1 //== BasicObjCFoundationChecks.cpp - Simple Apple-Foundation checks -*- C++ -*--
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file defines BasicObjCFoundationChecks, a class that encapsulates
11 // a set of simple checks to run on Objective-C code using Apple's Foundation
14 //===----------------------------------------------------------------------===//
16 #include "ClangSACheckers.h"
17 #include "clang/Analysis/DomainSpecific/CocoaConventions.h"
18 #include "clang/StaticAnalyzer/Core/Checker.h"
19 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
25 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
26 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
27 #include "clang/AST/DeclObjC.h"
28 #include "clang/AST/Expr.h"
29 #include "clang/AST/ExprObjC.h"
30 #include "clang/AST/StmtObjC.h"
31 #include "clang/AST/ASTContext.h"
32 #include "llvm/ADT/SmallString.h"
33 #include "llvm/ADT/StringMap.h"
35 using namespace clang;
39 class APIMisuse : public BugType {
41 APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {}
43 } // end anonymous namespace
45 //===----------------------------------------------------------------------===//
47 //===----------------------------------------------------------------------===//
49 static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) {
50 if (const ObjCInterfaceDecl *ID = msg.getReceiverInterface())
51 return ID->getIdentifier()->getName();
55 enum FoundationClass {
65 static FoundationClass findKnownClass(const ObjCInterfaceDecl *ID) {
66 static llvm::StringMap<FoundationClass> Classes;
67 if (Classes.empty()) {
68 Classes["NSArray"] = FC_NSArray;
69 Classes["NSDictionary"] = FC_NSDictionary;
70 Classes["NSEnumerator"] = FC_NSEnumerator;
71 Classes["NSOrderedSet"] = FC_NSOrderedSet;
72 Classes["NSSet"] = FC_NSSet;
73 Classes["NSString"] = FC_NSString;
76 // FIXME: Should we cache this at all?
77 FoundationClass result = Classes.lookup(ID->getIdentifier()->getName());
78 if (result == FC_None)
79 if (const ObjCInterfaceDecl *Super = ID->getSuperClass())
80 return findKnownClass(Super);
85 static inline bool isNil(SVal X) {
86 return isa<loc::ConcreteInt>(X);
89 //===----------------------------------------------------------------------===//
90 // NilArgChecker - Check for prohibited nil arguments to ObjC method calls.
91 //===----------------------------------------------------------------------===//
94 class NilArgChecker : public Checker<check::PreObjCMessage> {
95 mutable OwningPtr<APIMisuse> BT;
97 void WarnNilArg(CheckerContext &C,
98 const ObjCMethodCall &msg, unsigned Arg) const;
101 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
105 void NilArgChecker::WarnNilArg(CheckerContext &C,
106 const ObjCMethodCall &msg,
107 unsigned int Arg) const
110 BT.reset(new APIMisuse("nil argument"));
112 if (ExplodedNode *N = C.generateSink()) {
113 SmallString<128> sbuf;
114 llvm::raw_svector_ostream os(sbuf);
115 os << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '"
116 << msg.getSelector().getAsString() << "' cannot be nil";
118 BugReport *R = new BugReport(*BT, os.str(), N);
119 R->addRange(msg.getArgSourceRange(Arg));
124 void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
125 CheckerContext &C) const {
126 const ObjCInterfaceDecl *ID = msg.getReceiverInterface();
130 if (findKnownClass(ID) == FC_NSString) {
131 Selector S = msg.getSelector();
133 if (S.isUnarySelector())
136 // FIXME: This is going to be really slow doing these checks with
137 // lexical comparisons.
139 std::string NameStr = S.getAsString();
140 StringRef Name(NameStr);
141 assert(!Name.empty());
143 // FIXME: Checking for initWithFormat: will not work in most cases
144 // yet because [NSString alloc] returns id, not NSString*. We will
145 // need support for tracking expected-type information in the analyzer
146 // to find these errors.
147 if (Name == "caseInsensitiveCompare:" ||
148 Name == "compare:" ||
149 Name == "compare:options:" ||
150 Name == "compare:options:range:" ||
151 Name == "compare:options:range:locale:" ||
152 Name == "componentsSeparatedByCharactersInSet:" ||
153 Name == "initWithFormat:") {
154 if (isNil(msg.getArgSVal(0)))
155 WarnNilArg(C, msg, 0);
160 //===----------------------------------------------------------------------===//
162 //===----------------------------------------------------------------------===//
165 class CFNumberCreateChecker : public Checker< check::PreStmt<CallExpr> > {
166 mutable OwningPtr<APIMisuse> BT;
167 mutable IdentifierInfo* II;
169 CFNumberCreateChecker() : II(0) {}
171 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
174 void EmitError(const TypedRegion* R, const Expr *Ex,
175 uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
177 } // end anonymous namespace
180 kCFNumberSInt8Type = 1,
181 kCFNumberSInt16Type = 2,
182 kCFNumberSInt32Type = 3,
183 kCFNumberSInt64Type = 4,
184 kCFNumberFloat32Type = 5,
185 kCFNumberFloat64Type = 6,
186 kCFNumberCharType = 7,
187 kCFNumberShortType = 8,
188 kCFNumberIntType = 9,
189 kCFNumberLongType = 10,
190 kCFNumberLongLongType = 11,
191 kCFNumberFloatType = 12,
192 kCFNumberDoubleType = 13,
193 kCFNumberCFIndexType = 14,
194 kCFNumberNSIntegerType = 15,
195 kCFNumberCGFloatType = 16
204 Optional() : IsKnown(false), Val(0) {}
205 Optional(const T& val) : IsKnown(true), Val(val) {}
207 bool isKnown() const { return IsKnown; }
209 const T& getValue() const {
214 operator const T&() const {
220 static Optional<uint64_t> GetCFNumberSize(ASTContext &Ctx, uint64_t i) {
221 static const unsigned char FixedSize[] = { 8, 16, 32, 64, 32, 64 };
223 if (i < kCFNumberCharType)
224 return FixedSize[i-1];
229 case kCFNumberCharType: T = Ctx.CharTy; break;
230 case kCFNumberShortType: T = Ctx.ShortTy; break;
231 case kCFNumberIntType: T = Ctx.IntTy; break;
232 case kCFNumberLongType: T = Ctx.LongTy; break;
233 case kCFNumberLongLongType: T = Ctx.LongLongTy; break;
234 case kCFNumberFloatType: T = Ctx.FloatTy; break;
235 case kCFNumberDoubleType: T = Ctx.DoubleTy; break;
236 case kCFNumberCFIndexType:
237 case kCFNumberNSIntegerType:
238 case kCFNumberCGFloatType:
239 // FIXME: We need a way to map from names to Type*.
241 return Optional<uint64_t>();
244 return Ctx.getTypeSize(T);
248 static const char* GetCFNumberTypeStr(uint64_t i) {
249 static const char* Names[] = {
250 "kCFNumberSInt8Type",
251 "kCFNumberSInt16Type",
252 "kCFNumberSInt32Type",
253 "kCFNumberSInt64Type",
254 "kCFNumberFloat32Type",
255 "kCFNumberFloat64Type",
257 "kCFNumberShortType",
260 "kCFNumberLongLongType",
261 "kCFNumberFloatType",
262 "kCFNumberDoubleType",
263 "kCFNumberCFIndexType",
264 "kCFNumberNSIntegerType",
265 "kCFNumberCGFloatType"
268 return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
272 void CFNumberCreateChecker::checkPreStmt(const CallExpr *CE,
273 CheckerContext &C) const {
274 ProgramStateRef state = C.getState();
275 const FunctionDecl *FD = C.getCalleeDecl(CE);
279 ASTContext &Ctx = C.getASTContext();
281 II = &Ctx.Idents.get("CFNumberCreate");
283 if (FD->getIdentifier() != II || CE->getNumArgs() != 3)
286 // Get the value of the "theType" argument.
287 const LocationContext *LCtx = C.getLocationContext();
288 SVal TheTypeVal = state->getSVal(CE->getArg(1), LCtx);
290 // FIXME: We really should allow ranges of valid theType values, and
291 // bifurcate the state appropriately.
292 nonloc::ConcreteInt* V = dyn_cast<nonloc::ConcreteInt>(&TheTypeVal);
296 uint64_t NumberKind = V->getValue().getLimitedValue();
297 Optional<uint64_t> TargetSize = GetCFNumberSize(Ctx, NumberKind);
299 // FIXME: In some cases we can emit an error.
300 if (!TargetSize.isKnown())
303 // Look at the value of the integer being passed by reference. Essentially
304 // we want to catch cases where the value passed in is not equal to the
305 // size of the type being created.
306 SVal TheValueExpr = state->getSVal(CE->getArg(2), LCtx);
308 // FIXME: Eventually we should handle arbitrary locations. We can do this
309 // by having an enhanced memory model that does low-level typing.
310 loc::MemRegionVal* LV = dyn_cast<loc::MemRegionVal>(&TheValueExpr);
314 const TypedValueRegion* R = dyn_cast<TypedValueRegion>(LV->stripCasts());
318 QualType T = Ctx.getCanonicalType(R->getValueType());
320 // FIXME: If the pointee isn't an integer type, should we flag a warning?
321 // People can do weird stuff with pointers.
323 if (!T->isIntegerType())
326 uint64_t SourceSize = Ctx.getTypeSize(T);
328 // CHECK: is SourceSize == TargetSize
329 if (SourceSize == TargetSize)
332 // Generate an error. Only generate a sink if 'SourceSize < TargetSize';
333 // otherwise generate a regular node.
335 // FIXME: We can actually create an abstract "CFNumber" object that has
336 // the bits initialized to the provided values.
338 if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
339 : C.addTransition()) {
340 SmallString<128> sbuf;
341 llvm::raw_svector_ostream os(sbuf);
343 os << (SourceSize == 8 ? "An " : "A ")
344 << SourceSize << " bit integer is used to initialize a CFNumber "
345 "object that represents "
346 << (TargetSize == 8 ? "an " : "a ")
347 << TargetSize << " bit integer. ";
349 if (SourceSize < TargetSize)
350 os << (TargetSize - SourceSize)
351 << " bits of the CFNumber value will be garbage." ;
353 os << (SourceSize - TargetSize)
354 << " bits of the input integer will be lost.";
357 BT.reset(new APIMisuse("Bad use of CFNumberCreate"));
359 BugReport *report = new BugReport(*BT, os.str(), N);
360 report->addRange(CE->getArg(2)->getSourceRange());
361 C.emitReport(report);
365 //===----------------------------------------------------------------------===//
366 // CFRetain/CFRelease/CFMakeCollectable checking for null arguments.
367 //===----------------------------------------------------------------------===//
370 class CFRetainReleaseChecker : public Checker< check::PreStmt<CallExpr> > {
371 mutable OwningPtr<APIMisuse> BT;
372 mutable IdentifierInfo *Retain, *Release, *MakeCollectable;
374 CFRetainReleaseChecker(): Retain(0), Release(0), MakeCollectable(0) {}
375 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
377 } // end anonymous namespace
380 void CFRetainReleaseChecker::checkPreStmt(const CallExpr *CE,
381 CheckerContext &C) const {
382 // If the CallExpr doesn't have exactly 1 argument just give up checking.
383 if (CE->getNumArgs() != 1)
386 ProgramStateRef state = C.getState();
387 const FunctionDecl *FD = C.getCalleeDecl(CE);
392 ASTContext &Ctx = C.getASTContext();
393 Retain = &Ctx.Idents.get("CFRetain");
394 Release = &Ctx.Idents.get("CFRelease");
395 MakeCollectable = &Ctx.Idents.get("CFMakeCollectable");
397 new APIMisuse("null passed to CFRetain/CFRelease/CFMakeCollectable"));
400 // Check if we called CFRetain/CFRelease/CFMakeCollectable.
401 const IdentifierInfo *FuncII = FD->getIdentifier();
402 if (!(FuncII == Retain || FuncII == Release || FuncII == MakeCollectable))
405 // FIXME: The rest of this just checks that the argument is non-null.
406 // It should probably be refactored and combined with AttrNonNullChecker.
408 // Get the argument's value.
409 const Expr *Arg = CE->getArg(0);
410 SVal ArgVal = state->getSVal(Arg, C.getLocationContext());
411 DefinedSVal *DefArgVal = dyn_cast<DefinedSVal>(&ArgVal);
416 SValBuilder &svalBuilder = C.getSValBuilder();
417 DefinedSVal zero = cast<DefinedSVal>(svalBuilder.makeZeroVal(Arg->getType()));
419 // Make an expression asserting that they're equal.
420 DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
423 ProgramStateRef stateTrue, stateFalse;
424 llvm::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
426 if (stateTrue && !stateFalse) {
427 ExplodedNode *N = C.generateSink(stateTrue);
431 const char *description;
432 if (FuncII == Retain)
433 description = "Null pointer argument in call to CFRetain";
434 else if (FuncII == Release)
435 description = "Null pointer argument in call to CFRelease";
436 else if (FuncII == MakeCollectable)
437 description = "Null pointer argument in call to CFMakeCollectable";
439 llvm_unreachable("impossible case");
441 BugReport *report = new BugReport(*BT, description, N);
442 report->addRange(Arg->getSourceRange());
443 bugreporter::trackNullOrUndefValue(N, Arg, *report);
444 C.emitReport(report);
448 // From here on, we know the argument is non-null.
449 C.addTransition(stateFalse);
452 //===----------------------------------------------------------------------===//
453 // Check for sending 'retain', 'release', or 'autorelease' directly to a Class.
454 //===----------------------------------------------------------------------===//
457 class ClassReleaseChecker : public Checker<check::PreObjCMessage> {
458 mutable Selector releaseS;
459 mutable Selector retainS;
460 mutable Selector autoreleaseS;
461 mutable Selector drainS;
462 mutable OwningPtr<BugType> BT;
465 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
469 void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
470 CheckerContext &C) const {
473 BT.reset(new APIMisuse("message incorrectly sent to class instead of class "
476 ASTContext &Ctx = C.getASTContext();
477 releaseS = GetNullarySelector("release", Ctx);
478 retainS = GetNullarySelector("retain", Ctx);
479 autoreleaseS = GetNullarySelector("autorelease", Ctx);
480 drainS = GetNullarySelector("drain", Ctx);
483 if (msg.isInstanceMessage())
485 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
488 Selector S = msg.getSelector();
489 if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
492 if (ExplodedNode *N = C.addTransition()) {
493 SmallString<200> buf;
494 llvm::raw_svector_ostream os(buf);
496 os << "The '" << S.getAsString() << "' message should be sent to instances "
497 "of class '" << Class->getName()
498 << "' and not the class directly";
500 BugReport *report = new BugReport(*BT, os.str(), N);
501 report->addRange(msg.getSourceRange());
502 C.emitReport(report);
506 //===----------------------------------------------------------------------===//
507 // Check for passing non-Objective-C types to variadic methods that expect
508 // only Objective-C types.
509 //===----------------------------------------------------------------------===//
512 class VariadicMethodTypeChecker : public Checker<check::PreObjCMessage> {
513 mutable Selector arrayWithObjectsS;
514 mutable Selector dictionaryWithObjectsAndKeysS;
515 mutable Selector setWithObjectsS;
516 mutable Selector orderedSetWithObjectsS;
517 mutable Selector initWithObjectsS;
518 mutable Selector initWithObjectsAndKeysS;
519 mutable OwningPtr<BugType> BT;
521 bool isVariadicMessage(const ObjCMethodCall &msg) const;
524 void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
528 /// isVariadicMessage - Returns whether the given message is a variadic message,
529 /// where all arguments must be Objective-C types.
531 VariadicMethodTypeChecker::isVariadicMessage(const ObjCMethodCall &msg) const {
532 const ObjCMethodDecl *MD = msg.getDecl();
534 if (!MD || !MD->isVariadic() || isa<ObjCProtocolDecl>(MD->getDeclContext()))
537 Selector S = msg.getSelector();
539 if (msg.isInstanceMessage()) {
540 // FIXME: Ideally we'd look at the receiver interface here, but that's not
541 // useful for init, because alloc returns 'id'. In theory, this could lead
542 // to false positives, for example if there existed a class that had an
543 // initWithObjects: implementation that does accept non-Objective-C pointer
544 // types, but the chance of that happening is pretty small compared to the
545 // gains that this analysis gives.
546 const ObjCInterfaceDecl *Class = MD->getClassInterface();
548 switch (findKnownClass(Class)) {
550 case FC_NSOrderedSet:
552 return S == initWithObjectsS;
553 case FC_NSDictionary:
554 return S == initWithObjectsAndKeysS;
559 const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
561 switch (findKnownClass(Class)) {
563 return S == arrayWithObjectsS;
564 case FC_NSOrderedSet:
565 return S == orderedSetWithObjectsS;
567 return S == setWithObjectsS;
568 case FC_NSDictionary:
569 return S == dictionaryWithObjectsAndKeysS;
576 void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
577 CheckerContext &C) const {
579 BT.reset(new APIMisuse("Arguments passed to variadic method aren't all "
580 "Objective-C pointer types"));
582 ASTContext &Ctx = C.getASTContext();
583 arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx);
584 dictionaryWithObjectsAndKeysS =
585 GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx);
586 setWithObjectsS = GetUnarySelector("setWithObjects", Ctx);
587 orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx);
589 initWithObjectsS = GetUnarySelector("initWithObjects", Ctx);
590 initWithObjectsAndKeysS = GetUnarySelector("initWithObjectsAndKeys", Ctx);
593 if (!isVariadicMessage(msg))
596 // We are not interested in the selector arguments since they have
597 // well-defined types, so the compiler will issue a warning for them.
598 unsigned variadicArgsBegin = msg.getSelector().getNumArgs();
600 // We're not interested in the last argument since it has to be nil or the
601 // compiler would have issued a warning for it elsewhere.
602 unsigned variadicArgsEnd = msg.getNumArgs() - 1;
604 if (variadicArgsEnd <= variadicArgsBegin)
607 // Verify that all arguments have Objective-C types.
608 llvm::Optional<ExplodedNode*> errorNode;
609 ProgramStateRef state = C.getState();
611 for (unsigned I = variadicArgsBegin; I != variadicArgsEnd; ++I) {
612 QualType ArgTy = msg.getArgExpr(I)->getType();
613 if (ArgTy->isObjCObjectPointerType())
616 // Block pointers are treaded as Objective-C pointers.
617 if (ArgTy->isBlockPointerType())
620 // Ignore pointer constants.
621 if (isa<loc::ConcreteInt>(msg.getArgSVal(I)))
624 // Ignore pointer types annotated with 'NSObject' attribute.
625 if (C.getASTContext().isObjCNSObjectType(ArgTy))
628 // Ignore CF references, which can be toll-free bridged.
629 if (coreFoundation::isCFObjectRef(ArgTy))
632 // Generate only one error node to use for all bug reports.
633 if (!errorNode.hasValue())
634 errorNode = C.addTransition();
636 if (!errorNode.getValue())
639 SmallString<128> sbuf;
640 llvm::raw_svector_ostream os(sbuf);
642 StringRef TypeName = GetReceiverInterfaceName(msg);
643 if (!TypeName.empty())
644 os << "Argument to '" << TypeName << "' method '";
646 os << "Argument to method '";
648 os << msg.getSelector().getAsString()
649 << "' should be an Objective-C pointer type, not '";
650 ArgTy.print(os, C.getLangOpts());
653 BugReport *R = new BugReport(*BT, os.str(), errorNode.getValue());
654 R->addRange(msg.getArgSourceRange(I));
659 //===----------------------------------------------------------------------===//
660 // Improves the modeling of loops over Cocoa collections.
661 //===----------------------------------------------------------------------===//
664 class ObjCLoopChecker
665 : public Checker<check::PostStmt<ObjCForCollectionStmt> > {
668 void checkPostStmt(const ObjCForCollectionStmt *FCS, CheckerContext &C) const;
672 static bool isKnownNonNilCollectionType(QualType T) {
673 const ObjCObjectPointerType *PT = T->getAs<ObjCObjectPointerType>();
677 const ObjCInterfaceDecl *ID = PT->getInterfaceDecl();
681 switch (findKnownClass(ID)) {
683 case FC_NSDictionary:
684 case FC_NSEnumerator:
685 case FC_NSOrderedSet:
693 void ObjCLoopChecker::checkPostStmt(const ObjCForCollectionStmt *FCS,
694 CheckerContext &C) const {
695 ProgramStateRef State = C.getState();
697 // Check if this is the branch for the end of the loop.
698 SVal CollectionSentinel = State->getSVal(FCS, C.getLocationContext());
699 if (CollectionSentinel.isZeroConstant())
702 // See if the collection is one where we /know/ the elements are non-nil.
703 const Expr *Collection = FCS->getCollection();
704 if (!isKnownNonNilCollectionType(Collection->getType()))
707 // FIXME: Copied from ExprEngineObjC.
708 const Stmt *Element = FCS->getElement();
710 if (const DeclStmt *DS = dyn_cast<DeclStmt>(Element)) {
711 const VarDecl *ElemDecl = cast<VarDecl>(DS->getSingleDecl());
712 assert(ElemDecl->getInit() == 0);
713 ElementVar = State->getLValue(ElemDecl, C.getLocationContext());
715 ElementVar = State->getSVal(Element, C.getLocationContext());
718 if (!isa<Loc>(ElementVar))
721 // Go ahead and assume the value is non-nil.
722 SVal Val = State->getSVal(cast<Loc>(ElementVar));
723 State = State->assume(cast<DefinedOrUnknownSVal>(Val), true);
724 C.addTransition(State);
728 /// \class ObjCNonNilReturnValueChecker
729 /// \brief The checker restricts the return values of APIs known to
730 /// never (or almost never) return 'nil'.
731 class ObjCNonNilReturnValueChecker
732 : public Checker<check::PostObjCMessage> {
733 mutable bool Initialized;
734 mutable Selector ObjectAtIndex;
735 mutable Selector ObjectAtIndexedSubscript;
738 ObjCNonNilReturnValueChecker() : Initialized(false) {}
739 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
743 static ProgramStateRef assumeExprIsNonNull(const Expr *NonNullExpr,
744 ProgramStateRef State,
746 SVal Val = State->getSVal(NonNullExpr, C.getLocationContext());
747 if (DefinedOrUnknownSVal *DV = dyn_cast<DefinedOrUnknownSVal>(&Val))
748 return State->assume(*DV, true);
752 void ObjCNonNilReturnValueChecker::checkPostObjCMessage(const ObjCMethodCall &M,
755 ProgramStateRef State = C.getState();
758 ASTContext &Ctx = C.getASTContext();
759 ObjectAtIndex = GetUnarySelector("objectAtIndex", Ctx);
760 ObjectAtIndexedSubscript = GetUnarySelector("objectAtIndexedSubscript", Ctx);
763 // Check the receiver type.
764 if (const ObjCInterfaceDecl *Interface = M.getReceiverInterface()) {
766 // Assume that object returned from '[self init]' or '[super init]' is not
767 // 'nil' if we are processing an inlined function/method.
769 // A defensive callee will (and should) check if the object returned by
770 // '[super init]' is 'nil' before doing it's own initialization. However,
771 // since 'nil' is rarely returned in practice, we should not warn when the
772 // caller to the defensive constructor uses the object in contexts where
773 // 'nil' is not accepted.
774 if (!C.inTopFrame() && M.getDecl() &&
775 M.getDecl()->getMethodFamily() == OMF_init &&
776 M.isReceiverSelfOrSuper()) {
777 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
780 // Objects returned from
781 // [NSArray|NSOrderedSet]::[ObjectAtIndex|ObjectAtIndexedSubscript]
783 FoundationClass Cl = findKnownClass(Interface);
784 if (Cl == FC_NSArray || Cl == FC_NSOrderedSet) {
785 Selector Sel = M.getSelector();
786 if (Sel == ObjectAtIndex || Sel == ObjectAtIndexedSubscript) {
787 // Go ahead and assume the value is non-nil.
788 State = assumeExprIsNonNull(M.getOriginExpr(), State, C);
792 C.addTransition(State);
795 //===----------------------------------------------------------------------===//
796 // Check registration.
797 //===----------------------------------------------------------------------===//
799 void ento::registerNilArgChecker(CheckerManager &mgr) {
800 mgr.registerChecker<NilArgChecker>();
803 void ento::registerCFNumberCreateChecker(CheckerManager &mgr) {
804 mgr.registerChecker<CFNumberCreateChecker>();
807 void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
808 mgr.registerChecker<CFRetainReleaseChecker>();
811 void ento::registerClassReleaseChecker(CheckerManager &mgr) {
812 mgr.registerChecker<ClassReleaseChecker>();
815 void ento::registerVariadicMethodTypeChecker(CheckerManager &mgr) {
816 mgr.registerChecker<VariadicMethodTypeChecker>();
819 void ento::registerObjCLoopChecker(CheckerManager &mgr) {
820 mgr.registerChecker<ObjCLoopChecker>();
823 void ento::registerObjCNonNilReturnValueChecker(CheckerManager &mgr) {
824 mgr.registerChecker<ObjCNonNilReturnValueChecker>();
projects / FreeBSD / FreeBSD.git / blob