1// MacOSXAPIChecker.h - Checks proper use of various MacOS X APIs --*- C++ -*-//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines MacOSXAPIChecker, which is an assortment of checks on calls
10// to various, widely used Apple APIs.
11//
12// FIXME: What's currently in BasicObjCFoundationChecks.cpp should be migrated
13// to here, using the new Checker interface.
14//
15//===----------------------------------------------------------------------===//
16
17#include "clang/AST/Attr.h"
18#include "clang/Basic/TargetInfo.h"
19#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21#include "clang/StaticAnalyzer/Core/Checker.h"
22#include "clang/StaticAnalyzer/Core/CheckerManager.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
25#include "llvm/ADT/SmallString.h"
26#include "llvm/ADT/StringSwitch.h"
27#include "llvm/Support/raw_ostream.h"
28
29using namespace clang;
30using namespace ento;
31
32namespace {
33class MacOSXAPIChecker : public Checker< check::PreStmt<CallExpr> > {
34  mutable std::unique_ptr<BugType> BT_dispatchOnce;
35
36  static const ObjCIvarRegion *getParentIvarRegion(const MemRegion *R);
37
38public:
39  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
40
41  void CheckDispatchOnce(CheckerContext &C, const CallExpr *CE,
42                         StringRef FName) const;
43
44  typedef void (MacOSXAPIChecker::*SubChecker)(CheckerContext &,
45                                               const CallExpr *,
46                                               StringRef FName) const;
47};
48} //end anonymous namespace
49
50//===----------------------------------------------------------------------===//
51// dispatch_once and dispatch_once_f
52//===----------------------------------------------------------------------===//
53
54const ObjCIvarRegion *
55MacOSXAPIChecker::getParentIvarRegion(const MemRegion *R) {
56  const SubRegion *SR = dyn_cast<SubRegion>(R);
57  while (SR) {
58    if (const ObjCIvarRegion *IR = dyn_cast<ObjCIvarRegion>(SR))
59      return IR;
60    SR = dyn_cast<SubRegion>(SR->getSuperRegion());
61  }
62  return nullptr;
63}
64
65void MacOSXAPIChecker::CheckDispatchOnce(CheckerContext &C, const CallExpr *CE,
66                                         StringRef FName) const {
67  if (CE->getNumArgs() < 1)
68    return;
69
70  // Check if the first argument is improperly allocated.  If so, issue a
71  // warning because that's likely to be bad news.
72  const MemRegion *R = C.getSVal(CE->getArg(0)).getAsRegion();
73  if (!R)
74    return;
75
76  // Global variables are fine.
77  const MemRegion *RB = R->getBaseRegion();
78  const MemSpaceRegion *RS = RB->getMemorySpace();
79  if (isa<GlobalsSpaceRegion>(RS))
80    return;
81
82  // Handle _dispatch_once.  In some versions of the OS X SDK we have the case
83  // that dispatch_once is a macro that wraps a call to _dispatch_once.
84  // _dispatch_once is then a function which then calls the real dispatch_once.
85  // Users do not care; they just want the warning at the top-level call.
86  if (CE->getBeginLoc().isMacroID()) {
87    StringRef TrimmedFName = FName.ltrim('_');
88    if (TrimmedFName != FName)
89      FName = TrimmedFName;
90  }
91
92  SmallString<256> S;
93  llvm::raw_svector_ostream os(S);
94  bool SuggestStatic = false;
95  os << "Call to '" << FName << "' uses";
96  if (const VarRegion *VR = dyn_cast<VarRegion>(RB)) {
97    const VarDecl *VD = VR->getDecl();
98    // FIXME: These should have correct memory space and thus should be filtered
99    // out earlier. This branch only fires when we're looking from a block,
100    // which we analyze as a top-level declaration, onto a static local
101    // in a function that contains the block.
102    if (VD->isStaticLocal())
103      return;
104    // We filtered out globals earlier, so it must be a local variable
105    // or a block variable which is under UnknownSpaceRegion.
106    if (VR != R)
107      os << " memory within";
108    if (VD->hasAttr<BlocksAttr>())
109      os << " the block variable '";
110    else
111      os << " the local variable '";
112    os << VR->getDecl()->getName() << '\'';
113    SuggestStatic = true;
114  } else if (const ObjCIvarRegion *IVR = getParentIvarRegion(R)) {
115    if (IVR != R)
116      os << " memory within";
117    os << " the instance variable '" << IVR->getDecl()->getName() << '\'';
118  } else if (isa<HeapSpaceRegion>(RS)) {
119    os << " heap-allocated memory";
120  } else if (isa<UnknownSpaceRegion>(RS)) {
121    // Presence of an IVar superregion has priority over this branch, because
122    // ObjC objects are on the heap even if the core doesn't realize this.
123    // Presence of a block variable base region has priority over this branch,
124    // because block variables are known to be either on stack or on heap
125    // (might actually move between the two, hence UnknownSpace).
126    return;
127  } else {
128    os << " stack allocated memory";
129  }
130  os << " for the predicate value.  Using such transient memory for "
131        "the predicate is potentially dangerous.";
132  if (SuggestStatic)
133    os << "  Perhaps you intended to declare the variable as 'static'?";
134
135  ExplodedNode *N = C.generateErrorNode();
136  if (!N)
137    return;
138
139  if (!BT_dispatchOnce)
140    BT_dispatchOnce.reset(new BugType(this, "Improper use of 'dispatch_once'",
141                                      "API Misuse (Apple)"));
142
143  auto report =
144      std::make_unique<PathSensitiveBugReport>(*BT_dispatchOnce, os.str(), N);
145  report->addRange(CE->getArg(0)->getSourceRange());
146  C.emitReport(std::move(report));
147}
148
149//===----------------------------------------------------------------------===//
150// Central dispatch function.
151//===----------------------------------------------------------------------===//
152
153void MacOSXAPIChecker::checkPreStmt(const CallExpr *CE,
154                                    CheckerContext &C) const {
155  StringRef Name = C.getCalleeName(CE);
156  if (Name.empty())
157    return;
158
159  SubChecker SC =
160    llvm::StringSwitch<SubChecker>(Name)
161      .Cases("dispatch_once",
162             "_dispatch_once",
163             "dispatch_once_f",
164             &MacOSXAPIChecker::CheckDispatchOnce)
165      .Default(nullptr);
166
167  if (SC)
168    (this->*SC)(C, CE, Name);
169}
170
171//===----------------------------------------------------------------------===//
172// Registration.
173//===----------------------------------------------------------------------===//
174
175void ento::registerMacOSXAPIChecker(CheckerManager &mgr) {
176  mgr.registerChecker<MacOSXAPIChecker>();
177}
178
179bool ento::shouldRegisterMacOSXAPIChecker(const CheckerManager &mgr) {
180  return true;
181}
182