Coverage Report

Created: 2020-10-24 06:27

/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
1
//===- DynamicTypePropagation.cpp ------------------------------*- C++ -*--===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This file contains two checkers. One helps the static analyzer core to track
10
// types, the other does type inference on Obj-C generics and reports type
11
// errors.
12
//
13
// Dynamic Type Propagation:
14
// This checker defines the rules for dynamic type gathering and propagation.
15
//
16
// Generics Checker for Objective-C:
17
// This checker tries to find type errors that the compiler is not able to catch
18
// due to the implicit conversions that were introduced for backward
19
// compatibility.
20
//
21
//===----------------------------------------------------------------------===//
22
23
#include "clang/AST/ParentMap.h"
24
#include "clang/AST/RecursiveASTVisitor.h"
25
#include "clang/Basic/Builtins.h"
26
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
27
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
28
#include "clang/StaticAnalyzer/Core/Checker.h"
29
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
30
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
31
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
32
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
33
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
34
35
using namespace clang;
36
using namespace ento;
37
38
// ProgramState trait - The type inflation is tracked by DynamicTypeMap. This is
// an auxiliary map that tracks more information about generic types, because in
// some cases the most derived type is not the most informative one about the
// type parameters. The types that are stored for each symbol in this map must
// be specialized.
// TODO: In some cases the type stored in this map is exactly the same as the
// one stored in DynamicTypeMap. We should not store duplicated information in
// those cases.
REGISTER_MAP_WITH_PROGRAMSTATE(MostSpecializedTypeArgsMap, SymbolRef,
                               const ObjCObjectPointerType *)
48
49
namespace {
50
/// Checker object behind both checkers described in the file header: dynamic
/// type propagation for the analyzer core and the Objective-C generics checker.
class DynamicTypePropagation
    : public Checker<check::PreCall, check::PostCall, check::DeadSymbols,
                     check::PostStmt<CastExpr>, check::PostStmt<CXXNewExpr>,
                     check::PreObjCMessage, check::PostObjCMessage> {

  const ObjCObjectType *getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
                                                    CheckerContext &C) const;

  /// Return a better dynamic type if one can be derived from the cast.
  const ObjCObjectPointerType *getBetterObjCType(const Expr *CastE,
                                                 CheckerContext &C) const;

  ExplodedNode *dynamicTypePropagationOnCasts(const CastExpr *CE,
                                              ProgramStateRef &State,
                                              CheckerContext &C) const;

  // Created on first use by initBugType(); mutable because the checker
  // callbacks are const.
  mutable std::unique_ptr<BugType> ObjCGenericsBugType;

  /// Create the generics bug type unless it already exists.
  void initBugType() const {
    if (ObjCGenericsBugType)
      return;
    ObjCGenericsBugType = std::make_unique<BugType>(
        GenericCheckName, "Generics", categories::CoreFoundationObjectiveC);
  }

  /// Bug report visitor bound to a single tracked symbol.
  class GenericsBugVisitor : public BugReporterVisitor {
  public:
    GenericsBugVisitor(SymbolRef S) : Sym(S) {}

    void Profile(llvm::FoldingSetNodeID &ID) const override {
      // The address of a function-local static identifies this visitor kind;
      // the symbol distinguishes individual visitors.
      static int Tag = 0;
      ID.AddPointer(&Tag);
      ID.AddPointer(Sym);
    }

    PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                     BugReporterContext &BRC,
                                     PathSensitiveBugReport &BR) override;

  private:
    // The tracked symbol.
    SymbolRef Sym;
  };

  void reportGenericsBug(const ObjCObjectPointerType *From,
                         const ObjCObjectPointerType *To, ExplodedNode *N,
                         SymbolRef Sym, CheckerContext &C,
                         const Stmt *ReportedNode = nullptr) const;

public:
  // Checker callbacks, one per check:: entry in the base class list.
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
  void checkPostStmt(const CastExpr *CastE, CheckerContext &C) const;
  void checkPostStmt(const CXXNewExpr *NewE, CheckerContext &C) const;
  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
  void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
  void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;

  /// This value is set to true when the Generics checker is turned on.
  DefaultBool CheckGenerics;
  /// Checker name passed to the BugType created in initBugType().
  CheckerNameRef GenericCheckName;
};
114
115
31
/// Returns true when \p Type is an ObjCObjectPointerType whose object type
/// reports isObjCClass(); any other type yields false.
bool isObjCClassType(QualType Type) {
  const auto *PointerType = dyn_cast<ObjCObjectPointerType>(Type);
  return PointerType && PointerType->getObjectType()->isObjCClass();
}
121
122
/// Result of receiver type inference: the inferred object type, plus a flag
/// that is set when the inference is known to be exact.
struct RuntimeType {
  const ObjCObjectType *Type = nullptr;
  bool Precise = false;

  /// True when a type was inferred at all.
  operator bool() const { return static_cast<bool>(Type); }
};
128
129
/// Infer the runtime type of the receiver of \p Message.
///
/// Returns an empty RuntimeType when nothing useful can be inferred. The
/// Precise flag is set only when the type was derived statically from the
/// message expression, or when the tracked class-object info says it cannot
/// be a subclass.
RuntimeType inferReceiverType(const ObjCMethodCall &Message,
                              CheckerContext &C) {
  const ObjCMessageExpr *MsgE = Message.getOriginExpr();

  // Check if we can statically infer the actual type precisely.
  switch (MsgE->getReceiverKind()) {
  case ObjCMessageExpr::Class:
    // 1. Class is written directly in the message:
    // \code
    //   [ActualClass classMethod];
    // \endcode
    return {MsgE->getClassReceiver()->getAs<ObjCObjectType>(),
            /*Precise=*/true};

  case ObjCMessageExpr::SuperClass:
    // 2. Receiver is 'super' from a class method (a.k.a 'super' is a
    //    class object).
    // \code
    //   [super classMethod];
    // \endcode
    return {MsgE->getSuperType()->getAs<ObjCObjectType>(),
            /*Precise=*/true};

  case ObjCMessageExpr::SuperInstance:
    // 3. Receiver is 'super' from an instance method (a.k.a 'super' is an
    //    instance of a super class).
    // \code
    //   [super instanceMethod];
    // \endcode
    if (const auto *SuperPtrTy =
            MsgE->getSuperType()->getAs<ObjCObjectPointerType>())
      return {SuperPtrTy->getObjectType(), /*Precise=*/true};
    break;

  case ObjCMessageExpr::Instance:
    break;
  }

  const Expr *Receiver = MsgE->getInstanceReceiver();
  if (!Receiver)
    return {};

  // Otherwise, let's try to get type information from our estimations of
  // runtime types.
  QualType InferredType;
  SVal ReceiverSVal = C.getSVal(Receiver);
  ProgramStateRef State = C.getState();

  if (const MemRegion *ReceiverRegion = ReceiverSVal.getAsRegion())
    if (DynamicTypeInfo DTI = getDynamicTypeInfo(State, ReceiverRegion))
      InferredType = DTI.getType().getCanonicalType();

  if (SymbolRef ReceiverSymbol = ReceiverSVal.getAsSymbol()) {
    // Fall back to the symbol's own type when no dynamic type was tracked.
    if (InferredType.isNull())
      InferredType = ReceiverSymbol->getType();

    // If receiver is a Class object, we want to figure out the type it
    // represents.
    if (isObjCClassType(InferredType)) {
      // We actually might have some info on what type is contained in there.
      // Types in Class objects can be ONLY Objective-C types.
      if (DynamicTypeInfo DTI =
              getClassObjectDynamicTypeInfo(State, ReceiverSymbol))
        return {cast<ObjCObjectType>(DTI.getType()), !DTI.canBeASubClass()};

      // Another way we can guess what is in Class object, is when it is a
      // 'self' variable of the current class method. In this case, we should
      // return the type of the enclosing class declaration.
      if (ReceiverSVal == State->getSelfSVal(C.getLocationContext())) {
        // NOTE(review): getClassInterface() is dereferenced without a null
        // check; presumably it is never null for a method with a stack frame
        // -- confirm.
        if (const auto *MD =
                dyn_cast<ObjCMethodDecl>(C.getStackFrame()->getDecl()))
          if (const auto *ObjTy = dyn_cast<ObjCObjectType>(
                  MD->getClassInterface()->getTypeForDecl()))
            return {ObjTy};
      }
    }
  }

  // Unfortunately, it seems like we have no idea what that type is.
  if (InferredType.isNull())
    return {};

  // We can end up here if we got some dynamic type info and the
  // receiver is not one of the known Class objects.
  const auto *ReceiverInferredType =
      dyn_cast<ObjCObjectPointerType>(InferredType);
  if (!ReceiverInferredType) {
    // Any other type (like 'Class') is not really useful at this point.
    return {};
  }
  return {ReceiverInferredType->getObjectType()};
}
229
} // end anonymous namespace
230
231
/// Drop all type information kept for symbols that \p SR reports as dead:
/// the dynamic type maps first, then MostSpecializedTypeArgsMap.
void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR,
                                              CheckerContext &C) const {
  ProgramStateRef State =
      removeDeadClassObjectTypes(removeDeadTypes(C.getState(), SR), SR);

  // Walk the map as fetched before the loop; State is reassigned each time a
  // dead entry is removed.
  const MostSpecializedTypeArgsMapTy TyArgMap =
      State->get<MostSpecializedTypeArgsMap>();
  for (const auto &Entry : TyArgMap)
    if (SR.isDead(Entry.first))
      State = State->remove<MostSpecializedTypeArgsMap>(Entry.first);

  C.addTransition(State);
}
248
249
/// Record that \p Region holds an object whose dynamic type is exactly a
/// pointer to the class that declares \p MD (it cannot be a subclass), and
/// add the resulting state as a transition.
static void recordFixedType(const MemRegion *Region, const CXXMethodDecl *MD,
                            CheckerContext &C) {
  // Asserts are compiled out of NDEBUG builds, so callers must pass non-null
  // arguments.
  assert(Region);
  assert(MD);

  ASTContext &ASTCtx = C.getASTContext();
  const QualType ClassPtrTy =
      ASTCtx.getPointerType(ASTCtx.getRecordType(MD->getParent()));

  C.addTransition(setDynamicTypeInfo(C.getState(), Region, ClassPtrTy,
                                     /*CanBeSubClassed=*/false));
}
261
262
/// Before a base-class constructor or base destructor runs, pin the dynamic
/// type of 'this' to the class whose constructor/destructor is executing.
void DynamicTypePropagation::checkPreCall(const CallEvent &Call,
                                          CheckerContext &C) const {
  // C++11 [class.cdtor]p4: When a virtual function is called directly or
  //   indirectly from a constructor or from a destructor, including during
  //   the construction or destruction of the class's non-static data members,
  //   and the object to which the call applies is the object under
  //   construction or destruction, the function called is the final overrider
  //   in the constructor's or destructor's class and not one overriding it in
  //   a more-derived class.
  if (const auto *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
    const auto Kind = Ctor->getOriginExpr()->getConstructionKind();
    const bool IsBaseCtor = Kind == CXXConstructExpr::CK_NonVirtualBase ||
                            Kind == CXXConstructExpr::CK_VirtualBase;
    // Complete and delegating constructors need no additional type info.
    if (!IsBaseCtor)
      return;

    if (const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion())
      recordFixedType(Target, Ctor->getDecl(), C);
    return;
  }

  const auto *Dtor = dyn_cast<CXXDestructorCall>(&Call);
  if (!Dtor || !Dtor->isBaseDestructor())
    return;

  // Same [class.cdtor]p4 rule as above, applied to base destructors.
  const MemRegion *Target = Dtor->getCXXThisVal().getAsRegion();
  const Decl *D = Dtor->getDecl();
  if (!Target || !D)
    return;

  recordFixedType(Target, cast<CXXDestructorDecl>(D), C);
}
305
306
/// After a call, record dynamic type info for Objective-C alloc/new/init
/// results and, for finished base-class constructors, re-pin the type of
/// 'this' to the class of the enclosing constructor.
void DynamicTypePropagation::checkPostCall(const CallEvent &Call,
                                           CheckerContext &C) const {
  // We can obtain perfect type info for return values from some calls.
  if (const auto *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
    // Get the returned value if it's a region.
    const MemRegion *RetReg = Call.getReturnValue().getAsRegion();
    if (!RetReg)
      return;

    ProgramStateRef State = C.getState();
    const ObjCMethodDecl *D = Msg->getDecl();
    if (!D || !D->hasRelatedResultType())
      return;

    switch (Msg->getMethodFamily()) {
    // We assume that the type of the object returned by alloc and new are the
    // pointer to the object of the class specified in the receiver of the
    // message.
    case OMF_alloc:
    case OMF_new: {
      // Get the type of object that will get created.
      RuntimeType ObjTy = inferReceiverType(*Msg, C);
      if (!ObjTy)
        return;

      QualType DynResTy =
          C.getASTContext().getObjCObjectPointerType(QualType(ObjTy.Type, 0));
      // We used to assume that whatever type we got from inferring the
      // type is actually precise (and it is not exactly correct).
      // A big portion of the existing behavior depends on that assumption
      // (e.g. certain inlining won't take place). For this reason, we don't
      // use ObjTy.Precise flag here.
      //
      // TODO: We should mitigate this problem some time in the future
      // and replace hardcoded 'false' with '!ObjTy.Precise'.
      C.addTransition(setDynamicTypeInfo(State, RetReg, DynResTy, false));
      break;
    }
    case OMF_init: {
      // Assume the result of the init method has the same dynamic type as
      // the receiver and propagate the dynamic type info.
      const MemRegion *RecReg = Msg->getReceiverSVal().getAsRegion();
      if (!RecReg)
        return;
      DynamicTypeInfo RecDynType = getDynamicTypeInfo(State, RecReg);
      C.addTransition(setDynamicTypeInfo(State, RetReg, RecDynType));
      break;
    }
    default:
      break;
    }
    return;
  }

  const auto *Ctor = dyn_cast<CXXConstructorCall>(&Call);
  if (!Ctor)
    return;

  // We may need to undo the effects of our pre-call check.
  const auto Kind = Ctor->getOriginExpr()->getConstructionKind();
  // Complete and delegating constructors need no additional work.
  // Note: This will leave behind the actual type of the object for
  // complete constructors, but arguably that's a good thing, since it
  // means the dynamic type info will be correct even for objects
  // constructed with operator new.
  if (Kind != CXXConstructExpr::CK_NonVirtualBase &&
      Kind != CXXConstructExpr::CK_VirtualBase)
    return;

  const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion();
  if (!Target)
    return;

  // We just finished a base constructor. Now we can use the subclass's
  // type when resolving virtual calls.
  const LocationContext *LCtx = C.getLocationContext();

  // FIXME: In C++17 classes with non-virtual bases may be treated as
  // aggregates, and in such case no top-frame constructor will be called.
  // Figure out if we need to do anything in this case.
  // FIXME: Instead of relying on the ParentMap, we should have the
  // trigger-statement (InitListExpr in this case) available in this
  // callback, ideally as part of CallEvent.
  if (dyn_cast_or_null<InitListExpr>(
          LCtx->getParentMap().getParent(Ctor->getOriginExpr())))
    return;

  recordFixedType(Target, cast<CXXConstructorDecl>(LCtx->getDecl()), C);
}
397
398
/// Update the dynamic type of the cast's region when the cast yields a better
/// Objective-C type. Returns the node produced by the transition, or the
/// predecessor node when nothing changed.
///
/// TODO: Handle explicit casts.
///       Handle C++ casts.
///
/// Precondition: the cast is between ObjCObjectPointers.
ExplodedNode *DynamicTypePropagation::dynamicTypePropagationOnCasts(
    const CastExpr *CE, ProgramStateRef &State, CheckerContext &C) const {
  // We only track type info for regions, and explicit casts are not handled
  // yet (see TODO above).
  const MemRegion *ToR = C.getSVal(CE).getAsRegion();
  if (!ToR || isa<ExplicitCastExpr>(CE))
    return C.getPredecessor();

  const Type *NewTy = getBetterObjCType(CE, C);
  if (!NewTy)
    return C.getPredecessor();

  State = setDynamicTypeInfo(State, ToR, QualType(NewTy, 0));
  return C.addTransition(State);
}
418
419
/// Record the exact dynamic type of an object created by a non-array
/// new-expression.
void DynamicTypePropagation::checkPostStmt(const CXXNewExpr *NewE,
                                           CheckerContext &C) const {
  if (NewE->isArray())
    return;

  // We only track dynamic type info for regions.
  if (const MemRegion *MR = C.getSVal(NewE).getAsRegion())
    C.addTransition(setDynamicTypeInfo(C.getState(), MR, NewE->getType(),
                                       /*CanBeSubClassed=*/false));
}
432
433
// Return a better dynamic type if one can be derived from the cast.
// Compare the current dynamic type of the region and the new type to which we
// are casting. If the new type is lower in the inheritance hierarchy, pick it.
// Returns nullptr when the cast does not improve on the tracked type.
const ObjCObjectPointerType *
DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
                                          CheckerContext &C) const {
  const MemRegion *ToR = C.getSVal(CastE).getAsRegion();
  // Compiled out of NDEBUG builds; dynamicTypePropagationOnCasts checks the
  // region before calling here.
  assert(ToR);

  // Get the old and new types.
  const auto *NewTy = CastE->getType()->getAs<ObjCObjectPointerType>();
  if (!NewTy)
    return nullptr;

  const QualType OldDTy = getDynamicTypeInfo(C.getState(), ToR).getType();
  if (OldDTy.isNull())
    return NewTy;

  const auto *OldTy = OldDTy->getAs<ObjCObjectPointerType>();
  if (!OldTy)
    return nullptr;

  // If the old type is 'id', the new one is more precise.
  if (OldTy->isObjCIdType() && !NewTy->isObjCIdType())
    return NewTy;

  // Return new if it's a subclass of old.
  const ObjCInterfaceDecl *ToI = NewTy->getInterfaceDecl();
  const ObjCInterfaceDecl *FromI = OldTy->getInterfaceDecl();
  const bool NewIsSubclass = ToI && FromI && FromI->isSuperClassOf(ToI);
  return NewIsSubclass ? NewTy : nullptr;
}
468
469
/// Walk the superclass chain of \p To up to the class of \p From, keeping in
/// \p MostInformativeCandidate the most derived type seen on the way that
/// still carries the type arguments. Returns \p From when \p To turns out to
/// be unspecialized at \p From's class or is not a descendant of it.
static const ObjCObjectPointerType *getMostInformativeDerivedClassImpl(
    const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
    const ObjCObjectPointerType *MostInformativeCandidate, ASTContext &C) {
  // NOTE(review): getInterfaceDecl() is dereferenced unchecked on both types;
  // presumably callers only pass types backed by an interface -- confirm.
  for (;;) {
    // Checking if from and to are the same classes modulo specialization.
    if (From->getInterfaceDecl()->getCanonicalDecl() ==
        To->getInterfaceDecl()->getCanonicalDecl()) {
      if (!To->isSpecialized())
        return From;
      assert(MostInformativeCandidate->isSpecialized());
      return MostInformativeCandidate;
    }

    const QualType SuperTy = To->getObjectType()->getSuperClassType();
    if (SuperTy.isNull()) {
      // If To has no super class and From and To aren't the same then
      // To was not actually a descendant of From. In this case the best we
      // can do is 'From'.
      return From;
    }

    const auto *SuperOfTo = SuperTy->castAs<ObjCObjectType>();
    assert(SuperOfTo);
    const auto *SuperPtrOfTo =
        C.getObjCObjectPointerType(QualType(SuperOfTo, 0))
            ->castAs<ObjCObjectPointerType>();

    // An unspecialized To carries no type arguments, so the candidate restarts
    // from its superclass; otherwise the current candidate is kept.
    if (To->isUnspecialized())
      MostInformativeCandidate = SuperPtrOfTo;
    To = SuperPtrOfTo;
  }
}
502
503
/// A downcast may lose specialization information. E.g.:
///   MutableMap<T, U> : Map
/// The downcast to MutableMap loses the information about the types of the
/// Map (because the type parameters are not forwarded to Map), and in
/// general there is no way to recover that information from the
/// declaration. In order to have the most information, let's find the most
/// derived type that has all the type parameters forwarded.
///
/// Get a subclass of \p From (which has a lower bound \p To) that does not
/// lose information about type parameters. \p To has to be a subclass of
/// \p From. \p From has to be specialized.
static const ObjCObjectPointerType *
getMostInformativeDerivedClass(const ObjCObjectPointerType *From,
                               const ObjCObjectPointerType *To, ASTContext &C) {
  // The search starts with To itself as the candidate.
  return getMostInformativeDerivedClassImpl(From, To,
                                            /*MostInformativeCandidate=*/To, C);
}
519
520
/// Inputs:
///   \param StaticLowerBound Static lower bound for a symbol. The dynamic lower
///   bound might be the subclass of this type.
///   \param StaticUpperBound A static upper bound for a symbol.
///   \p StaticLowerBound expected to be the subclass of \p StaticUpperBound.
///   \param Current The type that was inferred for a symbol in a previous
///   context. Might be null when this is the first time that inference happens.
/// Precondition:
///   \p StaticLowerBound or \p StaticUpperBound is specialized. If \p Current
///   is not null, it is specialized.
/// Possible cases:
///   (1) The \p Current is null and \p StaticLowerBound <: \p StaticUpperBound
///   (2) \p StaticLowerBound <: \p Current <: \p StaticUpperBound
///   (3) \p Current <: \p StaticLowerBound <: \p StaticUpperBound
///   (4) \p StaticLowerBound <: \p StaticUpperBound <: \p Current
/// Effect:
///   Use getMostInformativeDerivedClass with the upper and lower bound of the
///   set {\p StaticLowerBound, \p Current, \p StaticUpperBound}. The computed
///   lower bound must be specialized. If the result differs from \p Current or
///   \p Current is null, store the result.
/// \returns true when \p State was updated.
static bool
storeWhenMoreInformative(ProgramStateRef &State, SymbolRef Sym,
                         const ObjCObjectPointerType *const *Current,
                         const ObjCObjectPointerType *StaticLowerBound,
                         const ObjCObjectPointerType *StaticUpperBound,
                         ASTContext &C) {
  // TODO: The above 4 cases are not exhaustive. In particular, it is possible
  // for Current to be incomparable with StaticLowerBound, StaticUpperBound,
  // or both.
  //
  // For example, suppose Foo<T> and Bar<T> are unrelated types.
  //
  //  Foo<T> *f = ...
  //  Bar<T> *b = ...
  //
  //  id t1 = b;
  //  f = t1;
  //  id t2 = f; // StaticLowerBound is Foo<T>, Current is Bar<T>
  //
  // We should either constrain the callers of this function so that the stated
  // preconditions hold (and assert it) or rewrite the function to explicitly
  // handle the additional cases.

  // Preconditions (checked in assert-enabled builds only).
  assert(StaticUpperBound->isSpecialized() ||
         StaticLowerBound->isSpecialized());
  assert(!Current || (*Current)->isSpecialized());

  // Case (1): nothing tracked yet, so a type is always stored.
  if (!Current) {
    // With an unspecialized upper bound the lower bound is stored as is;
    // otherwise look for the most informative type between the bounds.
    const ObjCObjectPointerType *Initial =
        StaticUpperBound->isUnspecialized()
            ? StaticLowerBound
            : getMostInformativeDerivedClass(StaticUpperBound,
                                             StaticLowerBound, C);
    State = State->set<MostSpecializedTypeArgsMap>(Sym, Initial);
    return true;
  }

  const ObjCObjectPointerType *Tracked = *Current;

  // Case (3)
  if (C.canAssignObjCInterfaces(StaticLowerBound, Tracked))
    return false;

  const ObjCObjectPointerType *WithMostInfo = nullptr;
  if (C.canAssignObjCInterfaces(Tracked, StaticUpperBound)) {
    // Case (4)
    // The type arguments might not be forwarded at any point of inheritance.
    WithMostInfo =
        getMostInformativeDerivedClass(Tracked, StaticUpperBound, C);
    WithMostInfo =
        getMostInformativeDerivedClass(WithMostInfo, StaticLowerBound, C);
  } else {
    // Case (2)
    WithMostInfo =
        getMostInformativeDerivedClass(Tracked, StaticLowerBound, C);
  }

  // Only touch the state when the result differs from what is tracked.
  if (WithMostInfo == Tracked)
    return false;

  State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
  return true;
}
609
610
/// Type inference based on static type information that is available for the
/// cast and the tracked type information for the given symbol. When the tracked
/// symbol and the destination type of the cast are unrelated, report an error.
void DynamicTypePropagation::checkPostStmt(const CastExpr *CE,
                                           CheckerContext &C) const {
  if (CE->getCastKind() != CK_BitCast)
    return;

  // Only bit casts between Objective-C object pointers are of interest.
  const auto *OrigObjectPtrType =
      CE->getSubExpr()->getType()->getAs<ObjCObjectPointerType>();
  const auto *DestObjectPtrType =
      CE->getType()->getAs<ObjCObjectPointerType>();
  if (!(OrigObjectPtrType && DestObjectPtrType))
    return;

  ProgramStateRef State = C.getState();
  ExplodedNode *AfterTypeProp = dynamicTypePropagationOnCasts(CE, State, C);

  ASTContext &ASTCtxt = C.getASTContext();

  // This checker detects the subtyping relationships using the assignment
  // rules. In order to be able to do this the kindofness must be stripped
  // first. The checker treats every type as kindof type anyways: when the
  // tracked type is the subtype of the static type it tries to look up the
  // methods in the tracked type first.
  OrigObjectPtrType = OrigObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);
  DestObjectPtrType = DestObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);

  // Without type arguments on either side there is nothing to infer.
  if (OrigObjectPtrType->isUnspecialized() &&
      DestObjectPtrType->isUnspecialized())
    return;

  SymbolRef Sym = C.getSVal(CE).getAsSymbol();
  if (!Sym)
    return;

  const ObjCObjectPointerType *const *TrackedType =
      State->get<MostSpecializedTypeArgsMap>(Sym);

  if (isa<ExplicitCastExpr>(CE)) {
    // Treat explicit casts as an indication from the programmer that the
    // Objective-C type system is not rich enough to express the needed
    // invariant. In such cases, forget any existing information inferred
    // about the type arguments. We don't assume the casted-to specialized
    // type here because the invariant the programmer specifies in the cast
    // may only hold at this particular program point and not later ones.
    // We don't want a suppressing cast to require a cascade of casts down the
    // line.
    if (!TrackedType)
      return;
    State = State->remove<MostSpecializedTypeArgsMap>(Sym);
    C.addTransition(State, AfterTypeProp);
    return;
  }

  // Check which assignments are legal.
  const bool OrigToDest =
      ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, OrigObjectPtrType);
  const bool DestToOrig =
      ASTCtxt.canAssignObjCInterfaces(OrigObjectPtrType, DestObjectPtrType);

  // The tracked type should be the sub or super class of the static destination
  // type. When an (implicit) upcast or a downcast happens according to static
  // types, and there is no subtyping relationship between the tracked and the
  // static destination types, it indicates an error.
  if (TrackedType &&
      !ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, *TrackedType) &&
      !ASTCtxt.canAssignObjCInterfaces(*TrackedType, DestObjectPtrType)) {
    static CheckerProgramPointTag IllegalConv(this, "IllegalConversion");
    ExplodedNode *N = C.addTransition(State, AfterTypeProp, &IllegalConv);
    reportGenericsBug(*TrackedType, DestObjectPtrType, N, Sym, C);
    return;
  }

  // Handle downcasts and upcasts: the destination is the lower bound unless
  // only the origin-to-destination assignment is legal, in which case the
  // roles are exchanged.
  const bool ExchangeBounds = OrigToDest && !DestToOrig;
  const ObjCObjectPointerType *LowerBound =
      ExchangeBounds ? OrigObjectPtrType : DestObjectPtrType;
  const ObjCObjectPointerType *UpperBound =
      ExchangeBounds ? DestObjectPtrType : OrigObjectPtrType;

  // The id type is not a real bound. Eliminate it. The second test sees the
  // lower bound as already adjusted by the first.
  if (LowerBound->isObjCIdType())
    LowerBound = UpperBound;
  if (UpperBound->isObjCIdType())
    UpperBound = LowerBound;

  if (!storeWhenMoreInformative(State, Sym, TrackedType, LowerBound,
                                UpperBound, ASTCtxt))
    return;

  C.addTransition(State, AfterTypeProp);
}
702
703
33
/// Strip parentheses and implicit casts from \p E, looking through a
/// PseudoObjectExpr to its syntactic form and through an OpaqueValueExpr to
/// its source expression.
static const Expr *stripCastsAndSugar(const Expr *E) {
  const Expr *Stripped = E->IgnoreParenImpCasts();
  if (const auto *POE = dyn_cast<PseudoObjectExpr>(Stripped))
    Stripped = POE->getSyntacticForm()->IgnoreParenImpCasts();
  if (const auto *OVE = dyn_cast<OpaqueValueExpr>(Stripped))
    Stripped = OVE->getSourceExpr()->IgnoreParenImpCasts();
  return Stripped;
}
711
712
101
/// Report whether \p Type structurally contains an Objective-C type parameter.
static bool isObjCTypeParamDependent(QualType Type) {
  // It is illegal to typedef parameterized types inside an interface, so an
  // Objective-C type can only depend on a type parameter when that parameter
  // is structurally present in the type itself.
  class TypeParamFinder : public RecursiveASTVisitor<TypeParamFinder> {
  public:
    // Set once a type parameter has been seen during the traversal.
    bool Result = false;

    bool VisitObjCTypeParamType(const ObjCTypeParamType *Type) {
      if (!isa<ObjCTypeParamDecl>(Type->getDecl()))
        return true; // Not a type parameter declaration: keep traversing.

      Result = true;
      return false; // Found one: abort the traversal.
    }
  };

  TypeParamFinder Finder;
  Finder.TraverseType(Type);
  return Finder.Result;
}
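/// Find the declaration of the method invoked by \p MessageExpr, preferring a
/// lookup in the interface of \p TrackedType over the static receiver type.
///
/// A method might not be available in the interface indicated by the static
/// type, yet be available in the tracked type. To substitute the type
/// parameters properly we need the declaration context of the method: the more
/// specialized the enclosing class of the method is, the more likely the
/// parameter substitution will be successful.
///
/// \returns the method found through the tracked type, otherwise the result of
/// MessageExpr->getMethodDecl(). The result may be null; callers must check.
static const ObjCMethodDecl *
findMethodDecl(const ObjCMessageExpr *MessageExpr,
               const ObjCObjectPointerType *TrackedType, ASTContext &ASTCtxt) {
  const ObjCMethodDecl *Method = nullptr;

  QualType ReceiverType = MessageExpr->getReceiverType();
  // getAs<> yields null when the receiver type is not an object pointer type.
  const auto *ReceiverObjectPtrType =
      ReceiverType->getAs<ObjCObjectPointerType>();

  // Do this "devirtualization" on instance and class methods only. Trust the
  // static type on super and super class calls.
  if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Instance ||
      MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
    // When the receiver type is id, Class, or some super class of the tracked
    // type, look up the method in the tracked type, not in the receiver type.
    // This way we preserve more information.
    //
    // The assignability query is only made with a non-null receiver pointer
    // type, so a receiver that is neither id, Class nor an object pointer
    // falls back to the static lookup instead of passing a null pointer on.
    const bool UseTrackedType =
        ReceiverType->isObjCIdType() || ReceiverType->isObjCClassType() ||
        (ReceiverObjectPtrType &&
         ASTCtxt.canAssignObjCInterfaces(ReceiverObjectPtrType, TrackedType));

    if (UseTrackedType) {
      // The tracked type may have no interface declaration behind it; in that
      // case skip the lookup rather than dereference a null declaration.
      if (const ObjCInterfaceDecl *InterfaceDecl =
              TrackedType->getInterfaceDecl()) {
        // The method might not be found.
        Selector Sel = MessageExpr->getSelector();
        Method = InterfaceDecl->lookupInstanceMethod(Sel);
        if (!Method)
          Method = InterfaceDecl->lookupClassMethod(Sel);
      }
    }
  }

  // Fall back to the static method lookup when the one based on the tracked
  // type failed.
  return Method ? Method : MessageExpr->getMethodDecl();
}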
/// Compute the return type of \p Method from tracked type information.
///
/// \returns \p SelfType when the method is declared to return instancetype, a
/// null QualType when the declared return type does not depend on a type
/// parameter, and otherwise the declared return type with \p TypeArgs
/// substituted into it.
static QualType getReturnTypeForMethod(
    const ObjCMethodDecl *Method, ArrayRef<QualType> TypeArgs,
    const ObjCObjectPointerType *SelfType, ASTContext &C) {
  QualType DeclaredResult = Method->getReturnType();

  // A method declared to return instancetype returns the receiver's type.
  if (DeclaredResult == C.getObjCInstanceType())
    return QualType(SelfType, 0);

  // Substitution is only meaningful when a type parameter is involved.
  if (isObjCTypeParamDependent(DeclaredResult))
    return DeclaredResult.substObjCTypeArgs(C, TypeArgs,
                                            ObjCSubstitutionContext::Result);

  return QualType();
}
/// When the receiver has a tracked type, use that type to validate the
/// arguments of the message expression. At most one mismatch is reported per
/// message: the function returns right after the first report.
void DynamicTypePropagation::checkPreObjCMessage(const ObjCMethodCall &M,
                                                 CheckerContext &C) const {
  ProgramStateRef State = C.getState();

  // Nothing is tracked for receivers that are not symbolic.
  SymbolRef Sym = M.getReceiverSVal().getAsSymbol();
  if (!Sym)
    return;

  const ObjCObjectPointerType *const *TrackedType =
      State->get<MostSpecializedTypeArgsMap>(Sym);
  if (!TrackedType)
    return;

  // Take the type arguments from the tracked type and substitute them before
  // doing the semantic check.
  ASTContext &ASTCtxt = C.getASTContext();
  const ObjCMessageExpr *MessageExpr = M.getOriginExpr();
  const ObjCMethodDecl *Method =
      findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);

  // It is possible to call non-existent methods in Obj-C.
  if (!Method)
    return;

  // If the method is declared on a class that has a non-invariant type
  // parameter, don't warn about parameter mismatches after performing
  // substitution. This prevents warning when the programmer has purposely
  // cast the receiver to a super type or unspecialized type but the analyzer
  // has a more precise tracked type than the programmer intends at the call
  // site.
  //
  // For example, consider NSArray (which has a covariant type parameter) and
  // NSMutableArray (a subclass of NSArray where the type parameter is
  // invariant):
  //
  //   NSMutableArray *a = [[NSMutableArray<NSString *> alloc] init];
  //
  //   [a containsObject:number];  // Safe: -containsObject: is on NSArray.
  //   NSArray<NSObject *> *other = [a arrayByAddingObject:number];  // Safe
  //
  //   [a addObject:number];  // Unsafe: -addObject: is on NSMutableArray.
  const ObjCInterfaceDecl *Interface = Method->getClassInterface();
  if (!Interface)
    return;

  ObjCTypeParamList *TypeParams = Interface->getTypeParamList();
  if (!TypeParams)
    return;

  for (ObjCTypeParamDecl *TypeParam : *TypeParams) {
    const bool IsInvariant =
        TypeParam->getVariance() == ObjCTypeParamVariance::Invariant;
    if (!IsInvariant)
      return;
  }

  Optional<ArrayRef<QualType>> TypeArgs =
      (*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
  // This case might happen when there is an unspecialized override of a
  // specialized method.
  if (!TypeArgs)
    return;

  for (unsigned Idx = 0, NumParams = Method->param_size(); Idx != NumParams;
       ++Idx) {
    const Expr *Arg = MessageExpr->getArg(Idx);
    const ParmVarDecl *Param = Method->parameters()[Idx];

    // Parameters that do not mention a type parameter need no substitution
    // and are not checked here.
    QualType DeclaredParamType = Param->getType();
    if (!isObjCTypeParamDependent(DeclaredParamType))
      continue;

    QualType SubstitutedParamType = DeclaredParamType.substObjCTypeArgs(
        ASTCtxt, *TypeArgs, ObjCSubstitutionContext::Parameter);

    // Assignability is only decided between two object pointer types.
    const auto *ParamObjectPtrType =
        SubstitutedParamType->getAs<ObjCObjectPointerType>();
    const auto *ArgObjectPtrType =
        stripCastsAndSugar(Arg)->getType()->getAs<ObjCObjectPointerType>();
    if (!ParamObjectPtrType || !ArgObjectPtrType)
      continue;

    // Prefer a more concrete tracked type for the argument, provided it is not
    // a super type of the static argument type.
    if (SymbolRef ArgSym = M.getArgSVal(Idx).getAsSymbol()) {
      if (const ObjCObjectPointerType *const *TrackedArgType =
              State->get<MostSpecializedTypeArgsMap>(ArgSym)) {
        if (ASTCtxt.canAssignObjCInterfaces(ArgObjectPtrType, *TrackedArgType))
          ArgObjectPtrType = *TrackedArgType;
      }
    }

    if (ASTCtxt.canAssignObjCInterfaces(ParamObjectPtrType, ArgObjectPtrType))
      continue;

    // Warn when the argument is incompatible with the parameter.
    static CheckerProgramPointTag Tag(this, "ArgTypeMismatch");
    ExplodedNode *N = C.addTransition(State, &Tag);
    reportGenericsBug(ArgObjectPtrType, ParamObjectPtrType, N, Sym, C, Arg);
    return;
  }
}
/// This callback infers the types of Class variables, which are initialized by
/// invoking the 'class' method on a class. The information is used later to
/// validate messages that are sent to classes. The callback is also used to
/// infer type information for return values.
// TODO: right now it only tracks generic types. Extend this to track every
// type in the DynamicTypeMap and diagnose type errors!
void DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
                                                  CheckerContext &C) const {
  const ObjCMessageExpr *MessageExpr = M.getOriginExpr();

  // Only symbolic return values can carry tracked information.
  SymbolRef RetSym = M.getReturnValue().getAsSymbol();
  if (!RetSym)
    return;

  ProgramStateRef State = C.getState();
  const auto SelectorName = MessageExpr->getSelector().getAsString();

  // Here we try to propagate information on Class objects.
  if (SelectorName == "class") {
    // We try to figure out the type from the receiver of the 'class' message.
    if (RuntimeType Receiver = inferReceiverType(M, C)) {
      // NOTE(review): the result of this call is discarded; it looks like a
      // leftover. Confirm before removing.
      Receiver.Type->getSuperClassType();
      QualType ReceiverClassType(Receiver.Type, 0);

      // We want to consider only precise information on generics.
      if (Receiver.Type->isSpecialized() && Receiver.Precise) {
        const auto *InferredType =
            C.getASTContext()
                .getObjCObjectPointerType(ReceiverClassType)
                ->castAs<ObjCObjectPointerType>();
        State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType);
      }

      // Constrain the resulting class object to the inferred type.
      State = setClassObjectDynamicTypeInfo(State, RetSym, ReceiverClassType,
                                            !Receiver.Precise);
      C.addTransition(State);
      return;
    }
  }

  if (SelectorName == "superclass") {
    // We try to figure out the type from the receiver of the 'superclass'
    // message.
    if (RuntimeType Receiver = inferReceiverType(M, C)) {
      // Result type would be a super class of the receiver's type.
      QualType ReceiversSuperClass = Receiver.Type->getSuperClassType();

      // Check if it really had super class.
      //
      // TODO: we can probably pay closer attention to cases when the class
      // object can be 'nil' as the result of such message.
      if (!ReceiversSuperClass.isNull()) {
        // Constrain the resulting class object to the inferred type.
        State = setClassObjectDynamicTypeInfo(State, RetSym,
                                              ReceiversSuperClass,
                                              !Receiver.Precise);
        C.addTransition(State);
      }
      return;
    }
  }

  // Tracking for return types: needs a symbolic receiver with a tracked type.
  SymbolRef RecSym = M.getReceiverSVal().getAsSymbol();
  if (!RecSym)
    return;

  const ObjCObjectPointerType *const *TrackedType =
      State->get<MostSpecializedTypeArgsMap>(RecSym);
  if (!TrackedType)
    return;

  ASTContext &ASTCtxt = C.getASTContext();
  const ObjCMethodDecl *Method =
      findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);
  if (!Method)
    return;

  Optional<ArrayRef<QualType>> TypeArgs =
      (*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
  if (!TypeArgs)
    return;

  QualType ResultType =
      getReturnTypeForMethod(Method, *TypeArgs, *TrackedType, ASTCtxt);
  // A null result means the static type is the same as the deduced type.
  if (ResultType.isNull())
    return;

  const MemRegion *RetRegion = M.getReturnValue().getAsRegion();
  ExplodedNode *Pred = C.getPredecessor();
  // When there is an entry available for the return symbol in DynamicTypeMap,
  // the call was inlined and that information should be precise, so the entry
  // is only written when none exists yet.
  if (RetRegion && !getRawDynamicTypeInfo(State, RetRegion)) {
    // TODO: we have duplicated information in DynamicTypeMap and
    // MostSpecializedTypeArgsMap. We should only store anything in the latter
    // if the stored data differs from the one stored in the former.
    State = setDynamicTypeInfo(State, RetRegion, ResultType,
                               /*CanBeSubClassed=*/true);
    Pred = C.addTransition(State);
  }

  const auto *ResultPtrType = ResultType->getAs<ObjCObjectPointerType>();
  const bool IsSpecializedPointer =
      ResultPtrType && !ResultPtrType->isUnspecialized();
  if (!IsSpecializedPointer)
    return;

  // When the result is a specialized type and it is not tracked yet, track it
  // for the result symbol.
  if (State->get<MostSpecializedTypeArgsMap>(RetSym))
    return;

  State = State->set<MostSpecializedTypeArgsMap>(RetSym, ResultPtrType);
  C.addTransition(State, Pred);
}
/// Emit a path-sensitive report for a conversion from \p From to the
/// incompatible type \p To at node \p N.
///
/// Nothing is reported unless CheckGenerics is set. \p Sym is marked
/// interesting and gets a GenericsBugVisitor attached. When \p ReportedNode is
/// non-null its source range is added to the report.
void DynamicTypePropagation::reportGenericsBug(
    const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
    ExplodedNode *N, SymbolRef Sym, CheckerContext &C,
    const Stmt *ReportedNode) const {
  if (!CheckGenerics)
    return;

  initBugType();

  SmallString<192> Message;
  llvm::raw_svector_ostream OS(Message);
  const auto PrintType = [&OS, &C](const ObjCObjectPointerType *T) {
    QualType::print(T, Qualifiers(), OS, C.getLangOpts(), llvm::Twine());
  };

  OS << "Conversion from value of type '";
  PrintType(From);
  OS << "' to incompatible type '";
  PrintType(To);
  OS << "'";

  auto Report = std::make_unique<PathSensitiveBugReport>(*ObjCGenericsBugType,
                                                         OS.str(), N);
  Report->markInteresting(Sym);
  Report->addVisitor(std::make_unique<GenericsBugVisitor>(Sym));
  if (ReportedNode)
    Report->addRange(ReportedNode->getSourceRange());

  C.emitReport(std::move(Report));
}
/// Produce a path note at the node where the type tracked for Sym first
/// appears or changes relative to the node's first predecessor.
///
/// \returns null when nothing is tracked at \p N, when the tracked type is the
/// same as in the predecessor, or when \p N has no statement for diagnostics;
/// otherwise an event piece saying what the type was inferred from.
PathDiagnosticPieceRef DynamicTypePropagation::GenericsBugVisitor::VisitNode(
    const ExplodedNode *N, BugReporterContext &BRC,
    PathSensitiveBugReport &BR) {
  ProgramStateRef CurState = N->getState();
  // NOTE(review): assumes N always has a predecessor — confirm against the
  // code that drives the visitors.
  ProgramStateRef PrevState = N->getFirstPred()->getState();

  const ObjCObjectPointerType *const *TrackedType =
      CurState->get<MostSpecializedTypeArgsMap>(Sym);
  const ObjCObjectPointerType *const *TrackedTypePrev =
      PrevState->get<MostSpecializedTypeArgsMap>(Sym);

  if (!TrackedType)
    return nullptr;

  // Only the node that introduces or changes the tracked type is interesting.
  const bool Unchanged = TrackedTypePrev && *TrackedTypePrev == *TrackedType;
  if (Unchanged)
    return nullptr;

  // Retrieve the associated statement.
  const Stmt *S = N->getStmtForDiagnostics();
  if (!S)
    return nullptr;

  const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();

  SmallString<256> Message;
  llvm::raw_svector_ostream OS(Message);

  // Writes "<Prefix><source type>' to '<destination type>')" for a cast.
  const auto DescribeCast = [&OS, &LangOpts](const char *Prefix,
                                             const CastExpr *Cast) {
    OS << Prefix;
    QualType::print(Cast->getSubExpr()->getType().getTypePtr(), Qualifiers(),
                    OS, LangOpts, llvm::Twine());
    OS << "' to '";
    QualType::print(Cast->getType().getTypePtr(), Qualifiers(), OS, LangOpts,
                    llvm::Twine());
    OS << "')";
  };

  OS << "Type '";
  QualType::print(*TrackedType, Qualifiers(), OS, LangOpts, llvm::Twine());
  OS << "' is inferred from ";

  if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(S))
    DescribeCast("explicit cast (from '", ExplicitCast);
  else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(S))
    DescribeCast("implicit cast (from '", ImplicitCast);
  else
    OS << "this context";

  // Generate the extra diagnostic.
  PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
                             N->getLocationContext());
  return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
}
/// Register checkers.
///
/// Enables generics diagnostics on the DynamicTypePropagation instance that
/// \p mgr returns and records the current checker name on it.
void ento::registerObjCGenericsChecker(CheckerManager &mgr) {
  auto *Propagation = mgr.getChecker<DynamicTypePropagation>();
  Propagation->GenericCheckName = mgr.getCurrentCheckerName();
  // reportGenericsBug() emits nothing unless this flag is set.
  Propagation->CheckGenerics = true;
}
/// The generics checker places no condition on registration: this always
/// answers true and does not consult \p mgr.
bool ento::shouldRegisterObjCGenericsChecker(const CheckerManager &mgr) {
  return true;
}
/// Register the DynamicTypePropagation checker with \p mgr. Generics
/// diagnostics are not switched on here.
void ento::registerDynamicTypePropagation(CheckerManager &mgr) {
  mgr.registerChecker<DynamicTypePropagation>();
}
/// Dynamic type propagation places no condition on registration: this always
/// answers true and does not consult \p mgr.
bool ento::shouldRegisterDynamicTypePropagation(const CheckerManager &mgr) {
  return true;
}