xref: /freebsd/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/IvarInvalidationChecker.cpp (revision b5a3a89c50671a1ad29e7c43fe15e7b16feac239)
1 //===- IvarInvalidationChecker.cpp ------------------------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 //  This checker implements annotation driven invalidation checking. If a class
10 //  contains a method annotated with 'objc_instance_variable_invalidator',
11 //  - (void) foo
12 //           __attribute__((annotate("objc_instance_variable_invalidator")));
13 //  all the "ivalidatable" instance variables of this class should be
14 //  invalidated. We call an instance variable ivalidatable if it is an object of
15 //  a class which contains an invalidation method. There could be multiple
16 //  methods annotated with such annotations per class, either one can be used
17 //  to invalidate the ivar. An ivar or property are considered to be
18 //  invalidated if they are being assigned 'nil' or an invalidation method has
19 //  been called on them. An invalidation method should either invalidate all
20 //  the ivars or call another invalidation method (on self).
21 //
22 //  Partial invalidor annotation allows to address cases when ivars are
23 //  invalidated by other methods, which might or might not be called from
24 //  the invalidation method. The checker checks that each invalidation
25 //  method and all the partial methods cumulatively invalidate all ivars.
26 //    __attribute__((annotate("objc_instance_variable_invalidator_partial")));
27 //
28 //===----------------------------------------------------------------------===//
29 
30 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
31 #include "clang/AST/Attr.h"
32 #include "clang/AST/DeclObjC.h"
33 #include "clang/AST/StmtVisitor.h"
34 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
35 #include "clang/StaticAnalyzer/Core/Checker.h"
36 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
37 #include "llvm/ADT/DenseMap.h"
38 #include "llvm/ADT/SetVector.h"
39 #include "llvm/ADT/SmallString.h"
40 
41 using namespace clang;
42 using namespace ento;
43 
44 namespace {
45 struct ChecksFilter {
46   /// Check for missing invalidation method declarations.
47   bool check_MissingInvalidationMethod = false;
48   /// Check that all ivars are invalidated.
49   bool check_InstanceVariableInvalidation = false;
50 
51   CheckerNameRef checkName_MissingInvalidationMethod;
52   CheckerNameRef checkName_InstanceVariableInvalidation;
53 };
54 
55 class IvarInvalidationCheckerImpl {
56   typedef llvm::SmallSetVector<const ObjCMethodDecl*, 2> MethodSet;
57   typedef llvm::DenseMap<const ObjCMethodDecl*,
58                          const ObjCIvarDecl*> MethToIvarMapTy;
59   typedef llvm::DenseMap<const ObjCPropertyDecl*,
60                          const ObjCIvarDecl*> PropToIvarMapTy;
61   typedef llvm::DenseMap<const ObjCIvarDecl*,
62                          const ObjCPropertyDecl*> IvarToPropMapTy;
63 
64   struct InvalidationInfo {
65     /// Has the ivar been invalidated?
66     bool IsInvalidated;
67 
68     /// The methods which can be used to invalidate the ivar.
69     MethodSet InvalidationMethods;
70 
71     InvalidationInfo() : IsInvalidated(false) {}
72     void addInvalidationMethod(const ObjCMethodDecl *MD) {
73       InvalidationMethods.insert(MD);
74     }
75 
76     bool needsInvalidation() const {
77       return !InvalidationMethods.empty();
78     }
79 
80     bool hasMethod(const ObjCMethodDecl *MD) {
81       if (IsInvalidated)
82         return true;
83       for (MethodSet::iterator I = InvalidationMethods.begin(),
84           E = InvalidationMethods.end(); I != E; ++I) {
85         if (*I == MD) {
86           IsInvalidated = true;
87           return true;
88         }
89       }
90       return false;
91     }
92   };
93 
94   typedef llvm::DenseMap<const ObjCIvarDecl*, InvalidationInfo> IvarSet;
95 
96   /// Statement visitor, which walks the method body and flags the ivars
97   /// referenced in it (either directly or via property).
98   class MethodCrawler : public ConstStmtVisitor<MethodCrawler> {
99     /// The set of Ivars which need to be invalidated.
100     IvarSet &IVars;
101 
102     /// Flag is set as the result of a message send to another
103     /// invalidation method.
104     bool &CalledAnotherInvalidationMethod;
105 
106     /// Property setter to ivar mapping.
107     const MethToIvarMapTy &PropertySetterToIvarMap;
108 
109     /// Property getter to ivar mapping.
110     const MethToIvarMapTy &PropertyGetterToIvarMap;
111 
112     /// Property to ivar mapping.
113     const PropToIvarMapTy &PropertyToIvarMap;
114 
115     /// The invalidation method being currently processed.
116     const ObjCMethodDecl *InvalidationMethod;
117 
118     ASTContext &Ctx;
119 
120     /// Peel off parens, casts, OpaqueValueExpr, and PseudoObjectExpr.
121     const Expr *peel(const Expr *E) const;
122 
123     /// Does this expression represent zero: '0'?
124     bool isZero(const Expr *E) const;
125 
126     /// Mark the given ivar as invalidated.
127     void markInvalidated(const ObjCIvarDecl *Iv);
128 
129     /// Checks if IvarRef refers to the tracked IVar, if yes, marks it as
130     /// invalidated.
131     void checkObjCIvarRefExpr(const ObjCIvarRefExpr *IvarRef);
132 
133     /// Checks if ObjCPropertyRefExpr refers to the tracked IVar, if yes, marks
134     /// it as invalidated.
135     void checkObjCPropertyRefExpr(const ObjCPropertyRefExpr *PA);
136 
137     /// Checks if ObjCMessageExpr refers to (is a getter for) the tracked IVar,
138     /// if yes, marks it as invalidated.
139     void checkObjCMessageExpr(const ObjCMessageExpr *ME);
140 
141     /// Checks if the Expr refers to an ivar, if yes, marks it as invalidated.
142     void check(const Expr *E);
143 
144   public:
145     MethodCrawler(IvarSet &InIVars,
146                   bool &InCalledAnotherInvalidationMethod,
147                   const MethToIvarMapTy &InPropertySetterToIvarMap,
148                   const MethToIvarMapTy &InPropertyGetterToIvarMap,
149                   const PropToIvarMapTy &InPropertyToIvarMap,
150                   ASTContext &InCtx)
151     : IVars(InIVars),
152       CalledAnotherInvalidationMethod(InCalledAnotherInvalidationMethod),
153       PropertySetterToIvarMap(InPropertySetterToIvarMap),
154       PropertyGetterToIvarMap(InPropertyGetterToIvarMap),
155       PropertyToIvarMap(InPropertyToIvarMap),
156       InvalidationMethod(nullptr),
157       Ctx(InCtx) {}
158 
159     void VisitStmt(const Stmt *S) { VisitChildren(S); }
160 
161     void VisitBinaryOperator(const BinaryOperator *BO);
162 
163     void VisitObjCMessageExpr(const ObjCMessageExpr *ME);
164 
165     void VisitChildren(const Stmt *S) {
166       for (const auto *Child : S->children()) {
167         if (Child)
168           this->Visit(Child);
169         if (CalledAnotherInvalidationMethod)
170           return;
171       }
172     }
173   };
174 
175   /// Check if the any of the methods inside the interface are annotated with
176   /// the invalidation annotation, update the IvarInfo accordingly.
177   /// \param LookForPartial is set when we are searching for partial
178   ///        invalidators.
179   static void containsInvalidationMethod(const ObjCContainerDecl *D,
180                                          InvalidationInfo &Out,
181                                          bool LookForPartial);
182 
183   /// Check if ivar should be tracked and add to TrackedIvars if positive.
184   /// Returns true if ivar should be tracked.
185   static bool trackIvar(const ObjCIvarDecl *Iv, IvarSet &TrackedIvars,
186                         const ObjCIvarDecl **FirstIvarDecl);
187 
188   /// Given the property declaration, and the list of tracked ivars, finds
189   /// the ivar backing the property when possible. Returns '0' when no such
190   /// ivar could be found.
191   static const ObjCIvarDecl *findPropertyBackingIvar(
192       const ObjCPropertyDecl *Prop,
193       const ObjCInterfaceDecl *InterfaceD,
194       IvarSet &TrackedIvars,
195       const ObjCIvarDecl **FirstIvarDecl);
196 
197   /// Print ivar name or the property if the given ivar backs a property.
198   static void printIvar(llvm::raw_svector_ostream &os,
199                         const ObjCIvarDecl *IvarDecl,
200                         const IvarToPropMapTy &IvarToPopertyMap);
201 
202   void reportNoInvalidationMethod(CheckerNameRef CheckName,
203                                   const ObjCIvarDecl *FirstIvarDecl,
204                                   const IvarToPropMapTy &IvarToPopertyMap,
205                                   const ObjCInterfaceDecl *InterfaceD,
206                                   bool MissingDeclaration) const;
207 
208   void reportIvarNeedsInvalidation(const ObjCIvarDecl *IvarD,
209                                    const IvarToPropMapTy &IvarToPopertyMap,
210                                    const ObjCMethodDecl *MethodD) const;
211 
212   AnalysisManager& Mgr;
213   BugReporter &BR;
214   /// Filter on the checks performed.
215   const ChecksFilter &Filter;
216 
217 public:
218   IvarInvalidationCheckerImpl(AnalysisManager& InMgr,
219                               BugReporter &InBR,
220                               const ChecksFilter &InFilter) :
221     Mgr (InMgr), BR(InBR), Filter(InFilter) {}
222 
223   void visit(const ObjCImplementationDecl *D) const;
224 };
225 
226 static bool isInvalidationMethod(const ObjCMethodDecl *M, bool LookForPartial) {
227   for (const auto *Ann : M->specific_attrs<AnnotateAttr>()) {
228     if (!LookForPartial &&
229         Ann->getAnnotation() == "objc_instance_variable_invalidator")
230       return true;
231     if (LookForPartial &&
232         Ann->getAnnotation() == "objc_instance_variable_invalidator_partial")
233       return true;
234   }
235   return false;
236 }
237 
238 void IvarInvalidationCheckerImpl::containsInvalidationMethod(
239     const ObjCContainerDecl *D, InvalidationInfo &OutInfo, bool Partial) {
240 
241   if (!D)
242     return;
243 
244   assert(!isa<ObjCImplementationDecl>(D));
245   // TODO: Cache the results.
246 
247   // Check all methods.
248   for (const auto *MDI : D->methods())
249     if (isInvalidationMethod(MDI, Partial))
250       OutInfo.addInvalidationMethod(
251           cast<ObjCMethodDecl>(MDI->getCanonicalDecl()));
252 
253   // If interface, check all parent protocols and super.
254   if (const ObjCInterfaceDecl *InterfD = dyn_cast<ObjCInterfaceDecl>(D)) {
255 
256     // Visit all protocols.
257     for (const auto *I : InterfD->protocols())
258       containsInvalidationMethod(I->getDefinition(), OutInfo, Partial);
259 
260     // Visit all categories in case the invalidation method is declared in
261     // a category.
262     for (const auto *Ext : InterfD->visible_extensions())
263       containsInvalidationMethod(Ext, OutInfo, Partial);
264 
265     containsInvalidationMethod(InterfD->getSuperClass(), OutInfo, Partial);
266     return;
267   }
268 
269   // If protocol, check all parent protocols.
270   if (const ObjCProtocolDecl *ProtD = dyn_cast<ObjCProtocolDecl>(D)) {
271     for (const auto *I : ProtD->protocols()) {
272       containsInvalidationMethod(I->getDefinition(), OutInfo, Partial);
273     }
274     return;
275   }
276 }
277 
278 bool IvarInvalidationCheckerImpl::trackIvar(const ObjCIvarDecl *Iv,
279                                         IvarSet &TrackedIvars,
280                                         const ObjCIvarDecl **FirstIvarDecl) {
281   QualType IvQTy = Iv->getType();
282   const ObjCObjectPointerType *IvTy = IvQTy->getAs<ObjCObjectPointerType>();
283   if (!IvTy)
284     return false;
285   const ObjCInterfaceDecl *IvInterf = IvTy->getInterfaceDecl();
286 
287   InvalidationInfo Info;
288   containsInvalidationMethod(IvInterf, Info, /*LookForPartial*/ false);
289   if (Info.needsInvalidation()) {
290     const ObjCIvarDecl *I = cast<ObjCIvarDecl>(Iv->getCanonicalDecl());
291     TrackedIvars[I] = Info;
292     if (!*FirstIvarDecl)
293       *FirstIvarDecl = I;
294     return true;
295   }
296   return false;
297 }
298 
299 const ObjCIvarDecl *IvarInvalidationCheckerImpl::findPropertyBackingIvar(
300                         const ObjCPropertyDecl *Prop,
301                         const ObjCInterfaceDecl *InterfaceD,
302                         IvarSet &TrackedIvars,
303                         const ObjCIvarDecl **FirstIvarDecl) {
304   const ObjCIvarDecl *IvarD = nullptr;
305 
306   // Lookup for the synthesized case.
307   IvarD = Prop->getPropertyIvarDecl();
308   // We only track the ivars/properties that are defined in the current
309   // class (not the parent).
310   if (IvarD && IvarD->getContainingInterface() == InterfaceD) {
311     if (TrackedIvars.count(IvarD)) {
312       return IvarD;
313     }
314     // If the ivar is synthesized we still want to track it.
315     if (trackIvar(IvarD, TrackedIvars, FirstIvarDecl))
316       return IvarD;
317   }
318 
319   // Lookup IVars named "_PropName"or "PropName" among the tracked Ivars.
320   StringRef PropName = Prop->getIdentifier()->getName();
321   for (IvarSet::const_iterator I = TrackedIvars.begin(),
322                                E = TrackedIvars.end(); I != E; ++I) {
323     const ObjCIvarDecl *Iv = I->first;
324     StringRef IvarName = Iv->getName();
325 
326     if (IvarName == PropName)
327       return Iv;
328 
329     SmallString<128> PropNameWithUnderscore;
330     {
331       llvm::raw_svector_ostream os(PropNameWithUnderscore);
332       os << '_' << PropName;
333     }
334     if (IvarName == PropNameWithUnderscore)
335       return Iv;
336   }
337 
338   // Note, this is a possible source of false positives. We could look at the
339   // getter implementation to find the ivar when its name is not derived from
340   // the property name.
341   return nullptr;
342 }
343 
344 void IvarInvalidationCheckerImpl::printIvar(llvm::raw_svector_ostream &os,
345                                       const ObjCIvarDecl *IvarDecl,
346                                       const IvarToPropMapTy &IvarToPopertyMap) {
347   if (IvarDecl->getSynthesize()) {
348     const ObjCPropertyDecl *PD = IvarToPopertyMap.lookup(IvarDecl);
349     assert(PD &&"Do we synthesize ivars for something other than properties?");
350     os << "Property "<< PD->getName() << " ";
351   } else {
352     os << "Instance variable "<< IvarDecl->getName() << " ";
353   }
354 }
355 
356 // Check that the invalidatable interfaces with ivars/properties implement the
357 // invalidation methods.
358 void IvarInvalidationCheckerImpl::
359 visit(const ObjCImplementationDecl *ImplD) const {
360   // Collect all ivars that need cleanup.
361   IvarSet Ivars;
362   // Record the first Ivar needing invalidation; used in reporting when only
363   // one ivar is sufficient. Cannot grab the first on the Ivars set to ensure
364   // deterministic output.
365   const ObjCIvarDecl *FirstIvarDecl = nullptr;
366   const ObjCInterfaceDecl *InterfaceD = ImplD->getClassInterface();
367 
368   // Collect ivars declared in this class, its extensions and its implementation
369   ObjCInterfaceDecl *IDecl = const_cast<ObjCInterfaceDecl *>(InterfaceD);
370   for (const ObjCIvarDecl *Iv = IDecl->all_declared_ivar_begin(); Iv;
371        Iv= Iv->getNextIvar())
372     trackIvar(Iv, Ivars, &FirstIvarDecl);
373 
374   // Construct Property/Property Accessor to Ivar maps to assist checking if an
375   // ivar which is backing a property has been reset.
376   MethToIvarMapTy PropSetterToIvarMap;
377   MethToIvarMapTy PropGetterToIvarMap;
378   PropToIvarMapTy PropertyToIvarMap;
379   IvarToPropMapTy IvarToPopertyMap;
380 
381   ObjCInterfaceDecl::PropertyMap PropMap;
382   InterfaceD->collectPropertiesToImplement(PropMap);
383 
384   for (ObjCInterfaceDecl::PropertyMap::iterator
385       I = PropMap.begin(), E = PropMap.end(); I != E; ++I) {
386     const ObjCPropertyDecl *PD = I->second;
387     if (PD->isClassProperty())
388       continue;
389 
390     const ObjCIvarDecl *ID = findPropertyBackingIvar(PD, InterfaceD, Ivars,
391                                                      &FirstIvarDecl);
392     if (!ID)
393       continue;
394 
395     // Store the mappings.
396     PD = cast<ObjCPropertyDecl>(PD->getCanonicalDecl());
397     PropertyToIvarMap[PD] = ID;
398     IvarToPopertyMap[ID] = PD;
399 
400     // Find the setter and the getter.
401     const ObjCMethodDecl *SetterD = PD->getSetterMethodDecl();
402     if (SetterD) {
403       SetterD = SetterD->getCanonicalDecl();
404       PropSetterToIvarMap[SetterD] = ID;
405     }
406 
407     const ObjCMethodDecl *GetterD = PD->getGetterMethodDecl();
408     if (GetterD) {
409       GetterD = GetterD->getCanonicalDecl();
410       PropGetterToIvarMap[GetterD] = ID;
411     }
412   }
413 
414   // If no ivars need invalidation, there is nothing to check here.
415   if (Ivars.empty())
416     return;
417 
418   // Find all partial invalidation methods.
419   InvalidationInfo PartialInfo;
420   containsInvalidationMethod(InterfaceD, PartialInfo, /*LookForPartial*/ true);
421 
422   // Remove ivars invalidated by the partial invalidation methods. They do not
423   // need to be invalidated in the regular invalidation methods.
424   bool AtImplementationContainsAtLeastOnePartialInvalidationMethod = false;
425   for (MethodSet::iterator
426       I = PartialInfo.InvalidationMethods.begin(),
427       E = PartialInfo.InvalidationMethods.end(); I != E; ++I) {
428     const ObjCMethodDecl *InterfD = *I;
429 
430     // Get the corresponding method in the @implementation.
431     const ObjCMethodDecl *D = ImplD->getMethod(InterfD->getSelector(),
432                                                InterfD->isInstanceMethod());
433     if (D && D->hasBody()) {
434       AtImplementationContainsAtLeastOnePartialInvalidationMethod = true;
435 
436       bool CalledAnotherInvalidationMethod = false;
437       // The MethodCrowler is going to remove the invalidated ivars.
438       MethodCrawler(Ivars,
439                     CalledAnotherInvalidationMethod,
440                     PropSetterToIvarMap,
441                     PropGetterToIvarMap,
442                     PropertyToIvarMap,
443                     BR.getContext()).VisitStmt(D->getBody());
444       // If another invalidation method was called, trust that full invalidation
445       // has occurred.
446       if (CalledAnotherInvalidationMethod)
447         Ivars.clear();
448     }
449   }
450 
451   // If all ivars have been invalidated by partial invalidators, there is
452   // nothing to check here.
453   if (Ivars.empty())
454     return;
455 
456   // Find all invalidation methods in this @interface declaration and parents.
457   InvalidationInfo Info;
458   containsInvalidationMethod(InterfaceD, Info, /*LookForPartial*/ false);
459 
460   // Report an error in case none of the invalidation methods are declared.
461   if (!Info.needsInvalidation() && !PartialInfo.needsInvalidation()) {
462     if (Filter.check_MissingInvalidationMethod)
463       reportNoInvalidationMethod(Filter.checkName_MissingInvalidationMethod,
464                                  FirstIvarDecl, IvarToPopertyMap, InterfaceD,
465                                  /*MissingDeclaration*/ true);
466     // If there are no invalidation methods, there is no ivar validation work
467     // to be done.
468     return;
469   }
470 
471   // Only check if Ivars are invalidated when InstanceVariableInvalidation
472   // has been requested.
473   if (!Filter.check_InstanceVariableInvalidation)
474     return;
475 
476   // Check that all ivars are invalidated by the invalidation methods.
477   bool AtImplementationContainsAtLeastOneInvalidationMethod = false;
478   for (MethodSet::iterator I = Info.InvalidationMethods.begin(),
479                            E = Info.InvalidationMethods.end(); I != E; ++I) {
480     const ObjCMethodDecl *InterfD = *I;
481 
482     // Get the corresponding method in the @implementation.
483     const ObjCMethodDecl *D = ImplD->getMethod(InterfD->getSelector(),
484                                                InterfD->isInstanceMethod());
485     if (D && D->hasBody()) {
486       AtImplementationContainsAtLeastOneInvalidationMethod = true;
487 
488       // Get a copy of ivars needing invalidation.
489       IvarSet IvarsI = Ivars;
490 
491       bool CalledAnotherInvalidationMethod = false;
492       MethodCrawler(IvarsI,
493                     CalledAnotherInvalidationMethod,
494                     PropSetterToIvarMap,
495                     PropGetterToIvarMap,
496                     PropertyToIvarMap,
497                     BR.getContext()).VisitStmt(D->getBody());
498       // If another invalidation method was called, trust that full invalidation
499       // has occurred.
500       if (CalledAnotherInvalidationMethod)
501         continue;
502 
503       // Warn on the ivars that were not invalidated by the method.
504       for (IvarSet::const_iterator
505           I = IvarsI.begin(), E = IvarsI.end(); I != E; ++I)
506         reportIvarNeedsInvalidation(I->first, IvarToPopertyMap, D);
507     }
508   }
509 
510   // Report an error in case none of the invalidation methods are implemented.
511   if (!AtImplementationContainsAtLeastOneInvalidationMethod) {
512     if (AtImplementationContainsAtLeastOnePartialInvalidationMethod) {
513       // Warn on the ivars that were not invalidated by the prrtial
514       // invalidation methods.
515       for (IvarSet::const_iterator
516            I = Ivars.begin(), E = Ivars.end(); I != E; ++I)
517         reportIvarNeedsInvalidation(I->first, IvarToPopertyMap, nullptr);
518     } else {
519       // Otherwise, no invalidation methods were implemented.
520       reportNoInvalidationMethod(Filter.checkName_InstanceVariableInvalidation,
521                                  FirstIvarDecl, IvarToPopertyMap, InterfaceD,
522                                  /*MissingDeclaration*/ false);
523     }
524   }
525 }
526 
527 void IvarInvalidationCheckerImpl::reportNoInvalidationMethod(
528     CheckerNameRef CheckName, const ObjCIvarDecl *FirstIvarDecl,
529     const IvarToPropMapTy &IvarToPopertyMap,
530     const ObjCInterfaceDecl *InterfaceD, bool MissingDeclaration) const {
531   SmallString<128> sbuf;
532   llvm::raw_svector_ostream os(sbuf);
533   assert(FirstIvarDecl);
534   printIvar(os, FirstIvarDecl, IvarToPopertyMap);
535   os << "needs to be invalidated; ";
536   if (MissingDeclaration)
537     os << "no invalidation method is declared for ";
538   else
539     os << "no invalidation method is defined in the @implementation for ";
540   os << InterfaceD->getName();
541 
542   PathDiagnosticLocation IvarDecLocation =
543     PathDiagnosticLocation::createBegin(FirstIvarDecl, BR.getSourceManager());
544 
545   BR.EmitBasicReport(FirstIvarDecl, CheckName, "Incomplete invalidation",
546                      categories::CoreFoundationObjectiveC, os.str(),
547                      IvarDecLocation);
548 }
549 
550 void IvarInvalidationCheckerImpl::
551 reportIvarNeedsInvalidation(const ObjCIvarDecl *IvarD,
552                             const IvarToPropMapTy &IvarToPopertyMap,
553                             const ObjCMethodDecl *MethodD) const {
554   SmallString<128> sbuf;
555   llvm::raw_svector_ostream os(sbuf);
556   printIvar(os, IvarD, IvarToPopertyMap);
557   os << "needs to be invalidated or set to nil";
558   if (MethodD) {
559     PathDiagnosticLocation MethodDecLocation =
560                            PathDiagnosticLocation::createEnd(MethodD->getBody(),
561                            BR.getSourceManager(),
562                            Mgr.getAnalysisDeclContext(MethodD));
563     BR.EmitBasicReport(MethodD, Filter.checkName_InstanceVariableInvalidation,
564                        "Incomplete invalidation",
565                        categories::CoreFoundationObjectiveC, os.str(),
566                        MethodDecLocation);
567   } else {
568     BR.EmitBasicReport(
569         IvarD, Filter.checkName_InstanceVariableInvalidation,
570         "Incomplete invalidation", categories::CoreFoundationObjectiveC,
571         os.str(),
572         PathDiagnosticLocation::createBegin(IvarD, BR.getSourceManager()));
573   }
574 }
575 
576 void IvarInvalidationCheckerImpl::MethodCrawler::markInvalidated(
577     const ObjCIvarDecl *Iv) {
578   IvarSet::iterator I = IVars.find(Iv);
579   if (I != IVars.end()) {
580     // If InvalidationMethod is present, we are processing the message send and
581     // should ensure we are invalidating with the appropriate method,
582     // otherwise, we are processing setting to 'nil'.
583     if (!InvalidationMethod || I->second.hasMethod(InvalidationMethod))
584       IVars.erase(I);
585   }
586 }
587 
588 const Expr *IvarInvalidationCheckerImpl::MethodCrawler::peel(const Expr *E) const {
589   E = E->IgnoreParenCasts();
590   if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E))
591     E = POE->getSyntacticForm()->IgnoreParenCasts();
592   if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E))
593     E = OVE->getSourceExpr()->IgnoreParenCasts();
594   return E;
595 }
596 
597 void IvarInvalidationCheckerImpl::MethodCrawler::checkObjCIvarRefExpr(
598     const ObjCIvarRefExpr *IvarRef) {
599   if (const Decl *D = IvarRef->getDecl())
600     markInvalidated(cast<ObjCIvarDecl>(D->getCanonicalDecl()));
601 }
602 
603 void IvarInvalidationCheckerImpl::MethodCrawler::checkObjCMessageExpr(
604     const ObjCMessageExpr *ME) {
605   const ObjCMethodDecl *MD = ME->getMethodDecl();
606   if (MD) {
607     MD = MD->getCanonicalDecl();
608     MethToIvarMapTy::const_iterator IvI = PropertyGetterToIvarMap.find(MD);
609     if (IvI != PropertyGetterToIvarMap.end())
610       markInvalidated(IvI->second);
611   }
612 }
613 
614 void IvarInvalidationCheckerImpl::MethodCrawler::checkObjCPropertyRefExpr(
615     const ObjCPropertyRefExpr *PA) {
616 
617   if (PA->isExplicitProperty()) {
618     const ObjCPropertyDecl *PD = PA->getExplicitProperty();
619     if (PD) {
620       PD = cast<ObjCPropertyDecl>(PD->getCanonicalDecl());
621       PropToIvarMapTy::const_iterator IvI = PropertyToIvarMap.find(PD);
622       if (IvI != PropertyToIvarMap.end())
623         markInvalidated(IvI->second);
624       return;
625     }
626   }
627 
628   if (PA->isImplicitProperty()) {
629     const ObjCMethodDecl *MD = PA->getImplicitPropertySetter();
630     if (MD) {
631       MD = MD->getCanonicalDecl();
632       MethToIvarMapTy::const_iterator IvI =PropertyGetterToIvarMap.find(MD);
633       if (IvI != PropertyGetterToIvarMap.end())
634         markInvalidated(IvI->second);
635       return;
636     }
637   }
638 }
639 
640 bool IvarInvalidationCheckerImpl::MethodCrawler::isZero(const Expr *E) const {
641   E = peel(E);
642 
643   return (E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull)
644            != Expr::NPCK_NotNull);
645 }
646 
647 void IvarInvalidationCheckerImpl::MethodCrawler::check(const Expr *E) {
648   E = peel(E);
649 
650   if (const ObjCIvarRefExpr *IvarRef = dyn_cast<ObjCIvarRefExpr>(E)) {
651     checkObjCIvarRefExpr(IvarRef);
652     return;
653   }
654 
655   if (const ObjCPropertyRefExpr *PropRef = dyn_cast<ObjCPropertyRefExpr>(E)) {
656     checkObjCPropertyRefExpr(PropRef);
657     return;
658   }
659 
660   if (const ObjCMessageExpr *MsgExpr = dyn_cast<ObjCMessageExpr>(E)) {
661     checkObjCMessageExpr(MsgExpr);
662     return;
663   }
664 }
665 
666 void IvarInvalidationCheckerImpl::MethodCrawler::VisitBinaryOperator(
667     const BinaryOperator *BO) {
668   VisitStmt(BO);
669 
670   // Do we assign/compare against zero? If yes, check the variable we are
671   // assigning to.
672   BinaryOperatorKind Opcode = BO->getOpcode();
673   if (Opcode != BO_Assign &&
674       Opcode != BO_EQ &&
675       Opcode != BO_NE)
676     return;
677 
678   if (isZero(BO->getRHS())) {
679       check(BO->getLHS());
680       return;
681   }
682 
683   if (Opcode != BO_Assign && isZero(BO->getLHS())) {
684     check(BO->getRHS());
685     return;
686   }
687 }
688 
689 void IvarInvalidationCheckerImpl::MethodCrawler::VisitObjCMessageExpr(
690   const ObjCMessageExpr *ME) {
691   const ObjCMethodDecl *MD = ME->getMethodDecl();
692   const Expr *Receiver = ME->getInstanceReceiver();
693 
694   // Stop if we are calling '[self invalidate]'.
695   if (Receiver && isInvalidationMethod(MD, /*LookForPartial*/ false))
696     if (Receiver->isObjCSelfExpr()) {
697       CalledAnotherInvalidationMethod = true;
698       return;
699     }
700 
701   // Check if we call a setter and set the property to 'nil'.
702   if (MD && (ME->getNumArgs() == 1) && isZero(ME->getArg(0))) {
703     MD = MD->getCanonicalDecl();
704     MethToIvarMapTy::const_iterator IvI = PropertySetterToIvarMap.find(MD);
705     if (IvI != PropertySetterToIvarMap.end()) {
706       markInvalidated(IvI->second);
707       return;
708     }
709   }
710 
711   // Check if we call the 'invalidation' routine on the ivar.
712   if (Receiver) {
713     InvalidationMethod = MD;
714     check(Receiver->IgnoreParenCasts());
715     InvalidationMethod = nullptr;
716   }
717 
718   VisitStmt(ME);
719 }
720 } // end anonymous namespace
721 
722 // Register the checkers.
723 namespace {
724 class IvarInvalidationChecker :
725   public Checker<check::ASTDecl<ObjCImplementationDecl> > {
726 public:
727   ChecksFilter Filter;
728 public:
729   void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& Mgr,
730                     BugReporter &BR) const {
731     IvarInvalidationCheckerImpl Walker(Mgr, BR, Filter);
732     Walker.visit(D);
733   }
734 };
735 } // end anonymous namespace
736 
737 void ento::registerIvarInvalidationModeling(CheckerManager &mgr) {
738   mgr.registerChecker<IvarInvalidationChecker>();
739 }
740 
741 bool ento::shouldRegisterIvarInvalidationModeling(const CheckerManager &mgr) {
742   return true;
743 }
744 
745 #define REGISTER_CHECKER(name)                                                 \
746   void ento::register##name(CheckerManager &mgr) {                             \
747     IvarInvalidationChecker *checker =                                         \
748         mgr.getChecker<IvarInvalidationChecker>();                             \
749     checker->Filter.check_##name = true;                                       \
750     checker->Filter.checkName_##name = mgr.getCurrentCheckerName();            \
751   }                                                                            \
752                                                                                \
753   bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
754 
755 REGISTER_CHECKER(InstanceVariableInvalidation)
756 REGISTER_CHECKER(MissingInvalidationMethod)
757