4661 Commits

Author SHA1 Message Date
Ryosuke Niwa
517605c20e
[alpha.webkit.UnretainedCallArgsChecker] Add the support for RetainPtrArc (#135532)
WebKit uses #define to rename RetainPtr to RetainPtrArc so add the
support for it.
2025-04-15 20:00:51 -07:00
Connector Switch
cc354d6a6d
[NFC] Fix destroy typo. (#135640) 2025-04-15 08:20:44 +08:00
Ryosuke Niwa
2206e15e78
[alpha.webkit.UnretainedCallArgsChecker] Don't emit a warning for RetainPtr::operator= (#135526)
Generalize the check for operator= so that it works for RetainPtr and
CheckedPtr instead of just RefPtr.
2025-04-14 15:03:21 -07:00
Ryosuke Niwa
6136019780
[alpha.webkit.ForwardDeclChecker] Recognize a forward declared template specialization (#134545)
This PR fixes a bug where, when a template specialization is declared with
a forward declaration of a template, the checker fails to find its
definition in the same translation unit and erroneously emits an unsafe
forward declaration warning.
2025-04-10 15:28:36 -07:00
Ryosuke Niwa
c26d097d0c
[alpha.webkit.RetainPtrCtorAdoptChecker] Support adopt(cast(copy(~)) (#132316)
This PR adds the support for recognizing calling adoptCF/adoptNS on the
result of a cast operation on the return value of a function which
creates NS or CF types. It also fixes a bug that we weren't reporting
memory leaks when CF types are created without ever calling RetainPtr's
constructor, adoptCF, or adoptNS.

To do this, this PR adds a new mechanism to report a memory leak
whenever create or copy CF functions are invoked unless this CallExpr
has already been visited while validating a call to adoptCF. Also added
an early exit when isOwned returns IsOwnedResult::Skip due to an
unresolved template argument.
2025-04-10 15:26:10 -07:00
Ryosuke Niwa
2c31403f4f
[alpha.webkit.UnretainedLambdaCapturesChecker] Add the support for protectedSelf (#132518)
This PR adds the support for treating capturing of "self" as safe if the
lambda simultaneously captures "protectedSelf", which is a RetainPtr of
"self".

This PR also fixes a bug that the checker wasn't generating a warning
when "self" is implicitly captured. Note when "self" is implicitly
captured, we use the lambda's getBeginLoc as a fallback source location.
2025-04-09 11:52:36 -07:00
Ryosuke Niwa
c8d49e9dd2
[alpha.webkit.RetainPtrCtorAdoptChecker] Recognize mutableCopy from literal as +1 (#132350)
This PR adds the support for recognizing the return value of copy /
mutableCopy as +1. isAllocInit and isOwned now traverse
PseudoObjectExpr to its last semantic expression.
2025-04-09 10:33:08 -07:00
Balázs Kéri
31ef7acf12
[clang][analyzer] Fix a possible crash in CastSizeChecker (#134387) 2025-04-07 09:46:03 +02:00
Ryosuke Niwa
d8fd665960
[alpha.webkit.ForwardDeclChecker] Ignore forward declared struct. (#133804)
There are some system libraries such as sqlite3 which forward declare a
struct then use a pointer to that forward declared type in various APIs.
Ignore these types in ForwardDeclChecker like other pointer types.
2025-04-04 12:04:20 -07:00
Ryosuke Niwa
bf1d27889b
[WebKit checkers] Treat Objective-C message send return value as safe (#133605)
Objective-C selectors are supposed to return autoreleased objects. Treat
these return values as safe.
2025-04-04 11:25:24 -07:00
Nikolas Klauser
04676c6160
Revert "Enable unnecessary-virtual-specifier by default" (#134105)
Reverts llvm/llvm-project#133265

This causes the whole libc++ CI to fail, since we're not building
against a compiler built from current trunk. Specifically, the CMake
changes cause some feature detection to fail, resulting in CMake
being unable to configure libc++.
2025-04-02 17:59:08 +02:00
Ryosuke Niwa
6ff33edcdc
[alpha.webkit.NoUnretainedMemberChecker] Ignore system-header-defined ivar / property of a forward declared type (#133755)
Prior to this PR, we were emitting warnings for Objective-C ivars and
properties if the forward declaration of the type appeared first in a
non-system header. This PR fixes the checker so that we'd ignore ivars
and properties defined for a forward declared type.
2025-03-31 14:59:41 -07:00
Devon Loehr
4007de00a0
Enable unnecessary-virtual-specifier by default (#133265)
This turns on the unnecessary-virtual-specifier warning in general, but
disables it when building LLVM. It also tweaks the warning description
to be slightly more accurate.

Background: I've been working on cleaning up this warning in two
codebases: LLVM and chromium (plus its dependencies). The chromium
cleanup has been straightforward. Git archaeology shows that there are
two reasons for the warnings: classes to which `final` was added after
they were initially committed, and classes with virtual destructors that
nobody remarks on. Presumably the latter case is because people are just
very used to destructors being virtual.

The LLVM cleanup was more surprising: I discovered that we have an [old
policy](https://llvm.org/docs/CodingStandards.html#provide-a-virtual-method-anchor-for-classes-in-headers)
about including out-of-line virtual functions in every class with a
vtable, even `final` ones. This means our codebase has many virtual
"anchor" functions which do nothing except control where the vtable is
emitted, and which trigger the warning. I looked into alternatives to
satisfy the policy, such as using destructors instead of introducing a
new function, but it wasn't clear if they had larger implications.

Overall, it seems like the warning is genuinely useful in most codebases
(evidenced by chromium and its dependencies), and LLVM is an unusual
case. Therefore we should enable the warning by default, and turn it off
only for LLVM builds.
2025-03-31 16:28:53 +02:00
T-Gruber
d63cc4c876
[analyzer] Unknown array lvalue element in Store (#133381)
Remove the early return for BaseRegions of type ElementRegion. Return
meaningful MemRegionVal for these cases as well.
Previous discussion:
https://discourse.llvm.org/t/lvalueelement-returns-unknownval-for-multi-dimensional-arrays/85476
2025-03-31 08:44:28 +02:00
Ryosuke Niwa
304b3c5000
[alpha.webkit.RawPtrRefMemberChecker] The checker doesn't warn Objective-C types in ivars. (#132833)
This PR fixes the bug that we weren't generating warnings when a raw
pointer is used to point to a NS type in Objective-C ivars. Also fix the
bug that we weren't suppressing this warning in system headers.
2025-03-28 17:34:51 -07:00
Balázs Benics
319045d8c4
[analyzer] Add metrics tracking time spent in Z3 solver (#133236)
These metrics would turn out to be useful for verifying an upgrade of Z3.
2025-03-28 11:26:28 +01:00
Donát Nagy
50d4ae4a62
[analyzer] Fix format attribute handling in GenericTaintChecker (#132765)
Previously `optin.taint.GenericTaint` misinterpreted the parameter
indices and produced false positives in situations when a [format
attribute](https://clang.llvm.org/docs/AttributeReference.html#format)
is applied on a non-static method. This commit fixes this bug.
2025-03-28 10:20:26 +01:00
Ryosuke Niwa
a285be320a
[WebKit Checkers] Recognize Objective-C and CF pointer conversion functions. (#132784)
Recognize dynamic_objc_cast, checked_objc_cast, dynamic_cf_cast, and
checked_cf_cast.
2025-03-27 15:47:38 -07:00
Ryosuke Niwa
2b43ecd27b
[webkit.RefCntblBaseVirtualDtor] Add support for NoVirtualDestructorBase. (#132497)
This PR adds the support for WTF::NoVirtualDestructorBase, which
signifies to the checker that the class is exempt from having a virtual
destructor.
2025-03-26 16:57:49 -07:00
Abhinav Kumar
99e8321953
[clang][analyzer] Ignore unnamed bitfields in UninitializedObjectChecker (#132427)
Fixes #132001

Co-authored-by: YLChenZ <chentongyongcz@gmail.com>
2025-03-26 16:07:51 +01:00
flovent
b55dd8f607
[clang][analyzer] Correctly handle structured bindings captured by lambda (#132579)
This PR fixes #91835.

For `DeclRefExpr` in lambda's function body, it will reference the
original variable declaration in AST rather than `FieldDecl` for lambda
class, so it's needed to find the corresponding `FieldDecl` and bind
`DeclRefExpr`'s value to it.

This is already implemented for variables that are not in a structured
binding structure, so I extracted that part of the code so that it can
be used in the structured binding case.
2025-03-26 16:03:43 +01:00
Balázs Kéri
322b2fe61e
[clang][analyzer] Move 'alpha.core.FixedAddressDereference' out of alpha (#132404) 2025-03-26 09:24:18 +01:00
flovent
e60fe2e584
[clang][analyzer] Fix InvalidatedIterator crash caused by overload operator member function with explicit this (#132581)
Fixes #116372

From this PR #83585, CSA starts to model overload operator member
function with explicit this as `SimpleFunctionCall` rather than
`CXXMemberOperatorCall` (derived from `CXXInstanceCall`), so
`CXXInstanceCall` only represents a non-static C++ member function call
`with implicit this`.

For this checker, it models `operator=` for STL containers, which always
uses implicit this, so the situation using explicit this can be skipped
directly.
2025-03-24 13:51:11 +01:00
flovent
2fe7585686
[clang][analyzer] Improve the modeling of insert in MismatchedIteratorChecker (#132596)
Fixes #132010

Associative containers in STL have a unique `insert` overload member
function compared to non-associative
containers (https://en.cppreference.com/w/cpp/container/unordered_set/insert):
```cpp
template< class InputIt >
void insert( InputIt first, InputIt last );
```

Add support for this `insert` overload in `MismatchedIteratorChecker`,
verify if `first` and `last` belong to the same container in this case.
2025-03-23 09:49:37 +01:00
Matheus Izvekov
14f7bd63b9
Reland: [clang] preserve class type sugar when taking pointer to member (#132401)
Original PR: #130537
Originally reverted due to revert of dependent commit. Relanding with no
changes.

This changes the MemberPointerType representation to use a
NestedNameSpecifier instead of a Type to represent the base class.

Since the qualifiers are always parsed as nested names, there was an
impedance mismatch when converting these back and forth into types, and
this led to issues in preserving sugar.

The nested names are indeed a better match for these, as the differences
which a QualType can represent cannot be expressed syntactically, and
they represent the use case more exactly, being either dependent or
referring to a CXXRecord, unqualified.

This patch also makes the MemberPointerType able to represent sugar for
a {up/downcast}cast conversion of the base class, although for now the
underlying type is canonical, as preserving the sugar up to that point
requires further work.

As usual, includes a few drive-by fixes in order to make use of the
improvements.
2025-03-21 13:20:52 -03:00
Matheus Izvekov
5151e6d7fe
Revert "Reland: [clang] preserve class type sugar when taking pointer to member" (#132280)
Reverts llvm/llvm-project#132234

Needs to be reverted due to dependency.

This blocks reverting another PR, see here:
https://github.com/llvm/llvm-project/pull/131965#issuecomment-2741619498
2025-03-20 17:52:48 -03:00
Matheus Izvekov
578f38cd08
Reland: [clang] preserve class type sugar when taking pointer to member (#132234)
Original PR: #130537
Reland after updating lldb too.

This changes the MemberPointerType representation to use a
NestedNameSpecifier instead of a Type to represent the base class.

Since the qualifiers are always parsed as nested names, there was an
impedance mismatch when converting these back and forth into types, and
this led to issues in preserving sugar.

The nested names are indeed a better match for these, as the differences
which a QualType can represent cannot be expressed syntactically, and
they represent the use case more exactly, being either dependent or
referring to a CXXRecord, unqualified.

This patch also makes the MemberPointerType able to represent sugar for
a {up/downcast}cast conversion of the base class, although for now the
underlying type is canonical, as preserving the sugar up to that point
requires further work.

As usual, includes a few drive-by fixes in order to make use of the
improvements.
2025-03-20 15:33:54 -03:00
Matheus Izvekov
6cd62ad08c
Revert "[clang] improve class type sugar preservation in pointers to members" (#132215)
Reverts llvm/llvm-project#130537

This missed updating lldb, which we didn't notice due to lack of
pre-commit CI.
2025-03-20 11:09:25 -03:00
Matheus Izvekov
9b1f905b48
[clang] improve class type sugar preservation in pointers to members (#130537)
This changes the MemberPointerType representation to use a
NestedNameSpecifier instead of a Type to represent the class.

Since the qualifiers are always parsed as nested names, there was an
impedance mismatch when converting these back and forth into types, and
this led to issues in preserving sugar.

The nested names are indeed a better match for these, as the differences
which a QualType can represent cannot be expressed syntactically, and it
also represents the use case more exactly, being either dependent or
referring to a CXXRecord, unqualified.

This patch also makes the MemberPointerType able to represent sugar for
a {up/downcast}cast conversion of the base class, although for now the
underlying type is canonical, as preserving the sugar up to that point
requires further work.

As usual, includes a few drive-by fixes in order to make use of the
improvements, and removing some duplications, for example
CheckBaseClassAccess is deduplicated from across SemaAccess and
SemaCast.
2025-03-20 10:30:24 -03:00
Donát Nagy
03adb0ec7d
[analyzer] Remove deprecated option VirtualCall:PureOnly (#131823)
VirtualCallChecker.cpp implements two related checkers:
- `optin.cplusplus.VirtualCall` which reports situations when
constructors or destructors call virtual methods (which is bugprone
because it does not trigger virtual dispatch, but can be legitimate).
- `cplusplus.PureVirtualCall` reports situations when constructors or
destructors call _pure_ virtual methods, which is an error.

Six years ago these two bug types were both reported by the same checker
(called `optin.cplusplus.VirtualCall`) and it had an option called
`PureOnly` which limited its output to the pure case.

When (in 2019) the two checker parts were separated by the commit
d3971fe97b64785c079d64bf4c8c3e2b5e1f85a1, the option `PureOnly` was
preserved for the sake of compatibility, but it is no longer useful
(when it is set to true, it just suppresses all reports from
`optin.cplusplus.VirtualCall`) so it was marked as deprecated.

I'm removing this deprecated option now because it is no longer relevant
and its presence caused minor complications when I was porting
`VirtualCallChecker.cpp` to the new multipart checker framework
(introduced in 27099982da2f5a6c2d282d6b385e79d080669546).
2025-03-19 18:22:00 +01:00
Ryosuke Niwa
bb0cc69487
[webkit.NoUncountedMemberChecker] Fix a regression that every class is treated as if it's ref countable. (#131249)
This PR fixes a regression that webkit.NoUncountedMemberChecker and
alpha.webkit.NoUncheckedMemberChecker emit warnings for every class as
if they supported ref counting and checked ptr because we were
erroneously coercing the return value of isRefCountable and
isCheckedPtrCapable, which is std::optional<bool>, to boolean values.
2025-03-18 15:43:43 -07:00
Ryosuke Niwa
4781941160
[alpha.webkit.UncountedCallArgsChecker] os_log functions should be treated as safe. (#131500)
…os_log functions should be treated as safe in call arguments checkers.

Also treat __builtin_* functions and __libcpp_verbose_abort functions as
"trivial" for the purpose in call argument checkers.
2025-03-17 23:47:10 -07:00
Balázs Kéri
fd41f1b0ce
[clang][analyzer] Add BugReporterVisitor messages for non-null fixed pointer (#129557) 2025-03-17 09:46:58 +01:00
Arseniy Zaostrovnykh
57e36419b2
[analyzer] Introduce per-entry-point statistics (#131175)
So far CSA was relying on the LLVM Statistic package that allowed us to
gather some data about analysis of an entire translation unit. However,
the translation unit consists of a collection of loosely related entry
points. Aggregating data across multiple such entry points is often
counter productive.

This change introduces a new lightweight always-on facility to collect
Boolean or numerical statistics for each entry point and dump them in a
CSV format. Such format makes it easy to aggregate data across multiple
translation units and analyze it with common data-processing tools.

We break down the existing statistics that were collected on the per-TU
basis into values per entry point.

Additionally, we enable the statistics unconditionally (STATISTIC ->
ALWAYS_ENABLED_STATISTIC) to facilitate their use (you can gather the
data with a simple run-time flag rather than having to recompile the
analyzer). These statistics are very light and add virtually no
overhead.

Co-authored-by: Balazs Benics <benicsbalazs@gmail.com>
CPP-6160
2025-03-17 08:23:31 +01:00
Ryosuke Niwa
f4043f451d
Skip more WebKit checker tests on targets where builtin is not supported. (#131501) 2025-03-15 23:39:30 -07:00
Ryosuke Niwa
75349d7ca4
Skip unretained-call-args.mm on platforms where builtin is not supported. (#131252) 2025-03-13 21:33:30 -07:00
Ryosuke Niwa
4dcba5e08d
[alpha.webkit.ForwardDeclChecker] Add a new WebKit checker for forward declarations (#130554)
Add a new static analyzer which emits warnings for function call
arguments, local variables, and member variables that are only forward
declared. These forward declarations prevent other WebKit checkers from
checking the safety of code.
2025-03-12 20:21:22 -07:00
Ryosuke Niwa
be9ca85d64
[alpha.webkit.webkit.RetainPtrCtorAdoptChecker] Add a new WebKit checker for correct use of RetainPtr, adoptNS, and adoptCF (#128679)
Add a new WebKit checker to validate the correct use of RetainPtr
constructor as well as adoptNS and adoptCF functions. adoptNS and
adoptCF are used for +1 semantics and RetainPtr constructor is used for
+0 semantics.
2025-03-12 19:09:05 -07:00
Ryosuke Niwa
27d83184c4
[alpha.webkit.UncountedCallArgsChecker] Treat an explicit construction of Ref from a Ref return value safe. (#130911)
Fix a bug that an explicit construction of Ref out of a Ref return value
would not be treated as safe. It is definitely safe albeit redundant.
2025-03-12 18:33:17 -07:00
Ryosuke Niwa
caf301891a
Add unretained call args checker (#130901)
Reland https://github.com/llvm/llvm-project/pull/130729
2025-03-12 10:37:13 -07:00
Ryosuke Niwa
8b093e5e17
[webkit.UncountedLambdaCapturesChecker] Recognize std::move(protectedThis) (#130925)
In WebKit, it's a common pattern for a lambda to capture "this" along
with "protectedThis" of Ref/RefPtr type, and re-capture "this" and
"std::move(protectedThis)" for a nested inner lambda. Recognize this
pattern and treat it as safe.
2025-03-12 10:23:46 -07:00
Ryosuke Niwa
7573ee1781
Revert "[alpha.webkit.UnretainedCallArgsChecker] Add a checker for NS or CF type call arguments." (#130828)
Reverts llvm/llvm-project#130729
2025-03-11 13:42:31 -07:00
Ryosuke Niwa
9e64fc6fb7
[alpha.webkit.UnretainedCallArgsChecker] Add a checker for NS or CF type call arguments. (#130729)
This PR adds alpha.webkit.UnretainedCallArgsChecker by generalizing
RawPtrRefCallArgsChecker. It checks whether call arguments of NS or CF
types are backed by a RetainPtr or not. The new checker emits warnings
for CF types in Objective-C++ code regardless of ARC and it emits
warnings for NS types when ARC is disabled.

Hard-code a few cases as safe: class and superclass properties on class
interfaces and constant dictionary or array literals as well as the
return value of NSClassFromString.

Finally, add the support for variadic function calls and selector
invocations.
2025-03-11 12:47:13 -07:00
Ziqing Luo
6501647508
[StaticAnalyzer] Relax the pre-condition of 'setsockopt' (#130683)
For the unix function
`int setsockopt(int, int, int, const void *, socklen_t);`, the last two
parameters represent a buffer and a size.

In case the size is zero, buffer can be null. Previously, the hard-coded
pre-condition requires the buffer to never be null, which can cause
false positives.

(rdar://146678142)
2025-03-11 10:23:03 -07:00
Balazs Benics
f10a8706a1
[analyzer] Sink false [[assume]] execution paths (#130418)
This PR splits the existing modeling of builtin assume from the
BuiltinFunctionChecker.

We just sink the execution path if we are about to leave the assume
expression with a false assumption.
Assumptions with side-effects are skipped, and ignored. Their values are
"UnknownVal" anyway.
2025-03-11 18:11:09 +01:00
Donát Nagy
a7d7db71db
[NFC][analyzer] OOB test consolidation IV: rename files (#129697)
This commit finishes the reorganization of the tests for the checker
`security.ArrayBound`.

Previously these tests were all named `out-of-bounds-*` which was only
weakly connected to the checker name; this commit moves them to a
directory named after the checker (`ArrayBound`). I decided to use a
directory instead of the more common filename prefix ("poor man's
directory") system because it seems to be a more natural use of the
filesystem and there are already a few precedents for it.

I also added (or edited) comments at the beginning of each test file to
describe their purpose; and I added a single new testcase to highlight
that the assumption note tags can be added to reports by any checker.
(Previously all tests in the file triggered out-of-bounds reports to
reveal the note tags; but that was just for convenience.)
2025-03-11 13:54:41 +01:00
Donát Nagy
405c28bb10
[NFC][analyzer] Split [[assume]] tests to a separate file (#130763)
Recently commit 7e5821bae80db3f3f0fe0d5f8ce62f79e548eed5 (which is a
re-application of 89da344e5879e5347b5057520d5230e40ae24831) added some
tests to `out-of-bounds-new.cpp`, which use a very simple out of bounds
report to reveal the internal state of the analyzer, but are otherwise
completely unrelated to the checker `security.ArrayBound`, which is
tested in `out-of-bounds-new.cpp`.

(Instead, they test handling of `__builtin_assume` and `[[assume()]]`
annotations.)

This commit reverts `out-of-bounds-new.cpp` to its previous state and
moves the new tests to a separate test file.
2025-03-11 13:52:55 +01:00
Ryosuke Niwa
3ce43c8b16
[WebKit checkers] Don't treat virtual functions as safe. (#129632)
Prior to this PR, WebKit checkers erroneously treated functions as
safe if they had a trivial body even if they were marked as virtual. In the
case of a virtual function, it can have an override which does not pass
the triviality check so we must not make such an assumption.

This PR also restricts the allowed operator overloading while finding
the pointer origin to just operators on smart pointer types: Ref,
RefPtr, CheckedRef, CheckedPtr, RetainPtr, WeakPtr, WeakRef, unique_ptr,
and UniqueRef.
2025-03-10 21:01:39 -07:00
Ryosuke Niwa
c8ec8073aa
[alpha.webkit.NoUnretainedMemberChecker] Add a new WebKit checker for unretained member variables and ivars. (#128641)
Add a new WebKit checker for member variables and instance variables of
NS and CF types. A member variable or instance variable of a CF type
should be RetainPtr regardless of whether ARC is enabled or disabled,
and that of a NS type should be RetainPtr when ARC is disabled.
2025-03-09 23:30:08 -07:00
Ryosuke Niwa
5c3b05996f
[alpha.webkit.UnretainedLambdaCapturesChecker] Add a WebKit checker for lambda capturing NS or CF types. (#128651)
Add a new WebKit checker for checking that lambda captures of CF types
use RetainPtr whether ARC is disabled or enabled, and those of NS
types use RetainPtr when ARC is disabled.
2025-03-09 14:59:46 -07:00