blob: b07f59125a82e4e198fe3dabcd9b023e1a1000fb [file] [log] [blame]
//===- DynamicTypePropagation.cpp ------------------------------*- C++ -*--===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file contains two checkers. One helps the static analyzer core to track
// types, the other does type inference on Obj-C generics and report type
// errors.
//
// Dynamic Type Propagation:
// This checker defines the rules for dynamic type gathering and propagation.
//
// Generics Checker for Objective-C:
// This checker tries to find type errors that the compiler is not able to catch
// due to the implicit conversions that were introduced for backward
// compatibility.
//
//===----------------------------------------------------------------------===//
#include "clang/AST/ParentMap.h"
#include "clang/AST/RecursiveASTVisitor.h"
#include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
using namespace clang;
using namespace ento;
// ProgramState trait - The type inflation is tracked by DynamicTypeMap. This is
// an auxiliary map that tracks more information about generic types, because in
// some cases the most derived type is not the most informative one about the
// type parameters. This types that are stored for each symbol in this map must
// be specialized.
// TODO: In some case the type stored in this map is exactly the same that is
// stored in DynamicTypeMap. We should no store duplicated information in those
// cases.
REGISTER_MAP_WITH_PROGRAMSTATE(MostSpecializedTypeArgsMap, SymbolRef,
const ObjCObjectPointerType *)
namespace {
class DynamicTypePropagation:
public Checker< check::PreCall,
check::PostCall,
check::DeadSymbols,
check::PostStmt<CastExpr>,
check::PostStmt<CXXNewExpr>,
check::PreObjCMessage,
check::PostObjCMessage > {
const ObjCObjectType *getObjectTypeForAllocAndNew(const ObjCMessageExpr *MsgE,
CheckerContext &C) const;
/// Return a better dynamic type if one can be derived from the cast.
const ObjCObjectPointerType *getBetterObjCType(const Expr *CastE,
CheckerContext &C) const;
ExplodedNode *dynamicTypePropagationOnCasts(const CastExpr *CE,
ProgramStateRef &State,
CheckerContext &C) const;
mutable std::unique_ptr<BugType> ObjCGenericsBugType;
void initBugType() const {
if (!ObjCGenericsBugType)
ObjCGenericsBugType.reset(new BugType(
GenericCheckName, "Generics", categories::CoreFoundationObjectiveC));
}
class GenericsBugVisitor : public BugReporterVisitor {
public:
GenericsBugVisitor(SymbolRef S) : Sym(S) {}
void Profile(llvm::FoldingSetNodeID &ID) const override {
static int X = 0;
ID.AddPointer(&X);
ID.AddPointer(Sym);
}
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,
PathSensitiveBugReport &BR) override;
private:
// The tracked symbol.
SymbolRef Sym;
};
void reportGenericsBug(const ObjCObjectPointerType *From,
const ObjCObjectPointerType *To, ExplodedNode *N,
SymbolRef Sym, CheckerContext &C,
const Stmt *ReportedNode = nullptr) const;
public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostStmt(const CastExpr *CastE, CheckerContext &C) const;
void checkPostStmt(const CXXNewExpr *NewE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
/// This value is set to true, when the Generics checker is turned on.
DefaultBool CheckGenerics;
CheckerNameRef GenericCheckName;
};
bool isObjCClassType(QualType Type) {
if (const auto *PointerType = dyn_cast<ObjCObjectPointerType>(Type)) {
return PointerType->getObjectType()->isObjCClass();
}
return false;
}
struct RuntimeType {
const ObjCObjectType *Type = nullptr;
bool Precise = false;
operator bool() const { return Type != nullptr; }
};
RuntimeType inferReceiverType(const ObjCMethodCall &Message,
CheckerContext &C) {
const ObjCMessageExpr *MessageExpr = Message.getOriginExpr();
// Check if we can statically infer the actual type precisely.
//
// 1. Class is written directly in the message:
// \code
// [ActualClass classMethod];
// \endcode
if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
return {MessageExpr->getClassReceiver()->getAs<ObjCObjectType>(),
/*Precise=*/true};
}
// 2. Receiver is 'super' from a class method (a.k.a 'super' is a
// class object).
// \code
// [super classMethod];
// \endcode
if (MessageExpr->getReceiverKind() == ObjCMessageExpr::SuperClass) {
return {MessageExpr->getSuperType()->getAs<ObjCObjectType>(),
/*Precise=*/true};
}
// 3. Receiver is 'super' from an instance method (a.k.a 'super' is an
// instance of a super class).
// \code
// [super instanceMethod];
// \encode
if (MessageExpr->getReceiverKind() == ObjCMessageExpr::SuperInstance) {
if (const auto *ObjTy =
MessageExpr->getSuperType()->getAs<ObjCObjectPointerType>())
return {ObjTy->getObjectType(), /*Precise=*/true};
}
const Expr *RecE = MessageExpr->getInstanceReceiver();
if (!RecE)
return {};
// Otherwise, let's try to get type information from our estimations of
// runtime types.
QualType InferredType;
SVal ReceiverSVal = C.getSVal(RecE);
ProgramStateRef State = C.getState();
if (const MemRegion *ReceiverRegion = ReceiverSVal.getAsRegion()) {
if (DynamicTypeInfo DTI = getDynamicTypeInfo(State, ReceiverRegion)) {
InferredType = DTI.getType().getCanonicalType();
}
}
if (SymbolRef ReceiverSymbol = ReceiverSVal.getAsSymbol()) {
if (InferredType.isNull()) {
InferredType = ReceiverSymbol->getType();
}
// If receiver is a Class object, we want to figure out the type it
// represents.
if (isObjCClassType(InferredType)) {
// We actually might have some info on what type is contained in there.
if (DynamicTypeInfo DTI =
getClassObjectDynamicTypeInfo(State, ReceiverSymbol)) {
// Types in Class objects can be ONLY Objective-C types
return {cast<ObjCObjectType>(DTI.getType()), !DTI.canBeASubClass()};
}
SVal SelfSVal = State->getSelfSVal(C.getLocationContext());
// Another way we can guess what is in Class object, is when it is a
// 'self' variable of the current class method.
if (ReceiverSVal == SelfSVal) {
// In this case, we should return the type of the enclosing class
// declaration.
if (const ObjCMethodDecl *MD =
dyn_cast<ObjCMethodDecl>(C.getStackFrame()->getDecl()))
if (const ObjCObjectType *ObjTy = dyn_cast<ObjCObjectType>(
MD->getClassInterface()->getTypeForDecl()))
return {ObjTy};
}
}
}
// Unfortunately, it seems like we have no idea what that type is.
if (InferredType.isNull()) {
return {};
}
// We can end up here if we got some dynamic type info and the
// receiver is not one of the known Class objects.
if (const auto *ReceiverInferredType =
dyn_cast<ObjCObjectPointerType>(InferredType)) {
return {ReceiverInferredType->getObjectType()};
}
// Any other type (like 'Class') is not really useful at this point.
return {};
}
} // end anonymous namespace
void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const {
ProgramStateRef State = removeDeadTypes(C.getState(), SR);
State = removeDeadClassObjectTypes(State, SR);
MostSpecializedTypeArgsMapTy TyArgMap =
State->get<MostSpecializedTypeArgsMap>();
for (MostSpecializedTypeArgsMapTy::iterator I = TyArgMap.begin(),
E = TyArgMap.end();
I != E; ++I) {
if (SR.isDead(I->first)) {
State = State->remove<MostSpecializedTypeArgsMap>(I->first);
}
}
C.addTransition(State);
}
static void recordFixedType(const MemRegion *Region, const CXXMethodDecl *MD,
CheckerContext &C) {
assert(Region);
assert(MD);
ASTContext &Ctx = C.getASTContext();
QualType Ty = Ctx.getPointerType(Ctx.getRecordType(MD->getParent()));
ProgramStateRef State = C.getState();
State = setDynamicTypeInfo(State, Region, Ty, /*CanBeSubClassed=*/false);
C.addTransition(State);
}
void DynamicTypePropagation::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
// C++11 [class.cdtor]p4: When a virtual function is called directly or
// indirectly from a constructor or from a destructor, including during
// the construction or destruction of the class's non-static data members,
// and the object to which the call applies is the object under
// construction or destruction, the function called is the final overrider
// in the constructor's or destructor's class and not one overriding it in
// a more-derived class.
switch (Ctor->getOriginExpr()->getConstructionKind()) {
case CXXConstructExpr::CK_Complete:
case CXXConstructExpr::CK_Delegating:
// No additional type info necessary.
return;
case CXXConstructExpr::CK_NonVirtualBase:
case CXXConstructExpr::CK_VirtualBase:
if (const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion())
recordFixedType(Target, Ctor->getDecl(), C);
return;
}
return;
}
if (const CXXDestructorCall *Dtor = dyn_cast<CXXDestructorCall>(&Call)) {
// C++11 [class.cdtor]p4 (see above)
if (!Dtor->isBaseDestructor())
return;
const MemRegion *Target = Dtor->getCXXThisVal().getAsRegion();
if (!Target)
return;
const Decl *D = Dtor->getDecl();
if (!D)
return;
recordFixedType(Target, cast<CXXDestructorDecl>(D), C);
return;
}
}
void DynamicTypePropagation::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {
// We can obtain perfect type info for return values from some calls.
if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
// Get the returned value if it's a region.
const MemRegion *RetReg = Call.getReturnValue().getAsRegion();
if (!RetReg)
return;
ProgramStateRef State = C.getState();
const ObjCMethodDecl *D = Msg->getDecl();
if (D && D->hasRelatedResultType()) {
switch (Msg->getMethodFamily()) {
default:
break;
// We assume that the type of the object returned by alloc and new are the
// pointer to the object of the class specified in the receiver of the
// message.
case OMF_alloc:
case OMF_new: {
// Get the type of object that will get created.
RuntimeType ObjTy = inferReceiverType(*Msg, C);
if (!ObjTy)
return;
QualType DynResTy =
C.getASTContext().getObjCObjectPointerType(QualType(ObjTy.Type, 0));
// We used to assume that whatever type we got from inferring the
// type is actually precise (and it is not exactly correct).
// A big portion of the existing behavior depends on that assumption
// (e.g. certain inlining won't take place). For this reason, we don't
// use ObjTy.Precise flag here.
//
// TODO: We should mitigate this problem some time in the future
// and replace hardcoded 'false' with '!ObjTy.Precise'.
C.addTransition(setDynamicTypeInfo(State, RetReg, DynResTy, false));
break;
}
case OMF_init: {
// Assume, the result of the init method has the same dynamic type as
// the receiver and propagate the dynamic type info.
const MemRegion *RecReg = Msg->getReceiverSVal().getAsRegion();
if (!RecReg)
return;
DynamicTypeInfo RecDynType = getDynamicTypeInfo(State, RecReg);
C.addTransition(setDynamicTypeInfo(State, RetReg, RecDynType));
break;
}
}
}
return;
}
if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
// We may need to undo the effects of our pre-call check.
switch (Ctor->getOriginExpr()->getConstructionKind()) {
case CXXConstructExpr::CK_Complete:
case CXXConstructExpr::CK_Delegating:
// No additional work necessary.
// Note: This will leave behind the actual type of the object for
// complete constructors, but arguably that's a good thing, since it
// means the dynamic type info will be correct even for objects
// constructed with operator new.
return;
case CXXConstructExpr::CK_NonVirtualBase:
case CXXConstructExpr::CK_VirtualBase:
if (const MemRegion *Target = Ctor->getCXXThisVal().getAsRegion()) {
// We just finished a base constructor. Now we can use the subclass's
// type when resolving virtual calls.
const LocationContext *LCtx = C.getLocationContext();
// FIXME: In C++17 classes with non-virtual bases may be treated as
// aggregates, and in such case no top-frame constructor will be called.
// Figure out if we need to do anything in this case.
// FIXME: Instead of relying on the ParentMap, we should have the
// trigger-statement (InitListExpr in this case) available in this
// callback, ideally as part of CallEvent.
if (isa_and_nonnull<InitListExpr>(
LCtx->getParentMap().getParent(Ctor->getOriginExpr())))
return;
recordFixedType(Target, cast<CXXConstructorDecl>(LCtx->getDecl()), C);
}
return;
}
}
}
/// TODO: Handle explicit casts.
/// Handle C++ casts.
///
/// Precondition: the cast is between ObjCObjectPointers.
ExplodedNode *DynamicTypePropagation::dynamicTypePropagationOnCasts(
const CastExpr *CE, ProgramStateRef &State, CheckerContext &C) const {
// We only track type info for regions.
const MemRegion *ToR = C.getSVal(CE).getAsRegion();
if (!ToR)
return C.getPredecessor();
if (isa<ExplicitCastExpr>(CE))
return C.getPredecessor();
if (const Type *NewTy = getBetterObjCType(CE, C)) {
State = setDynamicTypeInfo(State, ToR, QualType(NewTy, 0));
return C.addTransition(State);
}
return C.getPredecessor();
}
void DynamicTypePropagation::checkPostStmt(const CXXNewExpr *NewE,
CheckerContext &C) const {
if (NewE->isArray())
return;
// We only track dynamic type info for regions.
const MemRegion *MR = C.getSVal(NewE).getAsRegion();
if (!MR)
return;
C.addTransition(setDynamicTypeInfo(C.getState(), MR, NewE->getType(),
/*CanBeSubClassed=*/false));
}
// Return a better dynamic type if one can be derived from the cast.
// Compare the current dynamic type of the region and the new type to which we
// are casting. If the new type is lower in the inheritance hierarchy, pick it.
const ObjCObjectPointerType *
DynamicTypePropagation::getBetterObjCType(const Expr *CastE,
CheckerContext &C) const {
const MemRegion *ToR = C.getSVal(CastE).getAsRegion();
assert(ToR);
// Get the old and new types.
const ObjCObjectPointerType *NewTy =
CastE->getType()->getAs<ObjCObjectPointerType>();
if (!NewTy)
return nullptr;
QualType OldDTy = getDynamicTypeInfo(C.getState(), ToR).getType();
if (OldDTy.isNull()) {
return NewTy;
}
const ObjCObjectPointerType *OldTy =
OldDTy->getAs<ObjCObjectPointerType>();
if (!OldTy)
return nullptr;
// Id the old type is 'id', the new one is more precise.
if (OldTy->isObjCIdType() && !NewTy->isObjCIdType())
return NewTy;
// Return new if it's a subclass of old.
const ObjCInterfaceDecl *ToI = NewTy->getInterfaceDecl();
const ObjCInterfaceDecl *FromI = OldTy->getInterfaceDecl();
if (ToI && FromI && FromI->isSuperClassOf(ToI))
return NewTy;
return nullptr;
}
static const ObjCObjectPointerType *getMostInformativeDerivedClassImpl(
const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
const ObjCObjectPointerType *MostInformativeCandidate, ASTContext &C) {
// Checking if from and to are the same classes modulo specialization.
if (From->getInterfaceDecl()->getCanonicalDecl() ==
To->getInterfaceDecl()->getCanonicalDecl()) {
if (To->isSpecialized()) {
assert(MostInformativeCandidate->isSpecialized());
return MostInformativeCandidate;
}
return From;
}
if (To->getObjectType()->getSuperClassType().isNull()) {
// If To has no super class and From and To aren't the same then
// To was not actually a descendent of From. In this case the best we can
// do is 'From'.
return From;
}
const auto *SuperOfTo =
To->getObjectType()->getSuperClassType()->castAs<ObjCObjectType>();
assert(SuperOfTo);
QualType SuperPtrOfToQual =
C.getObjCObjectPointerType(QualType(SuperOfTo, 0));
const auto *SuperPtrOfTo = SuperPtrOfToQual->castAs<ObjCObjectPointerType>();
if (To->isUnspecialized())
return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo, SuperPtrOfTo,
C);
else
return getMostInformativeDerivedClassImpl(From, SuperPtrOfTo,
MostInformativeCandidate, C);
}
/// A downcast may loose specialization information. E. g.:
/// MutableMap<T, U> : Map
/// The downcast to MutableMap looses the information about the types of the
/// Map (due to the type parameters are not being forwarded to Map), and in
/// general there is no way to recover that information from the
/// declaration. In order to have to most information, lets find the most
/// derived type that has all the type parameters forwarded.
///
/// Get the a subclass of \p From (which has a lower bound \p To) that do not
/// loose information about type parameters. \p To has to be a subclass of
/// \p From. From has to be specialized.
static const ObjCObjectPointerType *
getMostInformativeDerivedClass(const ObjCObjectPointerType *From,
const ObjCObjectPointerType *To, ASTContext &C) {
return getMostInformativeDerivedClassImpl(From, To, To, C);
}
/// Inputs:
/// \param StaticLowerBound Static lower bound for a symbol. The dynamic lower
/// bound might be the subclass of this type.
/// \param StaticUpperBound A static upper bound for a symbol.
/// \p StaticLowerBound expected to be the subclass of \p StaticUpperBound.
/// \param Current The type that was inferred for a symbol in a previous
/// context. Might be null when this is the first time that inference happens.
/// Precondition:
/// \p StaticLowerBound or \p StaticUpperBound is specialized. If \p Current
/// is not null, it is specialized.
/// Possible cases:
/// (1) The \p Current is null and \p StaticLowerBound <: \p StaticUpperBound
/// (2) \p StaticLowerBound <: \p Current <: \p StaticUpperBound
/// (3) \p Current <: \p StaticLowerBound <: \p StaticUpperBound
/// (4) \p StaticLowerBound <: \p StaticUpperBound <: \p Current
/// Effect:
/// Use getMostInformativeDerivedClass with the upper and lower bound of the
/// set {\p StaticLowerBound, \p Current, \p StaticUpperBound}. The computed
/// lower bound must be specialized. If the result differs from \p Current or
/// \p Current is null, store the result.
static bool
storeWhenMoreInformative(ProgramStateRef &State, SymbolRef Sym,
const ObjCObjectPointerType *const *Current,
const ObjCObjectPointerType *StaticLowerBound,
const ObjCObjectPointerType *StaticUpperBound,
ASTContext &C) {
// TODO: The above 4 cases are not exhaustive. In particular, it is possible
// for Current to be incomparable with StaticLowerBound, StaticUpperBound,
// or both.
//
// For example, suppose Foo<T> and Bar<T> are unrelated types.
//
// Foo<T> *f = ...
// Bar<T> *b = ...
//
// id t1 = b;
// f = t1;
// id t2 = f; // StaticLowerBound is Foo<T>, Current is Bar<T>
//
// We should either constrain the callers of this function so that the stated
// preconditions hold (and assert it) or rewrite the function to expicitly
// handle the additional cases.
// Precondition
assert(StaticUpperBound->isSpecialized() ||
StaticLowerBound->isSpecialized());
assert(!Current || (*Current)->isSpecialized());
// Case (1)
if (!Current) {
if (StaticUpperBound->isUnspecialized()) {
State = State->set<MostSpecializedTypeArgsMap>(Sym, StaticLowerBound);
return true;
}
// Upper bound is specialized.
const ObjCObjectPointerType *WithMostInfo =
getMostInformativeDerivedClass(StaticUpperBound, StaticLowerBound, C);
State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
return true;
}
// Case (3)
if (C.canAssignObjCInterfaces(StaticLowerBound, *Current)) {
return false;
}
// Case (4)
if (C.canAssignObjCInterfaces(*Current, StaticUpperBound)) {
// The type arguments might not be forwarded at any point of inheritance.
const ObjCObjectPointerType *WithMostInfo =
getMostInformativeDerivedClass(*Current, StaticUpperBound, C);
WithMostInfo =
getMostInformativeDerivedClass(WithMostInfo, StaticLowerBound, C);
if (WithMostInfo == *Current)
return false;
State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
return true;
}
// Case (2)
const ObjCObjectPointerType *WithMostInfo =
getMostInformativeDerivedClass(*Current, StaticLowerBound, C);
if (WithMostInfo != *Current) {
State = State->set<MostSpecializedTypeArgsMap>(Sym, WithMostInfo);
return true;
}
return false;
}
/// Type inference based on static type information that is available for the
/// cast and the tracked type information for the given symbol. When the tracked
/// symbol and the destination type of the cast are unrelated, report an error.
void DynamicTypePropagation::checkPostStmt(const CastExpr *CE,
CheckerContext &C) const {
if (CE->getCastKind() != CK_BitCast)
return;
QualType OriginType = CE->getSubExpr()->getType();
QualType DestType = CE->getType();
const auto *OrigObjectPtrType = OriginType->getAs<ObjCObjectPointerType>();
const auto *DestObjectPtrType = DestType->getAs<ObjCObjectPointerType>();
if (!OrigObjectPtrType || !DestObjectPtrType)
return;
ProgramStateRef State = C.getState();
ExplodedNode *AfterTypeProp = dynamicTypePropagationOnCasts(CE, State, C);
ASTContext &ASTCtxt = C.getASTContext();
// This checker detects the subtyping relationships using the assignment
// rules. In order to be able to do this the kindofness must be stripped
// first. The checker treats every type as kindof type anyways: when the
// tracked type is the subtype of the static type it tries to look up the
// methods in the tracked type first.
OrigObjectPtrType = OrigObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);
DestObjectPtrType = DestObjectPtrType->stripObjCKindOfTypeAndQuals(ASTCtxt);
if (OrigObjectPtrType->isUnspecialized() &&
DestObjectPtrType->isUnspecialized())
return;
SymbolRef Sym = C.getSVal(CE).getAsSymbol();
if (!Sym)
return;
const ObjCObjectPointerType *const *TrackedType =
State->get<MostSpecializedTypeArgsMap>(Sym);
if (isa<ExplicitCastExpr>(CE)) {
// Treat explicit casts as an indication from the programmer that the
// Objective-C type system is not rich enough to express the needed
// invariant. In such cases, forget any existing information inferred
// about the type arguments. We don't assume the casted-to specialized
// type here because the invariant the programmer specifies in the cast
// may only hold at this particular program point and not later ones.
// We don't want a suppressing cast to require a cascade of casts down the
// line.
if (TrackedType) {
State = State->remove<MostSpecializedTypeArgsMap>(Sym);
C.addTransition(State, AfterTypeProp);
}
return;
}
// Check which assignments are legal.
bool OrigToDest =
ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, OrigObjectPtrType);
bool DestToOrig =
ASTCtxt.canAssignObjCInterfaces(OrigObjectPtrType, DestObjectPtrType);
// The tracked type should be the sub or super class of the static destination
// type. When an (implicit) upcast or a downcast happens according to static
// types, and there is no subtyping relationship between the tracked and the
// static destination types, it indicates an error.
if (TrackedType &&
!ASTCtxt.canAssignObjCInterfaces(DestObjectPtrType, *TrackedType) &&
!ASTCtxt.canAssignObjCInterfaces(*TrackedType, DestObjectPtrType)) {
static CheckerProgramPointTag IllegalConv(this, "IllegalConversion");
ExplodedNode *N = C.addTransition(State, AfterTypeProp, &IllegalConv);
reportGenericsBug(*TrackedType, DestObjectPtrType, N, Sym, C);
return;
}
// Handle downcasts and upcasts.
const ObjCObjectPointerType *LowerBound = DestObjectPtrType;
const ObjCObjectPointerType *UpperBound = OrigObjectPtrType;
if (OrigToDest && !DestToOrig)
std::swap(LowerBound, UpperBound);
// The id type is not a real bound. Eliminate it.
LowerBound = LowerBound->isObjCIdType() ? UpperBound : LowerBound;
UpperBound = UpperBound->isObjCIdType() ? LowerBound : UpperBound;
if (storeWhenMoreInformative(State, Sym, TrackedType, LowerBound, UpperBound,
ASTCtxt)) {
C.addTransition(State, AfterTypeProp);
}
}
static const Expr *stripCastsAndSugar(const Expr *E) {
E = E->IgnoreParenImpCasts();
if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E))
E = POE->getSyntacticForm()->IgnoreParenImpCasts();
if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E))
E = OVE->getSourceExpr()->IgnoreParenImpCasts();
return E;
}
static bool isObjCTypeParamDependent(QualType Type) {
// It is illegal to typedef parameterized types inside an interface. Therefore
// an Objective-C type can only be dependent on a type parameter when the type
// parameter structurally present in the type itself.
class IsObjCTypeParamDependentTypeVisitor
: public RecursiveASTVisitor<IsObjCTypeParamDependentTypeVisitor> {
public:
IsObjCTypeParamDependentTypeVisitor() : Result(false) {}
bool VisitObjCTypeParamType(const ObjCTypeParamType *Type) {
if (isa<ObjCTypeParamDecl>(Type->getDecl())) {
Result = true;
return false;
}
return true;
}
bool Result;
};
IsObjCTypeParamDependentTypeVisitor Visitor;
Visitor.TraverseType(Type);
return Visitor.Result;
}
/// A method might not be available in the interface indicated by the static
/// type. However it might be available in the tracked type. In order to
/// properly substitute the type parameters we need the declaration context of
/// the method. The more specialized the enclosing class of the method is, the
/// more likely that the parameter substitution will be successful.
static const ObjCMethodDecl *
findMethodDecl(const ObjCMessageExpr *MessageExpr,
const ObjCObjectPointerType *TrackedType, ASTContext &ASTCtxt) {
const ObjCMethodDecl *Method = nullptr;
QualType ReceiverType = MessageExpr->getReceiverType();
const auto *ReceiverObjectPtrType =
ReceiverType->getAs<ObjCObjectPointerType>();
// Do this "devirtualization" on instance and class methods only. Trust the
// static type on super and super class calls.
if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Instance ||
MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
// When the receiver type is id, Class, or some super class of the tracked
// type, look up the method in the tracked type, not in the receiver type.
// This way we preserve more information.
if (ReceiverType->isObjCIdType() || ReceiverType->isObjCClassType() ||
ASTCtxt.canAssignObjCInterfaces(ReceiverObjectPtrType, TrackedType)) {
const ObjCInterfaceDecl *InterfaceDecl = TrackedType->getInterfaceDecl();
// The method might not be found.
Selector Sel = MessageExpr->getSelector();
Method = InterfaceDecl->lookupInstanceMethod(Sel);
if (!Method)
Method = InterfaceDecl->lookupClassMethod(Sel);
}
}
// Fallback to statick method lookup when the one based on the tracked type
// failed.
return Method ? Method : MessageExpr->getMethodDecl();
}
/// Get the returned ObjCObjectPointerType by a method based on the tracked type
/// information, or null pointer when the returned type is not an
/// ObjCObjectPointerType.
static QualType getReturnTypeForMethod(
const ObjCMethodDecl *Method, ArrayRef<QualType> TypeArgs,
const ObjCObjectPointerType *SelfType, ASTContext &C) {
QualType StaticResultType = Method->getReturnType();
// Is the return type declared as instance type?
if (StaticResultType == C.getObjCInstanceType())
return QualType(SelfType, 0);
// Check whether the result type depends on a type parameter.
if (!isObjCTypeParamDependent(StaticResultType))
return QualType();
QualType ResultType = StaticResultType.substObjCTypeArgs(
C, TypeArgs, ObjCSubstitutionContext::Result);
return ResultType;
}
/// When the receiver has a tracked type, use that type to validate the
/// argumments of the message expression and the return value.
void DynamicTypePropagation::checkPreObjCMessage(const ObjCMethodCall &M,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SymbolRef Sym = M.getReceiverSVal().getAsSymbol();
if (!Sym)
return;
const ObjCObjectPointerType *const *TrackedType =
State->get<MostSpecializedTypeArgsMap>(Sym);
if (!TrackedType)
return;
// Get the type arguments from tracked type and substitute type arguments
// before do the semantic check.
ASTContext &ASTCtxt = C.getASTContext();
const ObjCMessageExpr *MessageExpr = M.getOriginExpr();
const ObjCMethodDecl *Method =
findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);
// It is possible to call non-existent methods in Obj-C.
if (!Method)
return;
// If the method is declared on a class that has a non-invariant
// type parameter, don't warn about parameter mismatches after performing
// substitution. This prevents warning when the programmer has purposely
// casted the receiver to a super type or unspecialized type but the analyzer
// has a more precise tracked type than the programmer intends at the call
// site.
//
// For example, consider NSArray (which has a covariant type parameter)
// and NSMutableArray (a subclass of NSArray where the type parameter is
// invariant):
// NSMutableArray *a = [[NSMutableArray<NSString *> alloc] init;
//
// [a containsObject:number]; // Safe: -containsObject is defined on NSArray.
// NSArray<NSObject *> *other = [a arrayByAddingObject:number] // Safe
//
// [a addObject:number] // Unsafe: -addObject: is defined on NSMutableArray
//
const ObjCInterfaceDecl *Interface = Method->getClassInterface();
if (!Interface)
return;
ObjCTypeParamList *TypeParams = Interface->getTypeParamList();
if (!TypeParams)
return;
for (ObjCTypeParamDecl *TypeParam : *TypeParams) {
if (TypeParam->getVariance() != ObjCTypeParamVariance::Invariant)
return;
}
Optional<ArrayRef<QualType>> TypeArgs =
(*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
// This case might happen when there is an unspecialized override of a
// specialized method.
if (!TypeArgs)
return;
for (unsigned i = 0; i < Method->param_size(); i++) {
const Expr *Arg = MessageExpr->getArg(i);
const ParmVarDecl *Param = Method->parameters()[i];
QualType OrigParamType = Param->getType();
if (!isObjCTypeParamDependent(OrigParamType))
continue;
QualType ParamType = OrigParamType.substObjCTypeArgs(
ASTCtxt, *TypeArgs, ObjCSubstitutionContext::Parameter);
// Check if it can be assigned
const auto *ParamObjectPtrType = ParamType->getAs<ObjCObjectPointerType>();
const auto *ArgObjectPtrType =
stripCastsAndSugar(Arg)->getType()->getAs<ObjCObjectPointerType>();
if (!ParamObjectPtrType || !ArgObjectPtrType)
continue;
// Check if we have more concrete tracked type that is not a super type of
// the static argument type.
SVal ArgSVal = M.getArgSVal(i);
SymbolRef ArgSym = ArgSVal.getAsSymbol();
if (ArgSym) {
const ObjCObjectPointerType *const *TrackedArgType =
State->get<MostSpecializedTypeArgsMap>(ArgSym);
if (TrackedArgType &&
ASTCtxt.canAssignObjCInterfaces(ArgObjectPtrType, *TrackedArgType)) {
ArgObjectPtrType = *TrackedArgType;
}
}
// Warn when argument is incompatible with the parameter.
if (!ASTCtxt.canAssignObjCInterfaces(ParamObjectPtrType,
ArgObjectPtrType)) {
static CheckerProgramPointTag Tag(this, "ArgTypeMismatch");
ExplodedNode *N = C.addTransition(State, &Tag);
reportGenericsBug(ArgObjectPtrType, ParamObjectPtrType, N, Sym, C, Arg);
return;
}
}
}
/// This callback is used to infer the types for Class variables. This info is
/// used later to validate messages that sent to classes. Class variables are
/// initialized with by invoking the 'class' method on a class.
/// This method is also used to infer the type information for the return
/// types.
// TODO: right now it only tracks generic types. Extend this to track every
// type in the DynamicTypeMap and diagnose type errors!
void DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
CheckerContext &C) const {
const ObjCMessageExpr *MessageExpr = M.getOriginExpr();
SymbolRef RetSym = M.getReturnValue().getAsSymbol();
if (!RetSym)
return;
Selector Sel = MessageExpr->getSelector();
ProgramStateRef State = C.getState();
// Here we try to propagate information on Class objects.
if (Sel.getAsString() == "class") {
// We try to figure out the type from the receiver of the 'class' message.
if (RuntimeType ReceiverRuntimeType = inferReceiverType(M, C)) {
ReceiverRuntimeType.Type->getSuperClassType();
QualType ReceiverClassType(ReceiverRuntimeType.Type, 0);
// We want to consider only precise information on generics.
if (ReceiverRuntimeType.Type->isSpecialized() &&
ReceiverRuntimeType.Precise) {
QualType ReceiverClassPointerType =
C.getASTContext().getObjCObjectPointerType(ReceiverClassType);
const auto *InferredType =
ReceiverClassPointerType->castAs<ObjCObjectPointerType>();
State = State->set<MostSpecializedTypeArgsMap>(RetSym, InferredType);
}
// Constrain the resulting class object to the inferred type.
State = setClassObjectDynamicTypeInfo(State, RetSym, ReceiverClassType,
!ReceiverRuntimeType.Precise);
C.addTransition(State);
return;
}
}
if (Sel.getAsString() == "superclass") {
// We try to figure out the type from the receiver of the 'superclass'
// message.
if (RuntimeType ReceiverRuntimeType = inferReceiverType(M, C)) {
// Result type would be a super class of the receiver's type.
QualType ReceiversSuperClass =
ReceiverRuntimeType.Type->getSuperClassType();
// Check if it really had super class.
//
// TODO: we can probably pay closer attention to cases when the class
// object can be 'nil' as the result of such message.
if (!ReceiversSuperClass.isNull()) {
// Constrain the resulting class object to the inferred type.
State = setClassObjectDynamicTypeInfo(
State, RetSym, ReceiversSuperClass, !ReceiverRuntimeType.Precise);
C.addTransition(State);
}
return;
}
}
// Tracking for return types.
SymbolRef RecSym = M.getReceiverSVal().getAsSymbol();
if (!RecSym)
return;
const ObjCObjectPointerType *const *TrackedType =
State->get<MostSpecializedTypeArgsMap>(RecSym);
if (!TrackedType)
return;
ASTContext &ASTCtxt = C.getASTContext();
const ObjCMethodDecl *Method =
findMethodDecl(MessageExpr, *TrackedType, ASTCtxt);
if (!Method)
return;
Optional<ArrayRef<QualType>> TypeArgs =
(*TrackedType)->getObjCSubstitutions(Method->getDeclContext());
if (!TypeArgs)
return;
QualType ResultType =
getReturnTypeForMethod(Method, *TypeArgs, *TrackedType, ASTCtxt);
// The static type is the same as the deduced type.
if (ResultType.isNull())
return;
const MemRegion *RetRegion = M.getReturnValue().getAsRegion();
ExplodedNode *Pred = C.getPredecessor();
// When there is an entry available for the return symbol in DynamicTypeMap,
// the call was inlined, and the information in the DynamicTypeMap is should
// be precise.
if (RetRegion && !getRawDynamicTypeInfo(State, RetRegion)) {
// TODO: we have duplicated information in DynamicTypeMap and
// MostSpecializedTypeArgsMap. We should only store anything in the later if
// the stored data differs from the one stored in the former.
State = setDynamicTypeInfo(State, RetRegion, ResultType,
/*CanBeSubClassed=*/true);
Pred = C.addTransition(State);
}
const auto *ResultPtrType = ResultType->getAs<ObjCObjectPointerType>();
if (!ResultPtrType || ResultPtrType->isUnspecialized())
return;
// When the result is a specialized type and it is not tracked yet, track it
// for the result symbol.
if (!State->get<MostSpecializedTypeArgsMap>(RetSym)) {
State = State->set<MostSpecializedTypeArgsMap>(RetSym, ResultPtrType);
C.addTransition(State, Pred);
}
}
void DynamicTypePropagation::reportGenericsBug(
const ObjCObjectPointerType *From, const ObjCObjectPointerType *To,
ExplodedNode *N, SymbolRef Sym, CheckerContext &C,
const Stmt *ReportedNode) const {
if (!CheckGenerics)
return;
initBugType();
SmallString<192> Buf;
llvm::raw_svector_ostream OS(Buf);
OS << "Conversion from value of type '";
QualType::print(From, Qualifiers(), OS, C.getLangOpts(), llvm::Twine());
OS << "' to incompatible type '";
QualType::print(To, Qualifiers(), OS, C.getLangOpts(), llvm::Twine());
OS << "'";
auto R = std::make_unique<PathSensitiveBugReport>(*ObjCGenericsBugType,
OS.str(), N);
R->markInteresting(Sym);
R->addVisitor(std::make_unique<GenericsBugVisitor>(Sym));
if (ReportedNode)
R->addRange(ReportedNode->getSourceRange());
C.emitReport(std::move(R));
}
PathDiagnosticPieceRef DynamicTypePropagation::GenericsBugVisitor::VisitNode(
const ExplodedNode *N, BugReporterContext &BRC,
PathSensitiveBugReport &BR) {
ProgramStateRef state = N->getState();
ProgramStateRef statePrev = N->getFirstPred()->getState();
const ObjCObjectPointerType *const *TrackedType =
state->get<MostSpecializedTypeArgsMap>(Sym);
const ObjCObjectPointerType *const *TrackedTypePrev =
statePrev->get<MostSpecializedTypeArgsMap>(Sym);
if (!TrackedType)
return nullptr;
if (TrackedTypePrev && *TrackedTypePrev == *TrackedType)
return nullptr;
// Retrieve the associated statement.
const Stmt *S = N->getStmtForDiagnostics();
if (!S)
return nullptr;
const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();
SmallString<256> Buf;
llvm::raw_svector_ostream OS(Buf);
OS << "Type '";
QualType::print(*TrackedType, Qualifiers(), OS, LangOpts, llvm::Twine());
OS << "' is inferred from ";
if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(S)) {
OS << "explicit cast (from '";
QualType::print(ExplicitCast->getSubExpr()->getType().getTypePtr(),
Qualifiers(), OS, LangOpts, llvm::Twine());
OS << "' to '";
QualType::print(ExplicitCast->getType().getTypePtr(), Qualifiers(), OS,
LangOpts, llvm::Twine());
OS << "')";
} else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(S)) {
OS << "implicit cast (from '";
QualType::print(ImplicitCast->getSubExpr()->getType().getTypePtr(),
Qualifiers(), OS, LangOpts, llvm::Twine());
OS << "' to '";
QualType::print(ImplicitCast->getType().getTypePtr(), Qualifiers(), OS,
LangOpts, llvm::Twine());
OS << "')";
} else {
OS << "this context";
}
// Generate the extra diagnostic.
PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
N->getLocationContext());
return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
}
/// Register checkers.
void ento::registerObjCGenericsChecker(CheckerManager &mgr) {
DynamicTypePropagation *checker = mgr.getChecker<DynamicTypePropagation>();
checker->CheckGenerics = true;
checker->GenericCheckName = mgr.getCurrentCheckerName();
}
bool ento::shouldRegisterObjCGenericsChecker(const CheckerManager &mgr) {
return true;
}
void ento::registerDynamicTypePropagation(CheckerManager &mgr) {
mgr.registerChecker<DynamicTypePropagation>();
}
bool ento::shouldRegisterDynamicTypePropagation(const CheckerManager &mgr) {
return true;
}