynamicCastInfo &DCI, raw_ostream &Out,
Indent(Out, Space, IsDot) << "]," << NL;		const char *NL, unsigned int Space, bool IsDot) {
		return Out << "\"from\": \"" << DCI.from().getAsString() << "\", \"to\": \""
		<< DCI.to().getAsString() << "\", \"kind\": \""
		<< (DCI.succeeds() ? "success" : "fail") << "\"";
}		}

static void printDynamicCastsJson(raw_ostream &Out, ProgramStateRef State,		template <class T, class U>
const char *NL, unsigned int Space,		static raw_ostream &printJson(const std::pair<T, U> &Pair, raw_ostream &Out,
bool IsDot) {		const char *NL, unsigned int Space, bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_casts\": ";		printJson(Pair.first, Out, NL, Space, IsDot) << ", ";
		return printJson(Pair.second, Out, NL, Space, IsDot);
		}

const DynamicCastMapTy &Map = State->get<DynamicCastMap>();		template <class ContainerTy>
if (Map.isEmpty()) {		static raw_ostream &printJsonContainer(const ContainerTy &Container,
Out << "null," << NL;		raw_ostream &Out, const char *NL,
return;		unsigned int Space, bool IsDot) {
		if (Container.isEmpty()) {
		return Out << "null";
}		}

++Space;		++Space;
Out << '[' << NL;		Out << '[' << NL;
for (DynamicCastMapTy::iterator I = Map.begin(); I != Map.end(); ++I) {		for (auto I = Container.begin(); I != Container.end(); ++I) {
const MemRegion *MR = I->first;		const auto &Element = *I;
const CastSet &Set = I->second;

Indent(Out, Space, IsDot) << "{ \"region\": \"" << MR << "\", \"casts\": ";		Indent(Out, Space, IsDot) << "{ ";
if (Set.isEmpty()) {		printJson(Element, Out, NL, Space, IsDot) << " }";
Out << "null ";
} else {
++Space;
Out << '[' << NL;
for (CastSet::iterator SI = Set.begin(); SI != Set.end(); ++SI) {
Indent(Out, Space, IsDot)
<< "{ \"from\": \"" << SI->from().getAsString() << "\", \"to\": \""
<< SI->to().getAsString() << "\", \"kind\": \""
<< (SI->succeeds() ? "success" : "fail") << "\" }";

if (std::next(SI) != Set.end())		if (std::next(I) != Container.end())
Out << ',';		Out << ',';
Out << NL;		Out << NL;
}		}

--Space;		--Space;
Indent(Out, Space, IsDot) << ']';		return Indent(Out, Space, IsDot) << "]";
}		}
Out << '}';

if (std::next(I) != Map.end())		static raw_ostream &printJson(const CastSet &Set, raw_ostream &Out,
Out << ',';		const char *NL, unsigned int Space, bool IsDot) {
Out << NL;		Out << "\"casts\": ";
		return printJsonContainer(Set, Out, NL, Space, IsDot);
}		}

--Space;		template <class MapTy>
Indent(Out, Space, IsDot) << "]," << NL;		static void printJsonImpl(raw_ostream &Out, ProgramStateRef State,
		const char Name, const char NL, unsigned int Space,
		bool IsDot, bool PrintEvenIfEmpty = true) {
		const auto &Map = State->get<MapTy>();
		if (Map.isEmpty() && !PrintEvenIfEmpty)
		return;

		Indent(Out, Space, IsDot) << "\"" << Name << "\": ";
		printJsonContainer(Map, Out, NL, Space, IsDot) << "," << NL;
		}

		static void printDynamicTypesJson(raw_ostream &Out, ProgramStateRef State,
		const char *NL, unsigned int Space,
		bool IsDot) {
		printJsonImpl<DynamicTypeMap>(Out, State, "dynamic_types", NL, Space, IsDot);
		}

		static void printDynamicCastsJson(raw_ostream &Out, ProgramStateRef State,
		const char *NL, unsigned int Space,
		bool IsDot) {
		printJsonImpl<DynamicCastMap>(Out, State, "dynamic_casts", NL, Space, IsDot);
		}

		static void printClassObjectDynamicTypesJson(raw_ostream &Out,
		ProgramStateRef State,
		const char *NL, unsigned int Space,
		bool IsDot) {
		// Let's print Class object type information only if we have something
		// meaningful to print.
		printJsonImpl<DynamicClassObjectMap>(Out, State, "class_object_types", NL,
		Space, IsDot,
		/PrintEvenIfEmpty=/false);
}		}

void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,		void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space, bool IsDot) {		const char *NL, unsigned int Space, bool IsDot) {
printDynamicTypesJson(Out, State, NL, Space, IsDot);		printDynamicTypesJson(Out, State, NL, Space, IsDot);
printDynamicCastsJson(Out, State, NL, Space, IsDot);		printDynamicCastsJson(Out, State, NL, Space, IsDot);
		printClassObjectDynamicTypesJson(Out, State, NL, Space, IsDot);
}		}

} // namespace ento		} // namespace ento
} // namespace clang		} // namespace clang

clang/lib/StaticAnalyzer/Core/ProgramState.cpp

	Show First 20 Lines • Show All 234 Lines • ▼ Show 20 Lines
	ProgramStateRef			ProgramStateRef
	ProgramState::enterStackFrame(const CallEvent &Call,			ProgramState::enterStackFrame(const CallEvent &Call,
	const StackFrameContext *CalleeCtx) const {			const StackFrameContext *CalleeCtx) const {
	const StoreRef &NewStore =			const StoreRef &NewStore =
	getStateManager().StoreMgr->enterStackFrame(getStore(), Call, CalleeCtx);			getStateManager().StoreMgr->enterStackFrame(getStore(), Call, CalleeCtx);
	return makeWithStore(NewStore);			return makeWithStore(NewStore);
	}			}

				SVal ProgramState::getSelfSVal(const LocationContext *LCtx) const {
				const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
				if (!SelfDecl)
				return SVal();
				return getSVal(getRegion(SelfDecl, LCtx));
				}

	SVal ProgramState::getSValAsScalarOrLoc(const MemRegion *R) const {			SVal ProgramState::getSValAsScalarOrLoc(const MemRegion *R) const {
	// We only want to do fetches from regions that we can actually bind			// We only want to do fetches from regions that we can actually bind
	// values. For example, SymbolicRegions of type 'id<...>' cannot			// values. For example, SymbolicRegions of type 'id<...>' cannot
	// have direct bindings (but their can be bindings on their subregions).			// have direct bindings (but their can be bindings on their subregions).
	if (!R->isBoundable())			if (!R->isBoundable())
	return UnknownVal();			return UnknownVal();

	if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {			if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {
	▲ Show 20 Lines • Show All 394 Lines • Show Last 20 Lines

clang/test/Analysis/cast-value-state-dump.cpp

Show All 31 Lines	void evalNonNullParamNonNullReturn(const Shape *S) {

// CHECK: "dynamic_types": [		// CHECK: "dynamic_types": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "dyn_type": "const class clang::Circle", "sub_classable": true }		// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "dyn_type": "const class clang::Circle", "sub_classable": true }
// CHECK-NEXT: ],		// CHECK-NEXT: ],
// CHECK-NEXT: "dynamic_casts": [		// CHECK-NEXT: "dynamic_casts": [
// CHECK: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "casts": [		// CHECK: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "casts": [
// CHECK-NEXT: { "from": "const struct clang::Shape ", "to": "const class clang::Circle ", "kind": "success" },		// CHECK-NEXT: { "from": "const struct clang::Shape ", "to": "const class clang::Circle ", "kind": "success" },
// CHECK-NEXT: { "from": "const struct clang::Shape ", "to": "const class clang::Square ", "kind": "fail" }		// CHECK-NEXT: { "from": "const struct clang::Shape ", "to": "const class clang::Square ", "kind": "fail" }
// CHECK-NEXT: ]}		// CHECK-NEXT: ] }

(void)(1 / !C);		(void)(1 / !C);
// expected-note@-1 {{'C' is non-null}}		// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}		// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}		// expected-warning@-3 {{Division by zero}}
}		}

clang/test/Analysis/class-object-state-dump.m

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection \
				// RUN: -verify %s 2>&1 \| FileCheck %s

				// expected-no-diagnostics

				void clang_analyzer_printState();

				@interface NSObject {
				}
				+ (id)alloc;
				+ (Class)class;
				- (id)init;
				- (Class)class;
				@end

				@interface Parent : NSObject
				@end
				@interface Child : Parent
				@end

				void foo(id A, id B);

				@implementation Child
				+ (void)test {
				id ClassAsID = [self class];
				id Object = [[ClassAsID alloc] init];
				Class TheSameClass = [Object class];

				clang_analyzer_printState();
				// CHECK: "class_object_types": [
				// CHECK-NEXT: { "symbol": "conj_$[[#]]{Class, LC[[#]], S[[#]], #[[#]]}", "dyn_type": "Child", "sub_classable": true },
				// CHECK-NEXT: { "symbol": "conj_$[[#]]{Class, LC[[#]], S[[#]], #[[#]]}", "dyn_type": "Child", "sub_classable": true }
				// CHECK-NEXT: ]

				// Let's make sure that the information is not GC'd away.
				foo(ClassAsID, TheSameClass);
				}
				@end

clang/test/Analysis/inlining/InlineObjCClassMethod.m

// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -analyzer-config ipa=dynamic-bifurcate -verify -analyzer-config eagerly-assume=false %s		// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -analyzer-config ipa=dynamic-bifurcate -verify -analyzer-config eagerly-assume=false %s

void clang_analyzer_checkInlined(int);		void clang_analyzer_checkInlined(int);
void clang_analyzer_eval(int);		void clang_analyzer_eval(int);

// Test inlining of ObjC class methods.		// Test inlining of ObjC class methods.

typedef signed char BOOL;		typedef signed char BOOL;
		#define YES ((BOOL)1)
		#define NO ((BOOL)0)
typedef struct objc_class *Class;		typedef struct objc_class *Class;
typedef struct objc_object {		typedef struct objc_object {
Class isa;		Class isa;
} *id;		} * id;
@protocol NSObject - (BOOL)isEqual:(id)object; @end		@protocol NSObject
		- (BOOL)isEqual:(id)object;
		@end
@interface NSObject <NSObject> {}		@interface NSObject <NSObject> {}
+(id)alloc;		+ (id)alloc;
		+ (Class)class;
		+ (Class)superclass;
-(id)init;		- (id)init;
-(id)autorelease;		- (id)autorelease;
-(id)copy;		- (id)copy;
- (Class)class;		- (Class)class;
		- (instancetype)self;
-(id)retain;		- (id)retain;
@end		@end

// Vanila: ObjC class method is called by name.		// Vanila: ObjC class method is called by name.
@interface MyParent : NSObject		@interface MyParent : NSObject
+ (int)getInt;		+ (int)getInt;
@end		@end
@interface MyClass : MyParent		@interface MyClass : MyParent
+ (int)getInt;		+ (int)getInt;
▲ Show 20 Lines • Show All 99 Lines • ▼ Show 20 Lines	+ (int)testClassVariableByUnknownVarDecl: (Class)cl {
int y = [cl getInt];		int y = [cl getInt];
return 3/y; // no-warning		return 3/y; // no-warning
}		}
+ (int)getInt {		+ (int)getInt {
return 0;		return 0;
}		}
@end		@end


// False negative.
// ObjC class method call through a decl with a known type.		// ObjC class method call through a decl with a known type.
// We should be able to track the type of currentClass and inline this call.
// Note, [self class] could be a subclass. Do we still want to inline here?		// Note, [self class] could be a subclass. Do we still want to inline here?
@interface MyClassKT : NSObject		@interface MyClassKT : NSObject
@end		@end
@interface MyClassKT (MyCatKT)		@interface MyClassKT (MyCatKT)
+ (int)getInt;		+ (int)getInt;
@end		@end
@implementation MyClassKT (MyCatKT)		@implementation MyClassKT (MyCatKT)
+ (int)getInt {		+ (int)getInt {
return 0;		return 0;
}		}
@end		@end
@implementation MyClassKT		@implementation MyClassKT
- (int)testClassMethodByKnownVarDecl {		- (int)testClassMethodByKnownVarDecl {
Class currentClass = [self class];		Class currentClass = [self class];
int y = [currentClass getInt];		int y = [currentClass getInt];
return 5/y; // Would be great to get a warning here.		return 5 / y; // expected-warning{{Division by zero}}
}		}
@end		@end

// Another false negative due to us not reasoning about self, which in this		// Another false negative due to us not reasoning about self, which in this
// case points to the object of the class in the call site and should be equal		// case points to the object of the class in the call site and should be equal
// to [MyParent class].		// to [MyParent class].
@interface MyParentSelf : NSObject		@interface MyParentSelf : NSObject
+ (int)testSelf;		+ (int)testSelf;
▲ Show 20 Lines • Show All 71 Lines • ▼ Show 20 Lines
@end		@end

@interface SelfClassTestParent : NSObject		@interface SelfClassTestParent : NSObject
-(unsigned)returns10;		-(unsigned)returns10;
+(unsigned)returns20;		+(unsigned)returns20;
+(unsigned)returns30;		+(unsigned)returns30;
@end		@end

@implementation SelfClassTestParent
-(unsigned)returns10 { return 100; }
+(unsigned)returns20 { return 100; }
+(unsigned)returns30 { return 100; }
@end

@interface SelfClassTest : SelfClassTestParent		@interface SelfClassTest : SelfClassTestParent
-(unsigned)returns10;		- (unsigned)returns10;
+(unsigned)returns20;		+ (unsigned)returns20;
+(unsigned)returns30;		+ (unsigned)returns30;
@end		@end

		@implementation SelfClassTestParent
		- (unsigned)returns10 {
		return 100;
		}
		+ (unsigned)returns20 {
		return 100;
		}
		+ (unsigned)returns30 {
		return 100;
		}

		- (void)testSelfReassignment {
		// Check that we didn't hardcode type for self.
		self = [[[SelfClassTest class] alloc] init];
		Class actuallyChildClass = [self class];
		unsigned result = [actuallyChildClass returns30];
		clang_analyzer_eval(result == 30); // expected-warning{{TRUE}}
		}
		@end

@implementation SelfClassTest		@implementation SelfClassTest
-(unsigned)returns10 { return 10; }		- (unsigned)returns10 {
+(unsigned)returns20 { return 20; }		return 10;
+(unsigned)returns30 { return 30; }		}
		+ (unsigned)returns20 {
		return 20;
		}
		+ (unsigned)returns30 {
		return 30;
		}
		+ (BOOL)isClass {
		return YES;
		}
		- (BOOL)isClass {
		return NO;
		}
		+ (SelfClassTest *)create {
		return [[self alloc] init];
		}
+(void)classMethod {		+ (void)classMethod {
unsigned result1 = [self returns20];		unsigned result1 = [self returns20];
clang_analyzer_eval(result1 == 20); // expected-warning{{TRUE}}		clang_analyzer_eval(result1 == 20); // expected-warning{{TRUE}}

unsigned result2 = [[self class] returns30];		unsigned result2 = [[self class] returns30];
clang_analyzer_eval(result2 == 30); // expected-warning{{TRUE}}		clang_analyzer_eval(result2 == 30); // expected-warning{{TRUE}}

unsigned result3 = [[super class] returns30];		unsigned result3 = [[super class] returns30];
clang_analyzer_eval(result3 == 100); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(result3 == 100); // expected-warning{{TRUE}}

		// Check that class info is propagated with data
		Class class41 = [self class];
		Class class42 = class41;
		unsigned result4 = [class42 returns30];
		clang_analyzer_eval(result4 == 30); // expected-warning{{TRUE}}

		Class class51 = [super class];
		Class class52 = class51;
		unsigned result5 = [class52 returns30];
		clang_analyzer_eval(result5 == 100); // expected-warning{{TRUE}}
}		}
-(void)instanceMethod {		- (void)instanceMethod {
unsigned result0 = [self returns10];		unsigned result0 = [self returns10];
clang_analyzer_eval(result0 == 10); // expected-warning{{TRUE}}		clang_analyzer_eval(result0 == 10); // expected-warning{{TRUE}}

unsigned result2 = [[self class] returns30];		unsigned result2 = [[self class] returns30];
clang_analyzer_eval(result2 == 30); // expected-warning{{TRUE}}		clang_analyzer_eval(result2 == 30); // expected-warning{{TRUE}}

unsigned result3 = [[super class] returns30];		unsigned result3 = [[super class] returns30];
clang_analyzer_eval(result3 == 100); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(result3 == 100); // expected-warning{{TRUE}}

		// Check that class info is propagated with data
		Class class41 = [self class];
		Class class42 = class41;
		unsigned result4 = [class42 returns30];
		clang_analyzer_eval(result4 == 30); // expected-warning{{TRUE}}

		Class class51 = [super class];
		Class class52 = class51;
		unsigned result5 = [class52 returns30];
		clang_analyzer_eval(result5 == 100); // expected-warning{{TRUE}}

		// Check that we inline class methods when class object is a receiver
		Class class6 = [self class];
		BOOL calledClassMethod = [class6 isClass];
		clang_analyzer_eval(calledClassMethod == YES); // expected-warning{{TRUE}}

		// Check that class info is propagated through the 'self' method
		Class class71 = [self class];
		Class class72 = [class71 self];
		unsigned result7 = [class72 returns30];
		clang_analyzer_eval(result7 == 30); // expected-warning{{TRUE}}

		// Check that 'class' and 'super' info from direct invocation of the
		// corresponding class methods is propagated with data
		Class class8 = [SelfClassTest class];
		unsigned result8 = [class8 returns30];
		clang_analyzer_eval(result8 == 30); // expected-warning{{TRUE}}

		Class class9 = [SelfClassTest superclass];
		unsigned result9 = [class9 returns30];
		clang_analyzer_eval(result9 == 100); // expected-warning{{TRUE}}

		// Check that we get class from a propagated type
		SelfClassTestParent *selfAsParent10 = [[SelfClassTest alloc] init];
		Class class10 = [selfAsParent10 class];
		unsigned result10 = [class10 returns30];
		clang_analyzer_eval(result10 == 30); // expected-warning{{TRUE}}

		SelfClassTestParent *selfAsParent11 = [[[self class] alloc] init];
		Class class11 = [selfAsParent11 class];
		unsigned result11 = [class11 returns30];
		clang_analyzer_eval(result11 == 30); // expected-warning{{TRUE}}
}		}
@end		@end

@interface Parent : NSObject		@interface Parent : NSObject
+ (int)a;		+ (int)a;
+ (int)b;		+ (int)b;
@end		@end
@interface Child : Parent		@interface Child : Parent
Show All 30 Lines

clang/test/Analysis/inlining/ObjCDynTypePopagation.m

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -analyzer-config ipa=dynamic-bifurcate -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -analyzer-config ipa=dynamic-bifurcate -verify %s

	#include "InlineObjCInstanceMethod.h"			#include "InlineObjCInstanceMethod.h"

	void clang_analyzer_eval(int);			void clang_analyzer_eval(int);

	PublicSubClass2 *getObj();			PublicSubClass2 *getObj();

	@implementation PublicParent			@implementation PublicParent
	- (int) getZeroOverridden {			- (int)getZeroOverridden {
	return 1;			return 1;
	}			}
	- (int) getZero {			- (int)getZero {
	return 0;			return 0;
	}			}
	@end			@end

	@implementation PublicSubClass2			@implementation PublicSubClass2
	- (int) getZeroOverridden {			- (int)getZeroOverridden {
	return 0;			return 0;
	}			}

	/* Test that we get the right type from call to alloc. */			/* Test that we get the right type from call to alloc. */
	+ (void) testAllocSelf {			+ (void)testAllocSelf {
	id a = [self alloc];			id a = [self alloc];
	clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}
	}			}


	+ (void) testAllocClass {			+ (void)testAllocClass {
	id a = [PublicSubClass2 alloc];			id a = [PublicSubClass2 alloc];
	clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}
	}			}

	+ (void) testAllocSuperOverriden {			+ (void)testAllocSuperOverriden {
	id a = [super alloc];			id a = [super alloc];
	// Evaluates to 1 in the parent.			// Evaluates to 1 in the parent.
	clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{FALSE}}			clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{FALSE}}
	}			}

	+ (void) testAllocSuper {			+ (void)testAllocSuper {
	id a = [super alloc];			id a = [super alloc];
	clang_analyzer_eval([a getZero] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([a getZero] == 0); // expected-warning{{TRUE}}
	}			}

	+ (void) testAllocInit {			+ (void)testAllocInit {
	id a = [[self alloc] init];			id a = [[self alloc] init];
	clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}
	}			}

	+ (void) testNewSelf {			+ (void)testNewSelf {
	id a = [self new];			id a = [self new];
	clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([a getZeroOverridden] == 0); // expected-warning{{TRUE}}
	}			}

	// Casting to parent should not pessimize the dynamic type.			// Casting to parent should not pessimize the dynamic type.
	+ (void) testCastToParent {			+ (void)testCastToParent {
	id a = [[self alloc] init];			id a = [[self alloc] init];
	PublicParent *p = a;			PublicParent *p = a;
	clang_analyzer_eval([p getZeroOverridden] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([p getZeroOverridden] == 0); // expected-warning{{TRUE}}
	}			}

	// The type of parameter gets used.			// The type of parameter gets used.
	+ (void)testTypeFromParam:(PublicParent*) p {			+ (void)testTypeFromParam:(PublicParent *)p {
	clang_analyzer_eval([p getZero] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([p getZero] == 0); // expected-warning{{TRUE}}
	}			}

	// Test implicit cast.			// Test implicit cast.
	// Note, in this case, p could also be a subclass of MyParent.			// Note, in this case, p could also be a subclass of MyParent.
	+ (void) testCastFromId:(id) a {			+ (void)testCastFromId:(id)a {
	PublicParent *p = a;			PublicParent *p = a;
	clang_analyzer_eval([p getZero] == 0); // expected-warning{{TRUE}}			clang_analyzer_eval([p getZero] == 0); // expected-warning{{TRUE}}
	}			}
	@end			@end

	// TODO: Would be nice to handle the case of dynamically obtained class info			// TODO: Would be nice to handle the case of dynamically obtained class info
	// as well. We need a MemRegion for class types for this.			// as well. We need a MemRegion for class types for this.
	int testDynamicClass(BOOL coin) {			int testDynamicClass(BOOL coin) {
	Class AllocClass = (coin ? [NSObject class] : [PublicSubClass2 class]);			Class AllocClass = (coin ? [NSObject class] : [PublicSubClass2 class]);
	id x = [[AllocClass alloc] init];			id x = [[AllocClass alloc] init];
	if (coin)			if (coin)
	return [x getZero];			return [x getZero];
	return 1;			return 1;
	}			}

	@interface UserClass : NSObject			@interface UserClass : NSObject
	- (PublicSubClass2 *) _newPublicSubClass2;			- (PublicSubClass2 *)_newPublicSubClass2;
	- (int) getZero;			- (int)getZero;
	- (void) callNew;			- (void)callNew;
	@end			@end

	@implementation UserClass			@implementation UserClass
	- (PublicSubClass2 *) _newPublicSubClass2 {			- (PublicSubClass2 *)_newPublicSubClass2 {
	return [[PublicSubClass2 alloc] init];			return [[PublicSubClass2 alloc] init];
	}			}
	- (int) getZero { return 5; }			- (int)getZero {
				return 5;
				}
	- (void) callNew {			- (void)callNew {
	PublicSubClass2 *x = [self _newPublicSubClass2];			PublicSubClass2 *x = [self _newPublicSubClass2];
	clang_analyzer_eval([x getZero] == 0); //expected-warning{{TRUE}}			clang_analyzer_eval([x getZero] == 0); //expected-warning{{TRUE}}
	}			}
	@end			@end
	No newline at end of file			No newline at end of file

clang/test/Analysis/retain-release-inline.m

	// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core,osx.coreFoundation.CFRetainRelease,osx.cocoa.ClassRelease,osx.cocoa.RetainCount -fblocks -verify %s			// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core,osx.coreFoundation.CFRetainRelease,osx.cocoa.ClassRelease,osx.cocoa.RetainCount -fblocks -verify %s

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	// The following code is reduced using delta-debugging from Mac OS X headers:			// The following code is reduced using delta-debugging from Mac OS X headers:
	//			//
	// #include <Cocoa/Cocoa.h>			// #include <Cocoa/Cocoa.h>
	// #include <CoreFoundation/CoreFoundation.h>			// #include <CoreFoundation/CoreFoundation.h>
	// #include <DiskArbitration/DiskArbitration.h>			// #include <DiskArbitration/DiskArbitration.h>
	// #include <QuartzCore/QuartzCore.h>			// #include <QuartzCore/QuartzCore.h>
	// #include <Quartz/Quartz.h>			// #include <Quartz/Quartz.h>
	// #include <IOKit/IOKitLib.h>			// #include <IOKit/IOKitLib.h>
	//			//
	// It includes the basic definitions for the test cases below.			// It includes the basic definitions for the test cases below.
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	#define NULL 0			#define NULL 0
				#define nil ((id)0)
	typedef unsigned int __darwin_natural_t;			typedef unsigned int __darwin_natural_t;
	typedef unsigned long uintptr_t;			typedef unsigned long uintptr_t;
	typedef unsigned int uint32_t;			typedef unsigned int uint32_t;
	typedef unsigned long long uint64_t;			typedef unsigned long long uint64_t;
	typedef unsigned int UInt32;			typedef unsigned int UInt32;
	typedef signed long CFIndex;			typedef signed long CFIndex;
	typedef CFIndex CFByteOrder;			typedef CFIndex CFByteOrder;
	typedef struct {			typedef struct {
	CFIndex location;			CFIndex location;
	CFIndex length;			CFIndex length;
	} CFRange;			} CFRange;
	static __inline__ __attribute__((always_inline)) CFRange CFRangeMake(CFIndex loc, CFIndex len) {			static __inline__ __attribute__((always_inline)) CFRange CFRangeMake(CFIndex loc, CFIndex len) {
	CFRange range;			CFRange range;
	range.location = loc;			range.location = loc;
	range.length = len;			range.length = len;
	return range;			return range;
	}			}
	typedef const void * CFTypeRef;			typedef const void * CFTypeRef;
	typedef const struct __CFString * CFStringRef;			typedef const struct __CFString * CFStringRef;
	typedef const struct __CFAllocator * CFAllocatorRef;			typedef const struct __CFAllocator * CFAllocatorRef;
	extern const CFAllocatorRef kCFAllocatorDefault;			extern const CFAllocatorRef kCFAllocatorDefault;
	extern CFTypeRef CFRetain(CFTypeRef cf);			extern CFTypeRef CFRetain(CFTypeRef cf);
	extern void CFRelease(CFTypeRef cf);			extern void CFRelease(CFTypeRef cf);
	typedef struct {			typedef struct {
	▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines
	@class NSString, Protocol;			@class NSString, Protocol;
	extern void NSLog(NSString *format, ...) __attribute__((format(__NSString__, 1, 2)));			extern void NSLog(NSString *format, ...) __attribute__((format(__NSString__, 1, 2)));
	typedef struct _NSZone NSZone;			typedef struct _NSZone NSZone;
	@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;			@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
	@protocol NSObject			@protocol NSObject
	- (BOOL)isEqual:(id)object;			- (BOOL)isEqual:(id)object;
	- (id)retain;			- (id)retain;
	- (oneway void)release;			- (oneway void)release;
				- (Class)class;
	- (id)autorelease;			- (id)autorelease;
	- (id)init;			- (id)init;
	@end @protocol NSCopying - (id)copyWithZone:(NSZone *)zone;			@end @protocol NSCopying - (id)copyWithZone:(NSZone *)zone;
	@end @protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone;			@end @protocol NSMutableCopying - (id)mutableCopyWithZone:(NSZone *)zone;
	@end @protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder;			@end @protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder;
	@end			@end
	@interface NSObject <NSObject> {}			@interface NSObject <NSObject> {}
	+ (id)allocWithZone:(NSZone *)zone;			+ (id)allocWithZone:(NSZone *)zone;
	+ (id)alloc;			+ (id)alloc;
				+ (Class)class;
	- (void)dealloc;			- (void)dealloc;
	@end			@end
	@interface NSObject (NSCoderMethods)			@interface NSObject (NSCoderMethods)
	- (id)awakeAfterUsingCoder:(NSCoder *)aDecoder;			- (id)awakeAfterUsingCoder:(NSCoder *)aDecoder;
	@end			@end
	extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);			extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone);
	typedef struct {			typedef struct {
	}			}
	▲ Show 20 Lines • Show All 365 Lines • ▼ Show 20 Lines
	}			}

	- (void)inline_test_reanalyze_as_top_level {			- (void)inline_test_reanalyze_as_top_level {
	id x = [self test_reanalyze_as_top_level];			id x = [self test_reanalyze_as_top_level];
	[x release];			[x release];
	[self test_inline_tiny_when_reanalyzing];			[self test_inline_tiny_when_reanalyzing];
	}			}
	@end			@end

				// Original problem: rdar://problem/50739539
				@interface MyClassThatLeaksDuringInit : NSObject

				+ (MyClassThatLeaksDuringInit *)getAnInstance1;
				+ (MyClassThatLeaksDuringInit *)getAnInstance2;

				@end

				@implementation MyClassThatLeaksDuringInit

				+ (MyClassThatLeaksDuringInit *)getAnInstance1 {
				return [[[MyClassThatLeaksDuringInit alloc] init] autorelease]; // expected-warning{{leak}}
				}

				+ (MyClassThatLeaksDuringInit *)getAnInstance2 {
				return [[[[self class] alloc] init] autorelease]; // expected-warning{{leak}}
				}

				- (instancetype)init {
				if (1) {
				return nil;
				}

				if (nil != (self = [super init])) {
				}
				return self;
				}

				@end

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Track runtime types represented by Obj-C Class objectsClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 260877

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp

clang/lib/StaticAnalyzer/Checkers/ObjCSuperDeallocChecker.cpp

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

clang/lib/StaticAnalyzer/Core/DynamicType.cpp

clang/lib/StaticAnalyzer/Core/ProgramState.cpp

clang/test/Analysis/cast-value-state-dump.cpp

clang/test/Analysis/class-object-state-dump.m

clang/test/Analysis/inlining/InlineObjCClassMethod.m

clang/test/Analysis/inlining/ObjCDynTypePopagation.m

clang/test/Analysis/retain-release-inline.m

[analyzer] Track runtime types represented by Obj-C Class objects
ClosedPublic