doxygen/DynamicTypeChecker_8cpp_source.html

//== DynamicTypeChecker.cpp ------------------------------------ -*- C++ -*--=//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This checker looks for cases where the dynamic type of an object is unrelated

// to its static type. The type information utilized by this check is collected

// by the DynamicTypePropagation checker. This check does not report any type

// error for ObjC Generic types, in order to avoid duplicate erros from the

// ObjC Generics checker. This checker is not supposed to modify the program

// state, it is just the observer of the type information provided by other

// checkers.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"


using namespace clang;

using namespace ento;


namespace {

class DynamicTypeChecker : public Checker<check::PostStmt<ImplicitCastExpr>> {

  mutable std::unique_ptr<BugType> BT;

  void initBugType() const {

    if (!BT)

      BT.reset(

          new BugType(this, "Dynamic and static type mismatch", "Type Error"));

  }


  class DynamicTypeBugVisitor : public BugReporterVisitor {

  public:

    DynamicTypeBugVisitor(const MemRegion *Reg) : Reg(Reg) {}


    void Profile(llvm::FoldingSetNodeID &ID) const override {

      static int X = 0;

      ID.AddPointer(&X);

      ID.AddPointer(Reg);

    }


    PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                     BugReporterContext &BRC,

                                     PathSensitiveBugReport &BR) override;


  private:

    // The tracked region.

    const MemRegion *Reg;

  };


  void reportTypeError(QualType DynamicType, QualType StaticType,

                       const MemRegion *Reg, const Stmt *ReportedNode,

                       CheckerContext &C) const;


public:

  void checkPostStmt(const ImplicitCastExpr *CE, CheckerContext &C) const;

};

}


void DynamicTypeChecker::reportTypeError(QualType DynamicType,

                                         QualType StaticType,

                                         const MemRegion *Reg,

                                         const Stmt *ReportedNode,

                                         CheckerContext &C) const {

  initBugType();

  SmallString<192> Buf;

  llvm::raw_svector_ostream OS(Buf);

  OS << "Object has a dynamic type '";

  QualType::print(DynamicType.getTypePtr(), Qualifiers(), OS, C.getLangOpts(),

                  llvm::Twine());

  OS << "' which is incompatible with static type '";

  QualType::print(StaticType.getTypePtr(), Qualifiers(), OS, C.getLangOpts(),

                  llvm::Twine());

  OS << "'";

  auto R = std::make_unique<PathSensitiveBugReport>(

      *BT, OS.str(), C.generateNonFatalErrorNode());

  R->markInteresting(Reg);

  R->addVisitor(std::make_unique<DynamicTypeBugVisitor>(Reg));

  R->addRange(ReportedNode->getSourceRange());

  C.emitReport(std::move(R));

}


PathDiagnosticPieceRef DynamicTypeChecker::DynamicTypeBugVisitor::VisitNode(

    const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {

  ProgramStateRef State = N->getState();

  ProgramStateRef StatePrev = N->getFirstPred()->getState();


  DynamicTypeInfo TrackedType = getDynamicTypeInfo(State, Reg);

  DynamicTypeInfo TrackedTypePrev = getDynamicTypeInfo(StatePrev, Reg);

  if (!TrackedType.isValid())

    return nullptr;


  if (TrackedTypePrev.isValid() &&

      TrackedTypePrev.getType() == TrackedType.getType())

    return nullptr;


  // Retrieve the associated statement.

  const Stmt *S = N->getStmtForDiagnostics();

  if (!S)

    return nullptr;


  const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();


  SmallString<256> Buf;

  llvm::raw_svector_ostream OS(Buf);

  OS << "Type '";

  QualType::print(TrackedType.getType().getTypePtr(), Qualifiers(), OS,

                  LangOpts, llvm::Twine());

  OS << "' is inferred from ";


  if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(S)) {

    OS << "explicit cast (from '";

    QualType::print(ExplicitCast->getSubExpr()->getType().getTypePtr(),

                    Qualifiers(), OS, LangOpts, llvm::Twine());

    OS << "' to '";

    QualType::print(ExplicitCast->getType().getTypePtr(), Qualifiers(), OS,

                    LangOpts, llvm::Twine());

    OS << "')";

  } else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(S)) {

    OS << "implicit cast (from '";

    QualType::print(ImplicitCast->getSubExpr()->getType().getTypePtr(),

                    Qualifiers(), OS, LangOpts, llvm::Twine());

    OS << "' to '";

    QualType::print(ImplicitCast->getType().getTypePtr(), Qualifiers(), OS,

                    LangOpts, llvm::Twine());

    OS << "')";

  } else {

    OS << "this context";

  }


  // Generate the extra diagnostic.

  PathDiagnosticLocation Pos(S, BRC.getSourceManager(),

                             N->getLocationContext());

  return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);

}


static bool hasDefinition(const ObjCObjectPointerType *ObjPtr) {

  const ObjCInterfaceDecl *Decl = ObjPtr->getInterfaceDecl();

  if (!Decl)

    return false;


  return Decl->getDefinition();

}


// TODO: consider checking explicit casts?

void DynamicTypeChecker::checkPostStmt(const ImplicitCastExpr *CE,

                                       CheckerContext &C) const {

  // TODO: C++ support.

  if (CE->getCastKind() != CK_BitCast)

    return;


  const MemRegion *Region = C.getSVal(CE).getAsRegion();

  if (!Region)

    return;


  ProgramStateRef State = C.getState();

  DynamicTypeInfo DynTypeInfo = getDynamicTypeInfo(State, Region);


  if (!DynTypeInfo.isValid())

    return;


  QualType DynType = DynTypeInfo.getType();

  QualType StaticType = CE->getType();


  const auto *DynObjCType = DynType->getAs<ObjCObjectPointerType>();

  const auto *StaticObjCType = StaticType->getAs<ObjCObjectPointerType>();


  if (!DynObjCType || !StaticObjCType)

    return;


  if (!hasDefinition(DynObjCType) || !hasDefinition(StaticObjCType))

    return;


  ASTContext &ASTCtxt = C.getASTContext();


  // Strip kindeofness to correctly detect subtyping relationships.

  DynObjCType = DynObjCType->stripObjCKindOfTypeAndQuals(ASTCtxt);

  StaticObjCType = StaticObjCType->stripObjCKindOfTypeAndQuals(ASTCtxt);


  // Specialized objects are handled by the generics checker.

  if (StaticObjCType->isSpecialized())

    return;


  if (ASTCtxt.canAssignObjCInterfaces(StaticObjCType, DynObjCType))

    return;


  if (DynTypeInfo.canBeASubClass() &&

      ASTCtxt.canAssignObjCInterfaces(DynObjCType, StaticObjCType))

    return;


  reportTypeError(DynType, StaticType, Region, CE, C);

}


void ento::registerDynamicTypeChecker(CheckerManager &mgr) {

  mgr.registerChecker<DynamicTypeChecker>();

}


bool ento::shouldRegisterDynamicTypeChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CallEvent.h

CheckerContext.h

CheckerManager.h

Checker.h

hasDefinition
static bool hasDefinition(const ObjCObjectPointerType *ObjPtr)
Definition: DynamicTypeChecker.cpp:145

DynamicType.h

X
#define X(type, name)
Definition: Value.h:142

ProgramStateTrait.h

clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182

clang::ASTContext::canAssignObjCInterfaces
bool canAssignObjCInterfaces(const ObjCObjectPointerType *LHSOPT, const ObjCObjectPointerType *RHSOPT)
canAssignObjCInterfaces - Return true if the two interface types are compatible for assignment from R...
Definition: ASTContext.cpp:9767

clang::ASTContext::getLangOpts
const LangOptions & getLangOpts() const
Definition: ASTContext.h:767

clang::CastExpr::getCastKind
CastKind getCastKind() const
Definition: Expr.h:3561

clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:85

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::ImplicitCastExpr
ImplicitCastExpr - Allows us to explicitly represent implicit type conversions, which have no direct ...
Definition: Expr.h:3677

clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:83

clang::ObjCInterfaceDecl
Represents an ObjC class declaration.
Definition: DeclObjC.h:1150

clang::ObjCObjectPointerType
Represents a pointer to an Objective C object.
Definition: Type.h:6430

clang::ObjCObjectPointerType::isSpecialized
bool isSpecialized() const
Whether this type is specialized, meaning that it has type arguments.
Definition: Type.h:6519

clang::ObjCObjectPointerType::stripObjCKindOfTypeAndQuals
const ObjCObjectPointerType * stripObjCKindOfTypeAndQuals(const ASTContext &ctx) const
Strip off the Objective-C "kindof" type and (with it) any protocol qualifiers.
Definition: Type.cpp:856

clang::ObjCObjectPointerType::getInterfaceDecl
ObjCInterfaceDecl * getInterfaceDecl() const
If this pointer points to an Objective @interface type, gets the declaration for that interface.
Definition: Type.h:6482

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736

clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:6781

clang::QualType::print
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
Definition: TypePrinter.cpp:2438

clang::Qualifiers
The collection of all-type qualifiers we support.
Definition: Type.h:146

clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325

clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition: Type.h:7558

clang::ento::BugReporterContext
Definition: BugReporter.h:701

clang::ento::BugReporterContext::getASTContext
ASTContext & getASTContext() const
Definition: BugReporter.h:717

clang::ento::BugReporterContext::getSourceManager
const SourceManager & getSourceManager() const
Definition: BugReporter.h:721

clang::ento::BugReporterVisitor
BugReporterVisitors are used to add custom diagnostics along a path.
Definition: BugReporterVisitors.h:49

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:516

clang::ento::DynamicTypeInfo
Stores the currently inferred strictest bound on the runtime type of a region in a given state along ...
Definition: DynamicTypeInfo.h:19

clang::ento::DynamicTypeInfo::canBeASubClass
bool canBeASubClass() const
Returns false if the type information is precise (the type 'DynTy' is the only type in the lattice),...
Definition: DynamicTypeInfo.h:28

clang::ento::DynamicTypeInfo::getType
QualType getType() const
Returns the currently inferred upper bound on the runtime type.
Definition: DynamicTypeInfo.h:34

clang::ento::DynamicTypeInfo::isValid
bool isValid() const
Returns true if the dynamic type info is available.
Definition: DynamicTypeInfo.h:31

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169

clang::ento::ExplodedNode::getStmtForDiagnostics
const Stmt * getStmtForDiagnostics() const
If the node's program point corresponds to a statement, retrieve that statement.
Definition: ExplodedGraph.cpp:319

clang::ento::ExplodedNode::getLocationContext
const LocationContext * getLocationContext() const
Definition: ExplodedGraph.h:147

clang::ento::ExplodedNode::getFirstPred
ExplodedNode * getFirstPred()
Definition: ExplodedGraph.h:209

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96

clang::ento::PathDiagnosticLocation
Definition: PathDiagnostic.h:195

clang::ento::PathSensitiveBugReport
Definition: BugReporter.h:288

llvm::IntrusiveRefCntPtr< const ProgramState >

llvm::SmallString
Definition: LLVM.h:34

clang::Builtin::ID
ID
Definition: Builtins.h:64

clang::ento::getDynamicTypeInfo
DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR)
Get dynamic type information for the region MR.

clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492

clang
Definition: CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C

DynamicType
Definition: ExprConstant.cpp:5716