1 //===- DynamicTypePropagation.cpp ------------------------------*- C++ -*--===//
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
9 // This file contains two checkers. One helps the static analyzer core to track
10 // types, the other does type inference on Obj-C generics and report type
13 // Dynamic Type Propagation:
14 // This checker defines the rules for dynamic type gathering and propagation.
16 // Generics Checker for Objective-C:
17 // This checker tries to find type errors that the compiler is not able to catch
18 // due to the implicit conversions that were introduced for backward
21 //===----------------------------------------------------------------------===//
23 #include "clang/AST/ParentMap.h"
24 #include "clang/AST/RecursiveASTVisitor.h"
25 #include "clang/Basic/Builtins.h"
26 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
27 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
28 #include "clang/StaticAnalyzer/Core/Checker.h"
29 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
30 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
31 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
32 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
33 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
35 using namespace clang;
38 // ProgramState trait - The type inflation is tracked by DynamicTypeMap. This is
39 // an auxiliary map that tracks more information about generic types, because in
40 // some cases the most derived type is not the most informative one about the
41 // type parameters. This types that are stored for each symbol in this map must
43 // TODO: In some case the type stored in this map is exactly the same that is
44 // stored in DynamicTypeMap. We should no store duplicated information in those
46 REGISTER_MAP_WITH_PROGRAMSTATE(MostSpecializedTypeArgsMap, SymbolRef,
47 const ObjCObjectPointerType *)
50 class DynamicTypePropagation:
51 public Checker< check::PreCall,
54 check::PostStmt<CastExpr>,
55 check::PostStmt<CXXNewExpr>,
56 check::PreObjCMessage,
57 check::PostObjCMessage > {
59 const ObjCObjectType *getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
60 CheckerContext &C) const;
62 /// Return a better dynamic type if one can be derived from the cast.
63 const ObjCObjectPointerType *getBetterObjCType(const Expr *CastE,
64 CheckerContext &C) const;
66 ExplodedNode *dynamicTypePropagationOnCasts(const CastExpr *CE,
67 ProgramStateRef &State,
68 CheckerContext &C) const;
70 mutable std::unique_ptr<BugType> ObjCGenericsBugType;
71 void initBugType() const {
72 if (!ObjCGenericsBugType)
73 ObjCGenericsBugType.reset(new BugType(
74 GenericCheckName, "Generics", categories::CoreFoundationObjectiveC));
77 class GenericsBugVisitor : public BugReporterVisitor {
79 GenericsBugVisitor(SymbolRef S) : Sym(S) {}
81 void Profile(llvm::FoldingSetNodeID &ID) const override {
87 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
88 BugReporterContext &BRC,
89 PathSensitiveBugReport &BR) override;
92 // The tracked symbol.
96 void reportGenericsBug(const ObjCObjectPointerType *From,
97 const ObjCObjectPointerType *To, ExplodedNode *N,
98 SymbolRef Sym, CheckerContext &C,
99 const Stmt *ReportedNode = nullptr) const;
102 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
103 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
104 void checkPostStmt(const CastExpr *CastE, CheckerContext &C) const;
105 void checkPostStmt(const CXXNewExpr *NewE, CheckerContext &C) const;
106 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
107 void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
108 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
110 /// This value is set to true, when the Generics checker is turned on.
111 DefaultBool CheckGenerics;
112 CheckerNameRef GenericCheckName;
115 bool isObjCClassType(QualType Type) {
116 if (const auto *PointerType = dyn_cast<ObjCObjectPointerType>(Type)) {
117 return PointerType->getObjectType()->isObjCClass();
123 const ObjCObjectType *Type = nullptr;
124 bool Precise = false;
126 operator bool() const { return Type != nullptr; }
129 RuntimeType inferReceiverType(const ObjCMethodCall &Message,
131 const ObjCMessageExpr *MessageExpr = Message.getOriginExpr();
133 // Check if we can statically infer the actual type precisely.
135 // 1. Class is written directly in the message:
137 // [ActualClass classMethod];
139 if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
140 return {MessageExpr->getClassReceiver()->getAs<ObjCObjectType>(),
144 // 2. Receiver is 'super' from a class method (a.k.a 'super' is a
147 // [super classMethod];
149 if (MessageExpr->getReceiverKind() == ObjCMessageExpr::SuperClass) {
150 return {MessageExpr->getSuperType()->getAs<ObjCObjectType>(),
154 // 3. Receiver is 'super' from an instance method (a.k.a 'super' is an
155 // instance of a super class).
157 // [super instanceMethod];
159 if (MessageExpr->getReceiverKind() == ObjCMessageExpr::SuperInstance) {
160 if (const auto *ObjTy =
161 MessageExpr->getSuperType()->getAs<ObjCObjectPointerType>())
162 return {ObjTy->getObjectType(), /*Precise=*/true};
165 const Expr *RecE = MessageExpr->getInstanceReceiver();
170 // Otherwise, let's try to get type information from our estimations of
172 QualType InferredType;
173 SVal ReceiverSVal = C.getSVal(RecE);
174 ProgramStateRef State = C.getState();
176 if (const MemRegion *ReceiverRegion = ReceiverSVal.getAsRegion()) {
177 if (DynamicTypeInfo DTI = getDynamicTypeInfo(State, ReceiverRegion)) {
178 InferredType = DTI.getType().getCanonicalType();
182 if (SymbolRef ReceiverSymbol = ReceiverSVal.getAsSymbol()) {
183 if (InferredType.isNull()) {
184 InferredType = ReceiverSymbol->getType();
187 // If receiver is a Class object, we want to figure out the type it
189 if (isObjCClassType(InferredType)) {
190 // We actually might have some info on what type is contained in there.
191 if (DynamicTypeInfo DTI =
192 getClassObjectDynamicTypeInfo(State, ReceiverSymbol)) {
194 // Types in Class objects can be ONLY Objective-C types
195 return {cast<ObjCObjectType>(DTI.getType()), !DTI.canBeASubClass()};
198 SVal SelfSVal = State->getSelfSVal(C.getLocationContext());
200 // Another way we can guess what is in Class object, is when it is a
201 // 'self' variable of the current class method.
202 if (ReceiverSVal == SelfSVal) {
203 // In this case, we should return the type of the enclosing class
205 if (const ObjCMethodDecl *MD =
206 dyn_cast<ObjCMethodDecl>(C.getStackFrame()->getDecl()))
207 if (const ObjCObjectType *ObjTy = dyn_cast<ObjCObjectType>(
208 MD->getClassInterface()->getTypeForDecl()))
214 // Unfortunately, it seems like we have no idea what that type is.
215 if (InferredType.isNull()) {
219 // We can end up here if we got some dynamic type info and the
220 // receiver is not one of the known Class objects.
221 if (const auto *ReceiverInferredType =
222 dyn_cast<ObjCObjectPointerType>(InferredType)) {
223 return {ReceiverInferredType->getObjectType()};
226 // Any other type (like 'Class') is not really useful at this point.
229 } // end anonymous namespace
231 void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR,
232 CheckerContext &C) const {
233 ProgramStateRef State = removeDeadTypes(C.getState(), SR);
234 State = removeDeadClassObjectTypes(State, SR);
236 MostSpecializedTypeArgsMapTy TyArgMap =
237 State->get<MostSpecializedTypeArgsMap>();
238 for (MostSpecializedTypeArgsMapTy::iterator I = TyArgMap.begin(),
241 if (SR.isDead(I->first)) {
242 State = State->remove<MostSpecializedTypeArgsMap>(I->first);
246 C.addTransition(State);
249 static void recordFixedType(const MemRegion *Region, const CXXMethodDecl *MD,
254 ASTContext &Ctx = C.getASTContext();
255 QualType Ty = Ctx.getPointerType(Ctx.getRecordType(MD->getParent()));
257 ProgramStateRef State = C.getState();
258 State = setDynamicTypeInfo(State, Region, Ty, /*CanBeSubClassed=*/false);
259 C.addTransition(State);
262 void DynamicTypePropagation::checkPreCall(const CallEvent &Call,
263 CheckerContext &C) const {
264 if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
265 // C++11 [class.cdtor]p4: When a virtual function is called directly or
266 // indirectly from a constructor or from a destructor, including during
267 // the construction or destruction of the class's non-static data members,
268 // and the object to which the call applies is the object under
269 // construction or destruction, the function called is the final overrider
270 // in the constructor's or destructor's class and not one overriding it in
271 // a more-derived class.
273 switch (Ctor->getOriginExpr()->getConstructionKind()) {
274 case CXXConstructExpr::CK_Complete:
275 case CXXConstructExpr::CK_Delegating:
276 // No additional type info necessary.
278 case CXXConstructExpr::CK_NonVirtualBase:
279 case CXXConstructExpr::CK_VirtualBase:
280 if (const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion())
281 recordFixedType(Target, Ctor->getDecl(), C);
288 if (const CXXDestructorCall *Dtor = dyn_cast<CXXDestructorCall>(&Call)) {
289 // C++11 [class.cdtor]p4 (see above)
290 if (!Dtor->isBaseDestructor())
293 const MemRegion *Target = Dtor->getCXXThisVal().getAsRegion();
297 const Decl *D = Dtor->getDecl();
301 recordFixedType(Target, cast<CXXDestructorDecl>(D), C);
306 void DynamicTypePropagation::checkPostCall(const CallEvent &Call,
307 CheckerContext &C) const {
308 // We can obtain perfect type info for return values from some calls.
309 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
311 // Get the returned value if it's a region.
312 const MemRegion *RetReg = Call.getReturnValue().getAsRegion();
316 ProgramStateRef State = C.getState();
317 const ObjCMethodDecl *D = Msg->getDecl();
319 if (D && D->hasRelatedResultType()) {
320 switch (Msg->getMethodFamily()) {
324 // We assume that the type of the object returned by alloc and new are the
325 // pointer to the object of the class specified in the receiver of the
329 // Get the type of object that will get created.
330 RuntimeType ObjTy = inferReceiverType(*Msg, C);
336 C.getASTContext().getObjCObjectPointerType(QualType(ObjTy.Type, 0));
337 // We used to assume that whatever type we got from inferring the
338 // type is actually precise (and it is not exactly correct).
339 // A big portion of the existing behavior depends on that assumption
340 // (e.g. certain inlining won't take place). For this reason, we don't
341 // use ObjTy.Precise flag here.
343 // TODO: We should mitigate this problem some time in the future
344 // and replace hardcoded 'false' with '!ObjTy.Precise'.
345 C.addTransition(setDynamicTypeInfo(State, RetReg, DynResTy, false));
349 // Assume, the result of the init method has the same dynamic type as
350 // the receiver and propagate the dynamic type info.
351 const MemRegion *RecReg = Msg->getReceiverSVal().getAsRegion();
354 DynamicTypeInfo RecDynType = getDynamicTypeInfo(State, RecReg);
355 C.addTransition(setDynamicTypeInfo(State, RetReg, RecDynType));
363 if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
364 // We may need to undo the effects of our pre-call check.
365 switch (Ctor->getOriginExpr()->getConstructionKind()) {
366 case CXXConstructExpr::CK_Complete:
367 case CXXConstructExpr::CK_Delegating:
368 // No additional work necessary.
369 // Note: This will leave behind the actual type of the object for
370 // complete constructors, but arguably that's a good thing, since it
371 // means the dynamic type info will be correct even for objects
372 // constructed with operator new.
374 case CXXConstructExpr::CK_NonVirtualBase:
375 case CXXConstructExpr::CK_VirtualBase:
376 if (const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion()) {
377 // We just finished a base constructor. Now we can use the subclass's
378 // type when resolving virtual calls.
379 const LocationContext *LCtx = C.getLocationContext();
381 // FIXME: In C++17 classes with non-virtual bases may be treated as
382 // aggregates, and in such case no top-frame constructor will be called.
383 // Figure out if we need to do anything in this case.
384 // FIXME: Instead of relying on the ParentMap, we should have the
385 // trigger-statement (InitListExpr in this case) available in this
386 // callback, ideally as part of CallEvent.
387 if (dyn_cast_or_null<InitListExpr>(
388 LCtx->getParentMap().getParent(Ctor->getOriginExpr())))
391 recordFixedType(Target, cast<CXXConstructorDecl>(LCtx->getDecl()), C);
398 /// TODO: Handle explicit casts.
399 /// Handle C++ casts.
401 /// Precondition: the cast is between ObjCObjectPointers.
402 ExplodedNode *DynamicTypePropagation::dynamicTypePropagationOnCasts(
403 const CastExpr *CE, ProgramStateRef &State, CheckerContext &C) const {
404 // We only track type info for regions.
405 const MemRegion *ToR = C.getSVal(CE).getAsRegion();
407 return C.getPredecessor();
409 if (isa<ExplicitCastExpr>(CE))
410 return C.getPredecessor();
412 if (const Type *NewTy = getBetterObjCType(CE, C)) {
413 State = setDynamicTypeInfo(State, ToR, QualType(NewTy, 0));
414 return C.addTransition(State);
416 return C.getPredecessor();
419 void DynamicTypePropagation::checkPostStmt(const CXXNewExpr *NewE,
420 CheckerContext &C) const {
424 // We only track dynamic type info for regions.
425 const MemRegion *MR = C.getSVal(NewE).getAsRegion();
429 C.addTransition(setDynamicTypeInfo(C.getState(), MR, NewE->getType(),
430 /*CanBeSubClassed=*/false));
433 // Return a better dynamic type if one can be derived from the cast.
434 // Compare the current dynamic type of the region and the new type to which we
435 // are casting. If the new type is lower in the inheritance hierarchy, pick it.
436 const ObjCObjectPointerType *
437 DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
438 CheckerContext &C) const {
439 const MemRegion *ToR = C.getSVal(CastE).getAsRegion();
442 // Get the old and new types.
443 const ObjCObjectPointerType *NewTy =
444 CastE->getType()->getAs<ObjCObjectPointerType>();
447 QualType OldDTy = getDynamicTypeInfo(C.getState(), ToR).getType();
448 if (OldDTy.isNull()) {
451 const ObjCObjectPointerType *OldTy =
452 OldDTy->getAs<ObjCObjectPointerType>();
456 // Id the old type is 'id', the new one is more precise.
457 if (OldTy->isObjCIdType() && !NewTy->isObjCIdType())
460 // Return new if it's a subclass of old.
461 const ObjCInterfaceDecl *ToI = NewTy->getInterfaceDecl();
462 const ObjCInterfaceDecl *FromI = OldTy->getInterfaceDecl();
463 if (ToI && FromI && FromI->isSuperClassOf(ToI))
469 static const ObjCObjectPointerType *getMostInformativeDerivedClassImpl(
470 const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
471 const ObjCObjectPointerType *MostInformativeCandidate, ASTContext &C) {
472 // Checking if from and to are the same classes modulo specialization.
473 if (From->getInterfaceDecl()->getCanonicalDecl() ==
474 To->getInterfaceDecl()->getCanonicalDecl()) {
475 if (To->isSpecialized()) {
476 assert(MostInformativeCandidate->isSpecialized());
477 return MostInformativeCandidate;
482 if (To->getObjectType()->getSuperClassType().isNull()) {
483 // If To has no super class and From and To aren't the same then
484 // To was not actually a descendent of From. In this case the best we can
489 const auto *SuperOfTo =
490 To->getObjectType()->getSuperClassType()->castAs<ObjCObjectType>();
492 QualType SuperPtrOfToQual =
493 C.getObjCObjectPointerType(QualType(SuperOfTo, 0));
494 const auto *SuperPtrOfTo = SuperPtrOfToQual->castAs<ObjCObjectPointerType>();
495 if (To->isUnspecialized())
496 return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo, SuperPtrOfTo,
499 return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo,
500 MostInformativeCandidate, C);
503 /// A downcast may loose specialization information. E. g.:
504 /// MutableMap<T, U> : Map
505 /// The downcast to MutableMap looses the information about the types of the
506 /// Map (due to the type parameters are not being forwarded to Map), and in
507 /// general there is no way to recover that information from the
508 /// declaration. In order to have to most information, lets find the most
509 /// derived type that has all the type parameters forwarded.
511 /// Get the a subclass of \p From (which has a lower bound \p To) that do not
512 /// loose information about type parameters. \p To has to be a subclass of
513 /// \p From. From has to be specialized.
514 static const ObjCObjectPointerType *
515 getMostInformativeDerivedClass(const ObjCObjectPointerType *From,
516 const ObjCObjectPointerType *To, ASTContext &C) {
517 return getMostInformativeDerivedClassImpl(From, To, To, C);
521 /// \param StaticLowerBound Static lower bound for a symbol. The dynamic lower
522 /// bound might be the subclass of this type.
523 /// \param StaticUpperBound A static upper bound for a symbol.
524 /// \p StaticLowerBound expected to be the subclass of \p StaticUpperBound.
525 /// \param Current The type that was inferred for a symbol in a previous
526 /// context. Might be null when this is the first time that inference happens.
528 /// \p StaticLowerBound or \p StaticUpperBound is specialized. If \p Current
529 /// is not null, it is specialized.
531 /// (1) The \p Current is null and \p StaticLowerBound <: \p StaticUpperBound
532 /// (2) \p StaticLowerBound <: \p Current <: \p StaticUpperBound
533 /// (3) \p Current <: \p StaticLowerBound <: \p StaticUpperBound
534 /// (4) \p StaticLowerBound <: \p StaticUpperBound <: \p Current
536 /// Use getMostInformativeDerivedClass with the upper and lower bound of the
537 /// set {\p StaticLowerBound, \p Current, \p StaticUpperBound}. The computed
538 /// lower bound must be specialized. If the result differs from \p Current or
539 /// \p Current is null, store the result.
541 storeWhenMoreInformative(ProgramStateRef &State, SymbolRef Sym,
542 const ObjCObjectPointerType *const *Current,
543 const ObjCObjectPointerType *StaticLowerBound,
544 const ObjCObjectPointerType *StaticUpperBound,
546 // TODO: The above 4 cases are not exhaustive. In particular, it is possible
547 // for Current to be incomparable with StaticLowerBound, StaticUpperBound,
550 // For example, suppose Foo<T> and Bar<T> are unrelated types.
557 // id t2 = f; // StaticLowerBound is Foo<T>, Current is Bar<T>
559 // We should either constrain the callers of this function so that the stated
560 // preconditions hold (and assert it) or rewrite the function to expicitly
561 // handle the additional cases.
564 assert(StaticUpperBound->isSpecialized() ||
565 StaticLowerBound->isSpecialized());
566 assert(!Current || (*Current)->isSpecialized());
570 if (StaticUpperBound->isUnspecialized()) {
571 State = State->set<MostSpecializedTypeArgsMap>(Sym, StaticLowerBound);
574 // Upper bound is specialized.
575 const ObjCObjectPointerType *WithMostInfo =
576 getMostInformativeDerivedClass(StaticUpperBound, StaticLowerBound, C);
577 State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
582 if (C.canAssignObjCInterfaces(StaticLowerBound, *Current)) {
587 if (C.canAssignObjCInterfaces(*Current, StaticUpperBound)) {
588 // The type arguments might not be forwarded at any point of inheritance.
589 const ObjCObjectPointerType *WithMostInfo =
590 getMostInformativeDerivedClass(*Current, StaticUpperBound, C);
592 getMostInformativeDerivedClass(WithMostInfo, StaticLowerBound, C);
593 if (WithMostInfo == *Current)
595 State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
600 const ObjCObjectPointerType *WithMostInfo =
601 getMostInformativeDerivedClass(*Current, StaticLowerBound, C);
602 if (WithMostInfo != *Current) {
603 State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
610 /// Type inference based on static type information that is available for the
611 /// cast and the tracked type information for the given symbol. When the tracked
612 /// symbol and the destination type of the cast are unrelated, report an error.
613 void DynamicTypePropagation::checkPostStmt(const CastExpr *CE,
614 CheckerContext &C) const {
615 if (CE->getCastKind() != CK_BitCast)
618 QualType OriginType = CE->getSubExpr()->getType();
619 QualType DestType = CE->getType();
621 const auto *OrigObjectPtrType = OriginType->getAs<ObjCObjectPointerType>();
622 const auto *DestObjectPtrType = DestType->getAs<ObjCObjectPointerType>();
624 if (!OrigObjectPtrType || !DestObjectPtrType)
627 ProgramStateRef State = C.getState();
628 ExplodedNode *AfterTypeProp = dynamicTypePropagationOnCasts(CE, State, C);
630 ASTContext &ASTCtxt = C.getASTContext();
632 // This checker detects the subtyping relationships using the assignment
633 // rules. In order to be able to do this the kindofness must be stripped
634 // first. The checker treats every type as kindof type anyways: when the
635 // tracked type is the subtype of the static type it tries to look up the
636 // methods in the tracked type first.
637 OrigObjectPtrType = OrigObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);
638 DestObjectPtrType = DestObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);
640 if (OrigObjectPtrType->isUnspecialized() &&
641 DestObjectPtrType->isUnspecialized())
644 SymbolRef Sym = C.getSVal(CE).getAsSymbol();
648 const ObjCObjectPointerType *const *TrackedType =
649 State->get<MostSpecializedTypeArgsMap>(Sym);
651 if (isa<ExplicitCastExpr>(CE)) {
652 // Treat explicit casts as an indication from the programmer that the
653 // Objective-C type system is not rich enough to express the needed
654 // invariant. In such cases, forget any existing information inferred
655 // about the type arguments. We don't assume the casted-to specialized
656 // type here because the invariant the programmer specifies in the cast
657 // may only hold at this particular program point and not later ones.
658 // We don't want a suppressing cast to require a cascade of casts down the
661 State = State->remove<MostSpecializedTypeArgsMap>(Sym);
662 C.addTransition(State, AfterTypeProp);
667 // Check which assignments are legal.
669 ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, OrigObjectPtrType);
671 ASTCtxt.canAssignObjCInterfaces(OrigObjectPtrType, DestObjectPtrType);
673 // The tracked type should be the sub or super class of the static destination
674 // type. When an (implicit) upcast or a downcast happens according to static
675 // types, and there is no subtyping relationship between the tracked and the
676 // static destination types, it indicates an error.
678 !ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, *TrackedType) &&
679 !ASTCtxt.canAssignObjCInterfaces(*TrackedType, DestObjectPtrType)) {
680 static CheckerProgramPointTag IllegalConv(this, "IllegalConversion");
681 ExplodedNode *N = C.addTransition(State, AfterTypeProp, &IllegalConv);
682 reportGenericsBug(*TrackedType, DestObjectPtrType, N, Sym, C);
686 // Handle downcasts and upcasts.
688 const ObjCObjectPointerType *LowerBound = DestObjectPtrType;
689 const ObjCObjectPointerType *UpperBound = OrigObjectPtrType;
690 if (OrigToDest && !DestToOrig)
691 std::swap(LowerBound, UpperBound);
693 // The id type is not a real bound. Eliminate it.
694 LowerBound = LowerBound->isObjCIdType() ? UpperBound : LowerBound;
695 UpperBound = UpperBound->isObjCIdType() ? LowerBound : UpperBound;
697 if (storeWhenMoreInformative(State, Sym, TrackedType, LowerBound, UpperBound,
699 C.addTransition(State, AfterTypeProp);
703 static const Expr *stripCastsAndSugar(const Expr *E) {
704 E = E->IgnoreParenImpCasts();
705 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E))
706 E = POE->getSyntacticForm()->IgnoreParenImpCasts();
707 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E))
708 E = OVE->getSourceExpr()->IgnoreParenImpCasts();
712 static bool isObjCTypeParamDependent(QualType Type) {
713 // It is illegal to typedef parameterized types inside an interface. Therefore
714 // an Objective-C type can only be dependent on a type parameter when the type
715 // parameter structurally present in the type itself.
716 class IsObjCTypeParamDependentTypeVisitor
717 : public RecursiveASTVisitor<IsObjCTypeParamDependentTypeVisitor> {
719 IsObjCTypeParamDependentTypeVisitor() : Result(false) {}
720 bool VisitObjCTypeParamType(const ObjCTypeParamType *Type) {
721 if (isa<ObjCTypeParamDecl>(Type->getDecl())) {
731 IsObjCTypeParamDependentTypeVisitor Visitor;
732 Visitor.TraverseType(Type);
733 return Visitor.Result;
736 /// A method might not be available in the interface indicated by the static
737 /// type. However it might be available in the tracked type. In order to
738 /// properly substitute the type parameters we need the declaration context of
739 /// the method. The more specialized the enclosing class of the method is, the
740 /// more likely that the parameter substitution will be successful.
741 static const ObjCMethodDecl *
742 findMethodDecl(const ObjCMessageExpr *MessageExpr,
743 const ObjCObjectPointerType *TrackedType, ASTContext &ASTCtxt) {
744 const ObjCMethodDecl *Method = nullptr;
746 QualType ReceiverType = MessageExpr->getReceiverType();
747 const auto *ReceiverObjectPtrType =
748 ReceiverType->getAs<ObjCObjectPointerType>();
750 // Do this "devirtualization" on instance and class methods only. Trust the
751 // static type on super and super class calls.
752 if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Instance ||
753 MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
754 // When the receiver type is id, Class, or some super class of the tracked
755 // type, look up the method in the tracked type, not in the receiver type.
756 // This way we preserve more information.
757 if (ReceiverType->isObjCIdType() || ReceiverType->isObjCClassType() ||
758 ASTCtxt.canAssignObjCInterfaces(ReceiverObjectPtrType, TrackedType)) {
759 const ObjCInterfaceDecl *InterfaceDecl = TrackedType->getInterfaceDecl();
760 // The method might not be found.
761 Selector Sel = MessageExpr->getSelector();
762 Method = InterfaceDecl->lookupInstanceMethod(Sel);
764 Method = InterfaceDecl->lookupClassMethod(Sel);
768 // Fallback to statick method lookup when the one based on the tracked type
770 return Method ? Method : MessageExpr->getMethodDecl();
773 /// Get the returned ObjCObjectPointerType by a method based on the tracked type
774 /// information, or null pointer when the returned type is not an
775 /// ObjCObjectPointerType.
776 static QualType getReturnTypeForMethod(
777 const ObjCMethodDecl *Method, ArrayRef<QualType> TypeArgs,
778 const ObjCObjectPointerType *SelfType, ASTContext &C) {
779 QualType StaticResultType = Method->getReturnType();
781 // Is the return type declared as instance type?
782 if (StaticResultType == C.getObjCInstanceType())
783 return QualType(SelfType, 0);
785 // Check whether the result type depends on a type parameter.
786 if (!isObjCTypeParamDependent(StaticResultType))
789 QualType ResultType = StaticResultType.substObjCTypeArgs(
790 C, TypeArgs, ObjCSubstitutionContext::Result);
795 /// When the receiver has a tracked type, use that type to validate the
796 /// argumments of the message expression and the return value.
797 void DynamicTypePropagation::checkPreObjCMessage(const ObjCMethodCall &M,
798 CheckerContext &C) const {
799 ProgramStateRef State = C.getState();
800 SymbolRef Sym = M.getReceiverSVal().getAsSymbol();
804 const ObjCObjectPointerType *const *TrackedType =
805 State->get<MostSpecializedTypeArgsMap>(Sym);
809 // Get the type arguments from tracked type and substitute type arguments
810 // before do the semantic check.
812 ASTContext &ASTCtxt = C.getASTContext();
813 const ObjCMessageExpr *MessageExpr = M.getOriginExpr();
814 const ObjCMethodDecl *Method =
815 findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);
817 // It is possible to call non-existent methods in Obj-C.
821 // If the method is declared on a class that has a non-invariant
822 // type parameter, don't warn about parameter mismatches after performing
823 // substitution. This prevents warning when the programmer has purposely
824 // casted the receiver to a super type or unspecialized type but the analyzer
825 // has a more precise tracked type than the programmer intends at the call
828 // For example, consider NSArray (which has a covariant type parameter)
829 // and NSMutableArray (a subclass of NSArray where the type parameter is
831 // NSMutableArray *a = [[NSMutableArray<NSString *> alloc] init;
833 // [a containsObject:number]; // Safe: -containsObject is defined on NSArray.
834 // NSArray<NSObject *> *other = [a arrayByAddingObject:number] // Safe
836 // [a addObject:number] // Unsafe: -addObject: is defined on NSMutableArray
839 const ObjCInterfaceDecl *Interface = Method->getClassInterface();
843 ObjCTypeParamList *TypeParams = Interface->getTypeParamList();
847 for (ObjCTypeParamDecl *TypeParam : *TypeParams) {
848 if (TypeParam->getVariance() != ObjCTypeParamVariance::Invariant)
852 Optional<ArrayRef<QualType>> TypeArgs =
853 (*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
854 // This case might happen when there is an unspecialized override of a
855 // specialized method.
859 for (unsigned i = 0; i < Method->param_size(); i++) {
860 const Expr *Arg = MessageExpr->getArg(i);
861 const ParmVarDecl *Param = Method->parameters()[i];
863 QualType OrigParamType = Param->getType();
864 if (!isObjCTypeParamDependent(OrigParamType))
867 QualType ParamType = OrigParamType.substObjCTypeArgs(
868 ASTCtxt, *TypeArgs, ObjCSubstitutionContext::Parameter);
869 // Check if it can be assigned
870 const auto *ParamObjectPtrType = ParamType->getAs<ObjCObjectPointerType>();
871 const auto *ArgObjectPtrType =
872 stripCastsAndSugar(Arg)->getType()->getAs<ObjCObjectPointerType>();
873 if (!ParamObjectPtrType || !ArgObjectPtrType)
876 // Check if we have more concrete tracked type that is not a super type of
877 // the static argument type.
878 SVal ArgSVal = M.getArgSVal(i);
879 SymbolRef ArgSym = ArgSVal.getAsSymbol();
881 const ObjCObjectPointerType *const *TrackedArgType =
882 State->get<MostSpecializedTypeArgsMap>(ArgSym);
883 if (TrackedArgType &&
884 ASTCtxt.canAssignObjCInterfaces(ArgObjectPtrType, *TrackedArgType)) {
885 ArgObjectPtrType = *TrackedArgType;
889 // Warn when argument is incompatible with the parameter.
890 if (!ASTCtxt.canAssignObjCInterfaces(ParamObjectPtrType,
892 static CheckerProgramPointTag Tag(this, "ArgTypeMismatch");
893 ExplodedNode *N = C.addTransition(State, &Tag);
894 reportGenericsBug(ArgObjectPtrType, ParamObjectPtrType, N, Sym, C, Arg);
900 /// This callback is used to infer the types for Class variables. This info is
901 /// used later to validate messages that sent to classes. Class variables are
902 /// initialized with by invoking the 'class' method on a class.
903 /// This method is also used to infer the type information for the return
905 // TODO: right now it only tracks generic types. Extend this to track every
906 // type in the DynamicTypeMap and diagnose type errors!
907 void DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
908 CheckerContext &C) const {
909 const ObjCMessageExpr *MessageExpr = M.getOriginExpr();
911 SymbolRef RetSym = M.getReturnValue().getAsSymbol();
915 Selector Sel = MessageExpr->getSelector();
916 ProgramStateRef State = C.getState();
918 // Here we try to propagate information on Class objects.
919 if (Sel.getAsString() == "class") {
920 // We try to figure out the type from the receiver of the 'class' message.
921 if (RuntimeType ReceiverRuntimeType = inferReceiverType(M, C)) {
923 ReceiverRuntimeType.Type->getSuperClassType();
924 QualType ReceiverClassType(ReceiverRuntimeType.Type, 0);
926 // We want to consider only precise information on generics.
927 if (ReceiverRuntimeType.Type->isSpecialized() &&
928 ReceiverRuntimeType.Precise) {
929 QualType ReceiverClassPointerType =
930 C.getASTContext().getObjCObjectPointerType(ReceiverClassType);
931 const auto *InferredType =
932 ReceiverClassPointerType->castAs<ObjCObjectPointerType>();
933 State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType);
936 // Constrain the resulting class object to the inferred type.
937 State = setClassObjectDynamicTypeInfo(State, RetSym, ReceiverClassType,
938 !ReceiverRuntimeType.Precise);
940 C.addTransition(State);
945 if (Sel.getAsString() == "superclass") {
946 // We try to figure out the type from the receiver of the 'superclass'
948 if (RuntimeType ReceiverRuntimeType = inferReceiverType(M, C)) {
950 // Result type would be a super class of the receiver's type.
951 QualType ReceiversSuperClass =
952 ReceiverRuntimeType.Type->getSuperClassType();
954 // Check if it really had super class.
956 // TODO: we can probably pay closer attention to cases when the class
957 // object can be 'nil' as the result of such message.
958 if (!ReceiversSuperClass.isNull()) {
959 // Constrain the resulting class object to the inferred type.
960 State = setClassObjectDynamicTypeInfo(
961 State, RetSym, ReceiversSuperClass, !ReceiverRuntimeType.Precise);
963 C.addTransition(State);
969 // Tracking for return types.
970 SymbolRef RecSym = M.getReceiverSVal().getAsSymbol();
974 const ObjCObjectPointerType *const *TrackedType =
975 State->get<MostSpecializedTypeArgsMap>(RecSym);
979 ASTContext &ASTCtxt = C.getASTContext();
980 const ObjCMethodDecl *Method =
981 findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);
985 Optional<ArrayRef<QualType>> TypeArgs =
986 (*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
990 QualType ResultType =
991 getReturnTypeForMethod(Method, *TypeArgs, *TrackedType, ASTCtxt);
992 // The static type is the same as the deduced type.
993 if (ResultType.isNull())
996 const MemRegion *RetRegion = M.getReturnValue().getAsRegion();
997 ExplodedNode *Pred = C.getPredecessor();
998 // When there is an entry available for the return symbol in DynamicTypeMap,
999 // the call was inlined, and the information in the DynamicTypeMap is should
1001 if (RetRegion && !getRawDynamicTypeInfo(State, RetRegion)) {
1002 // TODO: we have duplicated information in DynamicTypeMap and
1003 // MostSpecializedTypeArgsMap. We should only store anything in the later if
1004 // the stored data differs from the one stored in the former.
1005 State = setDynamicTypeInfo(State, RetRegion, ResultType,
1006 /*CanBeSubClassed=*/true);
1007 Pred = C.addTransition(State);
1010 const auto *ResultPtrType = ResultType->getAs<ObjCObjectPointerType>();
1012 if (!ResultPtrType || ResultPtrType->isUnspecialized())
1015 // When the result is a specialized type and it is not tracked yet, track it
1016 // for the result symbol.
1017 if (!State->get<MostSpecializedTypeArgsMap>(RetSym)) {
1018 State = State->set<MostSpecializedTypeArgsMap>(RetSym, ResultPtrType);
1019 C.addTransition(State, Pred);
1023 void DynamicTypePropagation::reportGenericsBug(
1024 const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
1025 ExplodedNode *N, SymbolRef Sym, CheckerContext &C,
1026 const Stmt *ReportedNode) const {
1031 SmallString<192> Buf;
1032 llvm::raw_svector_ostream OS(Buf);
1033 OS << "Conversion from value of type '";
1034 QualType::print(From, Qualifiers(), OS, C.getLangOpts(), llvm::Twine());
1035 OS << "' to incompatible type '";
1036 QualType::print(To, Qualifiers(), OS, C.getLangOpts(), llvm::Twine());
1038 auto R = std::make_unique<PathSensitiveBugReport>(*ObjCGenericsBugType,
1040 R->markInteresting(Sym);
1041 R->addVisitor(std::make_unique<GenericsBugVisitor>(Sym));
1043 R->addRange(ReportedNode->getSourceRange());
1044 C.emitReport(std::move(R));
1047 PathDiagnosticPieceRef DynamicTypePropagation::GenericsBugVisitor::VisitNode(
1048 const ExplodedNode *N, BugReporterContext &BRC,
1049 PathSensitiveBugReport &BR) {
1050 ProgramStateRef state = N->getState();
1051 ProgramStateRef statePrev = N->getFirstPred()->getState();
1053 const ObjCObjectPointerType *const *TrackedType =
1054 state->get<MostSpecializedTypeArgsMap>(Sym);
1055 const ObjCObjectPointerType *const *TrackedTypePrev =
1056 statePrev->get<MostSpecializedTypeArgsMap>(Sym);
1060 if (TrackedTypePrev && *TrackedTypePrev == *TrackedType)
1063 // Retrieve the associated statement.
1064 const Stmt *S = N->getStmtForDiagnostics();
1068 const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();
1070 SmallString<256> Buf;
1071 llvm::raw_svector_ostream OS(Buf);
1073 QualType::print(*TrackedType, Qualifiers(), OS, LangOpts, llvm::Twine());
1074 OS << "' is inferred from ";
1076 if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(S)) {
1077 OS << "explicit cast (from '";
1078 QualType::print(ExplicitCast->getSubExpr()->getType().getTypePtr(),
1079 Qualifiers(), OS, LangOpts, llvm::Twine());
1081 QualType::print(ExplicitCast->getType().getTypePtr(), Qualifiers(), OS,
1082 LangOpts, llvm::Twine());
1084 } else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(S)) {
1085 OS << "implicit cast (from '";
1086 QualType::print(ImplicitCast->getSubExpr()->getType().getTypePtr(),
1087 Qualifiers(), OS, LangOpts, llvm::Twine());
1089 QualType::print(ImplicitCast->getType().getTypePtr(), Qualifiers(), OS,
1090 LangOpts, llvm::Twine());
1093 OS << "this context";
1096 // Generate the extra diagnostic.
1097 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
1098 N->getLocationContext());
1099 return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
1102 /// Register checkers.
1103 void ento::registerObjCGenericsChecker(CheckerManager &mgr) {
1104 DynamicTypePropagation *checker = mgr.getChecker<DynamicTypePropagation>();
1105 checker->CheckGenerics = true;
1106 checker->GenericCheckName = mgr.getCurrentCheckerName();
1109 bool ento::shouldRegisterObjCGenericsChecker(const CheckerManager &mgr) {
1113 void ento::registerDynamicTypePropagation(CheckerManager &mgr) {
1114 mgr.registerChecker<DynamicTypePropagation>();
1117 bool ento::shouldRegisterDynamicTypePropagation(const CheckerManager &mgr) {