Coverage Report

Created: 2019-07-24 05:18

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/tools/clang/lib/StaticAnalyzer/Checkers/CheckObjCDealloc.cpp
Line
Count
Source (jump to first uncovered line)
1
//==- CheckObjCDealloc.cpp - Check ObjC -dealloc implementation --*- C++ -*-==//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
//  This checker analyzes Objective-C -dealloc methods and their callees
10
//  to warn about improper releasing of instance variables that back synthesized
11
// properties. It warns about missing releases in the following cases:
12
//  - When a class has a synthesized instance variable for a 'retain' or 'copy'
13
//    property and lacks a -dealloc method in its implementation.
14
//  - When a class has a synthesized instance variable for a 'retain'/'copy'
15
//   property but the ivar is not released in -dealloc by either -release
16
//   or by nilling out the property.
17
//
18
//  It warns about extra releases in -dealloc (but not in callees) when a
19
//  synthesized instance variable is released in the following cases:
20
//  - When the property is 'assign' and is not 'readonly'.
21
//  - When the property is 'weak'.
22
//
23
//  This checker only warns for instance variables synthesized to back
24
//  properties. Handling the more general case would require inferring whether
25
//  an instance variable is stored retained or not. For synthesized properties,
26
//  this is specified in the property declaration itself.
27
//
28
//===----------------------------------------------------------------------===//
29
30
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
31
#include "clang/AST/Attr.h"
32
#include "clang/AST/DeclObjC.h"
33
#include "clang/AST/Expr.h"
34
#include "clang/AST/ExprObjC.h"
35
#include "clang/Basic/LangOptions.h"
36
#include "clang/Basic/TargetInfo.h"
37
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
38
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
39
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
40
#include "clang/StaticAnalyzer/Core/Checker.h"
41
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
42
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
43
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
44
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
45
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
46
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
47
#include "llvm/Support/raw_ostream.h"
48
49
using namespace clang;
50
using namespace ento;
51
52
/// Indicates whether an instance variable is required to be released in
53
/// -dealloc.
54
enum class ReleaseRequirement {
55
  /// The instance variable must be released, either by calling
56
  /// -release on it directly or by nilling it out with a property setter.
57
  MustRelease,
58
59
  /// The instance variable must not be directly released with -release.
60
  MustNotReleaseDirectly,
61
62
  /// The requirement for the instance variable could not be determined.
63
  Unknown
64
};
65
66
/// Returns true if the property implementation is synthesized and the
67
/// type of the property is retainable.
68
static bool isSynthesizedRetainableProperty(const ObjCPropertyImplDecl *I,
69
                                            const ObjCIvarDecl **ID,
70
274
                                            const ObjCPropertyDecl **PD) {
71
274
72
274
  if (I->getPropertyImplementation() != ObjCPropertyImplDecl::Synthesize)
73
0
    return false;
74
274
75
274
  (*ID) = I->getPropertyIvarDecl();
76
274
  if (!(*ID))
77
0
    return false;
78
274
79
274
  QualType T = (*ID)->getType();
80
274
  if (!T->isObjCRetainableType())
81
19
    return false;
82
255
83
255
  (*PD) = I->getPropertyDecl();
84
255
  // Shouldn't be able to synthesize a property that doesn't exist.
85
255
  assert(*PD);
86
255
87
255
  return true;
88
255
}
89
90
namespace {
91
92
class ObjCDeallocChecker
93
    : public Checker<check::ASTDecl<ObjCImplementationDecl>,
94
                     check::PreObjCMessage, check::PostObjCMessage,
95
                     check::PreCall,
96
                     check::BeginFunction, check::EndFunction,
97
                     eval::Assume,
98
                     check::PointerEscape,
99
                     check::PreStmt<ReturnStmt>> {
100
101
  mutable IdentifierInfo *NSObjectII, *SenTestCaseII, *XCTestCaseII,
102
      *Block_releaseII, *CIFilterII;
103
104
  mutable Selector DeallocSel, ReleaseSel;
105
106
  std::unique_ptr<BugType> MissingReleaseBugType;
107
  std::unique_ptr<BugType> ExtraReleaseBugType;
108
  std::unique_ptr<BugType> MistakenDeallocBugType;
109
110
public:
111
  ObjCDeallocChecker();
112
113
  void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& Mgr,
114
                    BugReporter &BR) const;
115
  void checkBeginFunction(CheckerContext &Ctx) const;
116
  void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
117
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
118
  void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
119
120
  ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
121
                             bool Assumption) const;
122
123
  ProgramStateRef checkPointerEscape(ProgramStateRef State,
124
                                     const InvalidatedSymbols &Escaped,
125
                                     const CallEvent *Call,
126
                                     PointerEscapeKind Kind) const;
127
  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
128
  void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
129
130
private:
131
  void diagnoseMissingReleases(CheckerContext &C) const;
132
133
  bool diagnoseExtraRelease(SymbolRef ReleasedValue, const ObjCMethodCall &M,
134
                            CheckerContext &C) const;
135
136
  bool diagnoseMistakenDealloc(SymbolRef DeallocedValue,
137
                               const ObjCMethodCall &M,
138
                               CheckerContext &C) const;
139
140
  SymbolRef getValueReleasedByNillingOut(const ObjCMethodCall &M,
141
                                         CheckerContext &C) const;
142
143
  const ObjCIvarRegion *getIvarRegionForIvarSymbol(SymbolRef IvarSym) const;
144
  SymbolRef getInstanceSymbolFromIvarSymbol(SymbolRef IvarSym) const;
145
146
  const ObjCPropertyImplDecl*
147
  findPropertyOnDeallocatingInstance(SymbolRef IvarSym,
148
                                     CheckerContext &C) const;
149
150
  ReleaseRequirement
151
  getDeallocReleaseRequirement(const ObjCPropertyImplDecl *PropImpl) const;
152
153
  bool isInInstanceDealloc(const CheckerContext &C, SVal &SelfValOut) const;
154
  bool isInInstanceDealloc(const CheckerContext &C, const LocationContext *LCtx,
155
                           SVal &SelfValOut) const;
156
  bool instanceDeallocIsOnStack(const CheckerContext &C,
157
                                SVal &InstanceValOut) const;
158
159
  bool isSuperDeallocMessage(const ObjCMethodCall &M) const;
160
161
  const ObjCImplDecl *getContainingObjCImpl(const LocationContext *LCtx) const;
162
163
  const ObjCPropertyDecl *
164
  findShadowedPropertyDecl(const ObjCPropertyImplDecl *PropImpl) const;
165
166
  void transitionToReleaseValue(CheckerContext &C, SymbolRef Value) const;
167
  ProgramStateRef removeValueRequiringRelease(ProgramStateRef State,
168
                                              SymbolRef InstanceSym,
169
                                              SymbolRef ValueSym) const;
170
171
  void initIdentifierInfoAndSelectors(ASTContext &Ctx) const;
172
173
  bool classHasSeparateTeardown(const ObjCInterfaceDecl *ID) const;
174
175
  bool isReleasedByCIFilterDealloc(const ObjCPropertyImplDecl *PropImpl) const;
176
  bool isNibLoadedIvarWithoutRetain(const ObjCPropertyImplDecl *PropImpl) const;
177
};
178
} // End anonymous namespace.
179
180
181
/// Maps from the symbol for a class instance to the set of
182
/// symbols remaining that must be released in -dealloc.
183
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(SymbolSet, SymbolRef)
184
REGISTER_MAP_WITH_PROGRAMSTATE(UnreleasedIvarMap, SymbolRef, SymbolSet)
185
186
187
/// An AST check that diagnose when the class requires a -dealloc method and
188
/// is missing one.
189
void ObjCDeallocChecker::checkASTDecl(const ObjCImplementationDecl *D,
190
                                      AnalysisManager &Mgr,
191
126
                                      BugReporter &BR) const {
192
126
  assert(Mgr.getLangOpts().getGC() != LangOptions::GCOnly);
193
126
  assert(!Mgr.getLangOpts().ObjCAutoRefCount);
194
126
  initIdentifierInfoAndSelectors(Mgr.getASTContext());
195
126
196
126
  const ObjCInterfaceDecl *ID = D->getClassInterface();
197
126
  // If the class is known to have a lifecycle with a separate teardown method
198
126
  // then it may not require a -dealloc method.
199
126
  if (classHasSeparateTeardown(ID))
200
22
    return;
201
104
202
104
  // Does the class contain any synthesized properties that are retainable?
203
104
  // If not, skip the check entirely.
204
104
  const ObjCPropertyImplDecl *PropImplRequiringRelease = nullptr;
205
104
  bool HasOthers = false;
206
109
  for (const auto *I : D->property_impls()) {
207
109
    if (getDeallocReleaseRequirement(I) == ReleaseRequirement::MustRelease) {
208
74
      if (!PropImplRequiringRelease)
209
64
        PropImplRequiringRelease = I;
210
10
      else {
211
10
        HasOthers = true;
212
10
        break;
213
10
      }
214
74
    }
215
109
  }
216
104
217
104
  if (!PropImplRequiringRelease)
218
40
    return;
219
64
220
64
  const ObjCMethodDecl *MD = nullptr;
221
64
222
64
  // Scan the instance methods for "dealloc".
223
70
  for (const auto *I : D->instance_methods()) {
224
70
    if (I->getSelector() == DeallocSel) {
225
59
      MD = I;
226
59
      break;
227
59
    }
228
70
  }
229
64
230
64
  if (!MD) { // No dealloc found.
231
5
    const char* Name = "Missing -dealloc";
232
5
233
5
    std::string Buf;
234
5
    llvm::raw_string_ostream OS(Buf);
235
5
    OS << "'" << *D << "' lacks a 'dealloc' instance method but "
236
5
       << "must release '" << *PropImplRequiringRelease->getPropertyIvarDecl()
237
5
       << "'";
238
5
239
5
    if (HasOthers)
240
1
      OS << " and others";
241
5
    PathDiagnosticLocation DLoc =
242
5
        PathDiagnosticLocation::createBegin(D, BR.getSourceManager());
243
5
244
5
    BR.EmitBasicReport(D, this, Name, categories::CoreFoundationObjectiveC,
245
5
                       OS.str(), DLoc);
246
5
    return;
247
5
  }
248
64
}
249
250
/// If this is the beginning of -dealloc, mark the values initially stored in
251
/// instance variables that must be released by the end of -dealloc
252
/// as unreleased in the state.
253
void ObjCDeallocChecker::checkBeginFunction(
254
565
    CheckerContext &C) const {
255
565
  initIdentifierInfoAndSelectors(C.getASTContext());
256
565
257
565
  // Only do this if the current method is -dealloc.
258
565
  SVal SelfVal;
259
565
  if (!isInInstanceDealloc(C, SelfVal))
260
472
    return;
261
93
262
93
  SymbolRef SelfSymbol = SelfVal.getAsSymbol();
263
93
264
93
  const LocationContext *LCtx = C.getLocationContext();
265
93
  ProgramStateRef InitialState = C.getState();
266
93
267
93
  ProgramStateRef State = InitialState;
268
93
269
93
  SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
270
93
271
93
  // Symbols that must be released by the end of the -dealloc;
272
93
  SymbolSet RequiredReleases = F.getEmptySet();
273
93
274
93
  // If we're an inlined -dealloc, we should add our symbols to the existing
275
93
  // set from our subclass.
276
93
  if (const SymbolSet *CurrSet = State->get<UnreleasedIvarMap>(SelfSymbol))
277
4
    RequiredReleases = *CurrSet;
278
93
279
133
  for (auto *PropImpl : getContainingObjCImpl(LCtx)->property_impls()) {
280
133
    ReleaseRequirement Requirement = getDeallocReleaseRequirement(PropImpl);
281
133
    if (Requirement != ReleaseRequirement::MustRelease)
282
33
      continue;
283
100
284
100
    SVal LVal = State->getLValue(PropImpl->getPropertyIvarDecl(), SelfVal);
285
100
    Optional<Loc> LValLoc = LVal.getAs<Loc>();
286
100
    if (!LValLoc)
287
0
      continue;
288
100
289
100
    SVal InitialVal = State->getSVal(LValLoc.getValue());
290
100
    SymbolRef Symbol = InitialVal.getAsSymbol();
291
100
    if (!Symbol || !isa<SymbolRegionValue>(Symbol))
292
2
      continue;
293
98
294
98
    // Mark the value as requiring a release.
295
98
    RequiredReleases = F.add(RequiredReleases, Symbol);
296
98
  }
297
93
298
93
  if (!RequiredReleases.isEmpty()) {
299
69
    State = State->set<UnreleasedIvarMap>(SelfSymbol, RequiredReleases);
300
69
  }
301
93
302
93
  if (State != InitialState) {
303
69
    C.addTransition(State);
304
69
  }
305
93
}
306
307
/// Given a symbol for an ivar, return the ivar region it was loaded from.
308
/// Returns nullptr if the instance symbol cannot be found.
309
const ObjCIvarRegion *
310
926
ObjCDeallocChecker::getIvarRegionForIvarSymbol(SymbolRef IvarSym) const {
311
926
  return dyn_cast_or_null<ObjCIvarRegion>(IvarSym->getOriginRegion());
312
926
}
313
314
/// Given a symbol for an ivar, return a symbol for the instance containing
315
/// the ivar. Returns nullptr if the instance symbol cannot be found.
316
SymbolRef
317
335
ObjCDeallocChecker::getInstanceSymbolFromIvarSymbol(SymbolRef IvarSym) const {
318
335
319
335
  const ObjCIvarRegion *IvarRegion = getIvarRegionForIvarSymbol(IvarSym);
320
335
  if (!IvarRegion)
321
184
    return nullptr;
322
151
323
151
  return IvarRegion->getSymbolicBase()->getSymbol();
324
151
}
325
326
/// If we are in -dealloc or -dealloc is on the stack, handle the call if it is
327
/// a release or a nilling-out property setter.
328
void ObjCDeallocChecker::checkPreObjCMessage(
329
582
    const ObjCMethodCall &M, CheckerContext &C) const {
330
582
  // Only run if -dealloc is on the stack.
331
582
  SVal DeallocedInstance;
332
582
  if (!instanceDeallocIsOnStack(C, DeallocedInstance))
333
342
    return;
334
240
335
240
  SymbolRef ReleasedValue = nullptr;
336
240
337
240
  if (M.getSelector() == ReleaseSel) {
338
61
    ReleasedValue = M.getReceiverSVal().getAsSymbol();
339
179
  } else if (M.getSelector() == DeallocSel && 
!M.isReceiverSelfOrSuper()102
) {
340
5
    if (diagnoseMistakenDealloc(M.getReceiverSVal().getAsSymbol(), M, C))
341
2
      return;
342
238
  }
343
238
344
238
  if (ReleasedValue) {
345
61
    // An instance variable symbol was released with -release:
346
61
    //    [_property release];
347
61
    if (diagnoseExtraRelease(ReleasedValue,M, C))
348
5
      return;
349
177
  } else {
350
177
    // An instance variable symbol was released nilling out its property:
351
177
    //    self.property = nil;
352
177
    ReleasedValue = getValueReleasedByNillingOut(M, C);
353
177
  }
354
238
355
238
  
if (233
!ReleasedValue233
)
356
162
    return;
357
71
358
71
  transitionToReleaseValue(C, ReleasedValue);
359
71
}
360
361
/// If we are in -dealloc or -dealloc is on the stack, handle the call if it is
362
/// call to Block_release().
363
void ObjCDeallocChecker::checkPreCall(const CallEvent &Call,
364
1.00k
                                      CheckerContext &C) const {
365
1.00k
  const IdentifierInfo *II = Call.getCalleeIdentifier();
366
1.00k
  if (II != Block_releaseII)
367
1.00k
    return;
368
2
369
2
  if (Call.getNumArgs() != 1)
370
0
    return;
371
2
372
2
  SymbolRef ReleasedValue = Call.getArgSVal(0).getAsSymbol();
373
2
  if (!ReleasedValue)
374
0
    return;
375
2
376
2
  transitionToReleaseValue(C, ReleasedValue);
377
2
}
378
/// If the message was a call to '[super dealloc]', diagnose any missing
379
/// releases.
380
void ObjCDeallocChecker::checkPostObjCMessage(
381
576
    const ObjCMethodCall &M, CheckerContext &C) const {
382
576
  // We perform this check post-message so that if the super -dealloc
383
576
  // calls a helper method and that this class overrides, any ivars released in
384
576
  // the helper method will be recorded before checking.
385
576
  if (isSuperDeallocMessage(M))
386
97
    diagnoseMissingReleases(C);
387
576
}
388
389
/// Check for missing releases even when -dealloc does not call
390
/// '[super dealloc]'.
391
void ObjCDeallocChecker::checkEndFunction(
392
582
    const ReturnStmt *RS, CheckerContext &C) const {
393
582
  diagnoseMissingReleases(C);
394
582
}
395
396
/// Check for missing releases on early return.
397
void ObjCDeallocChecker::checkPreStmt(
398
209
    const ReturnStmt *RS, CheckerContext &C) const {
399
209
  diagnoseMissingReleases(C);
400
209
}
401
402
/// When a symbol is assumed to be nil, remove it from the set of symbols
403
/// require to be nil.
404
ProgramStateRef ObjCDeallocChecker::evalAssume(ProgramStateRef State, SVal Cond,
405
3.00k
                                               bool Assumption) const {
406
3.00k
  if (State->get<UnreleasedIvarMap>().isEmpty())
407
2.70k
    return State;
408
300
409
300
  auto *CondBSE = dyn_cast_or_null<BinarySymExpr>(Cond.getAsSymExpr());
410
300
  if (!CondBSE)
411
25
    return State;
412
275
413
275
  BinaryOperator::Opcode OpCode = CondBSE->getOpcode();
414
275
  if (Assumption) {
415
198
    if (OpCode != BO_EQ)
416
197
      return State;
417
77
  } else {
418
77
    if (OpCode != BO_NE)
419
1
      return State;
420
77
  }
421
77
422
77
  SymbolRef NullSymbol = nullptr;
423
77
  if (auto *SIE = dyn_cast<SymIntExpr>(CondBSE)) {
424
77
    const llvm::APInt &RHS = SIE->getRHS();
425
77
    if (RHS != 0)
426
0
      return State;
427
77
    NullSymbol = SIE->getLHS();
428
77
  } else 
if (auto *0
SIE0
= dyn_cast<IntSymExpr>(CondBSE)) {
429
0
    const llvm::APInt &LHS = SIE->getLHS();
430
0
    if (LHS != 0)
431
0
      return State;
432
0
    NullSymbol = SIE->getRHS();
433
0
  } else {
434
0
    return State;
435
0
  }
436
77
437
77
  SymbolRef InstanceSymbol = getInstanceSymbolFromIvarSymbol(NullSymbol);
438
77
  if (!InstanceSymbol)
439
22
    return State;
440
55
441
55
  State = removeValueRequiringRelease(State, InstanceSymbol, NullSymbol);
442
55
443
55
  return State;
444
55
}
445
446
/// If a symbol escapes conservatively assume unseen code released it.
447
ProgramStateRef ObjCDeallocChecker::checkPointerEscape(
448
    ProgramStateRef State, const InvalidatedSymbols &Escaped,
449
893
    const CallEvent *Call, PointerEscapeKind Kind) const {
450
893
451
893
  if (State->get<UnreleasedIvarMap>().isEmpty())
452
682
    return State;
453
211
454
211
  // Don't treat calls to '[super dealloc]' as escaping for the purposes
455
211
  // of this checker. Because the checker diagnoses missing releases in the
456
211
  // post-message handler for '[super dealloc], escaping here would cause
457
211
  // the checker to never warn.
458
211
  auto *OMC = dyn_cast_or_null<ObjCMethodCall>(Call);
459
211
  if (OMC && 
isSuperDeallocMessage(*OMC)202
)
460
67
    return State;
461
144
462
185
  
for (const auto &Sym : Escaped)144
{
463
185
    if (!Call || 
(183
Call183
&&
!Call->isInSystemHeader()183
)) {
464
55
      // If Sym is a symbol for an object with instance variables that
465
55
      // must be released, remove these obligations when the object escapes
466
55
      // unless via a call to a system function. System functions are
467
55
      // very unlikely to release instance variables on objects passed to them,
468
55
      // and are frequently called on 'self' in -dealloc (e.g., to remove
469
55
      // observers) -- we want to avoid false negatives from escaping on
470
55
      // them.
471
55
      State = State->remove<UnreleasedIvarMap>(Sym);
472
55
    }
473
185
474
185
475
185
    SymbolRef InstanceSymbol = getInstanceSymbolFromIvarSymbol(Sym);
476
185
    if (!InstanceSymbol)
477
146
      continue;
478
39
479
39
    State = removeValueRequiringRelease(State, InstanceSymbol, Sym);
480
39
  }
481
144
482
144
  return State;
483
144
}
484
485
/// Report any unreleased instance variables for the current instance being
486
/// dealloced.
487
888
void ObjCDeallocChecker::diagnoseMissingReleases(CheckerContext &C) const {
488
888
  ProgramStateRef State = C.getState();
489
888
490
888
  SVal SelfVal;
491
888
  if (!isInInstanceDealloc(C, SelfVal))
492
698
    return;
493
190
494
190
  const MemRegion *SelfRegion = SelfVal.castAs<loc::MemRegionVal>().getRegion();
495
190
  const LocationContext *LCtx = C.getLocationContext();
496
190
497
190
  ExplodedNode *ErrNode = nullptr;
498
190
499
190
  SymbolRef SelfSym = SelfVal.getAsSymbol();
500
190
  if (!SelfSym)
501
0
    return;
502
190
503
190
  const SymbolSet *OldUnreleased = State->get<UnreleasedIvarMap>(SelfSym);
504
190
  if (!OldUnreleased)
505
130
    return;
506
60
507
60
  SymbolSet NewUnreleased = *OldUnreleased;
508
60
  SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
509
60
510
60
  ProgramStateRef InitialState = State;
511
60
512
64
  for (auto *IvarSymbol : *OldUnreleased) {
513
64
    const TypedValueRegion *TVR =
514
64
        cast<SymbolRegionValue>(IvarSymbol)->getRegion();
515
64
    const ObjCIvarRegion *IvarRegion = cast<ObjCIvarRegion>(TVR);
516
64
517
64
    // Don't warn if the ivar is not for this instance.
518
64
    if (SelfRegion != IvarRegion->getSuperRegion())
519
0
      continue;
520
64
521
64
    const ObjCIvarDecl *IvarDecl = IvarRegion->getDecl();
522
64
    // Prevent an inlined call to -dealloc in a super class from warning
523
64
    // about the values the subclass's -dealloc should release.
524
64
    if (IvarDecl->getContainingInterface() !=
525
64
        cast<ObjCMethodDecl>(LCtx->getDecl())->getClassInterface())
526
4
      continue;
527
60
528
60
    // Prevents diagnosing multiple times for the same instance variable
529
60
    // at, for example, both a return and at the end of the function.
530
60
    NewUnreleased = F.remove(NewUnreleased, IvarSymbol);
531
60
532
60
    if (State->getStateManager()
533
60
            .getConstraintManager()
534
60
            .isNull(State, IvarSymbol)
535
60
            .isConstrainedTrue()) {
536
0
      continue;
537
0
    }
538
60
539
60
    // A missing release manifests as a leak, so treat as a non-fatal error.
540
60
    if (!ErrNode)
541
58
      ErrNode = C.generateNonFatalErrorNode();
542
60
    // If we've already reached this node on another path, return without
543
60
    // diagnosing.
544
60
    if (!ErrNode)
545
0
      return;
546
60
547
60
    std::string Buf;
548
60
    llvm::raw_string_ostream OS(Buf);
549
60
550
60
    const ObjCInterfaceDecl *Interface = IvarDecl->getContainingInterface();
551
60
    // If the class is known to have a lifecycle with teardown that is
552
60
    // separate from -dealloc, do not warn about missing releases. We
553
60
    // suppress here (rather than not tracking for instance variables in
554
60
    // such classes) because these classes are rare.
555
60
    if (classHasSeparateTeardown(Interface))
556
10
      return;
557
50
558
50
    ObjCImplDecl *ImplDecl = Interface->getImplementation();
559
50
560
50
    const ObjCPropertyImplDecl *PropImpl =
561
50
        ImplDecl->FindPropertyImplIvarDecl(IvarDecl->getIdentifier());
562
50
563
50
    const ObjCPropertyDecl *PropDecl = PropImpl->getPropertyDecl();
564
50
565
50
    assert(PropDecl->getSetterKind() == ObjCPropertyDecl::Copy ||
566
50
           PropDecl->getSetterKind() == ObjCPropertyDecl::Retain);
567
50
568
50
    OS << "The '" << *IvarDecl << "' ivar in '" << *ImplDecl
569
50
       << "' was ";
570
50
571
50
    if (PropDecl->getSetterKind() == ObjCPropertyDecl::Retain)
572
46
      OS << "retained";
573
4
    else
574
4
      OS << "copied";
575
50
576
50
    OS << " by a synthesized property but not released"
577
50
          " before '[super dealloc]'";
578
50
579
50
    std::unique_ptr<BugReport> BR(
580
50
        new BugReport(*MissingReleaseBugType, OS.str(), ErrNode));
581
50
582
50
    C.emitReport(std::move(BR));
583
50
  }
584
60
585
60
  
if (50
NewUnreleased.isEmpty()50
) {
586
46
    State = State->remove<UnreleasedIvarMap>(SelfSym);
587
46
  } else {
588
4
    State = State->set<UnreleasedIvarMap>(SelfSym, NewUnreleased);
589
4
  }
590
50
591
50
  if (ErrNode) {
592
48
    C.addTransition(State, ErrNode);
593
48
  } else 
if (2
State != InitialState2
) {
594
0
    C.addTransition(State);
595
0
  }
596
50
597
50
  // Make sure that after checking in the top-most frame the list of
598
50
  // tracked ivars is empty. This is intended to detect accidental leaks in
599
50
  // the UnreleasedIvarMap program state.
600
50
  assert(!LCtx->inTopFrame() || State->get<UnreleasedIvarMap>().isEmpty());
601
50
}
602
603
/// Given a symbol, determine whether the symbol refers to an ivar on
604
/// the top-most deallocating instance. If so, find the property for that
605
/// ivar, if one exists. Otherwise return null.
606
const ObjCPropertyImplDecl *
607
ObjCDeallocChecker::findPropertyOnDeallocatingInstance(
608
65
    SymbolRef IvarSym, CheckerContext &C) const {
609
65
  SVal DeallocedInstance;
610
65
  if (!isInInstanceDealloc(C, DeallocedInstance))
611
13
    return nullptr;
612
52
613
52
  // Try to get the region from which the ivar value was loaded.
614
52
  auto *IvarRegion = getIvarRegionForIvarSymbol(IvarSym);
615
52
  if (!IvarRegion)
616
16
    return nullptr;
617
36
618
36
  // Don't try to find the property if the ivar was not loaded from the
619
36
  // given instance.
620
36
  if (DeallocedInstance.castAs<loc::MemRegionVal>().getRegion() !=
621
36
      IvarRegion->getSuperRegion())
622
1
    return nullptr;
623
35
624
35
  const LocationContext *LCtx = C.getLocationContext();
625
35
  const ObjCIvarDecl *IvarDecl = IvarRegion->getDecl();
626
35
627
35
  const ObjCImplDecl *Container = getContainingObjCImpl(LCtx);
628
35
  const ObjCPropertyImplDecl *PropImpl =
629
35
      Container->FindPropertyImplIvarDecl(IvarDecl->getIdentifier());
630
35
  return PropImpl;
631
35
}
632
633
/// Emits a warning if the current context is -dealloc and ReleasedValue
634
/// must not be directly released in a -dealloc. Returns true if a diagnostic
635
/// was emitted.
636
bool ObjCDeallocChecker::diagnoseExtraRelease(SymbolRef ReleasedValue,
637
                                              const ObjCMethodCall &M,
638
61
                                              CheckerContext &C) const {
639
61
  // Try to get the region from which the released value was loaded.
640
61
  // Note that, unlike diagnosing for missing releases, here we don't track
641
61
  // values that must not be released in the state. This is because even if
642
61
  // these values escape, it is still an error under the rules of MRR to
643
61
  // release them in -dealloc.
644
61
  const ObjCPropertyImplDecl *PropImpl =
645
61
      findPropertyOnDeallocatingInstance(ReleasedValue, C);
646
61
647
61
  if (!PropImpl)
648
31
    return false;
649
30
650
30
  // If the ivar belongs to a property that must not be released directly
651
30
  // in dealloc, emit a warning.
652
30
  if (getDeallocReleaseRequirement(PropImpl) !=
653
30
      ReleaseRequirement::MustNotReleaseDirectly) {
654
24
    return false;
655
24
  }
656
6
657
6
  // If the property is readwrite but it shadows a read-only property in its
658
6
  // external interface, treat the property a read-only. If the outside
659
6
  // world cannot write to a property then the internal implementation is free
660
6
  // to make its own convention about whether the value is stored retained
661
6
  // or not. We look up the shadow here rather than in
662
6
  // getDeallocReleaseRequirement() because doing so can be expensive.
663
6
  const ObjCPropertyDecl *PropDecl = findShadowedPropertyDecl(PropImpl);
664
6
  if (PropDecl) {
665
1
    if (PropDecl->isReadOnly())
666
1
      return false;
667
5
  } else {
668
5
    PropDecl = PropImpl->getPropertyDecl();
669
5
  }
670
6
671
6
  ExplodedNode *ErrNode = C.generateNonFatalErrorNode();
672
5
  if (!ErrNode)
673
0
    return false;
674
5
675
5
  std::string Buf;
676
5
  llvm::raw_string_ostream OS(Buf);
677
5
678
5
  assert(PropDecl->getSetterKind() == ObjCPropertyDecl::Weak ||
679
5
         (PropDecl->getSetterKind() == ObjCPropertyDecl::Assign &&
680
5
          !PropDecl->isReadOnly()) ||
681
5
         isReleasedByCIFilterDealloc(PropImpl)
682
5
         );
683
5
684
5
  const ObjCImplDecl *Container = getContainingObjCImpl(C.getLocationContext());
685
5
  OS << "The '" << *PropImpl->getPropertyIvarDecl()
686
5
     << "' ivar in '" << *Container;
687
5
688
5
689
5
  if (isReleasedByCIFilterDealloc(PropImpl)) {
690
2
    OS << "' will be released by '-[CIFilter dealloc]' but also released here";
691
3
  } else {
692
3
    OS << "' was synthesized for ";
693
3
694
3
    if (PropDecl->getSetterKind() == ObjCPropertyDecl::Weak)
695
2
      OS << "a weak";
696
1
    else
697
1
      OS << "an assign, readwrite";
698
3
699
3
    OS <<  " property but was released in 'dealloc'";
700
3
  }
701
5
702
5
  std::unique_ptr<BugReport> BR(
703
5
      new BugReport(*ExtraReleaseBugType, OS.str(), ErrNode));
704
5
  BR->addRange(M.getOriginExpr()->getSourceRange());
705
5
706
5
  C.emitReport(std::move(BR));
707
5
708
5
  return true;
709
5
}
710
711
/// Emits a warning if the current context is -dealloc and DeallocedValue
712
/// must not be directly dealloced in a -dealloc. Returns true if a diagnostic
713
/// was emitted.
714
bool ObjCDeallocChecker::diagnoseMistakenDealloc(SymbolRef DeallocedValue,
715
                                                 const ObjCMethodCall &M,
716
5
                                                 CheckerContext &C) const {
717
5
  // TODO: Apart from unknown/undefined receivers, this may happen when
718
5
  // dealloc is called as a class method. Should we warn?
719
5
  if (!DeallocedValue)
720
1
    return false;
721
4
722
4
  // Find the property backing the instance variable that M
723
4
  // is dealloc'ing.
724
4
  const ObjCPropertyImplDecl *PropImpl =
725
4
      findPropertyOnDeallocatingInstance(DeallocedValue, C);
726
4
  if (!PropImpl)
727
2
    return false;
728
2
729
2
  if (getDeallocReleaseRequirement(PropImpl) !=
730
2
      ReleaseRequirement::MustRelease) {
731
0
    return false;
732
0
  }
733
2
734
2
  ExplodedNode *ErrNode = C.generateErrorNode();
735
2
  if (!ErrNode)
736
0
    return false;
737
2
738
2
  std::string Buf;
739
2
  llvm::raw_string_ostream OS(Buf);
740
2
741
2
  OS << "'" << *PropImpl->getPropertyIvarDecl()
742
2
     << "' should be released rather than deallocated";
743
2
744
2
  std::unique_ptr<BugReport> BR(
745
2
      new BugReport(*MistakenDeallocBugType, OS.str(), ErrNode));
746
2
  BR->addRange(M.getOriginExpr()->getSourceRange());
747
2
748
2
  C.emitReport(std::move(BR));
749
2
750
2
  return true;
751
2
}
752
753
ObjCDeallocChecker::ObjCDeallocChecker()
754
    : NSObjectII(nullptr), SenTestCaseII(nullptr), XCTestCaseII(nullptr),
755
28
      CIFilterII(nullptr) {
756
28
757
28
  MissingReleaseBugType.reset(
758
28
      new BugType(this, "Missing ivar release (leak)",
759
28
                  categories::MemoryRefCount));
760
28
761
28
  ExtraReleaseBugType.reset(
762
28
      new BugType(this, "Extra ivar release",
763
28
                  categories::MemoryRefCount));
764
28
765
28
  MistakenDeallocBugType.reset(
766
28
      new BugType(this, "Mistaken dealloc",
767
28
                  categories::MemoryRefCount));
768
28
}
769
770
void ObjCDeallocChecker::initIdentifierInfoAndSelectors(
771
691
    ASTContext &Ctx) const {
772
691
  if (NSObjectII)
773
663
    return;
774
28
775
28
  NSObjectII = &Ctx.Idents.get("NSObject");
776
28
  SenTestCaseII = &Ctx.Idents.get("SenTestCase");
777
28
  XCTestCaseII = &Ctx.Idents.get("XCTestCase");
778
28
  Block_releaseII = &Ctx.Idents.get("_Block_release");
779
28
  CIFilterII = &Ctx.Idents.get("CIFilter");
780
28
781
28
  IdentifierInfo *DeallocII = &Ctx.Idents.get("dealloc");
782
28
  IdentifierInfo *ReleaseII = &Ctx.Idents.get("release");
783
28
  DeallocSel = Ctx.Selectors.getSelector(0, &DeallocII);
784
28
  ReleaseSel = Ctx.Selectors.getSelector(0, &ReleaseII);
785
28
}
786
787
/// Returns true if M is a call to '[super dealloc]'.
788
bool ObjCDeallocChecker::isSuperDeallocMessage(
789
778
    const ObjCMethodCall &M) const {
790
778
  if (M.getOriginExpr()->getReceiverKind() != ObjCMessageExpr::SuperInstance)
791
601
    return false;
792
177
793
177
  return M.getSelector() == DeallocSel;
794
177
}
795
796
/// Returns the ObjCImplDecl containing the method declaration in LCtx.
797
const ObjCImplDecl *
798
133
ObjCDeallocChecker::getContainingObjCImpl(const LocationContext *LCtx) const {
799
133
  auto *MD = cast<ObjCMethodDecl>(LCtx->getDecl());
800
133
  return cast<ObjCImplDecl>(MD->getDeclContext());
801
133
}
802
803
/// Returns the property that shadowed by PropImpl if one exists and
804
/// nullptr otherwise.
805
const ObjCPropertyDecl *ObjCDeallocChecker::findShadowedPropertyDecl(
806
6
    const ObjCPropertyImplDecl *PropImpl) const {
807
6
  const ObjCPropertyDecl *PropDecl = PropImpl->getPropertyDecl();
808
6
809
6
  // Only readwrite properties can shadow.
810
6
  if (PropDecl->isReadOnly())
811
1
    return nullptr;
812
5
813
5
  auto *CatDecl = dyn_cast<ObjCCategoryDecl>(PropDecl->getDeclContext());
814
5
815
5
  // Only class extensions can contain shadowing properties.
816
5
  if (!CatDecl || 
!CatDecl->IsClassExtension()1
)
817
4
    return nullptr;
818
1
819
1
  IdentifierInfo *ID = PropDecl->getIdentifier();
820
1
  DeclContext::lookup_result R = CatDecl->getClassInterface()->lookup(ID);
821
1
  for (DeclContext::lookup_iterator I = R.begin(), E = R.end(); I != E; 
++I0
) {
822
1
    auto *ShadowedPropDecl = dyn_cast<ObjCPropertyDecl>(*I);
823
1
    if (!ShadowedPropDecl)
824
0
      continue;
825
1
826
1
    if (ShadowedPropDecl->isInstanceProperty()) {
827
1
      assert(ShadowedPropDecl->isReadOnly());
828
1
      return ShadowedPropDecl;
829
1
    }
830
1
  }
831
1
832
1
  
return nullptr0
;
833
1
}
834
835
/// Add a transition noting the release of the given value.
836
void ObjCDeallocChecker::transitionToReleaseValue(CheckerContext &C,
837
73
                                                  SymbolRef Value) const {
838
73
  assert(Value);
839
73
  SymbolRef InstanceSym = getInstanceSymbolFromIvarSymbol(Value);
840
73
  if (!InstanceSym)
841
16
    return;
842
57
  ProgramStateRef InitialState = C.getState();
843
57
844
57
  ProgramStateRef ReleasedState =
845
57
      removeValueRequiringRelease(InitialState, InstanceSym, Value);
846
57
847
57
  if (ReleasedState != InitialState) {
848
48
    C.addTransition(ReleasedState);
849
48
  }
850
57
}
851
852
/// Remove the Value requiring a release from the tracked set for
853
/// Instance and return the resultant state.
854
ProgramStateRef ObjCDeallocChecker::removeValueRequiringRelease(
855
151
    ProgramStateRef State, SymbolRef Instance, SymbolRef Value) const {
856
151
  assert(Instance);
857
151
  assert(Value);
858
151
  const ObjCIvarRegion *RemovedRegion = getIvarRegionForIvarSymbol(Value);
859
151
  if (!RemovedRegion)
860
0
    return State;
861
151
862
151
  const SymbolSet *Unreleased = State->get<UnreleasedIvarMap>(Instance);
863
151
  if (!Unreleased)
864
11
    return State;
865
140
866
140
  // Mark the value as no longer requiring a release.
867
140
  SymbolSet::Factory &F = State->getStateManager().get_context<SymbolSet>();
868
140
  SymbolSet NewUnreleased = *Unreleased;
869
388
  for (auto &Sym : *Unreleased) {
870
388
    const ObjCIvarRegion *UnreleasedRegion = getIvarRegionForIvarSymbol(Sym);
871
388
    assert(UnreleasedRegion);
872
388
    if (RemovedRegion->getDecl() == UnreleasedRegion->getDecl()) {
873
90
      NewUnreleased = F.remove(NewUnreleased, Sym);
874
90
    }
875
388
  }
876
140
877
140
  if (NewUnreleased.isEmpty()) {
878
24
    return State->remove<UnreleasedIvarMap>(Instance);
879
24
  }
880
116
881
116
  return State->set<UnreleasedIvarMap>(Instance, NewUnreleased);
882
116
}
883
884
/// Determines whether the instance variable for \p PropImpl must or must not be
885
/// released in -dealloc or whether it cannot be determined.
886
ReleaseRequirement ObjCDeallocChecker::getDeallocReleaseRequirement(
887
274
    const ObjCPropertyImplDecl *PropImpl) const {
888
274
  const ObjCIvarDecl *IvarDecl;
889
274
  const ObjCPropertyDecl *PropDecl;
890
274
  if (!isSynthesizedRetainableProperty(PropImpl, &IvarDecl, &PropDecl))
891
19
    return ReleaseRequirement::Unknown;
892
255
893
255
  ObjCPropertyDecl::SetterKind SK = PropDecl->getSetterKind();
894
255
895
255
  switch (SK) {
896
255
  // Retain and copy setters retain/copy their values before storing and so
897
255
  // the value in their instance variables must be released in -dealloc.
898
255
  case ObjCPropertyDecl::Retain:
899
229
  case ObjCPropertyDecl::Copy:
900
229
    if (isReleasedByCIFilterDealloc(PropImpl))
901
28
      return ReleaseRequirement::MustNotReleaseDirectly;
902
201
903
201
    if (isNibLoadedIvarWithoutRetain(PropImpl))
904
2
      return ReleaseRequirement::Unknown;
905
199
906
199
    return ReleaseRequirement::MustRelease;
907
199
908
199
  case ObjCPropertyDecl::Weak:
909
10
    return ReleaseRequirement::MustNotReleaseDirectly;
910
199
911
199
  case ObjCPropertyDecl::Assign:
912
16
    // It is common for the ivars for read-only assign properties to
913
16
    // always be stored retained, so their release requirement cannot be
914
16
    // be determined.
915
16
    if (PropDecl->isReadOnly())
916
3
      return ReleaseRequirement::Unknown;
917
13
918
13
    return ReleaseRequirement::MustNotReleaseDirectly;
919
0
  }
920
0
  llvm_unreachable("Unrecognized setter kind");
921
0
}
922
923
/// Returns the released value if M is a call a setter that releases
924
/// and nils out its underlying instance variable.
925
SymbolRef
926
ObjCDeallocChecker::getValueReleasedByNillingOut(const ObjCMethodCall &M,
927
177
                                                 CheckerContext &C) const {
928
177
  SVal ReceiverVal = M.getReceiverSVal();
929
177
  if (!ReceiverVal.isValid())
930
20
    return nullptr;
931
157
932
157
  if (M.getNumArgs() == 0)
933
117
    return nullptr;
934
40
935
40
  if (!M.getArgExpr(0)->getType()->isObjCRetainableType())
936
4
    return nullptr;
937
36
938
36
  // Is the first argument nil?
939
36
  SVal Arg = M.getArgSVal(0);
940
36
  ProgramStateRef notNilState, nilState;
941
36
  std::tie(notNilState, nilState) =
942
36
      M.getState()->assume(Arg.castAs<DefinedOrUnknownSVal>());
943
36
  if (!(nilState && 
!notNilState19
))
944
18
    return nullptr;
945
18
946
18
  const ObjCPropertyDecl *Prop = M.getAccessedProperty();
947
18
  if (!Prop)
948
1
    return nullptr;
949
17
950
17
  ObjCIvarDecl *PropIvarDecl = Prop->getPropertyIvarDecl();
951
17
  if (!PropIvarDecl)
952
2
    return nullptr;
953
15
954
15
  ProgramStateRef State = C.getState();
955
15
956
15
  SVal LVal = State->getLValue(PropIvarDecl, ReceiverVal);
957
15
  Optional<Loc> LValLoc = LVal.getAs<Loc>();
958
15
  if (!LValLoc)
959
0
    return nullptr;
960
15
961
15
  SVal CurrentValInIvar = State->getSVal(LValLoc.getValue());
962
15
  return CurrentValInIvar.getAsSymbol();
963
15
}
964
965
/// Returns true if the current context is a call to -dealloc and false
966
/// otherwise. If true, it also sets SelfValOut to the value of
967
/// 'self'.
968
bool ObjCDeallocChecker::isInInstanceDealloc(const CheckerContext &C,
969
1.51k
                                             SVal &SelfValOut) const {
970
1.51k
  return isInInstanceDealloc(C, C.getLocationContext(), SelfValOut);
971
1.51k
}
972
973
/// Returns true if LCtx is a call to -dealloc and false
974
/// otherwise. If true, it also sets SelfValOut to the value of
975
/// 'self'.
976
bool ObjCDeallocChecker::isInInstanceDealloc(const CheckerContext &C,
977
                                             const LocationContext *LCtx,
978
2.12k
                                             SVal &SelfValOut) const {
979
2.12k
  auto *MD = dyn_cast<ObjCMethodDecl>(LCtx->getDecl());
980
2.12k
  if (!MD || 
!MD->isInstanceMethod()1.53k
||
MD->getSelector() != DeallocSel1.48k
)
981
1.55k
    return false;
982
575
983
575
  const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
984
575
  assert(SelfDecl && "No self in -dealloc?");
985
575
986
575
  ProgramStateRef State = C.getState();
987
575
  SelfValOut = State->getSVal(State->getRegion(SelfDecl, LCtx));
988
575
  return true;
989
575
}
990
991
/// Returns true if there is a call to -dealloc anywhere on the stack and false
992
/// otherwise. If true, it also sets InstanceValOut to the value of
993
/// 'self' in the frame for -dealloc.
994
bool ObjCDeallocChecker::instanceDeallocIsOnStack(const CheckerContext &C,
995
582
                                                  SVal &InstanceValOut) const {
996
582
  const LocationContext *LCtx = C.getLocationContext();
997
582
998
952
  while (LCtx) {
999
610
    if (isInInstanceDealloc(C, LCtx, InstanceValOut))
1000
240
      return true;
1001
370
1002
370
    LCtx = LCtx->getParent();
1003
370
  }
1004
582
1005
582
  
return false342
;
1006
582
}
1007
1008
/// Returns true if the ID is a class in which which is known to have
1009
/// a separate teardown lifecycle. In this case, -dealloc warnings
1010
/// about missing releases should be suppressed.
1011
bool ObjCDeallocChecker::classHasSeparateTeardown(
1012
186
    const ObjCInterfaceDecl *ID) const {
1013
186
  // Suppress if the class is not a subclass of NSObject.
1014
394
  for ( ; ID ; 
ID = ID->getSuperClass()208
) {
1015
375
    IdentifierInfo *II = ID->getIdentifier();
1016
375
1017
375
    if (II == NSObjectII)
1018
154
      return false;
1019
221
1020
221
    // FIXME: For now, ignore classes that subclass SenTestCase and XCTestCase,
1021
221
    // as these don't need to implement -dealloc.  They implement tear down in
1022
221
    // another way, which we should try and catch later.
1023
221
    //  http://llvm.org/bugs/show_bug.cgi?id=3187
1024
221
    if (II == XCTestCaseII || 
II == SenTestCaseII215
)
1025
13
      return true;
1026
221
  }
1027
186
1028
186
  
return true19
;
1029
186
}
1030
1031
/// The -dealloc method in CIFilter highly unusual in that is will release
1032
/// instance variables belonging to its *subclasses* if the variable name
1033
/// starts with "input" or backs a property whose name starts with "input".
1034
/// Subclasses should not release these ivars in their own -dealloc method --
1035
/// doing so could result in an over release.
1036
///
1037
/// This method returns true if the property will be released by
1038
/// -[CIFilter dealloc].
1039
bool ObjCDeallocChecker::isReleasedByCIFilterDealloc(
1040
234
    const ObjCPropertyImplDecl *PropImpl) const {
1041
234
  assert(PropImpl->getPropertyIvarDecl());
1042
234
  StringRef PropName = PropImpl->getPropertyDecl()->getName();
1043
234
  StringRef IvarName = PropImpl->getPropertyIvarDecl()->getName();
1044
234
1045
234
  const char *ReleasePrefix = "input";
1046
234
  if (!(PropName.startswith(ReleasePrefix) ||
1047
234
        
IvarName.startswith(ReleasePrefix)208
)) {
1048
204
    return false;
1049
204
  }
1050
30
1051
30
  const ObjCInterfaceDecl *ID =
1052
30
      PropImpl->getPropertyIvarDecl()->getContainingInterface();
1053
60
  for ( ; ID ; 
ID = ID->getSuperClass()30
) {
1054
60
    IdentifierInfo *II = ID->getIdentifier();
1055
60
    if (II == CIFilterII)
1056
30
      return true;
1057
60
  }
1058
30
1059
30
  
return false0
;
1060
30
}
1061
1062
/// Returns whether the ivar backing the property is an IBOutlet that
1063
/// has its value set by nib loading code without retaining the value.
1064
///
1065
/// On macOS, if there is no setter, the nib-loading code sets the ivar
1066
/// directly, without retaining the value,
1067
///
1068
/// On iOS and its derivatives, the nib-loading code will call
1069
/// -setValue:forKey:, which retains the value before directly setting the ivar.
1070
bool ObjCDeallocChecker::isNibLoadedIvarWithoutRetain(
1071
201
    const ObjCPropertyImplDecl *PropImpl) const {
1072
201
  const ObjCIvarDecl *IvarDecl = PropImpl->getPropertyIvarDecl();
1073
201
  if (!IvarDecl->hasAttr<IBOutletAttr>())
1074
193
    return false;
1075
8
1076
8
  const llvm::Triple &Target =
1077
8
      IvarDecl->getASTContext().getTargetInfo().getTriple();
1078
8
1079
8
  if (!Target.isMacOSX())
1080
4
    return false;
1081
4
1082
4
  if (PropImpl->getPropertyDecl()->getSetterMethodDecl())
1083
2
    return false;
1084
2
1085
2
  return true;
1086
2
}
1087
1088
28
void ento::registerObjCDeallocChecker(CheckerManager &Mgr) {
1089
28
  Mgr.registerChecker<ObjCDeallocChecker>();
1090
28
}
1091
1092
31
bool ento::shouldRegisterObjCDeallocChecker(const LangOptions &LO) {
1093
31
  // These checker only makes sense under MRR.
1094
31
  return LO.getGC() != LangOptions::GCOnly && !LO.ObjCAutoRefCount;
1095
31
}