xref: /freebsd/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MacOSXAPIChecker.cpp (revision e64bea71c21eb42e97aa615188ba91f6cce0d36d) 
1 // MacOSXAPIChecker.h - Checks proper use of various MacOS X APIs --*- C++ -*-//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This defines MacOSXAPIChecker, which is an assortment of checks on calls
10 // to various, widely used Apple APIs.
11 //
12 // FIXME: What's currently in BasicObjCFoundationChecks.cpp should be migrated
13 // to here, using the new Checker interface.
14 //
15 //===----------------------------------------------------------------------===//
16 
17 #include "clang/AST/Attr.h"
18 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
20 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
21 #include "clang/StaticAnalyzer/Core/Checker.h"
22 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24 #include "llvm/ADT/StringSwitch.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class MacOSXAPIChecker : public Checker< check::PreStmt<CallExpr> > {
32   const BugType BT_dispatchOnce{this, "Improper use of 'dispatch_once'",
33                                 categories::AppleAPIMisuse};
34 
35   static const ObjCIvarRegion *getParentIvarRegion(const MemRegion *R);
36 
37 public:
38   void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
39 
40   void CheckDispatchOnce(CheckerContext &C, const CallExpr *CE,
41                          StringRef FName) const;
42 
43   typedef void (MacOSXAPIChecker::*SubChecker)(CheckerContext &,
44                                                const CallExpr *,
45                                                StringRef FName) const;
46 };
47 } //end anonymous namespace
48 
49 //===----------------------------------------------------------------------===//
50 // dispatch_once and dispatch_once_f
51 //===----------------------------------------------------------------------===//
52 
53 const ObjCIvarRegion *
54 MacOSXAPIChecker::getParentIvarRegion(const MemRegion *R) {
55   const SubRegion *SR = dyn_cast<SubRegion>(R);
56   while (SR) {
57     if (const ObjCIvarRegion *IR = dyn_cast<ObjCIvarRegion>(SR))
58       return IR;
59     SR = dyn_cast<SubRegion>(SR->getSuperRegion());
60   }
61   return nullptr;
62 }
63 
64 void MacOSXAPIChecker::CheckDispatchOnce(CheckerContext &C, const CallExpr *CE,
65                                          StringRef FName) const {
66   if (CE->getNumArgs() < 1)
67     return;
68 
69   // Check if the first argument is improperly allocated.  If so, issue a
70   // warning because that's likely to be bad news.
71   const MemRegion *R = C.getSVal(CE->getArg(0)).getAsRegion();
72   if (!R)
73     return;
74 
75   // Global variables are fine.
76   const MemSpaceRegion *Space = R->getMemorySpace(C.getState());
77   if (isa<GlobalsSpaceRegion>(Space))
78     return;
79 
80   // Handle _dispatch_once.  In some versions of the OS X SDK we have the case
81   // that dispatch_once is a macro that wraps a call to _dispatch_once.
82   // _dispatch_once is then a function which then calls the real dispatch_once.
83   // Users do not care; they just want the warning at the top-level call.
84   if (CE->getBeginLoc().isMacroID()) {
85     StringRef TrimmedFName = FName.ltrim('_');
86     if (TrimmedFName != FName)
87       FName = TrimmedFName;
88   }
89 
90   SmallString<256> S;
91   llvm::raw_svector_ostream os(S);
92   bool SuggestStatic = false;
93   os << "Call to '" << FName << "' uses";
94   if (const VarRegion *VR = dyn_cast<VarRegion>(R->getBaseRegion())) {
95     const VarDecl *VD = VR->getDecl();
96     // FIXME: These should have correct memory space and thus should be filtered
97     // out earlier. This branch only fires when we're looking from a block,
98     // which we analyze as a top-level declaration, onto a static local
99     // in a function that contains the block.
100     if (VD->isStaticLocal())
101       return;
102     // We filtered out globals earlier, so it must be a local variable
103     // or a block variable which is under UnknownSpaceRegion.
104     if (VR != R)
105       os << " memory within";
106     if (VD->hasAttr<BlocksAttr>())
107       os << " the block variable '";
108     else
109       os << " the local variable '";
110     os << VR->getDecl()->getName() << '\'';
111     SuggestStatic = true;
112   } else if (const ObjCIvarRegion *IVR = getParentIvarRegion(R)) {
113     if (IVR != R)
114       os << " memory within";
115     os << " the instance variable '" << IVR->getDecl()->getName() << '\'';
116   } else if (isa<HeapSpaceRegion>(Space)) {
117     os << " heap-allocated memory";
118   } else if (isa<UnknownSpaceRegion>(Space)) {
119     // Presence of an IVar superregion has priority over this branch, because
120     // ObjC objects are on the heap even if the core doesn't realize this.
121     // Presence of a block variable base region has priority over this branch,
122     // because block variables are known to be either on stack or on heap
123     // (might actually move between the two, hence UnknownSpace).
124     return;
125   } else {
126     os << " stack allocated memory";
127   }
128   os << " for the predicate value.  Using such transient memory for "
129         "the predicate is potentially dangerous.";
130   if (SuggestStatic)
131     os << "  Perhaps you intended to declare the variable as 'static'?";
132 
133   ExplodedNode *N = C.generateErrorNode();
134   if (!N)
135     return;
136 
137   auto report =
138       std::make_unique<PathSensitiveBugReport>(BT_dispatchOnce, os.str(), N);
139   report->addRange(CE->getArg(0)->getSourceRange());
140   C.emitReport(std::move(report));
141 }
142 
143 //===----------------------------------------------------------------------===//
144 // Central dispatch function.
145 //===----------------------------------------------------------------------===//
146 
147 void MacOSXAPIChecker::checkPreStmt(const CallExpr *CE,
148                                     CheckerContext &C) const {
149   StringRef Name = C.getCalleeName(CE);
150   if (Name.empty())
151     return;
152 
153   SubChecker SC =
154     llvm::StringSwitch<SubChecker>(Name)
155       .Cases("dispatch_once",
156              "_dispatch_once",
157              "dispatch_once_f",
158              &MacOSXAPIChecker::CheckDispatchOnce)
159       .Default(nullptr);
160 
161   if (SC)
162     (this->*SC)(C, CE, Name);
163 }
164 
165 //===----------------------------------------------------------------------===//
166 // Registration.
167 //===----------------------------------------------------------------------===//
168 
169 void ento::registerMacOSXAPIChecker(CheckerManager &mgr) {
170   mgr.registerChecker<MacOSXAPIChecker>();
171 }
172 
173 bool ento::shouldRegisterMacOSXAPIChecker(const CheckerManager &mgr) {
174   return true;
175 }
176