This is an archive of the discontinued LLVM Phabricator instance.

Differential D81072

[analyzer] ObjCAutoreleaseWriteChecker: Support explicit autoreleasepools.
ClosedPublic

Authored by NoQ on Jun 3 2020, 2:54 AM.

Details

Reviewers
dcoughlin
vsavchenko
Commits
rG7113271528a4: [analyzer] ObjCAutoreleaseWriteChecker: Support explicit autoreleasepools.
Summary

This ASTMatchers-based checker currently supports only a whitelist of block-enumeration methods which are known to internally clear an autorelease pool. Extend this checker to detect writes within the scope of explicit @autoreleasepool statements.

Patch by Paul Pelzl!
(who can't participate in the discussion for IRL reasons; i'll address comments)

Diff Detail

Event Timeline

NoQ created this revision.Jun 3 2020, 2:54 AM
Herald added subscribers: ASDenysPetrov, martong, Charusso and 8 others. · View Herald TranscriptJun 3 2020, 2:54 AM
vsavchenko added a comment.Jun 3 2020, 3:29 AM

Otherwise, LTGM

clang/lib/StaticAnalyzer/Checkers/ObjCAutoreleaseWriteChecker.cpp
134–165

This looks a bit messy to me, but not critical.

NoQ updated this revision to Diff 268133.Jun 3 2020, 4:17 AM

Break up the huge twine into an old-school stream.

Lowkey change bug category to a standard category. Technically this is indeed a retain count error so the category is appropriate and it shouldn't matter to the user that it is coming from a different checker. But i'm still a bit worried because RetainCountChecker is so iconic to its users that they may be surprised if a new syntactic checker suddenly shows up under this category. Maybe we should make a new category, something like "Memory error (ARC)".

NoQ marked an inline comment as done.Jun 3 2020, 4:17 AM
vsavchenko accepted this revision.Jun 3 2020, 5:05 AM

Awesome, thanks!

This revision is now accepted and ready to land.Jun 3 2020, 5:05 AM
Closed by commit rG7113271528a4: [analyzer] ObjCAutoreleaseWriteChecker: Support explicit autoreleasepools. (authored by Paul Pelzl <ppelzl@apple.com>, committed by dergachev.a). · Explain WhyJun 3 2020, 9:20 AM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJun 3 2020, 9:20 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
ddkilzer added a subscriber: ddkilzer.Oct 21 2020, 11:45 AM

Thanks for implementing this! For posterity, I wanted to note a couple cases that this checker doesn't catch.

  1. Under ARC, a more general case of assigning to an __autoreleasing variable. (Not sure why anyone would do this, but it's possible to write.)
@implementation MyClass
- (BOOL)myError:(NSError * __strong *)error
{
    NSError __autoreleasing *localError;

    @autoreleasepool {
        localError = [[NSError alloc] init];
    }

    if (error) {
        *error = localError;
        return YES;
    }
    return NO;
}
@end
  1. Under MRR, writing to an autoreleasing out parameter that outlives the autoreleasePool (similar to the issue that is now found under ARC):
@implementation MyClass
- (BOOL)myError:(NSError **)error
{
    @autoreleasepool {
        if (error) {
            *error = [[[NSError alloc] init] autorelease];
            return YES;
        }
    }
    return NO;
}
@end
Herald added a subscriber: steakhal. · View Herald TranscriptOct 21 2020, 11:45 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
61 lines
test/
Analysis/
65 lines

Diff 268230

clang/lib/StaticAnalyzer/Checkers/ObjCAutoreleaseWriteChecker.cpp

Show All 24 Lines
// on exit from the function. // on exit from the function.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "llvm/ADT/Twine.h" #include "llvm/ADT/Twine.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace ast_matchers; using namespace ast_matchers;
namespace { namespace {
const char *ProblematicWriteBind = "problematicwrite"; const char *ProblematicWriteBind = "problematicwrite";
const char *CapturedBind = "capturedbind"; const char *CapturedBind = "capturedbind";
const char *ParamBind = "parambind"; const char *ParamBind = "parambind";
const char *IsMethodBind = "ismethodbind"; const char *IsMethodBind = "ismethodbind";
const char *IsARPBind = "isautoreleasepoolbind";
class ObjCAutoreleaseWriteChecker : public Checker<check::ASTCodeBody> { class ObjCAutoreleaseWriteChecker : public Checker<check::ASTCodeBody> {
public: public:
void checkASTCodeBody(const Decl *D, void checkASTCodeBody(const Decl *D,
AnalysisManager &AM, AnalysisManager &AM,
BugReporter &BR) const; BugReporter &BR) const;
private: private:
std::vector<std::string> SelectorsWithAutoreleasingPool = { std::vector<std::string> SelectorsWithAutoreleasingPool = {
▲ Show 20 LinesShow All 68 Lines▼ Show 20 Lines if (!MarkedStmt) {
assert(MarkedStmt); assert(MarkedStmt);
ActionMsg = "Capture of"; ActionMsg = "Capture of";
IsCapture = true; IsCapture = true;
} }
SourceRange Range = MarkedStmt->getSourceRange(); SourceRange Range = MarkedStmt->getSourceRange();
PathDiagnosticLocation Location = PathDiagnosticLocation::createBegin( PathDiagnosticLocation Location = PathDiagnosticLocation::createBegin(
MarkedStmt, BR.getSourceManager(), ADC); MarkedStmt, BR.getSourceManager(), ADC);
bool IsMethod = Match.getNodeAs<ObjCMethodDecl>(IsMethodBind) != nullptr; bool IsMethod = Match.getNodeAs<ObjCMethodDecl>(IsMethodBind) != nullptr;
const char *Name = IsMethod ? "method" : "function"; const char *FunctionDescription = IsMethod ? "method" : "function";
bool IsARP = Match.getNodeAs<ObjCAutoreleasePoolStmt>(IsARPBind) != nullptr;
llvm::SmallString<128> BugNameBuf;
llvm::raw_svector_ostream BugName(BugNameBuf);
BugName << ActionMsg
<< " autoreleasing out parameter inside autorelease pool";
llvm::SmallString<128> BugMessageBuf;
llvm::raw_svector_ostream BugMessage(BugMessageBuf);
BugMessage << ActionMsg << " autoreleasing out parameter ";
if (IsCapture)
BugMessage << "'" + PVD->getName() + "' ";
BugMessage << "inside ";
if (IsARP)
BugMessage << "locally-scoped autorelease pool;";
else
BugMessage << "autorelease pool that may exit before "
<< FunctionDescription << " returns;";
BugMessage << " consider writing first to a strong local variable"
" declared outside ";
if (IsARP)
BugMessage << "of the autorelease pool";
else
BugMessage << "of the block";
BR.EmitBasicReport( BR.EmitBasicReport(ADC->getDecl(), Checker, BugName.str(),
ADC->getDecl(), Checker, categories::MemoryRefCount, BugMessage.str(), Location,
/*Name=*/(llvm::Twine(ActionMsg)
+ " autoreleasing out parameter inside autorelease pool").str(),
/*BugCategory=*/"Memory",
(llvm::Twine(ActionMsg) + " autoreleasing out parameter " +
(IsCapture ? "'" + PVD->getName() + "'" + " " : "") + "inside " +
"autorelease pool that may exit before " + Name + " returns; consider "
"writing first to a strong local variable declared outside of the block")
.str(),
Location,
Range); Range);
vsavchenkoUnsubmitted
Done
ReplyInline Actions

This looks a bit messy to me, but not critical.

vsavchenko: This looks a bit messy to me, but not critical.
} }
void ObjCAutoreleaseWriteChecker::checkASTCodeBody(const Decl *D, void ObjCAutoreleaseWriteChecker::checkASTCodeBody(const Decl *D,
AnalysisManager &AM, AnalysisManager &AM,
BugReporter &BR) const { BugReporter &BR) const {
auto DoublePointerParamM = auto DoublePointerParamM =
parmVarDecl(hasType(hasCanonicalType(pointerType( parmVarDecl(hasType(hasCanonicalType(pointerType(
Show All 29 Linesvoid ObjCAutoreleaseWriteChecker::checkASTCodeBody(const Decl *D,
auto BlockPassedToMarkedFuncM = stmt(anyOf( auto BlockPassedToMarkedFuncM = stmt(anyOf(
callExpr(allOf( callExpr(allOf(
callsNames(FunctionsWithAutoreleasingPool), WritesOrCapturesInBlockM)), callsNames(FunctionsWithAutoreleasingPool), WritesOrCapturesInBlockM)),
objcMessageExpr(allOf( objcMessageExpr(allOf(
hasAnySelector(toRefs(SelectorsWithAutoreleasingPool)), hasAnySelector(toRefs(SelectorsWithAutoreleasingPool)),
WritesOrCapturesInBlockM)) WritesOrCapturesInBlockM))
)); ));
auto HasParamAndWritesInMarkedFuncM = allOf( // WritesIntoM happens inside an explicit @autoreleasepool.
hasAnyParameter(DoublePointerParamM), auto WritesOrCapturesInPoolM =
forEachDescendant(BlockPassedToMarkedFuncM)); autoreleasePoolStmt(
forEachDescendant(stmt(anyOf(WritesIntoM, CapturedInParamM))))
.bind(IsARPBind);
auto HasParamAndWritesInMarkedFuncM =
allOf(hasAnyParameter(DoublePointerParamM),
anyOf(forEachDescendant(BlockPassedToMarkedFuncM),
forEachDescendant(WritesOrCapturesInPoolM)));
auto MatcherM = decl(anyOf( auto MatcherM = decl(anyOf(
objcMethodDecl(HasParamAndWritesInMarkedFuncM).bind(IsMethodBind), objcMethodDecl(HasParamAndWritesInMarkedFuncM).bind(IsMethodBind),
functionDecl(HasParamAndWritesInMarkedFuncM), functionDecl(HasParamAndWritesInMarkedFuncM),
blockDecl(HasParamAndWritesInMarkedFuncM))); blockDecl(HasParamAndWritesInMarkedFuncM)));
auto Matches = match(MatcherM, *D, AM.getASTContext()); auto Matches = match(MatcherM, *D, AM.getASTContext());
for (BoundNodes Match : Matches) for (BoundNodes Match : Matches)
Show All 10 Lines

clang/test/Analysis/autoreleasewritechecker_test.m

Show First 20 LinesShow All 77 Lines▼ Show 20 Lines
#ifdef ARC #ifdef ARC
@interface I : NSObject @interface I : NSObject
- (BOOL) writeToStrongErrorInBlock:(NSError *__strong *)error; - (BOOL) writeToStrongErrorInBlock:(NSError *__strong *)error;
- (BOOL) writeToErrorInBlock:(NSError *__autoreleasing *)error; - (BOOL) writeToErrorInBlock:(NSError *__autoreleasing *)error;
- (BOOL) writeToLocalErrorInBlock:(NSError **)error; - (BOOL) writeToLocalErrorInBlock:(NSError **)error;
- (BOOL) writeToErrorInBlockMultipleTimes:(NSError *__autoreleasing *)error; - (BOOL) writeToErrorInBlockMultipleTimes:(NSError *__autoreleasing *)error;
- (BOOL) writeToError:(NSError *__autoreleasing *)error; - (BOOL) writeToError:(NSError *__autoreleasing *)error;
- (BOOL) writeToErrorWithDispatchGroup:(NSError *__autoreleasing *)error; - (BOOL) writeToErrorWithDispatchGroup:(NSError *__autoreleasing *)error;
- (BOOL)writeToErrorInAutoreleasePool:(NSError *__autoreleasing *)error;
- (BOOL)writeToStrongErrorInAutoreleasePool:(NSError *__strong *)error;
- (BOOL)writeToLocalErrorInAutoreleasePool:(NSError *__autoreleasing *)error;
- (BOOL)writeToErrorInAutoreleasePoolMultipleTimes:(NSError *__autoreleasing *)error;
@end @end
@implementation I @implementation I
- (BOOL) writeToErrorInBlock:(NSError *__autoreleasing *)error { - (BOOL) writeToErrorInBlock:(NSError *__autoreleasing *)error {
dispatch_semaphore_t sem = dispatch_semaphore_create(0l); dispatch_semaphore_t sem = dispatch_semaphore_create(0l);
dispatch_async(queue, ^{ dispatch_async(queue, ^{
if (error) { if (error) {
▲ Show 20 LinesShow All 63 Lines▼ Show 20 Lines dispatch_async(queue, ^{
dispatch_semaphore_signal(sem); dispatch_semaphore_signal(sem);
}); });
*error = [NSError errorWithDomain:1]; // no-warning *error = [NSError errorWithDomain:1]; // no-warning
dispatch_semaphore_wait(sem, 100); dispatch_semaphore_wait(sem, 100);
return 0; return 0;
} }
- (BOOL)writeToErrorInAutoreleasePool:(NSError *__autoreleasing *)error {
@autoreleasepool {
if (error) {
*error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside locally-scoped autorelease pool; consider writing first to a strong local variable declared outside of the autorelease pool}}
}
}
return 0;
}
- (BOOL)writeToStrongErrorInAutoreleasePool:(NSError *__strong *)error {
@autoreleasepool {
if (error) {
*error = [NSError errorWithDomain:1]; // no-warning
}
}
return 0;
}
- (BOOL)writeToLocalErrorInAutoreleasePool:(NSError *__autoreleasing *)error {
NSError *localError;
@autoreleasepool {
localError = [NSError errorWithDomain:1]; // no-warning
}
if (error) {
*error = localError; // no-warning
}
return 0;
}
- (BOOL)writeToErrorInAutoreleasePoolMultipleTimes:(NSError *__autoreleasing *)error {
@autoreleasepool {
if (error) {
*error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside locally-scoped autorelease pool; consider writing first to a strong local variable declared outside of the autorelease pool}}
}
}
if (error) {
*error = [NSError errorWithDomain:1]; // no-warning
}
@autoreleasepool {
if (error) {
*error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside locally-scoped autorelease pool; consider writing first to a strong local variable declared outside of the autorelease pool}}
*error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside locally-scoped autorelease pool; consider writing first to a strong local variable declared outside of the autorelease pool}}
}
}
return 0;
}
- (BOOL) writeToError:(NSError *__autoreleasing *)error { - (BOOL) writeToError:(NSError *__autoreleasing *)error {
*error = [NSError errorWithDomain:1]; // no-warning *error = [NSError errorWithDomain:1]; // no-warning
return 0; return 0;
} }
@end @end
BOOL writeToErrorInBlockFromCFunc(NSError *__autoreleasing* error) { BOOL writeToErrorInBlockFromCFunc(NSError *__autoreleasing* error) {
dispatch_semaphore_t sem = dispatch_semaphore_create(0l); dispatch_semaphore_t sem = dispatch_semaphore_create(0l);
dispatch_async(queue, ^{ dispatch_async(queue, ^{
if (error) { if (error) {
*error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside autorelease pool that may exit before function returns; consider writing first to a strong local variable declared outside of the block}} *error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside autorelease pool that may exit before function returns; consider writing first to a strong local variable declared outside of the block}}
} }
dispatch_semaphore_signal(sem); dispatch_semaphore_signal(sem);
}); });
dispatch_semaphore_wait(sem, 100); dispatch_semaphore_wait(sem, 100);
return 0; return 0;
} }
BOOL writeIntoErrorInAutoreleasePoolFromCFunc(NSError *__autoreleasing *error) {
@autoreleasepool {
if (error) {
*error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside locally-scoped autorelease pool; consider writing first to a strong local variable declared outside of the autorelease pool}}
}
}
return 0;
}
BOOL writeToErrorNoWarning(NSError *__autoreleasing* error) { BOOL writeToErrorNoWarning(NSError *__autoreleasing* error) {
*error = [NSError errorWithDomain:1]; // no-warning *error = [NSError errorWithDomain:1]; // no-warning
return 0; return 0;
} }
BOOL writeToErrorWithIterator(NSError *__autoreleasing* error, NSArray *a, NSSet *s, NSDictionary *d, NSIndexSet *i) { [a enumerateObjectsUsingBlock:^{ BOOL writeToErrorWithIterator(NSError *__autoreleasing* error, NSArray *a, NSSet *s, NSDictionary *d, NSIndexSet *i) { [a enumerateObjectsUsingBlock:^{
*error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside autorelease pool that may exit before function returns; consider writing first to a strong local variable declared outside of the block}} *error = [NSError errorWithDomain:1]; // expected-warning{{Write to autoreleasing out parameter inside autorelease pool that may exit before function returns; consider writing first to a strong local variable declared outside of the block}}
}]; }];
▲ Show 20 LinesShow All 90 LinesShow Last 20 Lines