1//== DynamicTypeChecker.cpp ------------------------------------ -*- C++ -*--=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker looks for cases where the dynamic type of an object is unrelated
10// to its static type. The type information utilized by this check is collected
11// by the DynamicTypePropagation checker. This check does not report any type
12// error for ObjC Generic types, in order to avoid duplicate erros from the
13// ObjC Generics checker. This checker is not supposed to modify the program
14// state, it is just the observer of the type information provided by other
15// checkers.
16//
17//===----------------------------------------------------------------------===//
18
19#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21#include "clang/StaticAnalyzer/Core/Checker.h"
22#include "clang/StaticAnalyzer/Core/CheckerManager.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
25
26using namespace clang;
27using namespace ento;
28
29namespace {
30class DynamicTypeChecker : public Checker<check::PostStmt<ImplicitCastExpr>> {
31 const BugType BT{this, "Dynamic and static type mismatch", "Type Error"};
32
33 class DynamicTypeBugVisitor : public BugReporterVisitor {
34 public:
35 DynamicTypeBugVisitor(const MemRegion *Reg) : Reg(Reg) {}
36
37 void Profile(llvm::FoldingSetNodeID &ID) const override {
38 static int X = 0;
39 ID.AddPointer(Ptr: &X);
40 ID.AddPointer(Ptr: Reg);
41 }
42
43 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
44 BugReporterContext &BRC,
45 PathSensitiveBugReport &BR) override;
46
47 private:
48 // The tracked region.
49 const MemRegion *Reg;
50 };
51
52 void reportTypeError(QualType DynamicType, QualType StaticType,
53 const MemRegion *Reg, const Stmt *ReportedNode,
54 CheckerContext &C) const;
55
56public:
57 void checkPostStmt(const ImplicitCastExpr *CE, CheckerContext &C) const;
58};
59}
60
61void DynamicTypeChecker::reportTypeError(QualType DynamicType,
62 QualType StaticType,
63 const MemRegion *Reg,
64 const Stmt *ReportedNode,
65 CheckerContext &C) const {
66 SmallString<192> Buf;
67 llvm::raw_svector_ostream OS(Buf);
68 OS << "Object has a dynamic type '";
69 QualType::print(ty: DynamicType.getTypePtr(), qs: Qualifiers(), OS, policy: C.getLangOpts(),
70 PlaceHolder: llvm::Twine());
71 OS << "' which is incompatible with static type '";
72 QualType::print(ty: StaticType.getTypePtr(), qs: Qualifiers(), OS, policy: C.getLangOpts(),
73 PlaceHolder: llvm::Twine());
74 OS << "'";
75 auto R = std::make_unique<PathSensitiveBugReport>(
76 args: BT, args: OS.str(), args: C.generateNonFatalErrorNode());
77 R->markInteresting(R: Reg);
78 R->addVisitor(visitor: std::make_unique<DynamicTypeBugVisitor>(args&: Reg));
79 R->addRange(R: ReportedNode->getSourceRange());
80 C.emitReport(R: std::move(R));
81}
82
83PathDiagnosticPieceRef DynamicTypeChecker::DynamicTypeBugVisitor::VisitNode(
84 const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
85 ProgramStateRef State = N->getState();
86 ProgramStateRef StatePrev = N->getFirstPred()->getState();
87
88 DynamicTypeInfo TrackedType = getDynamicTypeInfo(State, MR: Reg);
89 DynamicTypeInfo TrackedTypePrev = getDynamicTypeInfo(State: StatePrev, MR: Reg);
90 if (!TrackedType.isValid())
91 return nullptr;
92
93 if (TrackedTypePrev.isValid() &&
94 TrackedTypePrev.getType() == TrackedType.getType())
95 return nullptr;
96
97 // Retrieve the associated statement.
98 const Stmt *S = N->getStmtForDiagnostics();
99 if (!S)
100 return nullptr;
101
102 const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();
103
104 SmallString<256> Buf;
105 llvm::raw_svector_ostream OS(Buf);
106 OS << "Type '";
107 QualType::print(ty: TrackedType.getType().getTypePtr(), qs: Qualifiers(), OS,
108 policy: LangOpts, PlaceHolder: llvm::Twine());
109 OS << "' is inferred from ";
110
111 if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(Val: S)) {
112 OS << "explicit cast (from '";
113 QualType::print(ty: ExplicitCast->getSubExpr()->getType().getTypePtr(),
114 qs: Qualifiers(), OS, policy: LangOpts, PlaceHolder: llvm::Twine());
115 OS << "' to '";
116 QualType::print(ty: ExplicitCast->getType().getTypePtr(), qs: Qualifiers(), OS,
117 policy: LangOpts, PlaceHolder: llvm::Twine());
118 OS << "')";
119 } else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(Val: S)) {
120 OS << "implicit cast (from '";
121 QualType::print(ty: ImplicitCast->getSubExpr()->getType().getTypePtr(),
122 qs: Qualifiers(), OS, policy: LangOpts, PlaceHolder: llvm::Twine());
123 OS << "' to '";
124 QualType::print(ty: ImplicitCast->getType().getTypePtr(), qs: Qualifiers(), OS,
125 policy: LangOpts, PlaceHolder: llvm::Twine());
126 OS << "')";
127 } else {
128 OS << "this context";
129 }
130
131 // Generate the extra diagnostic.
132 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), N->getStackFrame());
133 return std::make_shared<PathDiagnosticEventPiece>(args&: Pos, args: OS.str(), args: true);
134}
135
136static bool hasDefinition(const ObjCObjectPointerType *ObjPtr) {
137 const ObjCInterfaceDecl *Decl = ObjPtr->getInterfaceDecl();
138 if (!Decl)
139 return false;
140
141 return Decl->getDefinition();
142}
143
144// TODO: consider checking explicit casts?
145void DynamicTypeChecker::checkPostStmt(const ImplicitCastExpr *CE,
146 CheckerContext &C) const {
147 // TODO: C++ support.
148 if (CE->getCastKind() != CK_BitCast)
149 return;
150
151 const MemRegion *Region = C.getSVal(E: CE).getAsRegion();
152 if (!Region)
153 return;
154
155 ProgramStateRef State = C.getState();
156 DynamicTypeInfo DynTypeInfo = getDynamicTypeInfo(State, MR: Region);
157
158 if (!DynTypeInfo.isValid())
159 return;
160
161 QualType DynType = DynTypeInfo.getType();
162 QualType StaticType = CE->getType();
163
164 const auto *DynObjCType = DynType->getAs<ObjCObjectPointerType>();
165 const auto *StaticObjCType = StaticType->getAs<ObjCObjectPointerType>();
166
167 if (!DynObjCType || !StaticObjCType)
168 return;
169
170 if (!hasDefinition(ObjPtr: DynObjCType) || !hasDefinition(ObjPtr: StaticObjCType))
171 return;
172
173 ASTContext &ASTCtxt = C.getASTContext();
174
175 // Strip kindeofness to correctly detect subtyping relationships.
176 DynObjCType = DynObjCType->stripObjCKindOfTypeAndQuals(ctx: ASTCtxt);
177 StaticObjCType = StaticObjCType->stripObjCKindOfTypeAndQuals(ctx: ASTCtxt);
178
179 // Specialized objects are handled by the generics checker.
180 if (StaticObjCType->isSpecialized())
181 return;
182
183 if (ASTCtxt.canAssignObjCInterfaces(LHSOPT: StaticObjCType, RHSOPT: DynObjCType))
184 return;
185
186 if (DynTypeInfo.canBeASubClass() &&
187 ASTCtxt.canAssignObjCInterfaces(LHSOPT: DynObjCType, RHSOPT: StaticObjCType))
188 return;
189
190 reportTypeError(DynamicType: DynType, StaticType, Reg: Region, ReportedNode: CE, C);
191}
192
193void ento::registerDynamicTypeChecker(CheckerManager &mgr) {
194 mgr.registerChecker<DynamicTypeChecker>();
195}
196
197bool ento::shouldRegisterDynamicTypeChecker(const CheckerManager &mgr) {
198 return true;
199}
200