1 //== DynamicTypeChecker.cpp ------------------------------------ -*- C++ -*--=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker looks for cases where the dynamic type of an object is unrelated
10 // to its static type. The type information utilized by this check is collected
11 // by the DynamicTypePropagation checker. This check does not report any type
12 // error for ObjC Generic types, in order to avoid duplicate erros from the
13 // ObjC Generics checker. This checker is not supposed to modify the program
14 // state, it is just the observer of the type information provided by other
15 // checkers.
16 //
17 //===----------------------------------------------------------------------===//
18 
19 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
20 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21 #include "clang/StaticAnalyzer/Core/Checker.h"
22 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
25 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
27 
28 using namespace clang;
29 using namespace ento;
30 
31 namespace {
32 class DynamicTypeChecker : public Checker<check::PostStmt<ImplicitCastExpr>> {
33   const BugType BT{this, "Dynamic and static type mismatch", "Type Error"};
34 
35   class DynamicTypeBugVisitor : public BugReporterVisitor {
36   public:
DynamicTypeBugVisitor(const MemRegion * Reg)37     DynamicTypeBugVisitor(const MemRegion *Reg) : Reg(Reg) {}
38 
Profile(llvm::FoldingSetNodeID & ID) const39     void Profile(llvm::FoldingSetNodeID &ID) const override {
40       static int X = 0;
41       ID.AddPointer(&X);
42       ID.AddPointer(Reg);
43     }
44 
45     PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
46                                      BugReporterContext &BRC,
47                                      PathSensitiveBugReport &BR) override;
48 
49   private:
50     // The tracked region.
51     const MemRegion *Reg;
52   };
53 
54   void reportTypeError(QualType DynamicType, QualType StaticType,
55                        const MemRegion *Reg, const Stmt *ReportedNode,
56                        CheckerContext &C) const;
57 
58 public:
59   void checkPostStmt(const ImplicitCastExpr *CE, CheckerContext &C) const;
60 };
61 }
62 
reportTypeError(QualType DynamicType,QualType StaticType,const MemRegion * Reg,const Stmt * ReportedNode,CheckerContext & C) const63 void DynamicTypeChecker::reportTypeError(QualType DynamicType,
64                                          QualType StaticType,
65                                          const MemRegion *Reg,
66                                          const Stmt *ReportedNode,
67                                          CheckerContext &C) const {
68   SmallString<192> Buf;
69   llvm::raw_svector_ostream OS(Buf);
70   OS << "Object has a dynamic type '";
71   QualType::print(DynamicType.getTypePtr(), Qualifiers(), OS, C.getLangOpts(),
72                   llvm::Twine());
73   OS << "' which is incompatible with static type '";
74   QualType::print(StaticType.getTypePtr(), Qualifiers(), OS, C.getLangOpts(),
75                   llvm::Twine());
76   OS << "'";
77   auto R = std::make_unique<PathSensitiveBugReport>(
78       BT, OS.str(), C.generateNonFatalErrorNode());
79   R->markInteresting(Reg);
80   R->addVisitor(std::make_unique<DynamicTypeBugVisitor>(Reg));
81   R->addRange(ReportedNode->getSourceRange());
82   C.emitReport(std::move(R));
83 }
84 
VisitNode(const ExplodedNode * N,BugReporterContext & BRC,PathSensitiveBugReport &)85 PathDiagnosticPieceRef DynamicTypeChecker::DynamicTypeBugVisitor::VisitNode(
86     const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
87   ProgramStateRef State = N->getState();
88   ProgramStateRef StatePrev = N->getFirstPred()->getState();
89 
90   DynamicTypeInfo TrackedType = getDynamicTypeInfo(State, Reg);
91   DynamicTypeInfo TrackedTypePrev = getDynamicTypeInfo(StatePrev, Reg);
92   if (!TrackedType.isValid())
93     return nullptr;
94 
95   if (TrackedTypePrev.isValid() &&
96       TrackedTypePrev.getType() == TrackedType.getType())
97     return nullptr;
98 
99   // Retrieve the associated statement.
100   const Stmt *S = N->getStmtForDiagnostics();
101   if (!S)
102     return nullptr;
103 
104   const LangOptions &LangOpts = BRC.getASTContext().getLangOpts();
105 
106   SmallString<256> Buf;
107   llvm::raw_svector_ostream OS(Buf);
108   OS << "Type '";
109   QualType::print(TrackedType.getType().getTypePtr(), Qualifiers(), OS,
110                   LangOpts, llvm::Twine());
111   OS << "' is inferred from ";
112 
113   if (const auto *ExplicitCast = dyn_cast<ExplicitCastExpr>(S)) {
114     OS << "explicit cast (from '";
115     QualType::print(ExplicitCast->getSubExpr()->getType().getTypePtr(),
116                     Qualifiers(), OS, LangOpts, llvm::Twine());
117     OS << "' to '";
118     QualType::print(ExplicitCast->getType().getTypePtr(), Qualifiers(), OS,
119                     LangOpts, llvm::Twine());
120     OS << "')";
121   } else if (const auto *ImplicitCast = dyn_cast<ImplicitCastExpr>(S)) {
122     OS << "implicit cast (from '";
123     QualType::print(ImplicitCast->getSubExpr()->getType().getTypePtr(),
124                     Qualifiers(), OS, LangOpts, llvm::Twine());
125     OS << "' to '";
126     QualType::print(ImplicitCast->getType().getTypePtr(), Qualifiers(), OS,
127                     LangOpts, llvm::Twine());
128     OS << "')";
129   } else {
130     OS << "this context";
131   }
132 
133   // Generate the extra diagnostic.
134   PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
135                              N->getLocationContext());
136   return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
137 }
138 
hasDefinition(const ObjCObjectPointerType * ObjPtr)139 static bool hasDefinition(const ObjCObjectPointerType *ObjPtr) {
140   const ObjCInterfaceDecl *Decl = ObjPtr->getInterfaceDecl();
141   if (!Decl)
142     return false;
143 
144   return Decl->getDefinition();
145 }
146 
147 // TODO: consider checking explicit casts?
checkPostStmt(const ImplicitCastExpr * CE,CheckerContext & C) const148 void DynamicTypeChecker::checkPostStmt(const ImplicitCastExpr *CE,
149                                        CheckerContext &C) const {
150   // TODO: C++ support.
151   if (CE->getCastKind() != CK_BitCast)
152     return;
153 
154   const MemRegion *Region = C.getSVal(CE).getAsRegion();
155   if (!Region)
156     return;
157 
158   ProgramStateRef State = C.getState();
159   DynamicTypeInfo DynTypeInfo = getDynamicTypeInfo(State, Region);
160 
161   if (!DynTypeInfo.isValid())
162     return;
163 
164   QualType DynType = DynTypeInfo.getType();
165   QualType StaticType = CE->getType();
166 
167   const auto *DynObjCType = DynType->getAs<ObjCObjectPointerType>();
168   const auto *StaticObjCType = StaticType->getAs<ObjCObjectPointerType>();
169 
170   if (!DynObjCType || !StaticObjCType)
171     return;
172 
173   if (!hasDefinition(DynObjCType) || !hasDefinition(StaticObjCType))
174     return;
175 
176   ASTContext &ASTCtxt = C.getASTContext();
177 
178   // Strip kindeofness to correctly detect subtyping relationships.
179   DynObjCType = DynObjCType->stripObjCKindOfTypeAndQuals(ASTCtxt);
180   StaticObjCType = StaticObjCType->stripObjCKindOfTypeAndQuals(ASTCtxt);
181 
182   // Specialized objects are handled by the generics checker.
183   if (StaticObjCType->isSpecialized())
184     return;
185 
186   if (ASTCtxt.canAssignObjCInterfaces(StaticObjCType, DynObjCType))
187     return;
188 
189   if (DynTypeInfo.canBeASubClass() &&
190       ASTCtxt.canAssignObjCInterfaces(DynObjCType, StaticObjCType))
191     return;
192 
193   reportTypeError(DynType, StaticType, Region, CE, C);
194 }
195 
registerDynamicTypeChecker(CheckerManager & mgr)196 void ento::registerDynamicTypeChecker(CheckerManager &mgr) {
197   mgr.registerChecker<DynamicTypeChecker>();
198 }
199 
shouldRegisterDynamicTypeChecker(const CheckerManager & mgr)200 bool ento::shouldRegisterDynamicTypeChecker(const CheckerManager &mgr) {
201   return true;
202 }
203