1//== DynamicTypeChecker.cpp ------------------------------------ -*- C++ -*--=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker looks for cases where the dynamic type of an object is unrelated
10// to its static type. The type information utilized by this check is collected
11// by the DynamicTypePropagation checker. This check does not report any type
12// error for ObjC Generic types, in order to avoid duplicate erros from the
13// ObjC Generics checker. This checker is not supposed to modify the program
14// state, it is just the observer of the type information provided by other
15// checkers.
16//
17//===----------------------------------------------------------------------===//
18
19#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21#include "clang/StaticAnalyzer/Core/Checker.h"
22#include "clang/StaticAnalyzer/Core/CheckerManager.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
25
26using namespace clang;
27using namespace ento;
28
29namespace {
30class DynamicTypeChecker : public Checker<check::PostStmt<ImplicitCastExpr>> {
31 const BugType BT{this, "Dynamic and static type mismatch", "Type Error"};
32
33 class DynamicTypeBugVisitor : public BugReporterVisitor {
34 public:
35 DynamicTypeBugVisitor(const MemRegion *Reg) : Reg(Reg) {}
36
37 void Profile(llvm::FoldingSetNodeID &ID) const override {
38 static int X = 0;
39 ID.AddPointer(Ptr: &X);
40 ID.AddPointer(Ptr: Reg);
41 }
42
43 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
44 BugReporterContext &BRC,
45 PathSensitiveBugReport &BR) override;
46
47 private:
48 // The tracked region.
49 const MemRegion *Reg;
50 };
51
52 void reportTypeError(QualType DynamicType, QualType StaticType,
53 const MemRegion *Reg, const Stmt *ReportedNode,
54 CheckerContext &C) const;
55
56public:
57 void checkPostStmt(const ImplicitCastExpr *CE, CheckerContext &C) const;
58};
59}
60
61void DynamicTypeChecker::reportTypeError(QualType DynamicType,
62 QualType StaticType,
63 const MemRegion *Reg,
64 const Stmt *ReportedNode,
65 CheckerContext &C) const {
66 SmallString<192> Buf;
67 llvm::raw_svector_ostream OS(Buf);
68 OS << "Object has a dynamic type '";
69 QualType::print(ty: DynamicType.getTypePtr(), qs: Qualifiers(), OS, policy: C.getLangOpts(),
70 PlaceHolder: llvm::Twine());
71 OS << "' which is incompatible with static type '";
72 QualType::print(ty: StaticType.getTypePtr(), qs: Qualifiers(), OS, policy: C.getLangOpts(),
73 PlaceHolder: llvm::Twine());
74 OS << "'";
75 auto R = std::make_unique<PathSensitiveBugReport>(
76 args: BT, args: OS.str(), args: C.generateNonFatalErrorNode());
77 R->markInteresting(R: Reg);
78 R->addVisitor(visitor: std::make_unique<DynamicTypeBugVisitor>(args&: Reg));
79 R->addRange(R: ReportedNode->getSourceRange());
80 C.emitReport(R: std::move(R));
81}
82
83PathDiagnosticPieceRef DynamicTypeChecker::DynamicTypeBugVisitor::VisitNode(
84 const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
85 ProgramStateRef State = N->getState();
86 ProgramStateRef StatePrev = N->getFirstPred()->getState();
87
88 DynamicTypeInfo TrackedType = getDynamicTypeInfo(State, MR: Reg);
89 DynamicTypeInfo TrackedTypePrev = getDynamicTypeInfo(State: StatePrev, MR: Reg);
90 if (!TrackedType.isValid())
91 return nullptr;
92
93 if (TrackedTypePrev.isValid() &&
94 TrackedTypePrev.getType() == TrackedType.getType())
95 return nullptr;
96
97 // Retrieve the associated statement.
98 const Stmt *S = N->getStmtForDiagnostics();
99 if (!S)
100 return nullptr;
101
102 const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();
103
104 SmallString<256> Buf;
105 llvm::raw_svector_ostream OS(Buf);
106 OS << "Type '";
107 QualType::print(ty: TrackedType.getType().getTypePtr(), qs: Qualifiers(), OS,
108 policy: LangOpts, PlaceHolder: llvm::Twine());
109 OS << "' is inferred from ";
110
111 if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(Val: S)) {
112 OS << "explicit cast (from '";
113 QualType::print(ty: ExplicitCast->getSubExpr()->getType().getTypePtr(),
114 qs: Qualifiers(), OS, policy: LangOpts, PlaceHolder: llvm::Twine());
115 OS << "' to '";
116 QualType::print(ty: ExplicitCast->getType().getTypePtr(), qs: Qualifiers(), OS,
117 policy: LangOpts, PlaceHolder: llvm::Twine());
118 OS << "')";
119 } else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(Val: S)) {
120 OS << "implicit cast (from '";
121 QualType::print(ty: ImplicitCast->getSubExpr()->getType().getTypePtr(),
122 qs: Qualifiers(), OS, policy: LangOpts, PlaceHolder: llvm::Twine());
123 OS << "' to '";
124 QualType::print(ty: ImplicitCast->getType().getTypePtr(), qs: Qualifiers(), OS,
125 policy: LangOpts, PlaceHolder: llvm::Twine());
126 OS << "')";
127 } else {
128 OS << "this context";
129 }
130
131 // Generate the extra diagnostic.
132 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
133 N->getLocationContext());
134 return std::make_shared<PathDiagnosticEventPiece>(args&: Pos, args: OS.str(), args: true);
135}
136
137static bool hasDefinition(const ObjCObjectPointerType *ObjPtr) {
138 const ObjCInterfaceDecl *Decl = ObjPtr->getInterfaceDecl();
139 if (!Decl)
140 return false;
141
142 return Decl->getDefinition();
143}
144
145// TODO: consider checking explicit casts?
146void DynamicTypeChecker::checkPostStmt(const ImplicitCastExpr *CE,
147 CheckerContext &C) const {
148 // TODO: C++ support.
149 if (CE->getCastKind() != CK_BitCast)
150 return;
151
152 const MemRegion *Region = C.getSVal(S: CE).getAsRegion();
153 if (!Region)
154 return;
155
156 ProgramStateRef State = C.getState();
157 DynamicTypeInfo DynTypeInfo = getDynamicTypeInfo(State, MR: Region);
158
159 if (!DynTypeInfo.isValid())
160 return;
161
162 QualType DynType = DynTypeInfo.getType();
163 QualType StaticType = CE->getType();
164
165 const auto *DynObjCType = DynType->getAs<ObjCObjectPointerType>();
166 const auto *StaticObjCType = StaticType->getAs<ObjCObjectPointerType>();
167
168 if (!DynObjCType || !StaticObjCType)
169 return;
170
171 if (!hasDefinition(ObjPtr: DynObjCType) || !hasDefinition(ObjPtr: StaticObjCType))
172 return;
173
174 ASTContext &ASTCtxt = C.getASTContext();
175
176 // Strip kindeofness to correctly detect subtyping relationships.
177 DynObjCType = DynObjCType->stripObjCKindOfTypeAndQuals(ctx: ASTCtxt);
178 StaticObjCType = StaticObjCType->stripObjCKindOfTypeAndQuals(ctx: ASTCtxt);
179
180 // Specialized objects are handled by the generics checker.
181 if (StaticObjCType->isSpecialized())
182 return;
183
184 if (ASTCtxt.canAssignObjCInterfaces(LHSOPT: StaticObjCType, RHSOPT: DynObjCType))
185 return;
186
187 if (DynTypeInfo.canBeASubClass() &&
188 ASTCtxt.canAssignObjCInterfaces(LHSOPT: DynObjCType, RHSOPT: StaticObjCType))
189 return;
190
191 reportTypeError(DynamicType: DynType, StaticType, Reg: Region, ReportedNode: CE, C);
192}
193
194void ento::registerDynamicTypeChecker(CheckerManager &mgr) {
195 mgr.registerChecker<DynamicTypeChecker>();
196}
197
198bool ento::shouldRegisterDynamicTypeChecker(const CheckerManager &mgr) {
199 return true;
200}
201