Bug Summary

File: tools/clang/lib/CodeGen/CGObjCRuntime.cpp
Warning: line 113, column 58
Access to field 'StorageSize' results in a dereference of a null pointer (loaded from variable 'Info')

Annotated Source Code


clang -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name CGObjCRuntime.cpp -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -mrelocation-model pic -pic-level 2 -mthread-model posix -relaxed-aliasing -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -ffunction-sections -fdata-sections -resource-dir /usr/lib/llvm-8/lib/clang/8.0.0 -D _DEBUG -D _GNU_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -I /build/llvm-toolchain-snapshot-8~svn345461/build-llvm/tools/clang/lib/CodeGen -I /build/llvm-toolchain-snapshot-8~svn345461/tools/clang/lib/CodeGen -I /build/llvm-toolchain-snapshot-8~svn345461/tools/clang/include -I /build/llvm-toolchain-snapshot-8~svn345461/build-llvm/tools/clang/include -I /build/llvm-toolchain-snapshot-8~svn345461/build-llvm/include -I /build/llvm-toolchain-snapshot-8~svn345461/include -U NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/c++/6.3.0 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/x86_64-linux-gnu/c++/6.3.0 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/x86_64-linux-gnu/c++/6.3.0 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/c++/6.3.0/backward -internal-isystem 
/usr/include/clang/8.0.0/include/ -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-8/lib/clang/8.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-comment -std=c++11 -fdeprecated-macro -fdebug-compilation-dir /build/llvm-toolchain-snapshot-8~svn345461/build-llvm/tools/clang/lib/CodeGen -ferror-limit 19 -fmessage-length 0 -fvisibility-inlines-hidden -fobjc-runtime=gcc -fno-common -fdiagnostics-show-option -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -o /tmp/scan-build-2018-10-27-211344-32123-1 -x c++ /build/llvm-toolchain-snapshot-8~svn345461/tools/clang/lib/CodeGen/CGObjCRuntime.cpp -faddrsig
1//==- CGObjCRuntime.cpp - Interface to Shared Objective-C Runtime Features ==//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This abstract class defines the interface for Objective-C runtime-specific
11// code generation. It provides some concrete helper methods for functionality
12// shared between all (or most) of the Objective-C runtimes supported by clang.
13//
14//===----------------------------------------------------------------------===//
15
16#include "CGObjCRuntime.h"
17#include "CGCleanup.h"
18#include "CGCXXABI.h"
19#include "CGRecordLayout.h"
20#include "CodeGenFunction.h"
21#include "CodeGenModule.h"
22#include "clang/AST/RecordLayout.h"
23#include "clang/AST/StmtObjC.h"
24#include "clang/CodeGen/CGFunctionInfo.h"
25#include "llvm/IR/CallSite.h"
26#include "llvm/Support/SaveAndRestore.h"
27
28using namespace clang;
29using namespace CodeGen;
30
uint64_t CGObjCRuntime::ComputeIvarBaseOffset(CodeGen::CodeGenModule &CGM,
                                              const ObjCInterfaceDecl *OID,
                                              const ObjCIvarDecl *Ivar) {
  // Byte offset of \p Ivar inside the layout of interface \p OID: the bit
  // offset recorded in the AST, scaled down by the target's char width. No
  // implementation decl is consulted for this overload.
  auto &Ctx = CGM.getContext();
  uint64_t BitOffset = Ctx.lookupFieldBitOffset(OID, nullptr, Ivar);
  return BitOffset / Ctx.getCharWidth();
}
37
uint64_t CGObjCRuntime::ComputeIvarBaseOffset(CodeGen::CodeGenModule &CGM,
                                              const ObjCImplementationDecl *OID,
                                              const ObjCIvarDecl *Ivar) {
  // Same computation as the interface overload, but the lookup is done
  // against the implementation \p OID together with its class interface.
  auto &Ctx = CGM.getContext();
  const ObjCInterfaceDecl *Interface = OID->getClassInterface();
  uint64_t BitOffset = Ctx.lookupFieldBitOffset(Interface, OID, Ivar);
  return BitOffset / Ctx.getCharWidth();
}
45
unsigned CGObjCRuntime::ComputeBitfieldBitOffset(
    CodeGen::CodeGenModule &CGM,
    const ObjCInterfaceDecl *ID,
    const ObjCIvarDecl *Ivar) {
  // Bit (not byte) offset of a bit-field ivar, looked up against \p ID and
  // whatever implementation the interface currently has (possibly none).
  // The 64-bit AST offset is narrowed to the unsigned return type.
  const ObjCImplementationDecl *Impl = ID->getImplementation();
  return CGM.getContext().lookupFieldBitOffset(ID, Impl, Ivar);
}
53
LValue CGObjCRuntime::EmitValueForIvarAtOffset(CodeGen::CodeGenFunction &CGF,
                                               const ObjCInterfaceDecl *OID,
                                               llvm::Value *BaseValue,
                                               const ObjCIvarDecl *Ivar,
                                               unsigned CVRQualifiers,
                                               llvm::Value *Offset) {
  ASTContext &Ctx = CGF.CGM.getContext();
  CGBuilderTy &Builder = CGF.Builder;

  // The ivar lives at (ivar-type *)((char *)BaseValue + Offset). Its type is
  // the ivar's usage type as seen through an `OID *` object pointer, with the
  // caller's cv-qualifiers applied.
  QualType InterfaceTy{OID->getTypeForDecl(), 0};
  QualType ObjectPtrTy = Ctx.getObjCObjectPointerType(InterfaceTy);
  QualType IvarTy =
      Ivar->getUsageType(ObjectPtrTy).withCVRQualifiers(CVRQualifiers);
  llvm::Type *IvarLTy = CGF.CGM.getTypes().ConvertTypeForMem(IvarTy);

  llvm::Value *IvarPtr = Builder.CreateBitCast(BaseValue, CGF.Int8PtrTy);
  IvarPtr = Builder.CreateInBoundsGEP(IvarPtr, Offset, "add.ptr");

  // Ordinary ivar: a naturally aligned lvalue of the ivar's type.
  if (!Ivar->isBitField()) {
    llvm::Value *TypedPtr =
        Builder.CreateBitCast(IvarPtr, llvm::PointerType::getUnqual(IvarLTy));
    return CGF.MakeNaturalAlignAddrLValue(TypedPtr, IvarTy);
  }

  // Bit-field ivar. `Offset` points at the first byte of the bit-field; the
  // sub-byte offset is taken from the AST layout. The access reuses the normal
  // bit-field strategy by treating it as a bit-field at byte 0 of a struct
  // whose storage size is just wide enough to hold it.
  //
  // Invariant: the AST layout lookup below is only valid for non-synthesized
  // ivars, but callers may pass synthesized ivars. A synthesized ivar can never
  // be a bit-field, so it never reaches this point.
  //
  // FIXME: the alignment is a deliberately conservative estimate, because (a)
  // the runtime's alignment guarantees are unclear and (b) there is no way to
  // express "aligned to X, plus an offset" for the struct.
  uint64_t FieldBitOffset = Ctx.lookupFieldBitOffset(OID, nullptr, Ivar);
  uint64_t BitOffsetInByte = FieldBitOffset % Ctx.getCharWidth();
  uint64_t CharAlignBits = CGF.CGM.getTarget().getCharAlign();
  uint64_t BitWidth = Ivar->getBitWidthValue(Ctx);
  uint64_t StorageBits =
      llvm::alignTo(BitOffsetInByte + BitWidth, CharAlignBits);
  CharUnits StorageSize = Ctx.toCharUnitsFromBits(StorageBits);
  CharUnits StorageAlign = Ctx.toCharUnitsFromBits(CharAlignBits);

  // FIXME: every access allocates a fresh CGBitFieldInfo in the ASTContext.
  // These should be uniqued or owned by a layout object, but that is blocked
  // on other cleanups to the Objective-C code generation.
  //
  // NOTE(review): scan-build reports the `Info->StorageSize` use below as a
  // null-pointer dereference because it models this placement `new (Ctx)` as
  // able to return null. ASTContext's placement operator new allocates from
  // the context's own allocator and is not expected to return null, so this
  // looks like a false positive — confirm against ASTContext's `operator new`
  // before triaging it as such.
  CGBitFieldInfo *Info = new (Ctx) CGBitFieldInfo(CGBitFieldInfo::MakeInfo(
      CGF.CGM.getTypes(), Ivar, BitOffsetInByte, BitWidth,
      Ctx.toBits(StorageSize), CharUnits::fromQuantity(0)));

  // View the storage as an integer of the computed width and hand back a
  // bit-field lvalue over it.
  Address IvarAddr(IvarPtr, StorageAlign);
  llvm::Type *StorageTy =
      llvm::Type::getIntNTy(CGF.getLLVMContext(), Info->StorageSize);
  IvarAddr = Builder.CreateElementBitCast(IvarAddr, StorageTy);
  return LValue::MakeBitfield(IvarAddr, *Info, IvarTy,
                              LValueBaseInfo(AlignmentSource::Decl),
                              TBAAAccessInfo());
}
118
namespace {
  /// One @catch clause of an @try, collected before the catch scope is pushed
  /// and used again when the handler body is emitted.
  struct CatchHandler {
    /// The catch parameter; null for @catch(...).
    const VarDecl *Variable;
    /// The body of the @catch clause.
    const Stmt *Body;
    /// The basic block the handler is emitted into.
    llvm::BasicBlock *Block;
    /// The EH type info the handler is matched against.
    llvm::Constant *TypeInfo;
    /// Flags used to differentiate cleanups and catchalls in Windows SEH
    unsigned Flags;
  };

  /// Cleanup that calls the runtime's end-catch function when a @catch body
  /// is left, on both normal and exceptional paths.
  struct CallObjCEndCatch final : EHScopeStack::Cleanup {
    /// Whether the end-catch call itself may throw; selects between an
    /// invoke-capable call and a nounwind call in Emit().
    bool MightThrow;
    /// The runtime end-catch function to call.
    llvm::Value *Fn;

    CallObjCEndCatch(bool mightThrow, llvm::Value *fn)
        : MightThrow(mightThrow), Fn(fn) {}

    void Emit(CodeGenFunction &CGF, Flags flags) override {
      if (MightThrow)
        CGF.EmitRuntimeCallOrInvoke(Fn);
      else
        CGF.EmitNounwindRuntimeCall(Fn);
    }
  };
}
143
144
/// Emit an Objective-C @try/@catch/@finally statement using the runtime's
/// catch-entry, catch-exit and rethrow functions.
///
/// Non-funclet personalities wrap the statement in a FinallyInfo scope that
/// runs the @finally body. Funclet personalities (the Windows SEH-style path)
/// instead outline the @finally body into a helper function and push an SEH
/// cleanup for it. Every @catch clause becomes one handler of a single catch
/// scope that is pushed before the @try body; the handler bodies are emitted
/// after the @try body, and all paths rejoin at the "eh.cont" block.
///
/// \param beginCatchFn - runtime function that adjusts the caught exception on
///   entry to a handler; may be null, in which case the raw exception is used
/// \param endCatchFn - runtime function called when a handler is left; may be
///   null, in which case no end-catch cleanup is pushed
/// \param exceptionRethrowFn - rethrow function handed to the non-funclet
///   FinallyInfo; not used directly here
void CGObjCRuntime::EmitTryCatchStmt(CodeGenFunction &CGF,
                                     const ObjCAtTryStmt &S,
                                     llvm::Constant *beginCatchFn,
                                     llvm::Constant *endCatchFn,
                                     llvm::Constant *exceptionRethrowFn) {
  // Jump destination for falling out of catch bodies. Only created when
  // there is at least one @catch; Cont stays invalid otherwise.
  CodeGenFunction::JumpDest Cont;
  if (S.getNumCatchStmts())
    Cont = CGF.getJumpDestInCurrentScope("eh.cont");

  bool useFunclets = EHPersonality::get(CGF).usesFuncletPads();

  // Non-funclet @finally: enter the finally scope now so that it encloses
  // the catch scope and the try body; it is exited at the end of this function.
  CodeGenFunction::FinallyInfo FinallyInfo;
  if (!useFunclets)
    if (const ObjCAtFinallyStmt *Finally = S.getFinallyStmt())
      FinallyInfo.enter(CGF, Finally->getFinallyBody(),
                        beginCatchFn, endCatchFn, exceptionRethrowFn);

  SmallVector<CatchHandler, 8> Handlers;


  // Enter the catch, if there is one.
  if (S.getNumCatchStmts()) {
    for (unsigned I = 0, N = S.getNumCatchStmts(); I != N; ++I) {
      const ObjCAtCatchStmt *CatchStmt = S.getCatchStmt(I);
      const VarDecl *CatchDecl = CatchStmt->getCatchParamDecl();

      // CatchHandler() value-initializes every field; TypeInfo and Flags are
      // filled in below.
      Handlers.push_back(CatchHandler());
      CatchHandler &Handler = Handlers.back();
      Handler.Variable = CatchDecl;
      Handler.Body = CatchStmt->getCatchBody();
      Handler.Block = CGF.createBasicBlock("catch");
      Handler.Flags = 0;

      // @catch(...) always matches.
      if (!CatchDecl) {
        auto catchAll = getCatchAllTypeInfo();
        Handler.TypeInfo = catchAll.RTTI;
        Handler.Flags = catchAll.Flags;
        // Don't consider any other catches.
        break;
      }

      Handler.TypeInfo = GetEHType(CatchDecl->getType());
    }

    // One catch scope holds all handlers, in source order.
    EHCatchScope *Catch = CGF.EHStack.pushCatch(Handlers.size());
    for (unsigned I = 0, E = Handlers.size(); I != E; ++I)
      Catch->setHandler(I, { Handlers[I].TypeInfo, Handlers[I].Flags }, Handlers[I].Block);
  }

  // Funclet @finally: outline the body into a separate helper function and
  // register it as an SEH cleanup instead of using FinallyInfo.
  if (useFunclets)
    if (const ObjCAtFinallyStmt *Finally = S.getFinallyStmt()) {
      CodeGenFunction HelperCGF(CGM, /*suppressNewContext=*/true);
      if (!CGF.CurSEHParent)
        CGF.CurSEHParent = cast<NamedDecl>(CGF.CurFuncDecl);
      // Outline the finally block.
      const Stmt *FinallyBlock = Finally->getFinallyBody();
      HelperCGF.startOutlinedSEHHelper(CGF, /*isFilter*/false, FinallyBlock);

      // Emit the @finally body into the outlined helper.
      HelperCGF.EmitStmt(FinallyBlock);

      HelperCGF.FinishFunction(FinallyBlock->getEndLoc());

      llvm::Function *FinallyFunc = HelperCGF.CurFn;


      // Push a cleanup for __finally blocks.
      CGF.pushSEHCleanup(NormalAndEHCleanup, FinallyFunc);
    }


  // Emit the try body.
  CGF.EmitStmt(S.getTryBody());

  // Leave the try.
  if (S.getNumCatchStmts())
    CGF.popCatchScope();

  // Remember where we were.
  CGBuilderTy::InsertPoint SavedIP = CGF.Builder.saveAndClearIP();

  // Emit the handlers.
  for (unsigned I = 0, E = Handlers.size(); I != E; ++I) {
    CatchHandler &Handler = Handlers[I];

    CGF.EmitBlock(Handler.Block);
    llvm::CatchPadInst *CPI = nullptr;
    // Whatever funclet pad is current is restored when this iteration ends.
    SaveAndRestore<llvm::Instruction *> RestoreCurrentFuncletPad(CGF.CurrentFuncletPad);
    // With funclets the handler block may already begin with a catchpad; if
    // so it becomes the current pad and the exception slot is wired into it.
    // NOTE(review): operand 2 is presumably the catchpad's exception-slot
    // operand — confirm against the catchpad operand layout.
    if (useFunclets)
      if ((CPI = dyn_cast_or_null<llvm::CatchPadInst>(Handler.Block->getFirstNonPHI()))) {
        CGF.CurrentFuncletPad = CPI;
        CPI->setOperand(2, CGF.getExceptionSlot().getPointer());
      }
    llvm::Value *RawExn = CGF.getExceptionFromSlot();

    // Enter the catch.
    llvm::Value *Exn = RawExn;
    if (beginCatchFn)
      Exn = CGF.EmitNounwindRuntimeCall(beginCatchFn, RawExn, "exn.adjusted");

    CodeGenFunction::LexicalScope cleanups(CGF, Handler.Body->getSourceRange());

    if (endCatchFn) {
      // Add a cleanup to leave the catch. The end-catch call is treated as
      // possibly throwing only for @catch(...), i.e. when there is no
      // catch parameter.
      bool EndCatchMightThrow = (Handler.Variable == nullptr);

      CGF.EHStack.pushCleanup<CallObjCEndCatch>(NormalAndEHCleanup,
                                                EndCatchMightThrow,
                                                endCatchFn);
    }

    // Bind the catch parameter if it exists.
    if (const VarDecl *CatchParam = Handler.Variable) {
      llvm::Type *CatchType = CGF.ConvertType(CatchParam->getType());
      llvm::Value *CastExn = CGF.Builder.CreateBitCast(Exn, CatchType);

      CGF.EmitAutoVarDecl(*CatchParam);
      EmitInitOfCatchParam(CGF, CastExn, CatchParam);
    }
    // Funclet handlers need a catchret on the normal exit path.
    if (CPI)
      CGF.EHStack.pushCleanup<CatchRetScope>(NormalCleanup, CPI);

    // The caught exception is visible to @throw; inside the body.
    CGF.ObjCEHValueStack.push_back(Exn);
    CGF.EmitStmt(Handler.Body);
    CGF.ObjCEHValueStack.pop_back();

    // Leave any cleanups associated with the catch.
    cleanups.ForceCleanup();

    CGF.EmitBranchThroughCleanup(Cont);
  }

  // Go back to the try-statement fallthrough.
  CGF.Builder.restoreIP(SavedIP);

  // Pop out of the finally.
  if (!useFunclets && S.getFinallyStmt())
    FinallyInfo.exit(CGF);

  if (Cont.isValid())
    CGF.EmitBlock(Cont.getBlock());
}
289
void CGObjCRuntime::EmitInitOfCatchParam(CodeGenFunction &CGF,
                                         llvm::Value *exn,
                                         const VarDecl *paramDecl) {
  // Store the (already type-adjusted) exception into the catch parameter's
  // local slot, honoring the parameter's ObjC ownership qualifier.
  Address paramAddr = CGF.GetAddrOfLocalVar(paramDecl);
  auto lifetime = paramDecl->getType().getQualifiers().getObjCLifetime();

  switch (lifetime) {
  case Qualifiers::OCL_Weak:
    // __weak parameters go through the ARC weak-initialization entry point.
    CGF.EmitARCInitWeak(paramAddr, exn);
    return;

  case Qualifiers::OCL_Strong:
    // A __strong parameter retains the exception before the plain store.
    exn = CGF.EmitARCRetainNonBlock(exn);
    // fallthrough
  case Qualifiers::OCL_None:
  case Qualifiers::OCL_ExplicitNone:
  case Qualifiers::OCL_Autoreleasing:
    CGF.Builder.CreateStore(exn, paramAddr);
    return;
  }
  llvm_unreachable("invalid ownership qualifier");
}
313
namespace {
  /// Cleanup that releases an @synchronized lock by calling the runtime's
  /// sync-exit function with the lock object, on both normal and EH paths.
  struct CallSyncExit final : EHScopeStack::Cleanup {
    /// The runtime sync-exit function.
    llvm::Value *SyncExitFn;
    /// The lock object passed to it (as a void pointer).
    llvm::Value *SyncArg;

    CallSyncExit(llvm::Value *exitFn, llvm::Value *arg)
        : SyncExitFn(exitFn), SyncArg(arg) {}

    void Emit(CodeGenFunction &CGF, Flags flags) override {
      CGF.EmitNounwindRuntimeCall(SyncExitFn, SyncArg);
    }
  };
}
326
void CGObjCRuntime::EmitAtSynchronizedStmt(CodeGenFunction &CGF,
                                           const ObjCAtSynchronizedStmt &S,
                                           llvm::Function *syncEnterFn,
                                           llvm::Function *syncExitFn) {
  // Everything pushed below (including the lock-release cleanup) is run when
  // this scope ends.
  CodeGenFunction::RunCleanupsScope cleanups(CGF);

  // Evaluate the lock operand first so that its value dominates both the ARC
  // release and the lock-release cleanup.
  const Expr *lockExpr = S.getSynchExpr();
  llvm::Value *lockValue = nullptr;
  if (!CGF.getLangOpts().ObjCAutoRefCount) {
    lockValue = CGF.EmitScalarExpr(lockExpr);
  } else {
    // Under ARC the lock object is retained and then consumed.
    llvm::Value *retained = CGF.EmitARCRetainScalarExpr(lockExpr);
    lockValue = CGF.EmitObjCConsumeObject(lockExpr->getType(), retained);
  }
  llvm::Value *lockPtr = CGF.Builder.CreateBitCast(lockValue, CGF.VoidPtrTy);

  // Acquire the lock; the enter call is marked nounwind.
  CGF.Builder.CreateCall(syncEnterFn, lockPtr)->setDoesNotThrow();

  // Release the lock on every exit path, normal or exceptional.
  CGF.EHStack.pushCleanup<CallSyncExit>(NormalAndEHCleanup, syncExitFn, lockPtr);

  // Emit the body of the statement.
  CGF.EmitStmt(S.getSynchBody());
}
354
/// Compute the pointer-to-function type to which a message send
/// should be casted in order to correctly call the given method
/// with the given arguments, together with the CGFunctionInfo used to
/// arrange the call itself.
///
/// \param method - may be null
/// \param resultType - the result type to use if there's no method
/// \param callArgs - the actual arguments, including implicit ones; the
///   first argument's type is used as the receiver type when a method is given
CGObjCRuntime::MessageSendInfo
CGObjCRuntime::getMessageSendInfo(const ObjCMethodDecl *method,
                                  QualType resultType,
                                  CallArgList &callArgs) {
  auto &Types = CGM.getTypes();

  // Without a method declaration there is nothing to derive a signature
  // from: arrange an unprototyped send with the default CC and cast to the
  // function type that yields.
  if (!method) {
    const CGFunctionInfo &argsInfo =
        Types.arrangeUnprototypedObjCMessageSend(resultType, callArgs);
    llvm::PointerType *fnPtrTy =
        Types.GetFunctionType(argsInfo)->getPointerTo();
    return MessageSendInfo(argsInfo, fnPtrTy);
  }

  // The declared signature determines the function pointer type to cast to;
  // the call itself is arranged from that signature plus the actual arguments.
  const CGFunctionInfo &signature =
      Types.arrangeObjCMessageSendSignature(method, callArgs[0].Ty);
  llvm::PointerType *fnPtrTy =
      Types.GetFunctionType(signature)->getPointerTo();
  const CGFunctionInfo &callInfo = Types.arrangeCall(signature, callArgs);
  return MessageSendInfo(callInfo, fnPtrTy);
}