1 //===- DynamicTypePropagation.cpp ------------------------------*- C++ -*--===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file contains two checkers. One helps the static analyzer core to track
11 // types, the other does type inference on Obj-C generics and reports type
14 // Dynamic Type Propagation:
15 // This checker defines the rules for dynamic type gathering and propagation.
17 // Generics Checker for Objective-C:
18 // This checker tries to find type errors that the compiler is not able to catch
19 // due to the implicit conversions that were introduced for backward
22 //===----------------------------------------------------------------------===//
24 #include "ClangSACheckers.h"
25 #include "clang/AST/RecursiveASTVisitor.h"
26 #include "clang/Basic/Builtins.h"
27 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
28 #include "clang/StaticAnalyzer/Core/Checker.h"
29 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
30 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
31 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
32 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
33 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
35 using namespace clang;
// Per-symbol side table kept in the program state: SymbolRef -> the
// ObjCObjectPointerType tracked for that symbol. Entries are dropped again in
// checkDeadSymbols once the symbol is reported dead.
38 // ProgramState trait - The type inflation is tracked by DynamicTypeMap. This is
39 // an auxiliary map that tracks more information about generic types, because in
40 // some cases the most derived type is not the most informative one about the
41 // type parameters. The types that are stored for each symbol in this map must
43 // TODO: In some cases the type stored in this map is exactly the same as the one
44 // stored in DynamicTypeMap. We should not store duplicated information in those
46 REGISTER_MAP_WITH_PROGRAMSTATE(MostSpecializedTypeArgsMap, SymbolRef,
47 const ObjCObjectPointerType *)
// Single checker class backing both checkers described in the file header.
// It subscribes to call, cast, new-expression and Obj-C message events; the
// CheckGenerics flag at the bottom is switched on by
// registerObjCGenericsChecker.
50 class DynamicTypePropagation:
51 public Checker< check::PreCall,
54 check::PostStmt<CastExpr>,
55 check::PostStmt<CXXNewExpr>,
56 check::PreObjCMessage,
57 check::PostObjCMessage > {
// Resolves the object type produced by an alloc/new message from its receiver.
58 const ObjCObjectType *getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
59 CheckerContext &C) const;
61 /// \brief Return a better dynamic type if one can be derived from the cast.
62 const ObjCObjectPointerType *getBetterObjCType(const Expr *CastE,
63 CheckerContext &C) const;
// State is taken by reference and updated in place when a better type is found.
65 ExplodedNode *dynamicTypePropagationOnCasts(const CastExpr *CE,
66 ProgramStateRef &State,
67 CheckerContext &C) const;
// Created lazily by initBugType(); mutable because the checker callbacks that
// need it are const member functions.
69 mutable std::unique_ptr<BugType> ObjCGenericsBugType;
70 void initBugType() const {
71 if (!ObjCGenericsBugType)
72 ObjCGenericsBugType.reset(
73 new BugType(this, "Generics", categories::CoreFoundationObjectiveC));
// Bug-report visitor that follows one symbol along the reported path.
76 class GenericsBugVisitor : public BugReporterVisitorImpl<GenericsBugVisitor> {
// NOTE(review): this single-argument constructor is not marked explicit, so a
// SymbolRef converts to a visitor implicitly.
78 GenericsBugVisitor(SymbolRef S) : Sym(S) {}
80 void Profile(llvm::FoldingSetNodeID &ID) const override {
86 std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
87 const ExplodedNode *PrevN,
88 BugReporterContext &BRC,
89 BugReport &BR) override;
92 // The tracked symbol.
// ReportedNode is optional (defaults to nullptr); when given, its source range
// is attached to the report.
96 void reportGenericsBug(const ObjCObjectPointerType *From,
97 const ObjCObjectPointerType *To, ExplodedNode *N,
98 SymbolRef Sym, CheckerContext &C,
99 const Stmt *ReportedNode = nullptr) const;
// Checker callbacks, one per subscribed event.
102 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
103 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
104 void checkPostStmt(const CastExpr *CastE, CheckerContext &C) const;
105 void checkPostStmt(const CXXNewExpr *NewE, CheckerContext &C) const;
106 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
107 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
108 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
110 /// This value is set to true, when the Generics checker is turned on.
111 DefaultBool CheckGenerics;
113 } // end anonymous namespace
// Garbage-collects both type maps: DynamicTypeMap entries whose region is no
// longer live, and MostSpecializedTypeArgsMap entries whose symbol is dead.
// Without this the program state would keep growing with stale entries.
115 void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR,
116 CheckerContext &C) const {
117 ProgramStateRef State = C.getState();
118 DynamicTypeMapImpl TypeMap = State->get<DynamicTypeMap>();
// Iterate over the TypeMap value fetched above while State is reassigned, so
// the removals do not affect the range being walked.
119 for (DynamicTypeMapImpl::iterator I = TypeMap.begin(), E = TypeMap.end();
121 if (!SR.isLiveRegion(I->first)) {
122 State = State->remove<DynamicTypeMap>(I->first);
// No dead symbols: the second map needs no sweep, only the region cleanup is
// published.
126 if (!SR.hasDeadSymbols()) {
127 C.addTransition(State);
131 MostSpecializedTypeArgsMapTy TyArgMap =
132 State->get<MostSpecializedTypeArgsMap>();
133 for (MostSpecializedTypeArgsMapTy::iterator I = TyArgMap.begin(),
136 if (SR.isDead(I->first)) {
137 State = State->remove<MostSpecializedTypeArgsMap>(I->first);
141 C.addTransition(State);
// Records that Region holds exactly an object of MD's parent class: the
// dynamic type is set to a pointer to that record with CanBeSubclass=false.
// NOTE(review): MD is dereferenced below; any null checks on Region/MD are not
// visible in this listing -- confirm against the full source.
144 static void recordFixedType(const MemRegion *Region, const CXXMethodDecl *MD,
149 ASTContext &Ctx = C.getASTContext();
150 QualType Ty = Ctx.getPointerType(Ctx.getRecordType(MD->getParent()));
152 ProgramStateRef State = C.getState();
153 State = setDynamicTypeInfo(State, Region, Ty, /*CanBeSubclass=*/false);
154 C.addTransition(State);
// Before a base-class constructor or a base destructor runs, pin the dynamic
// type of `this` to that class, so virtual calls made during construction or
// destruction resolve as the quoted standard paragraph requires.
157 void DynamicTypePropagation::checkPreCall(const CallEvent &Call,
158 CheckerContext &C) const {
159 if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
160 // C++11 [class.cdtor]p4: When a virtual function is called directly or
161 // indirectly from a constructor or from a destructor, including during
162 // the construction or destruction of the class's non-static data members,
163 // and the object to which the call applies is the object under
164 // construction or destruction, the function called is the final overrider
165 // in the constructor's or destructor's class and not one overriding it in
166 // a more-derived class.
168 switch (Ctor->getOriginExpr()->getConstructionKind()) {
169 case CXXConstructExpr::CK_Complete:
170 case CXXConstructExpr::CK_Delegating:
171 // No additional type info necessary.
173 case CXXConstructExpr::CK_NonVirtualBase:
174 case CXXConstructExpr::CK_VirtualBase:
// Only regions are tracked; a `this` value that is not a region is skipped.
175 if (const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion())
176 recordFixedType(Target, Ctor->getDecl(), C);
183 if (const CXXDestructorCall *Dtor = dyn_cast<CXXDestructorCall>(&Call)) {
184 // C++11 [class.cdtor]p4 (see above)
185 if (!Dtor->isBaseDestructor())
188 const MemRegion *Target = Dtor->getCXXThisVal().getAsRegion();
192 const Decl *D = Dtor->getDecl();
// NOTE(review): cast<> asserts on a null or mismatching decl instead of
// returning null; the lines between fetching Target/D and this call are not
// shown here -- confirm both are checked before use.
196 recordFixedType(Target, cast<CXXDestructorDecl>(D), C);
// After a call: derive the dynamic type of the returned region for Obj-C
// messages with a related result type (alloc/new and init families, per the
// comments below), and after a base-class constructor re-pin `this` to the
// class of the constructor that is currently executing.
201 void DynamicTypePropagation::checkPostCall(const CallEvent &Call,
202 CheckerContext &C) const {
203 // We can obtain perfect type info for return values from some calls.
204 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
206 // Get the returned value if it's a region.
207 const MemRegion *RetReg = Call.getReturnValue().getAsRegion();
211 ProgramStateRef State = C.getState();
212 const ObjCMethodDecl *D = Msg->getDecl();
// D may be null (the message can target an undeclared method), hence the test.
214 if (D && D->hasRelatedResultType()) {
215 switch (Msg->getMethodFamily()) {
219 // We assume that the type of the object returned by alloc and new are the
220 // pointer to the object of the class specified in the receiver of the
224 // Get the type of object that will get created.
225 const ObjCMessageExpr *MsgE = Msg->getOriginExpr();
226 const ObjCObjectType *ObjTy = getObjectTypeForAllocAndNew(MsgE, C);
// NOTE(review): ObjTy is wrapped in a QualType below; whether a null result is
// rejected first is not visible in this listing -- confirm.
230 C.getASTContext().getObjCObjectPointerType(QualType(ObjTy, 0));
// The literal `false` is the CanBeSubclass argument: the type is exact.
231 C.addTransition(setDynamicTypeInfo(State, RetReg, DynResTy, false));
235 // Assume, the result of the init method has the same dynamic type as
236 // the receiver and propagate the dynamic type info.
237 const MemRegion *RecReg = Msg->getReceiverSVal().getAsRegion();
240 DynamicTypeInfo RecDynType = getDynamicTypeInfo(State, RecReg);
241 C.addTransition(setDynamicTypeInfo(State, RetReg, RecDynType));
249 if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
250 // We may need to undo the effects of our pre-call check.
251 switch (Ctor->getOriginExpr()->getConstructionKind()) {
252 case CXXConstructExpr::CK_Complete:
253 case CXXConstructExpr::CK_Delegating:
254 // No additional work necessary.
255 // Note: This will leave behind the actual type of the object for
256 // complete constructors, but arguably that's a good thing, since it
257 // means the dynamic type info will be correct even for objects
258 // constructed with operator new.
260 case CXXConstructExpr::CK_NonVirtualBase:
261 case CXXConstructExpr::CK_VirtualBase:
262 if (const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion()) {
263 // We just finished a base constructor. Now we can use the subclass's
264 // type when resolving virtual calls.
// The enclosing location context is taken to be the derived constructor;
// cast<> asserts if it is anything else.
265 const Decl *D = C.getLocationContext()->getDecl();
266 recordFixedType(Target, cast<CXXConstructorDecl>(D), C);
273 /// TODO: Handle explicit casts.
274 /// Handle C++ casts.
276 /// Precondition: the cast is between ObjCObjectPointers.
/// Returns the node later transitions should be chained to: the newly added
/// node when a better type was recorded, otherwise the current predecessor.
/// \p State is an in/out parameter and is only modified on the success path.
277 ExplodedNode *DynamicTypePropagation::dynamicTypePropagationOnCasts(
278 const CastExpr *CE, ProgramStateRef &State, CheckerContext &C) const {
279 // We only track type info for regions.
280 const MemRegion *ToR = C.getSVal(CE).getAsRegion();
282 return C.getPredecessor();
// Explicit casts are deliberately left alone here (see the TODO above).
284 if (isa<ExplicitCastExpr>(CE))
285 return C.getPredecessor();
287 if (const Type *NewTy = getBetterObjCType(CE, C)) {
288 State = setDynamicTypeInfo(State, ToR, QualType(NewTy, 0));
289 return C.addTransition(State);
291 return C.getPredecessor();
// After a C++ new-expression: the region it evaluates to gets the static type
// of the expression as its exact dynamic type (CanBeSubclass=false).
294 void DynamicTypePropagation::checkPostStmt(const CXXNewExpr *NewE,
295 CheckerContext &C) const {
299 // We only track dynamic type info for regions.
300 const MemRegion *MR = C.getSVal(NewE).getAsRegion();
304 C.addTransition(setDynamicTypeInfo(C.getState(), MR, NewE->getType(),
305 /*CanBeSubclass=*/false));
// Determines which class an alloc/new message instantiates by looking at the
// receiver kind: a class receiver, a super-class receiver, or an instance
// receiver that is a reference to `self` inside an Obj-C method.
308 const ObjCObjectType *
309 DynamicTypePropagation::getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
310 CheckerContext &C) const {
311 if (MsgE->getReceiverKind() == ObjCMessageExpr::Class) {
312 if (const ObjCObjectType *ObjTy
313 = MsgE->getClassReceiver()->getAs<ObjCObjectType>())
317 if (MsgE->getReceiverKind() == ObjCMessageExpr::SuperClass) {
318 if (const ObjCObjectType *ObjTy
319 = MsgE->getSuperType()->getAs<ObjCObjectType>())
323 const Expr *RecE = MsgE->getInstanceReceiver();
// NOTE(review): RecE is dereferenced on the next line; a null check between
// these two statements is not visible in this listing -- confirm.
327 RecE= RecE->IgnoreParenImpCasts();
328 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(RecE)) {
329 const StackFrameContext *SFCtx = C.getStackFrame();
330 // Are we calling [self alloc]? If this is self, get the type of the
331 // enclosing ObjC class.
332 if (DRE->getDecl() == SFCtx->getSelfDecl()) {
333 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(SFCtx->getDecl()))
// NOTE(review): the result of getClassInterface() is dereferenced without a
// null test in the visible code -- confirm it cannot be null for this MD.
334 if (const ObjCObjectType *ObjTy =
335 dyn_cast<ObjCObjectType>(MD->getClassInterface()->getTypeForDecl()))
342 // Return a better dynamic type if one can be derived from the cast.
343 // Compare the current dynamic type of the region and the new type to which we
344 // are casting. If the new type is lower in the inheritance hierarchy, pick it.
345 const ObjCObjectPointerType *
346 DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
347 CheckerContext &C) const {
348 const MemRegion *ToR = C.getSVal(CastE).getAsRegion();
351 // Get the old and new types.
352 const ObjCObjectPointerType *NewTy =
353 CastE->getType()->getAs<ObjCObjectPointerType>();
// Old type = whatever dynamic type is currently recorded for the region.
356 QualType OldDTy = getDynamicTypeInfo(C.getState(), ToR).getType();
357 if (OldDTy.isNull()) {
360 const ObjCObjectPointerType *OldTy =
361 OldDTy->getAs<ObjCObjectPointerType>();
// NOTE(review): NewTy and OldTy both come from getAs<> and are dereferenced
// below; their null checks are not visible in this listing -- confirm.
365 // If the old type is 'id', the new one is more precise.
366 if (OldTy->isObjCIdType() && !NewTy->isObjCIdType())
369 // Return new if it's a subclass of old.
370 const ObjCInterfaceDecl *ToI = NewTy->getInterfaceDecl();
371 const ObjCInterfaceDecl *FromI = OldTy->getInterfaceDecl();
// Both interface decls are null-tested before the hierarchy query.
372 if (ToI && FromI && FromI->isSuperClassOf(ToI))
// Recursive worker for getMostInformativeDerivedClass. Each step replaces To
// by its super class until To names the same interface as From or To has no
// super class left. MostInformativeCandidate carries the best answer so far
// and is reset to the super class whenever the current To is unspecialized.
// NOTE(review): getInterfaceDecl() is dereferenced on both From and To without
// a null test in the visible code -- confirm callers never pass 'id'-like
// types that have no interface.
378 static const ObjCObjectPointerType *getMostInformativeDerivedClassImpl(
379 const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
380 const ObjCObjectPointerType *MostInformativeCandidate, ASTContext &C) {
381 // Checking if from and to are the same classes modulo specialization.
382 if (From->getInterfaceDecl()->getCanonicalDecl() ==
383 To->getInterfaceDecl()->getCanonicalDecl()) {
384 if (To->isSpecialized()) {
// Enforced only in assert-enabled builds; without assertions an unspecialized
// candidate would be returned unchecked.
385 assert(MostInformativeCandidate->isSpecialized());
386 return MostInformativeCandidate;
391 if (To->getObjectType()->getSuperClassType().isNull()) {
392 // If To has no super class and From and To aren't the same then
393 // To was not actually a descendent of From. In this case the best we can
// Step one level up: build the pointer type of To's super class.
398 const auto *SuperOfTo =
399 To->getObjectType()->getSuperClassType()->getAs<ObjCObjectType>();
401 QualType SuperPtrOfToQual =
402 C.getObjCObjectPointerType(QualType(SuperOfTo, 0));
403 const auto *SuperPtrOfTo = SuperPtrOfToQual->getAs<ObjCObjectPointerType>();
404 if (To->isUnspecialized())
405 return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo, SuperPtrOfTo,
408 return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo,
409 MostInformativeCandidate, C);
412 /// A downcast may lose specialization information. E. g.:
413 /// MutableMap<T, U> : Map
414 /// The downcast to MutableMap loses the information about the types of the
415 /// Map (because the type parameters are not forwarded to Map), and in
416 /// general there is no way to recover that information from the
417 /// declaration. In order to keep the most information, let's find the most
418 /// derived type that has all the type parameters forwarded.
420 /// Get a subclass of \p From (which has a lower bound \p To) that does not
421 /// lose information about type parameters. \p To has to be a subclass of
422 /// \p From. From has to be specialized.
// Thin entry point: starts the recursive search with To as the first candidate.
423 static const ObjCObjectPointerType *
424 getMostInformativeDerivedClass(const ObjCObjectPointerType *From,
425 const ObjCObjectPointerType *To, ASTContext &C) {
426 return getMostInformativeDerivedClassImpl(From, To, To, C);
430 /// \param StaticLowerBound Static lower bound for a symbol. The dynamic lower
431 /// bound might be the subclass of this type.
432 /// \param StaticUpperBound A static upper bound for a symbol.
433 /// \p StaticLowerBound expected to be the subclass of \p StaticUpperBound.
434 /// \param Current The type that was inferred for a symbol in a previous
435 /// context. Might be null when this is the first time that inference happens.
437 /// \p StaticLowerBound or \p StaticUpperBound is specialized. If \p Current
438 /// is not null, it is specialized.
440 /// (1) The \p Current is null and \p StaticLowerBound <: \p StaticUpperBound
441 /// (2) \p StaticLowerBound <: \p Current <: \p StaticUpperBound
442 /// (3) \p Current <: \p StaticLowerBound <: \p StaticUpperBound
443 /// (4) \p StaticLowerBound <: \p StaticUpperBound <: \p Current
445 /// Use getMostInformativeDerivedClass with the upper and lower bound of the
446 /// set {\p StaticLowerBound, \p Current, \p StaticUpperBound}. The computed
447 /// lower bound must be specialized. If the result differs from \p Current or
448 /// \p Current is null, store the result.
// \p State is an in/out parameter: every branch that stores a type writes the
// updated state back through it.
450 storeWhenMoreInformative(ProgramStateRef &State, SymbolRef Sym,
451 const ObjCObjectPointerType *const *Current,
452 const ObjCObjectPointerType *StaticLowerBound,
453 const ObjCObjectPointerType *StaticUpperBound,
455 // TODO: The above 4 cases are not exhaustive. In particular, it is possible
456 // for Current to be incomparable with StaticLowerBound, StaticUpperBound,
459 // For example, suppose Foo<T> and Bar<T> are unrelated types.
466 // id t2 = f; // StaticLowerBound is Foo<T>, Current is Bar<T>
468 // We should either constrain the callers of this function so that the stated
469 // preconditions hold (and assert it) or rewrite the function to explicitly
470 // handle the additional cases.
// The two asserts below are the only enforcement of the documented
// preconditions and vanish in builds without assertions; together with the
// TODO above this means unexpected type combinations are processed unchecked.
473 assert(StaticUpperBound->isSpecialized() ||
474 StaticLowerBound->isSpecialized());
475 assert(!Current || (*Current)->isSpecialized());
// Unspecialized upper bound: by the first assert the lower bound is the
// specialized one, so it is stored as is.
479 if (StaticUpperBound->isUnspecialized()) {
480 State = State->set<MostSpecializedTypeArgsMap>(Sym, StaticLowerBound);
483 // Upper bound is specialized.
484 const ObjCObjectPointerType *WithMostInfo =
485 getMostInformativeDerivedClass(StaticUpperBound, StaticLowerBound, C);
486 State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
// From here on *Current is dereferenced, i.e. a previously tracked type exists.
491 if (C.canAssignObjCInterfaces(StaticLowerBound, *Current)) {
496 if (C.canAssignObjCInterfaces(*Current, StaticUpperBound)) {
497 // The type arguments might not be forwarded at any point of inheritance.
498 const ObjCObjectPointerType *WithMostInfo =
499 getMostInformativeDerivedClass(*Current, StaticUpperBound, C);
501 getMostInformativeDerivedClass(WithMostInfo, StaticLowerBound, C);
502 if (WithMostInfo == *Current)
504 State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
509 const ObjCObjectPointerType *WithMostInfo =
510 getMostInformativeDerivedClass(*Current, StaticLowerBound, C);
// Store only when the computed type actually differs from the tracked one.
511 if (WithMostInfo != *Current) {
512 State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
519 /// Type inference based on static type information that is available for the
520 /// cast and the tracked type information for the given symbol. When the tracked
521 /// symbol and the destination type of the cast are unrelated, report an error.
522 void DynamicTypePropagation::checkPostStmt(const CastExpr *CE,
523 CheckerContext &C) const {
// Only bit casts are of interest to this callback.
524 if (CE->getCastKind() != CK_BitCast)
527 QualType OriginType = CE->getSubExpr()->getType();
528 QualType DestType = CE->getType();
530 const auto *OrigObjectPtrType = OriginType->getAs<ObjCObjectPointerType>();
531 const auto *DestObjectPtrType = DestType->getAs<ObjCObjectPointerType>();
// Both sides must be Obj-C object pointers; this also establishes the
// precondition of dynamicTypePropagationOnCasts.
533 if (!OrigObjectPtrType || !DestObjectPtrType)
536 ProgramStateRef State = C.getState();
// Dynamic type propagation runs first; the node it returns is the predecessor
// for every transition added below.
537 ExplodedNode *AfterTypeProp = dynamicTypePropagationOnCasts(CE, State, C);
539 ASTContext &ASTCtxt = C.getASTContext();
541 // This checker detects the subtyping relationships using the assignment
542 // rules. In order to be able to do this the kindofness must be stripped
543 // first. The checker treats every type as kindof type anyways: when the
544 // tracked type is the subtype of the static type it tries to look up the
545 // methods in the tracked type first.
546 OrigObjectPtrType = OrigObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);
547 DestObjectPtrType = DestObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);
549 // TODO: erase tracked information when there is a cast to unrelated type
550 // and everything is unspecialized statically.
551 if (OrigObjectPtrType->isUnspecialized() &&
552 DestObjectPtrType->isUnspecialized())
555 SymbolRef Sym = State->getSVal(CE, C.getLocationContext()).getAsSymbol();
559 // Check which assignments are legal.
561 ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, OrigObjectPtrType);
563 ASTCtxt.canAssignObjCInterfaces(OrigObjectPtrType, DestObjectPtrType);
// Null when nothing has been tracked for Sym yet.
564 const ObjCObjectPointerType *const *TrackedType =
565 State->get<MostSpecializedTypeArgsMap>(Sym);
567 // Downcasts and upcasts are handled in a uniform way regardless of being
568 // explicit. Explicit casts however can happen between mismatched types.
569 if (isa<ExplicitCastExpr>(CE) && !OrigToDest && !DestToOrig) {
570 // Mismatched types. If the DestType is specialized, store it. Forget the
571 // tracked type otherwise.
572 if (DestObjectPtrType->isSpecialized()) {
573 State = State->set<MostSpecializedTypeArgsMap>(Sym, DestObjectPtrType);
574 C.addTransition(State, AfterTypeProp);
575 } else if (TrackedType) {
576 State = State->remove<MostSpecializedTypeArgsMap>(Sym);
577 C.addTransition(State, AfterTypeProp);
582 // The tracked type should be the sub or super class of the static destination
583 // type. When an (implicit) upcast or a downcast happens according to static
584 // types, and there is no subtyping relationship between the tracked and the
585 // static destination types, it indicates an error.
587 !ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, *TrackedType) &&
588 !ASTCtxt.canAssignObjCInterfaces(*TrackedType, DestObjectPtrType)) {
// Function-local static: the tag is constructed once, from whichever checker
// instance reaches this line first.
589 static CheckerProgramPointTag IllegalConv(this, "IllegalConversion");
590 ExplodedNode *N = C.addTransition(State, AfterTypeProp, &IllegalConv);
591 reportGenericsBug(*TrackedType, DestObjectPtrType, N, Sym, C);
595 // Handle downcasts and upcasts.
597 const ObjCObjectPointerType *LowerBound = DestObjectPtrType;
598 const ObjCObjectPointerType *UpperBound = OrigObjectPtrType;
599 if (OrigToDest && !DestToOrig)
600 std::swap(LowerBound, UpperBound);
602 // The id type is not a real bound. Eliminate it.
// Order matters: the second assignment reads the LowerBound already updated by
// the first.
603 LowerBound = LowerBound->isObjCIdType() ? UpperBound : LowerBound;
604 UpperBound = UpperBound->isObjCIdType() ? LowerBound : UpperBound;
// A transition is added only when storeWhenMoreInformative changed the state.
606 if (storeWhenMoreInformative(State, Sym, TrackedType, LowerBound, UpperBound,
608 C.addTransition(State, AfterTypeProp);
// Peels parentheses and implicit casts off E, then looks through a
// PseudoObjectExpr (to its syntactic form) and an OpaqueValueExpr (to its
// source expression), stripping parens/implicit casts again after each step.
612 static const Expr *stripCastsAndSugar(const Expr *E) {
613 E = E->IgnoreParenImpCasts();
614 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E))
615 E = POE->getSyntacticForm()->IgnoreParenImpCasts();
616 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E))
617 E = OVE->getSourceExpr()->IgnoreParenImpCasts();
// Returns whether Type structurally contains an Objective-C type parameter,
// determined by walking the type with a local RecursiveASTVisitor.
621 static bool isObjCTypeParamDependent(QualType Type) {
622 // It is illegal to typedef parameterized types inside an interface. Therefore
623 // an Objective-C type can only be dependent on a type parameter when the type
624 // parameter is structurally present in the type itself.
625 class IsObjCTypeParamDependentTypeVisitor
626 : public RecursiveASTVisitor<IsObjCTypeParamDependentTypeVisitor> {
// Result starts out false and is read back after the traversal.
628 IsObjCTypeParamDependentTypeVisitor() : Result(false) {}
629 bool VisitObjCTypeParamType(const ObjCTypeParamType *Type) {
630 if (isa<ObjCTypeParamDecl>(Type->getDecl())) {
640 IsObjCTypeParamDependentTypeVisitor Visitor;
641 Visitor.TraverseType(Type);
642 return Visitor.Result;
645 /// A method might not be available in the interface indicated by the static
646 /// type. However it might be available in the tracked type. In order to
647 /// properly substitute the type parameters we need the declaration context of
648 /// the method. The more specialized the enclosing class of the method is, the
649 /// more likely that the parameter substitution will be successful.
/// May return null: both the tracked-type lookup and the static fallback can
/// fail to find a declaration.
650 static const ObjCMethodDecl *
651 findMethodDecl(const ObjCMessageExpr *MessageExpr,
652 const ObjCObjectPointerType *TrackedType, ASTContext &ASTCtxt) {
653 const ObjCMethodDecl *Method = nullptr;
655 QualType ReceiverType = MessageExpr->getReceiverType();
656 const auto *ReceiverObjectPtrType =
657 ReceiverType->getAs<ObjCObjectPointerType>();
659 // Do this "devirtualization" on instance and class methods only. Trust the
660 // static type on super and super class calls.
661 if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Instance ||
662 MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
663 // When the receiver type is id, Class, or some super class of the tracked
664 // type, look up the method in the tracked type, not in the receiver type.
665 // This way we preserve more information.
// NOTE(review): ReceiverObjectPtrType comes from getAs<> and can be null; it
// reaches canAssignObjCInterfaces whenever the two id/Class tests are false --
// confirm that call is never made with a null first argument.
666 if (ReceiverType->isObjCIdType() || ReceiverType->isObjCClassType() ||
667 ASTCtxt.canAssignObjCInterfaces(ReceiverObjectPtrType, TrackedType)) {
// NOTE(review): InterfaceDecl is dereferenced below without a visible null
// test -- confirm the tracked type always has an interface.
668 const ObjCInterfaceDecl *InterfaceDecl = TrackedType->getInterfaceDecl();
669 // The method might not be found.
670 Selector Sel = MessageExpr->getSelector();
671 Method = InterfaceDecl->lookupInstanceMethod(Sel);
673 Method = InterfaceDecl->lookupClassMethod(Sel);
677 // Fall back to static method lookup when the one based on the tracked type
679 return Method ? Method : MessageExpr->getMethodDecl();
682 /// Get the returned ObjCObjectPointerType by a method based on the tracked type
683 /// information, or null pointer when the returned type is not an
684 /// ObjCObjectPointerType.
/// \p TypeArgs are substituted into the declared return type; \p SelfType is
/// what an `instancetype` return resolves to.
685 static QualType getReturnTypeForMethod(
686 const ObjCMethodDecl *Method, ArrayRef<QualType> TypeArgs,
687 const ObjCObjectPointerType *SelfType, ASTContext &C) {
688 QualType StaticResultType = Method->getReturnType();
690 // Is the return type declared as instance type?
691 if (StaticResultType == C.getObjCInstanceType())
692 return QualType(SelfType, 0);
694 // Check whether the result type depends on a type parameter.
695 if (!isObjCTypeParamDependent(StaticResultType))
// Substitute the tracked type arguments into the declared result type.
698 QualType ResultType = StaticResultType.substObjCTypeArgs(
699 C, TypeArgs, ObjCSubstitutionContext::Result);
704 /// When the receiver has a tracked type, use that type to validate the
705 /// arguments of the message expression and the return value.
706 void DynamicTypePropagation::checkPreObjCMessage(const ObjCMethodCall &M,
707 CheckerContext &C) const {
708 ProgramStateRef State = C.getState();
709 SymbolRef Sym = M.getReceiverSVal().getAsSymbol();
// NOTE(review): TrackedType is dereferenced further down; the guards for a
// null Sym and a missing map entry are not visible in this listing -- confirm.
713 const ObjCObjectPointerType *const *TrackedType =
714 State->get<MostSpecializedTypeArgsMap>(Sym);
718 // Get the type arguments from tracked type and substitute type arguments
719 // before doing the semantic check.
721 ASTContext &ASTCtxt = C.getASTContext();
722 const ObjCMessageExpr *MessageExpr = M.getOriginExpr();
723 const ObjCMethodDecl *Method =
724 findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);
726 // It is possible to call non-existent methods in Obj-C.
730 // If the method is declared on a class that has a non-invariant
731 // type parameter, don't warn about parameter mismatches after performing
732 // substitution. This prevents warning when the programmer has purposely
733 // casted the receiver to a super type or unspecialized type but the analyzer
734 // has a more precise tracked type than the programmer intends at the call
737 // For example, consider NSArray (which has a covariant type parameter)
738 // and NSMutableArray (a subclass of NSArray where the type parameter is
740 // NSMutableArray *a = [[NSMutableArray<NSString *> alloc] init];
742 // [a containsObject:number]; // Safe: -containsObject is defined on NSArray.
743 // NSArray<NSObject *> *other = [a arrayByAddingObject:number] // Safe
745 // [a addObject:number] // Unsafe: -addObject: is defined on NSMutableArray
748 const ObjCInterfaceDecl *Interface = Method->getClassInterface();
752 ObjCTypeParamList *TypeParams = Interface->getTypeParamList();
// Any non-invariant type parameter on the declaring class suppresses the
// argument check, per the explanation above.
756 for (ObjCTypeParamDecl *TypeParam : *TypeParams) {
757 if (TypeParam->getVariance() != ObjCTypeParamVariance::Invariant)
761 Optional<ArrayRef<QualType>> TypeArgs =
762 (*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
763 // This case might happen when there is an unspecialized override of a
764 // specialized method.
// NOTE(review): the loop bound is the parameter count of Method, which may have
// been found through the tracked type, while the arguments are indexed on
// MessageExpr -- presumably both agree because they share the selector; confirm.
768 for (unsigned i = 0; i < Method->param_size(); i++) {
769 const Expr *Arg = MessageExpr->getArg(i);
770 const ParmVarDecl *Param = Method->parameters()[i];
772 QualType OrigParamType = Param->getType();
// Parameters that do not mention a type parameter need no substitution check.
773 if (!isObjCTypeParamDependent(OrigParamType))
776 QualType ParamType = OrigParamType.substObjCTypeArgs(
777 ASTCtxt, *TypeArgs, ObjCSubstitutionContext::Parameter);
778 // Check if it can be assigned
779 const auto *ParamObjectPtrType = ParamType->getAs<ObjCObjectPointerType>();
780 const auto *ArgObjectPtrType =
781 stripCastsAndSugar(Arg)->getType()->getAs<ObjCObjectPointerType>();
782 if (!ParamObjectPtrType || !ArgObjectPtrType)
785 // Check if we have more concrete tracked type that is not a super type of
786 // the static argument type.
787 SVal ArgSVal = M.getArgSVal(i);
788 SymbolRef ArgSym = ArgSVal.getAsSymbol();
790 const ObjCObjectPointerType *const *TrackedArgType =
791 State->get<MostSpecializedTypeArgsMap>(ArgSym);
792 if (TrackedArgType &&
793 ASTCtxt.canAssignObjCInterfaces(ArgObjectPtrType, *TrackedArgType)) {
794 ArgObjectPtrType = *TrackedArgType;
798 // Warn when argument is incompatible with the parameter.
799 if (!ASTCtxt.canAssignObjCInterfaces(ParamObjectPtrType,
// Function-local static: the tag is constructed once, from whichever checker
// instance reaches this line first.
801 static CheckerProgramPointTag Tag(this, "ArgTypeMismatch");
802 ExplodedNode *N = C.addTransition(State, &Tag);
803 reportGenericsBug(ArgObjectPtrType, ParamObjectPtrType, N, Sym, C, Arg);
809 /// This callback is used to infer the types for Class variables. This info is
810 /// used later to validate messages that are sent to classes. Class variables
811 /// are initialized by invoking the 'class' method on a class.
812 /// This method is also used to infer the type information for the return
814 // TODO: right now it only tracks generic types. Extend this to track every
815 // type in the DynamicTypeMap and diagnose type errors!
816 void DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
817 CheckerContext &C) const {
818 const ObjCMessageExpr *MessageExpr = M.getOriginExpr();
820 SymbolRef RetSym = M.getReturnValue().getAsSymbol();
824 Selector Sel = MessageExpr->getSelector();
825 ProgramStateRef State = C.getState();
826 // Inference for class variables.
827 // We are only interested in cases where the class method is invoked on a
828 // class. This method is provided by the runtime and available on all classes.
// The selector is matched by its spelled name.
829 if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class &&
830 Sel.getAsString() == "class") {
831 QualType ReceiverType = MessageExpr->getClassReceiver();
832 const auto *ReceiverClassType = ReceiverType->getAs<ObjCObjectType>();
// NOTE(review): ReceiverClassType comes from getAs<> and is dereferenced below;
// a null test is not visible in this listing -- confirm.
833 QualType ReceiverClassPointerType =
834 C.getASTContext().getObjCObjectPointerType(
835 QualType(ReceiverClassType, 0));
837 if (!ReceiverClassType->isSpecialized())
839 const auto *InferredType =
840 ReceiverClassPointerType->getAs<ObjCObjectPointerType>();
841 assert(InferredType);
843 State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType);
844 C.addTransition(State);
848 // Tracking for return types.
849 SymbolRef RecSym = M.getReceiverSVal().getAsSymbol();
// NOTE(review): TrackedType, Method and TypeArgs are all dereferenced below;
// their guards are not visible in this listing -- confirm each is checked.
853 const ObjCObjectPointerType *const *TrackedType =
854 State->get<MostSpecializedTypeArgsMap>(RecSym);
858 ASTContext &ASTCtxt = C.getASTContext();
859 const ObjCMethodDecl *Method =
860 findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);
864 Optional<ArrayRef<QualType>> TypeArgs =
865 (*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
869 QualType ResultType =
870 getReturnTypeForMethod(Method, *TypeArgs, *TrackedType, ASTCtxt);
871 // The static type is the same as the deduced type.
872 if (ResultType.isNull())
875 const MemRegion *RetRegion = M.getReturnValue().getAsRegion();
876 ExplodedNode *Pred = C.getPredecessor();
877 // When there is an entry available for the return symbol in DynamicTypeMap,
878 // the call was inlined, and the information in the DynamicTypeMap should
880 if (RetRegion && !State->get<DynamicTypeMap>(RetRegion)) {
881 // TODO: we have duplicated information in DynamicTypeMap and
882 // MostSpecializedTypeArgsMap. We should only store anything in the latter if
883 // the stored data differs from the one stored in the former.
884 State = setDynamicTypeInfo(State, RetRegion, ResultType,
885 /*CanBeSubclass=*/true);
// Pred now points at the new node so the transition below chains onto it.
886 Pred = C.addTransition(State);
889 const auto *ResultPtrType = ResultType->getAs<ObjCObjectPointerType>();
891 if (!ResultPtrType || ResultPtrType->isUnspecialized())
894 // When the result is a specialized type and it is not tracked yet, track it
895 // for the result symbol.
896 if (!State->get<MostSpecializedTypeArgsMap>(RetSym)) {
897 State = State->set<MostSpecializedTypeArgsMap>(RetSym, ResultPtrType);
898 C.addTransition(State, Pred);
// Builds and emits the "Conversion from value of type ... to incompatible
// type ..." report at node N, marks Sym interesting and attaches a
// GenericsBugVisitor for it.
// NOTE(review): *ObjCGenericsBugType is dereferenced below, which requires
// initBugType() to have run; the lines between the signature and the buffer
// set-up are not shown in this listing -- confirm.
902 void DynamicTypePropagation::reportGenericsBug(
903 const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
904 ExplodedNode *N, SymbolRef Sym, CheckerContext &C,
905 const Stmt *ReportedNode) const {
910 SmallString<192> Buf;
911 llvm::raw_svector_ostream OS(Buf);
912 OS << "Conversion from value of type '";
913 QualType::print(From, Qualifiers(), OS, C.getLangOpts(), llvm::Twine());
914 OS << "' to incompatible type '";
915 QualType::print(To, Qualifiers(), OS, C.getLangOpts(), llvm::Twine());
917 std::unique_ptr<BugReport> R(
918 new BugReport(*ObjCGenericsBugType, OS.str(), N));
919 R->markInteresting(Sym);
920 R->addVisitor(llvm::make_unique<GenericsBugVisitor>(Sym));
// NOTE(review): ReportedNode defaults to nullptr in the declaration; the guard
// in front of this dereference is not visible in this listing -- confirm.
922 R->addRange(ReportedNode->getSourceRange());
923 C.emitReport(std::move(R));
// Emits a path note at the node where the tracked type of Sym changes,
// describing whether the type was inferred from an explicit cast, an implicit
// cast, or "this context".
926 std::shared_ptr<PathDiagnosticPiece>
927 DynamicTypePropagation::GenericsBugVisitor::VisitNode(const ExplodedNode *N,
928 const ExplodedNode *PrevN,
929 BugReporterContext &BRC,
931 ProgramStateRef state = N->getState();
932 ProgramStateRef statePrev = PrevN->getState();
934 const ObjCObjectPointerType *const *TrackedType =
935 state->get<MostSpecializedTypeArgsMap>(Sym);
936 const ObjCObjectPointerType *const *TrackedTypePrev =
937 statePrev->get<MostSpecializedTypeArgsMap>(Sym);
// NOTE(review): TrackedType is dereferenced on the next line; its null check is
// not visible in this listing -- confirm.
// Same tracked type as in the previous node: nothing changed here.
941 if (TrackedTypePrev && *TrackedTypePrev == *TrackedType)
944 // Retrieve the associated statement.
945 const Stmt *S = PathDiagnosticLocation::getStmt(N);
949 const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();
951 SmallString<256> Buf;
952 llvm::raw_svector_ostream OS(Buf);
954 QualType::print(*TrackedType, Qualifiers(), OS, LangOpts, llvm::Twine());
955 OS << "' is inferred from ";
// NOTE(review): dyn_cast<> requires a non-null S; the check after getStmt is
// not visible in this listing -- confirm.
957 if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(S)) {
958 OS << "explicit cast (from '";
959 QualType::print(ExplicitCast->getSubExpr()->getType().getTypePtr(),
960 Qualifiers(), OS, LangOpts, llvm::Twine());
962 QualType::print(ExplicitCast->getType().getTypePtr(), Qualifiers(), OS,
963 LangOpts, llvm::Twine());
965 } else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(S)) {
966 OS << "implicit cast (from '";
967 QualType::print(ImplicitCast->getSubExpr()->getType().getTypePtr(),
968 Qualifiers(), OS, LangOpts, llvm::Twine());
970 QualType::print(ImplicitCast->getType().getTypePtr(), Qualifiers(), OS,
971 LangOpts, llvm::Twine());
974 OS << "this context";
977 // Generate the extra diagnostic.
978 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
979 N->getLocationContext());
980 return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true,
984 /// Register checkers.
/// Registers the shared DynamicTypePropagation checker and switches on its
/// CheckGenerics flag.
985 void ento::registerObjCGenericsChecker(CheckerManager &mgr) {
986 DynamicTypePropagation *checker =
987 mgr.registerChecker<DynamicTypePropagation>();
988 checker->CheckGenerics = true;
// Registers the same checker class as registerObjCGenericsChecker, but does not
// touch CheckGenerics.
991 void ento::registerDynamicTypePropagation(CheckerManager &mgr) {
992 mgr.registerChecker<DynamicTypePropagation>();