authorGabor Horvath <xazax.hun@gmail.com>2015-09-18 21:15:37 +0000
committerGabor Horvath <xazax.hun@gmail.com>2015-09-18 21:15:37 +0000
commitdce40c518d7bb7726f15276ac31de8fefdbf8fd0 (patch)
treee1f746cad96f228b9ae8ace2fda1d135720cb179 /clang/lib
parent34b9ef680fe352d621170309bb96eda8829c755d (diff)
[Static Analyzer] General type checker based on dynamic type information.
Differential Revision: http://reviews.llvm.org/D12973 llvm-svn: 248041
Diffstat (limited to 'clang/lib')
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt1
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/Checkers.td4
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/DynamicTypeChecker.cpp202
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp52
4 files changed, 207 insertions, 52 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
index 93167c7d43b..3416e0d91d0 100644
--- a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
+++ b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
@@ -33,6 +33,7 @@ add_clang_library(clangStaticAnalyzerCheckers
DirectIvarAssignment.cpp
DivZeroChecker.cpp
DynamicTypePropagation.cpp
+ DynamicTypeChecker.cpp
ExprInspectionChecker.cpp
FixedAddressChecker.cpp
GenericTaintChecker.cpp
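Review bot: The new `DynamicTypeChecker.cpp` entry sits after `DynamicTypePropagation.cpp`, which breaks the alphabetical order the visible part of this source list follows. Moving it one line up, directly before `DynamicTypePropagation.cpp`, keeps the list sorted and makes later additions less likely to conflict.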
diff --git a/clang/lib/StaticAnalyzer/Checkers/Checkers.td b/clang/lib/StaticAnalyzer/Checkers/Checkers.td
index 3f6de2a0473..d42ba64c6c1 100644
--- a/clang/lib/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/lib/StaticAnalyzer/Checkers/Checkers.td
@@ -129,6 +129,10 @@ def TestAfterDivZeroChecker : Checker<"TestAfterDivZero">,
HelpText<"Check for division by variable that is later compared against 0. Either the comparison is useless or there is division by zero.">,
DescFile<"TestAfterDivZeroChecker.cpp">;
+def DynamicTypeChecker : Checker<"DynamicTypeChecker">,
+ HelpText<"Check for cases where the dynamic and the static type of an object are unrelated.">,
+ DescFile<"DynamicTypeChecker.cpp">;
+
} // end "alpha.core"
let ParentPackage = Nullability in {
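Review bot: Registering the checker under alpha.core means the unrelated-type diagnostic is only produced when that checker is explicitly enabled, while the same commit deletes `isReturnValueMisused` from DynamicTypePropagation.cpp, which used to report the return-value case from the generics path. If existing analyses relied on that warning and do not enable this checker, the mismatch silently stops being reported. It would be worth stating this in the commit message or the HelpText. As a smaller point, the registered name `"DynamicTypeChecker"` carries a `Checker` suffix that the neighbouring `"TestAfterDivZero"` does not; `Checker<"DynamicType">` would match the sibling.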
diff --git a/clang/lib/StaticAnalyzer/Checkers/DynamicTypeChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/DynamicTypeChecker.cpp
new file mode 100644
index 00000000000..af4187005c3
--- /dev/null
+++ b/clang/lib/StaticAnalyzer/Checkers/DynamicTypeChecker.cpp
@@ -0,0 +1,202 @@
+//== DynamicTypeChecker.cpp ------------------------------------ -*- C++ -*--=//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This checker looks for cases where the dynamic type of an object is unrelated
+// to its static type. The type information utilized by this check is collected
+// by the DynamicTypePropagation checker. This check does not report any type
+// error for ObjC Generic types, in order to avoid duplicate erros from the
+// ObjC Generics checker. This checker is not supposed to modify the program
+// state, it is just the observer of the type information provided by other
+// checkers.
+//
+//===----------------------------------------------------------------------===//
+
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class DynamicTypeChecker : public Checker<check::PostStmt<ImplicitCastExpr>> {
+ mutable std::unique_ptr<BugType> BT;
+ void initBugType() const {
+ if (!BT)
+ BT.reset(
+ new BugType(this, "Dynamic and static type mismatch", "Type Error"));
+ }
+
+ class DynamicTypeBugVisitor
+ : public BugReporterVisitorImpl<DynamicTypeBugVisitor> {
+ public:
+ DynamicTypeBugVisitor(const MemRegion *Reg) : Reg(Reg) {}
+
+ void Profile(llvm::FoldingSetNodeID &ID) const override {
+ static int X = 0;
+ ID.AddPointer(&X);
+ ID.AddPointer(Reg);
+ }
+
+ PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
+ const ExplodedNode *PrevN,
+ BugReporterContext &BRC,
+ BugReport &BR) override;
+
+ private:
+ // The tracked region.
+ const MemRegion *Reg;
+ };
+
+ void reportTypeError(QualType DynamicType, QualType StaticType,
+ const MemRegion *Reg, const Stmt *ReportedNode,
+ CheckerContext &C) const;
+
+public:
+ void checkPostStmt(const ImplicitCastExpr *CE, CheckerContext &C) const;
+};
+}
+
+void DynamicTypeChecker::reportTypeError(QualType DynamicType,
+ QualType StaticType,
+ const MemRegion *Reg,
+ const Stmt *ReportedNode,
+ CheckerContext &C) const {
+ initBugType();
+ SmallString<192> Buf;
+ llvm::raw_svector_ostream OS(Buf);
+ OS << "Object has a dynamic type '";
+ QualType::print(DynamicType.getTypePtr(), Qualifiers(), OS, C.getLangOpts(),
+ llvm::Twine());
+ OS << "' which is incompatible with static type '";
+ QualType::print(StaticType.getTypePtr(), Qualifiers(), OS, C.getLangOpts(),
+ llvm::Twine());
+ OS << "'";
+ std::unique_ptr<BugReport> R(
+ new BugReport(*BT, OS.str(), C.generateNonFatalErrorNode()));
+ R->markInteresting(Reg);
+ R->addVisitor(llvm::make_unique<DynamicTypeBugVisitor>(Reg));
+ R->addRange(ReportedNode->getSourceRange());
+ C.emitReport(std::move(R));
+}
+
+PathDiagnosticPiece *DynamicTypeChecker::DynamicTypeBugVisitor::VisitNode(
+ const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC,
+ BugReport &BR) {
+ ProgramStateRef State = N->getState();
+ ProgramStateRef StatePrev = PrevN->getState();
+
+ DynamicTypeInfo TrackedType = getDynamicTypeInfo(State, Reg);
+ DynamicTypeInfo TrackedTypePrev = getDynamicTypeInfo(StatePrev, Reg);
+ if (!TrackedType.isValid())
+ return nullptr;
+
+ if (TrackedTypePrev.isValid() &&
+ TrackedTypePrev.getType() == TrackedType.getType())
+ return nullptr;
+
+ // Retrieve the associated statement.
+ const Stmt *S = nullptr;
+ ProgramPoint ProgLoc = N->getLocation();
+ if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) {
+ S = SP->getStmt();
+ }
+
+ if (!S)
+ return nullptr;
+
+ const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();
+
+ SmallString<256> Buf;
+ llvm::raw_svector_ostream OS(Buf);
+ OS << "Type '";
+ QualType::print(TrackedType.getType().getTypePtr(), Qualifiers(), OS,
+ LangOpts, llvm::Twine());
+ OS << "' is inferred from ";
+
+ if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(S)) {
+ OS << "explicit cast (from '";
+ QualType::print(ExplicitCast->getSubExpr()->getType().getTypePtr(),
+ Qualifiers(), OS, LangOpts, llvm::Twine());
+ OS << "' to '";
+ QualType::print(ExplicitCast->getType().getTypePtr(), Qualifiers(), OS,
+ LangOpts, llvm::Twine());
+ OS << "')";
+ } else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(S)) {
+ OS << "implicit cast (from '";
+ QualType::print(ImplicitCast->getSubExpr()->getType().getTypePtr(),
+ Qualifiers(), OS, LangOpts, llvm::Twine());
+ OS << "' to '";
+ QualType::print(ImplicitCast->getType().getTypePtr(), Qualifiers(), OS,
+ LangOpts, llvm::Twine());
+ OS << "')";
+ } else {
+ OS << "this context";
+ }
+
+ // Generate the extra diagnostic.
+ PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
+ N->getLocationContext());
+ return new PathDiagnosticEventPiece(Pos, OS.str(), true, nullptr);
+}
+
+// TODO: consider checking explicit casts?
+void DynamicTypeChecker::checkPostStmt(const ImplicitCastExpr *CE,
+ CheckerContext &C) const {
+ // TODO: C++ support.
+ if (CE->getCastKind() != CK_BitCast)
+ return;
+
+ const MemRegion *Region = C.getSVal(CE).getAsRegion();
+ if (!Region)
+ return;
+
+ ProgramStateRef State = C.getState();
+ DynamicTypeInfo DynTypeInfo = getDynamicTypeInfo(State, Region);
+
+ if (!DynTypeInfo.isValid())
+ return;
+
+ QualType DynType = DynTypeInfo.getType();
+ QualType StaticType = CE->getType();
+
+ const auto *DynObjCType = DynType->getAs<ObjCObjectPointerType>();
+ const auto *StaticObjCType = StaticType->getAs<ObjCObjectPointerType>();
+
+ if (!DynObjCType || !StaticObjCType)
+ return;
+
+ ASTContext &ASTCtxt = C.getASTContext();
+
+ // Strip kindeofness to correctly detect subtyping relationships.
+ DynObjCType = DynObjCType->stripObjCKindOfTypeAndQuals(ASTCtxt);
+ StaticObjCType = StaticObjCType->stripObjCKindOfTypeAndQuals(ASTCtxt);
+
+ // Specialized objects are handled by the generics checker.
+ if (StaticObjCType->isSpecialized())
+ return;
+
+ if (ASTCtxt.canAssignObjCInterfaces(StaticObjCType, DynObjCType))
+ return;
+
+ if (DynTypeInfo.canBeASubClass() &&
+ ASTCtxt.canAssignObjCInterfaces(DynObjCType, StaticObjCType))
+ return;
+
+ reportTypeError(DynType, StaticType, Region, CE, C);
+}
+
+void ento::registerDynamicTypeChecker(CheckerManager &mgr) {
+ mgr.registerChecker<DynamicTypeChecker>();
+}
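Review bot: In `reportTypeError` the result of `C.generateNonFatalErrorNode()` is passed straight into the `BugReport` constructor. As far as I know that call can return null when no new node is generated, which would leave the report without an error node. A guard before the message is built avoids that: `ExplodedNode *N = C.generateNonFatalErrorNode(); if (!N) return;`, then pass `N` to `BugReport`. In `VisitNode` the explicit-cast and implicit-cast branches differ only in one word, so a single `dyn_cast<CastExpr>(S)` branch that selects the word with `isa<ExplicitCastExpr>(S)` would remove the duplicated printing. Two comment typos are worth fixing while the file is new: `erros` in the file header and `kindeofness` above the `stripObjCKindOfTypeAndQuals` calls.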
diff --git a/clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp b/clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
index a2ef65a045b..30f629830c6 100644
--- a/clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
@@ -22,7 +22,6 @@
//===----------------------------------------------------------------------===//
#include "ClangSACheckers.h"
-#include "clang/AST/ParentMap.h"
#include "clang/AST/RecursiveASTVisitor.h"
#include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
@@ -98,13 +97,6 @@ class DynamicTypePropagation:
const ObjCObjectPointerType *To, ExplodedNode *N,
SymbolRef Sym, CheckerContext &C,
const Stmt *ReportedNode = nullptr) const;
-
- bool isReturnValueMisused(const ObjCMessageExpr *MessageExpr,
- const ObjCObjectPointerType *TrackedType,
- SymbolRef Sym, const ObjCMethodDecl *Method,
- ArrayRef<QualType> TypeArgs,
- bool SubscriptOrProperty, CheckerContext &C) const;
-
public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
@@ -684,46 +676,6 @@ static QualType getReturnTypeForMethod(
return ResultType;
}
-/// Validate that the return type of a message expression is used correctly.
-/// Returns true in case an error is detected.
-bool DynamicTypePropagation::isReturnValueMisused(
- const ObjCMessageExpr *MessageExpr,
- const ObjCObjectPointerType *ResultPtrType, SymbolRef Sym,
- const ObjCMethodDecl *Method, ArrayRef<QualType> TypeArgs,
- bool SubscriptOrProperty, CheckerContext &C) const {
- if (!ResultPtrType)
- return false;
-
- ASTContext &ASTCtxt = C.getASTContext();
- const Stmt *Parent =
- C.getCurrentAnalysisDeclContext()->getParentMap().getParent(MessageExpr);
- if (SubscriptOrProperty) {
- // Properties and subscripts are not direct parents.
- Parent =
- C.getCurrentAnalysisDeclContext()->getParentMap().getParent(Parent);
- }
-
- const auto *ImplicitCast = dyn_cast_or_null<ImplicitCastExpr>(Parent);
- if (!ImplicitCast || ImplicitCast->getCastKind() != CK_BitCast)
- return false;
-
- const auto *ExprTypeAboveCast =
- ImplicitCast->getType()->getAs<ObjCObjectPointerType>();
- if (!ExprTypeAboveCast)
- return false;
-
- // Only warn on unrelated types to avoid too many false positives on
- // downcasts.
- if (!ASTCtxt.canAssignObjCInterfaces(ExprTypeAboveCast, ResultPtrType) &&
- !ASTCtxt.canAssignObjCInterfaces(ResultPtrType, ExprTypeAboveCast)) {
- static CheckerProgramPointTag Tag(this, "ReturnTypeMismatch");
- ExplodedNode *N = C.addTransition(C.getState(), &Tag);
- reportGenericsBug(ResultPtrType, ExprTypeAboveCast, N, Sym, C);
- return true;
- }
- return false;
-}
-
/// When the receiver has a tracked type, use that type to validate the
/// argumments of the message expression and the return value.
void DynamicTypePropagation::checkPreObjCMessage(const ObjCMethodCall &M,
@@ -881,10 +833,6 @@ void DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
const auto *ResultPtrType = ResultType->getAs<ObjCObjectPointerType>();
- if (isReturnValueMisused(MessageExpr, ResultPtrType, RecSym, Method,
- *TypeArgs, M.getMessageKind() != OCM_Message, C))
- return;
-
if (!ResultPtrType || ResultPtrType->isUnspecialized())
return;