Bug Summary

File:tools/clang/lib/CodeGen/CGObjCRuntime.cpp
Warning:line 111, column 58
Access to field 'StorageSize' results in a dereference of a null pointer (loaded from variable 'Info')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name CGObjCRuntime.cpp -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-eagerly-assume -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -mrelocation-model pic -pic-level 2 -mthread-model posix -relaxed-aliasing -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -ffunction-sections -fdata-sections -resource-dir /usr/lib/llvm-7/lib/clang/7.0.0 -D _DEBUG -D _GNU_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -I /build/llvm-toolchain-snapshot-7~svn338205/build-llvm/tools/clang/lib/CodeGen -I /build/llvm-toolchain-snapshot-7~svn338205/tools/clang/lib/CodeGen -I /build/llvm-toolchain-snapshot-7~svn338205/tools/clang/include -I /build/llvm-toolchain-snapshot-7~svn338205/build-llvm/tools/clang/include -I /build/llvm-toolchain-snapshot-7~svn338205/build-llvm/include -I /build/llvm-toolchain-snapshot-7~svn338205/include -U NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/x86_64-linux-gnu/c++/8 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/x86_64-linux-gnu/c++/8 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/backward -internal-isystem /usr/include/clang/7.0.0/include/ -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-7/lib/clang/7.0.0/include -internal-externc-isystem /usr/lib/gcc/x86_64-linux-gnu/8/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-class-memaccess -Wno-comment -std=c++11 -fdeprecated-macro -fdebug-compilation-dir /build/llvm-toolchain-snapshot-7~svn338205/build-llvm/tools/clang/lib/CodeGen -ferror-limit 19 -fmessage-length 0 -fvisibility-inlines-hidden -fobjc-runtime=gcc -fno-common -fdiagnostics-show-option -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -o /tmp/scan-build-2018-07-29-043837-17923-1 -x c++ /build/llvm-toolchain-snapshot-7~svn338205/tools/clang/lib/CodeGen/CGObjCRuntime.cpp -faddrsig
1//==- CGObjCRuntime.cpp - Interface to Shared Objective-C Runtime Features ==//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This abstract class defines the interface for Objective-C runtime-specific
11// code generation. It provides some concrete helper methods for functionality
12// shared between all (or most) of the Objective-C runtimes supported by clang.
13//
14//===----------------------------------------------------------------------===//
15
16#include "CGObjCRuntime.h"
17#include "CGCleanup.h"
18#include "CGRecordLayout.h"
19#include "CodeGenFunction.h"
20#include "CodeGenModule.h"
21#include "clang/AST/RecordLayout.h"
22#include "clang/AST/StmtObjC.h"
23#include "clang/CodeGen/CGFunctionInfo.h"
24#include "llvm/IR/CallSite.h"
25
26using namespace clang;
27using namespace CodeGen;
28
29uint64_t CGObjCRuntime::ComputeIvarBaseOffset(CodeGen::CodeGenModule &CGM,
30 const ObjCInterfaceDecl *OID,
31 const ObjCIvarDecl *Ivar) {
32 return CGM.getContext().lookupFieldBitOffset(OID, nullptr, Ivar) /
33 CGM.getContext().getCharWidth();
34}
35
36uint64_t CGObjCRuntime::ComputeIvarBaseOffset(CodeGen::CodeGenModule &CGM,
37 const ObjCImplementationDecl *OID,
38 const ObjCIvarDecl *Ivar) {
39 return CGM.getContext().lookupFieldBitOffset(OID->getClassInterface(), OID,
40 Ivar) /
41 CGM.getContext().getCharWidth();
42}
43
44unsigned CGObjCRuntime::ComputeBitfieldBitOffset(
45 CodeGen::CodeGenModule &CGM,
46 const ObjCInterfaceDecl *ID,
47 const ObjCIvarDecl *Ivar) {
48 return CGM.getContext().lookupFieldBitOffset(ID, ID->getImplementation(),
49 Ivar);
50}
51
52LValue CGObjCRuntime::EmitValueForIvarAtOffset(CodeGen::CodeGenFunction &CGF,
53 const ObjCInterfaceDecl *OID,
54 llvm::Value *BaseValue,
55 const ObjCIvarDecl *Ivar,
56 unsigned CVRQualifiers,
57 llvm::Value *Offset) {
58 // Compute (type*) ( (char *) BaseValue + Offset)
59 QualType InterfaceTy{OID->getTypeForDecl(), 0};
60 QualType ObjectPtrTy =
61 CGF.CGM.getContext().getObjCObjectPointerType(InterfaceTy);
62 QualType IvarTy =
63 Ivar->getUsageType(ObjectPtrTy).withCVRQualifiers(CVRQualifiers);
64 llvm::Type *LTy = CGF.CGM.getTypes().ConvertTypeForMem(IvarTy);
65 llvm::Value *V = CGF.Builder.CreateBitCast(BaseValue, CGF.Int8PtrTy);
66 V = CGF.Builder.CreateInBoundsGEP(V, Offset, "add.ptr");
67
68 if (!Ivar->isBitField()) {
1
Assuming the condition is false
2
Taking false branch
69 V = CGF.Builder.CreateBitCast(V, llvm::PointerType::getUnqual(LTy));
70 LValue LV = CGF.MakeNaturalAlignAddrLValue(V, IvarTy);
71 return LV;
72 }
73
74 // We need to compute an access strategy for this bit-field. We are given the
75 // offset to the first byte in the bit-field, the sub-byte offset is taken
76 // from the original layout. We reuse the normal bit-field access strategy by
77 // treating this as an access to a struct where the bit-field is in byte 0,
78 // and adjust the containing type size as appropriate.
79 //
80 // FIXME: Note that currently we make a very conservative estimate of the
81 // alignment of the bit-field, because (a) it is not clear what guarantees the
82 // runtime makes us, and (b) we don't have a way to specify that the struct is
83 // at an alignment plus offset.
84 //
85 // Note, there is a subtle invariant here: we can only call this routine on
86 // non-synthesized ivars but we may be called for synthesized ivars. However,
87 // a synthesized ivar can never be a bit-field, so this is safe.
88 uint64_t FieldBitOffset =
89 CGF.CGM.getContext().lookupFieldBitOffset(OID, nullptr, Ivar);
90 uint64_t BitOffset = FieldBitOffset % CGF.CGM.getContext().getCharWidth();
91 uint64_t AlignmentBits = CGF.CGM.getTarget().getCharAlign();
92 uint64_t BitFieldSize = Ivar->getBitWidthValue(CGF.getContext());
93 CharUnits StorageSize = CGF.CGM.getContext().toCharUnitsFromBits(
94 llvm::alignTo(BitOffset + BitFieldSize, AlignmentBits));
95 CharUnits Alignment = CGF.CGM.getContext().toCharUnitsFromBits(AlignmentBits);
96
97 // Allocate a new CGBitFieldInfo object to describe this access.
98 //
99 // FIXME: This is incredibly wasteful, these should be uniqued or part of some
100 // layout object. However, this is blocked on other cleanups to the
101 // Objective-C code, so for now we just live with allocating a bunch of these
102 // objects.
103 CGBitFieldInfo *Info = new (CGF.CGM.getContext()) CGBitFieldInfo(
3
'Info' initialized to a null pointer value
104 CGBitFieldInfo::MakeInfo(CGF.CGM.getTypes(), Ivar, BitOffset, BitFieldSize,
105 CGF.CGM.getContext().toBits(StorageSize),
106 CharUnits::fromQuantity(0)));
107
108 Address Addr(V, Alignment);
109 Addr = CGF.Builder.CreateElementBitCast(Addr,
110 llvm::Type::getIntNTy(CGF.getLLVMContext(),
111 Info->StorageSize));
4
Access to field 'StorageSize' results in a dereference of a null pointer (loaded from variable 'Info')
112 return LValue::MakeBitfield(Addr, *Info, IvarTy,
113 LValueBaseInfo(AlignmentSource::Decl),
114 TBAAAccessInfo());
115}
116
117namespace {
118 struct CatchHandler {
119 const VarDecl *Variable;
120 const Stmt *Body;
121 llvm::BasicBlock *Block;
122 llvm::Constant *TypeInfo;
123 };
124
125 struct CallObjCEndCatch final : EHScopeStack::Cleanup {
126 CallObjCEndCatch(bool MightThrow, llvm::Value *Fn)
127 : MightThrow(MightThrow), Fn(Fn) {}
128 bool MightThrow;
129 llvm::Value *Fn;
130
131 void Emit(CodeGenFunction &CGF, Flags flags) override {
132 if (MightThrow)
133 CGF.EmitRuntimeCallOrInvoke(Fn);
134 else
135 CGF.EmitNounwindRuntimeCall(Fn);
136 }
137 };
138}
139
140
141void CGObjCRuntime::EmitTryCatchStmt(CodeGenFunction &CGF,
142 const ObjCAtTryStmt &S,
143 llvm::Constant *beginCatchFn,
144 llvm::Constant *endCatchFn,
145 llvm::Constant *exceptionRethrowFn) {
146 // Jump destination for falling out of catch bodies.
147 CodeGenFunction::JumpDest Cont;
148 if (S.getNumCatchStmts())
149 Cont = CGF.getJumpDestInCurrentScope("eh.cont");
150
151 CodeGenFunction::FinallyInfo FinallyInfo;
152 if (const ObjCAtFinallyStmt *Finally = S.getFinallyStmt())
153 FinallyInfo.enter(CGF, Finally->getFinallyBody(),
154 beginCatchFn, endCatchFn, exceptionRethrowFn);
155
156 SmallVector<CatchHandler, 8> Handlers;
157
158 // Enter the catch, if there is one.
159 if (S.getNumCatchStmts()) {
160 for (unsigned I = 0, N = S.getNumCatchStmts(); I != N; ++I) {
161 const ObjCAtCatchStmt *CatchStmt = S.getCatchStmt(I);
162 const VarDecl *CatchDecl = CatchStmt->getCatchParamDecl();
163
164 Handlers.push_back(CatchHandler());
165 CatchHandler &Handler = Handlers.back();
166 Handler.Variable = CatchDecl;
167 Handler.Body = CatchStmt->getCatchBody();
168 Handler.Block = CGF.createBasicBlock("catch");
169
170 // @catch(...) always matches.
171 if (!CatchDecl) {
172 Handler.TypeInfo = nullptr; // catch-all
173 // Don't consider any other catches.
174 break;
175 }
176
177 Handler.TypeInfo = GetEHType(CatchDecl->getType());
178 }
179
180 EHCatchScope *Catch = CGF.EHStack.pushCatch(Handlers.size());
181 for (unsigned I = 0, E = Handlers.size(); I != E; ++I)
182 Catch->setHandler(I, Handlers[I].TypeInfo, Handlers[I].Block);
183 }
184
185 // Emit the try body.
186 CGF.EmitStmt(S.getTryBody());
187
188 // Leave the try.
189 if (S.getNumCatchStmts())
190 CGF.popCatchScope();
191
192 // Remember where we were.
193 CGBuilderTy::InsertPoint SavedIP = CGF.Builder.saveAndClearIP();
194
195 // Emit the handlers.
196 for (unsigned I = 0, E = Handlers.size(); I != E; ++I) {
197 CatchHandler &Handler = Handlers[I];
198
199 CGF.EmitBlock(Handler.Block);
200 llvm::Value *RawExn = CGF.getExceptionFromSlot();
201
202 // Enter the catch.
203 llvm::Value *Exn = RawExn;
204 if (beginCatchFn)
205 Exn = CGF.EmitNounwindRuntimeCall(beginCatchFn, RawExn, "exn.adjusted");
206
207 CodeGenFunction::LexicalScope cleanups(CGF, Handler.Body->getSourceRange());
208
209 if (endCatchFn) {
210 // Add a cleanup to leave the catch.
211 bool EndCatchMightThrow = (Handler.Variable == nullptr);
212
213 CGF.EHStack.pushCleanup<CallObjCEndCatch>(NormalAndEHCleanup,
214 EndCatchMightThrow,
215 endCatchFn);
216 }
217
218 // Bind the catch parameter if it exists.
219 if (const VarDecl *CatchParam = Handler.Variable) {
220 llvm::Type *CatchType = CGF.ConvertType(CatchParam->getType());
221 llvm::Value *CastExn = CGF.Builder.CreateBitCast(Exn, CatchType);
222
223 CGF.EmitAutoVarDecl(*CatchParam);
224 EmitInitOfCatchParam(CGF, CastExn, CatchParam);
225 }
226
227 CGF.ObjCEHValueStack.push_back(Exn);
228 CGF.EmitStmt(Handler.Body);
229 CGF.ObjCEHValueStack.pop_back();
230
231 // Leave any cleanups associated with the catch.
232 cleanups.ForceCleanup();
233
234 CGF.EmitBranchThroughCleanup(Cont);
235 }
236
237 // Go back to the try-statement fallthrough.
238 CGF.Builder.restoreIP(SavedIP);
239
240 // Pop out of the finally.
241 if (S.getFinallyStmt())
242 FinallyInfo.exit(CGF);
243
244 if (Cont.isValid())
245 CGF.EmitBlock(Cont.getBlock());
246}
247
248void CGObjCRuntime::EmitInitOfCatchParam(CodeGenFunction &CGF,
249 llvm::Value *exn,
250 const VarDecl *paramDecl) {
251
252 Address paramAddr = CGF.GetAddrOfLocalVar(paramDecl);
253
254 switch (paramDecl->getType().getQualifiers().getObjCLifetime()) {
255 case Qualifiers::OCL_Strong:
256 exn = CGF.EmitARCRetainNonBlock(exn);
257 // fallthrough
258
259 case Qualifiers::OCL_None:
260 case Qualifiers::OCL_ExplicitNone:
261 case Qualifiers::OCL_Autoreleasing:
262 CGF.Builder.CreateStore(exn, paramAddr);
263 return;
264
265 case Qualifiers::OCL_Weak:
266 CGF.EmitARCInitWeak(paramAddr, exn);
267 return;
268 }
269 llvm_unreachable("invalid ownership qualifier")::llvm::llvm_unreachable_internal("invalid ownership qualifier"
, "/build/llvm-toolchain-snapshot-7~svn338205/tools/clang/lib/CodeGen/CGObjCRuntime.cpp"
, 269)
;
270}
271
272namespace {
273 struct CallSyncExit final : EHScopeStack::Cleanup {
274 llvm::Value *SyncExitFn;
275 llvm::Value *SyncArg;
276 CallSyncExit(llvm::Value *SyncExitFn, llvm::Value *SyncArg)
277 : SyncExitFn(SyncExitFn), SyncArg(SyncArg) {}
278
279 void Emit(CodeGenFunction &CGF, Flags flags) override {
280 CGF.Builder.CreateCall(SyncExitFn, SyncArg)->setDoesNotThrow();
281 }
282 };
283}
284
285void CGObjCRuntime::EmitAtSynchronizedStmt(CodeGenFunction &CGF,
286 const ObjCAtSynchronizedStmt &S,
287 llvm::Function *syncEnterFn,
288 llvm::Function *syncExitFn) {
289 CodeGenFunction::RunCleanupsScope cleanups(CGF);
290
291 // Evaluate the lock operand. This is guaranteed to dominate the
292 // ARC release and lock-release cleanups.
293 const Expr *lockExpr = S.getSynchExpr();
294 llvm::Value *lock;
295 if (CGF.getLangOpts().ObjCAutoRefCount) {
296 lock = CGF.EmitARCRetainScalarExpr(lockExpr);
297 lock = CGF.EmitObjCConsumeObject(lockExpr->getType(), lock);
298 } else {
299 lock = CGF.EmitScalarExpr(lockExpr);
300 }
301 lock = CGF.Builder.CreateBitCast(lock, CGF.VoidPtrTy);
302
303 // Acquire the lock.
304 CGF.Builder.CreateCall(syncEnterFn, lock)->setDoesNotThrow();
305
306 // Register an all-paths cleanup to release the lock.
307 CGF.EHStack.pushCleanup<CallSyncExit>(NormalAndEHCleanup, syncExitFn, lock);
308
309 // Emit the body of the statement.
310 CGF.EmitStmt(S.getSynchBody());
311}
312
313/// Compute the pointer-to-function type to which a message send
314/// should be casted in order to correctly call the given method
315/// with the given arguments.
316///
317/// \param method - may be null
318/// \param resultType - the result type to use if there's no method
319/// \param callArgs - the actual arguments, including implicit ones
320CGObjCRuntime::MessageSendInfo
321CGObjCRuntime::getMessageSendInfo(const ObjCMethodDecl *method,
322 QualType resultType,
323 CallArgList &callArgs) {
324 // If there's a method, use information from that.
325 if (method) {
326 const CGFunctionInfo &signature =
327 CGM.getTypes().arrangeObjCMessageSendSignature(method, callArgs[0].Ty);
328
329 llvm::PointerType *signatureType =
330 CGM.getTypes().GetFunctionType(signature)->getPointerTo();
331
332 const CGFunctionInfo &signatureForCall =
333 CGM.getTypes().arrangeCall(signature, callArgs);
334
335 return MessageSendInfo(signatureForCall, signatureType);
336 }
337
338 // There's no method; just use a default CC.
339 const CGFunctionInfo &argsInfo =
340 CGM.getTypes().arrangeUnprototypedObjCMessageSend(resultType, callArgs);
341
342 // Derive the signature to call from that.
343 llvm::PointerType *signatureType =
344 CGM.getTypes().GetFunctionType(argsInfo)->getPointerTo();
345 return MessageSendInfo(argsInfo, signatureType);
346}