commit 516bc1ea61fd1f5fa4ed15d3de9d552e2059ae95
author Artem Dergachev <artem.dergachev@gmail.com> Thu Dec 08 14:05:48 2016 +0000
committer Artem Dergachev <artem.dergachev@gmail.com> Mon Dec 12 17:21:28 2016 +0300
tree e46f4d836bcd8b40ffa700d67c988d1b6b40b290
parent 1b80950d56130a8842ae4ac8acadac5dc36c7524

[analyzer] Add dispatch_data_create as a special case in RetainCountChecker.

This function receives a callback block. The analyzer suspects that this block
may be used to take care of releasing the libdispatch object returned from
the function. In fact, it doesn't - it only releases the raw data buffer.
Inform the analyzer about that. Fixes the resulting false negatives.

rdar://problem/22280098

Differential Revision: https://reviews.llvm.org/D27409

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@289047 91177308-0d34-0410-b5e6-96231b3b80d8
(cherry picked from commit 8b047f1bb9536fec0f74f68bdbe5901b8a4c7d7e)

lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp

diff --git a/lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp b/lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp
index 6054b83..b7d1670 100644
--- a/lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp
@@ -953,7 +953,10 @@
       if (IdentifierInfo *Name = FC->getDecl()->getIdentifier()) {
         // When the CGBitmapContext is deallocated, the callback here will free
         // the associated data buffer.
-        if (Name->isStr("CGBitmapContextCreateWithData"))
+        // The callback in dispatch_data_create frees the buffer, but not
+        // the data object.
+        if (Name->isStr("CGBitmapContextCreateWithData") ||
+            Name->isStr("dispatch_data_create"))
           RE = S->getRetEffect();
       }
     }

test/Analysis/retain-release-arc.m

diff --git a/test/Analysis/retain-release-arc.m b/test/Analysis/retain-release-arc.m
index e27f519..616e009 100644
--- a/test/Analysis/retain-release-arc.m
+++ b/test/Analysis/retain-release-arc.m
@@ -1,6 +1,8 @@
 // RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,osx.coreFoundation.CFRetainRelease,osx.cocoa.ClassRelease,osx.cocoa.RetainCount -fobjc-arc -fblocks -verify -Wno-objc-root-class %s -analyzer-output=text
 // RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,osx.coreFoundation.CFRetainRelease,osx.cocoa.ClassRelease,osx.cocoa.RetainCount -fblocks -verify -Wno-objc-root-class %s -analyzer-output=text
 
+typedef __typeof(sizeof(int)) size_t;
+
 #define HAS_ARC __has_feature(objc_arc)
 
 typedef unsigned long long CFOptionFlags;
@@ -45,6 +47,41 @@
 @interface NSDictionary : NSObject
 @end
 
+#define OS_OBJECT_RETURNS_RETAINED __attribute__((__ns_returns_retained__))
+#define DISPATCH_RETURNS_RETAINED OS_OBJECT_RETURNS_RETAINED
+
+@protocol OS_dispatch_object
+@end
+@protocol OS_dispatch_data <OS_dispatch_object>
+@end
+@protocol OS_dispatch_queue <OS_dispatch_object>
+@end
+
+typedef NSObject<OS_dispatch_object> *dispatch_object_t;
+typedef NSObject<OS_dispatch_data> *dispatch_data_t;
+typedef NSObject<OS_dispatch_queue> *dispatch_queue_t;
+
+typedef void (^dispatch_block_t)(void);
+
+dispatch_queue_t dispatch_get_main_queue(void);
+
+DISPATCH_RETURNS_RETAINED dispatch_data_t
+dispatch_data_create(const void *buffer, size_t size,
+                     dispatch_queue_t _Nullable queue,
+                     dispatch_block_t _Nullable destructor);
+
+void _dispatch_object_validate(dispatch_object_t object);
+
+#define dispatch_retain(object) \
+  __extension__({ dispatch_object_t _o = (object); \
+                  _dispatch_object_validate(_o); \
+                  (void)[_o retain]; })
+#define dispatch_release(object) \
+  __extension__({ dispatch_object_t _o = (object); \
+                  _dispatch_object_validate(_o); \
+                  [_o release]; })
+
+
 @interface SomeClass
 @end
 
@@ -84,3 +121,46 @@
 }
 @end
 
+int buf[1024];
+
+void libdispatch_leaked_data() {
+  dispatch_data_t data = dispatch_data_create(buf, 1024,
+                                              dispatch_get_main_queue(), ^{});
+}
+#if !HAS_ARC
+  // expected-warning@-2{{Potential leak of an object stored into 'data'}}
+  // expected-note@-5{{Call to function 'dispatch_data_create' returns an Objective-C object with a +1 retain count}}
+  // expected-note@-4{{Object leaked: object allocated and stored into 'data' is not referenced later in this execution path and has a retain count of +1}}
+#endif
+
+void libdispatch_dispatch_released_data() {
+  dispatch_data_t data = dispatch_data_create(buf, 1024,
+                                              dispatch_get_main_queue(), ^{});
+#if !HAS_ARC
+  dispatch_release(data); // no-warning
+#endif
+}
+
+void libdispatch_objc_released_data() {
+  dispatch_data_t data = dispatch_data_create(buf, 1024,
+                                              dispatch_get_main_queue(), ^{});
+#if !HAS_ARC
+  [data release]; // no-warning
+#endif
+}
+
+void libdispatch_leaked_retained_data() {
+  dispatch_data_t data = dispatch_data_create(buf, 1024,
+                                              dispatch_get_main_queue(), ^{});
+#if !HAS_ARC
+  dispatch_retain(data);
+  [data release];
+#endif
+}
+#if !HAS_ARC
+// expected-warning@-2{{Potential leak of an object stored into 'data'}}
+// expected-note@-9{{Call to function 'dispatch_data_create' returns an Objective-C object with a +1 retain count}}
+// expected-note@-7{{Reference count incremented. The object now has a +2 retain count}}
+// expected-note@-7{{Reference count decremented. The object now has a +1 retain count}}
+// expected-note@-6{{Object leaked: object allocated and stored into 'data' is not referenced later in this execution path and has a retain count of +1}}
+#endif