[LLVMbugs] [Bug 7538] New: Failure to detect obj-c overreleased block

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Wed Jun 30 21:47:53 PDT 2010 

http://llvm.org/bugs/show_bug.cgi?id=7538

           Summary: Failure to detect obj-c overreleased block
           Product: clang
           Version: unspecified
          Platform: Macintosh
        OS/Version: MacOS X
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
        AssignedTo: kremenek at apple.com
        ReportedBy: aeberbach at mac.com
                CC: llvmbugs at cs.uiuc.edu


Originally on stackoverflow as
http://stackoverflow.com/questions/3154598/use-of-ivar-in-block-returned-to-other-object
- the solution is to add a copy before the block autorelease, but analyzer does
not produce a warning.

I have found a crash in an iPhone application with target iOS 4 that changes
depending on the type of build. 

The debugger is giving me nothing much to go on, it stops at

 UIViewController *result = [self factory](self);
with EXC_BAD_ACCESS. self is a class inheriting from NSObject (shown below as
NSObjectInheritor). Zombies are enabled. I've tried changing method factory
three ways with the following results.

This crashes in both debug and ad hoc builds...

- (FactoryMethod) factory;
{
    return [^ UIViewController * (NSObjectInheritor *newThing)
    {
      return [[ViewControllerClass alloc] initWithStuff:(boolValue ? foo :
bar)];
    } autorelease];
}
This works in debug builds but crashes in ad hoc...

- (FactoryMethod) factory;
{
  return [^ UIViewController * (NSObjectInheritor *newThing)
  {
    if(boolValue)
    {
      return [[ViewControllerClass alloc] initWithStuff:foo];
    }
    else
    {
      return [[ViewControllerClass alloc] initWithStuff:bar];
    }
  } autorelease];
}
This works in both debug and ad hoc but is very ugly and redundant:

- (FactoryMethod) factory;
{
  if(boolValue)
  {
    return [^ UIViewController * (NSObjectInheritor *newThing)
    {
      return [[ViewControllerClass alloc] initWithStuff:foo];
    } autorelease];
  }
  else
  {
    return [^ UIViewController * (NSObjectInheritor *newThing)
    {
      return [[[ViewControllerClass alloc] initWithStuff:bar];
    } autorelease];
  }
}
My theory is that boolValue becomes inaccessible at the time the returned block
is executed. It is

@interface SubclassOfNSObjectInheritor : NSObjectInheritor
{
  BOOL boolValue;
}

@property (readonly) BOOL boolValue;
(YES or NO assigned in SubclassOfNSObjectInheritor's init of course) and

@synthesize boolValue;
in SubclassOfNSObjectInheritor's implementation.

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the llvm-bugs mailing list