1// RUN: %clang_cc1 -analyze -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-store=region -analyzer-max-loop 6 -verify %s 2 3//===----------------------------------------------------------------------===// 4// The following code is reduced using delta-debugging from 5// Foundation.h (Mac OS X). 6// 7// It includes the basic definitions for the test cases below. 8// Not including Foundation.h directly makes this test case both svelte and 9// portable to non-Mac platforms. 10//===----------------------------------------------------------------------===// 11 12typedef unsigned int __darwin_natural_t; 13typedef unsigned long UInt32; 14typedef signed long CFIndex; 15typedef const void * CFTypeRef; 16typedef const struct __CFString * CFStringRef; 17typedef const struct __CFAllocator * CFAllocatorRef; 18extern const CFAllocatorRef kCFAllocatorDefault; 19extern CFTypeRef CFRetain(CFTypeRef cf); 20extern void CFRelease(CFTypeRef cf); 21typedef struct { 22} 23CFArrayCallBacks; 24extern const CFArrayCallBacks kCFTypeArrayCallBacks; 25typedef const struct __CFArray * CFArrayRef; 26typedef struct __CFArray * CFMutableArrayRef; 27extern CFMutableArrayRef CFArrayCreateMutable(CFAllocatorRef allocator, CFIndex capacity, const CFArrayCallBacks *callBacks); 28extern const void *CFArrayGetValueAtIndex(CFArrayRef theArray, CFIndex idx); 29typedef const struct __CFDictionary * CFDictionaryRef; 30typedef UInt32 CFStringEncoding; 31enum { 32kCFStringEncodingMacRoman = 0, kCFStringEncodingWindowsLatin1 = 0x0500, kCFStringEncodingISOLatin1 = 0x0201, kCFStringEncodingNextStepLatin = 0x0B01, kCFStringEncodingASCII = 0x0600, kCFStringEncodingUnicode = 0x0100, kCFStringEncodingUTF8 = 0x08000100, kCFStringEncodingNonLossyASCII = 0x0BFF , kCFStringEncodingUTF16 = 0x0100, kCFStringEncodingUTF16BE = 0x10000100, kCFStringEncodingUTF16LE = 0x14000100, kCFStringEncodingUTF32 = 0x0c000100, kCFStringEncodingUTF32BE = 0x18000100, kCFStringEncodingUTF32LE = 0x1c000100 }; 33extern CFStringRef CFStringCreateWithCString(CFAllocatorRef alloc, const char *cStr, CFStringEncoding encoding); 34typedef double CFTimeInterval; 35typedef CFTimeInterval CFAbsoluteTime; 36typedef const struct __CFDate * CFDateRef; 37extern CFDateRef CFDateCreate(CFAllocatorRef allocator, CFAbsoluteTime at); 38extern CFAbsoluteTime CFDateGetAbsoluteTime(CFDateRef theDate); 39typedef __darwin_natural_t natural_t; 40typedef natural_t mach_port_name_t; 41typedef mach_port_name_t mach_port_t; 42typedef signed char BOOL; 43typedef struct _NSZone NSZone; 44@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator; 45@protocol NSObject 46- (BOOL)isEqual:(id)object; 47- (id)retain; 48- (oneway void)release; 49@end @protocol NSCopying - (id)copyWithZone:(NSZone *)zone; 50@end @protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; 51@end 52@interface NSObject <NSObject> {} 53- (id)init; 54+ (id)allocWithZone:(NSZone *)zone; 55+ (id)alloc; 56- (void)dealloc; 57@end 58typedef float CGFloat; 59typedef double NSTimeInterval; 60@interface NSDate : NSObject <NSCopying, NSCoding> - (NSTimeInterval)timeIntervalSinceReferenceDate; 61@end enum { 62NSObjCNoType = 0, NSObjCVoidType = 'v', NSObjCCharType = 'c', NSObjCShortType = 's', NSObjCLongType = 'l', NSObjCLonglongType = 'q', NSObjCFloatType = 'f', NSObjCDoubleType = 'd', NSObjCBoolType = 'B', NSObjCSelectorType = ':', NSObjCObjectType = '@', NSObjCStructType = '{', NSObjCPointerType = '^', NSObjCStringType = '*', NSObjCArrayType = '[', NSObjCUnionType = '(', NSObjCBitfield = 'b' } 63__attribute__((deprecated)); 64typedef int kern_return_t; 65typedef kern_return_t mach_error_t; 66typedef mach_port_t io_object_t; 67typedef io_object_t io_service_t; 68typedef struct __DASession * DASessionRef; 69extern DASessionRef DASessionCreate( CFAllocatorRef allocator ); 70typedef struct __DADisk * DADiskRef; 71extern DADiskRef DADiskCreateFromBSDName( CFAllocatorRef allocator, DASessionRef session, const char * name ); 72extern DADiskRef DADiskCreateFromIOMedia( CFAllocatorRef allocator, DASessionRef session, io_service_t media ); 73extern CFDictionaryRef DADiskCopyDescription( DADiskRef disk ); 74extern DADiskRef DADiskCopyWholeDisk( DADiskRef disk ); 75@interface NSAppleEventManager : NSObject { 76} 77@end enum { 78kDAReturnSuccess = 0, kDAReturnError = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x01, kDAReturnBusy = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x02, kDAReturnBadArgument = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x03, kDAReturnExclusiveAccess = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x04, kDAReturnNoResources = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x05, kDAReturnNotFound = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x06, kDAReturnNotMounted = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x07, kDAReturnNotPermitted = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x08, kDAReturnNotPrivileged = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x09, kDAReturnNotReady = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0A, kDAReturnNotWritable = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0B, kDAReturnUnsupported = (((0x3eU)&0x3f)<<26) | (((0x368)&0xfff)<<14) | 0x0C }; 79typedef mach_error_t DAReturn; 80typedef const struct __DADissenter * DADissenterRef; 81extern DADissenterRef DADissenterCreate( CFAllocatorRef allocator, DAReturn status, CFStringRef string ); 82@interface NSNumber : NSObject 83- (id)initWithInt:(int)value; 84@end 85typedef unsigned long NSUInteger; 86@interface NSArray : NSObject 87-(id) initWithObjects:(const id *)objects count:(NSUInteger) cnt; 88@end 89 90//===----------------------------------------------------------------------===// 91// Test cases. 92//===----------------------------------------------------------------------===// 93 94// Test to see if we *issue* an error when we store the pointer 95// to a struct. This differs from basic store. 96 97CFAbsoluteTime CFAbsoluteTimeGetCurrent(void); 98 99struct foo { 100 NSDate* f; 101}; 102 103// FIXME: We should be warning about a use-after-free here, but we 104// temporarily "escape" retain counted objects stored to structs very eagerly 105// until we can properly tell whether they have escaped via a return value 106// or not. 107CFAbsoluteTime f4() { 108 struct foo x; 109 110 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 111 CFDateRef date = CFDateCreate(0, t); 112 [((NSDate*) date) retain]; 113 CFRelease(date); 114 CFDateGetAbsoluteTime(date); // no-warning 115 x.f = (NSDate*) date; 116 [((NSDate*) date) release]; 117 // FIXME: the following line should warn. 118 t = CFDateGetAbsoluteTime(date); // no-warning 119 return t; 120} 121 122// Test that assigning to an self.ivar loses track of an object. 123// This is a temporary hack to reduce false positives. 124@interface Test3 : NSObject { 125 id myObj; 126} 127- (void)test_self_assign_ivar; 128@end 129 130@implementation Test3 131- (void)test_self_assign_ivar { 132 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 133 CFDateRef date = CFDateCreate(0, t); // no-warning 134 myObj = (id) date; 135} 136@end 137 138//===------------------------------------------------------------------------------------------===// 139// <rdar://problem/7257223> (also <rdar://problem/7283470>) - False positive due to not invalidating 140// the reference count of a tracked region that was itself invalidated. 141//===------------------------------------------------------------------------------------------===// 142 143typedef struct __rdar_7257223 { CFDateRef x; } RDar7257223; 144void rdar_7257223_aux(RDar7257223 *p); 145 146CFDateRef rdar7257223_Create(void) { 147 RDar7257223 s; 148 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 149 s.x = CFDateCreate(0, t); // no-warning 150 rdar_7257223_aux(&s); 151 return s.x; 152} 153 154CFDateRef rdar7257223_Create_2(void) { 155 RDar7257223 s; 156 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 157 s.x = CFDateCreate(0, t); // no-warning 158 return s.x; 159} 160 161void rdar7283470(void) { 162 NSNumber *numbers[] = { 163 [[NSNumber alloc] initWithInt:1], // no-warning 164 [[NSNumber alloc] initWithInt:2], // no-warning 165 [[NSNumber alloc] initWithInt:3], // no-warning 166 [[NSNumber alloc] initWithInt:4], // no-warning 167 [[NSNumber alloc] initWithInt:5] // no-warning 168 }; 169 170 for (unsigned i = 0 ; i < sizeof(numbers) / sizeof(numbers[0]) ; ++i) 171 [numbers[i] release]; 172} 173 174void rdar7283470_positive(void) { 175 NSNumber *numbers[] = { 176 [[NSNumber alloc] initWithInt:1], // expected-warning{{leak}} 177 [[NSNumber alloc] initWithInt:2], // expected-warning{{leak}} 178 [[NSNumber alloc] initWithInt:3], // expected-warning{{leak}} 179 [[NSNumber alloc] initWithInt:4], // expected-warning{{leak}} 180 [[NSNumber alloc] initWithInt:5] // expected-warning{{leak}} 181 }; 182} 183 184void rdar7283470_2(void) { 185 NSNumber *numbers[] = { 186 [[NSNumber alloc] initWithInt:1], // no-warning 187 [[NSNumber alloc] initWithInt:2], // no-warning 188 [[NSNumber alloc] initWithInt:3], // no-warning 189 [[NSNumber alloc] initWithInt:4], // no-warning 190 [[NSNumber alloc] initWithInt:5] // no-warning 191 }; 192 193 NSArray *s_numbers =[[NSArray alloc] initWithObjects:&numbers[0] count:sizeof(numbers) / sizeof(numbers[0])]; 194 195 for (unsigned i = 0 ; i < sizeof(numbers) / sizeof(numbers[0]) ; ++i) 196 [numbers[i] release]; 197 198 [s_numbers release]; 199} 200 201void rdar7283470_2_positive(void) { 202 NSNumber *numbers[] = { 203 [[NSNumber alloc] initWithInt:1], // no-warning 204 [[NSNumber alloc] initWithInt:2], // no-warning 205 [[NSNumber alloc] initWithInt:3], // no-warning 206 [[NSNumber alloc] initWithInt:4], // no-warning 207 [[NSNumber alloc] initWithInt:5] // no-warning 208 }; 209 210 NSArray *s_numbers =[[NSArray alloc] initWithObjects: &numbers[0] count:sizeof(numbers) / sizeof(numbers[0])]; // expected-warning{{leak}} 211 212 for (unsigned i = 0 ; i < sizeof(numbers) / sizeof(numbers[0]) ; ++i) 213 [numbers[i] release]; 214} 215 216void pr6699(int x) { 217 CFDateRef values[2]; 218 values[0] = values[1] = 0; 219 220 if (x) { 221 CFAbsoluteTime t = CFAbsoluteTimeGetCurrent(); 222 values[1] = CFDateCreate(0, t); 223 } 224 225 if (values[1]) { 226 // A bug in RegionStore::RemoveDeadBindings caused 'values[1]' to get prematurely 227 // pruned from the store. 228 CFRelease(values[1]); // no-warning 229 } 230} 231 232// <rdar://problem/8261992> Idempotent operation checker false positive with ObjC ivars 233@interface R8261992 : NSObject { 234 @package int myIvar; 235} 236@end 237 238static void R8261992_ChangeMyIvar(R8261992 *tc) { 239 tc->myIvar = 5; 240} 241 242void R8261992_test(R8261992 *tc) { 243 int temp = tc->myIvar; 244 // The ivar binding for tc->myIvar gets invalidated. 245 R8261992_ChangeMyIvar(tc); 246 tc->myIvar = temp; // no-warning 247 tc = [[R8261992 alloc] init]; 248 temp = tc->myIvar; // no-warning 249 // The ivar binding for tc->myIvar gets invalidated. 250 R8261992_ChangeMyIvar(tc); 251 tc->myIvar = temp; 252 [tc release]; // no-warning 253 // did we analyze this? 254 int *p = 0x0; 255 *p = 0xDEADBEEF; // expected-warning{{null}} 256} 257 258