| blob | 6f26842e62c78a9c58ce6a230a560a7f1ab7790d |
1 //===- DynamicTypePropagation.cpp ------------------------------*- C++ -*--===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file contains two checkers. One helps the static analyzer core to track
10 // types, the other does type inference on Obj-C generics and report type
11 // errors.
12 //
13 // Dynamic Type Propagation:
14 // This checker defines the rules for dynamic type gathering and propagation.
15 //
16 // Generics Checker for Objective-C:
17 // This checker tries to find type errors that the compiler is not able to catch
18 // due to the implicit conversions that were introduced for backward
19 // compatibility.
20 //
21 //===----------------------------------------------------------------------===//
34 #include <optional>
39 // ProgramState trait - The type inflation is tracked by DynamicTypeMap. This is
40 // an auxiliary map that tracks more information about generic types, because in
41 // some cases the most derived type is not the most informative one about the
42 // type parameters. This types that are stored for each symbol in this map must
43 // be specialized.
44 // TODO: In some case the type stored in this map is exactly the same that is
45 // stored in DynamicTypeMap. We should no store duplicated information in those
46 // cases.
60 /// Return a better dynamic type if one can be derived from the cast.
73 }
83 }
90 // The tracked symbol.
91 SymbolRef Sym;
92 };
108 /// This value is set to true, when the Generics checker is turned on.
110 CheckerNameRef GenericCheckName;
111 };
116 }
118 }
125 };
131 // Check if we can statically infer the actual type precisely.
132 //
133 // 1. Class is written directly in the message:
134 // \code
135 // [ActualClass classMethod];
136 // \endcode
140 }
142 // 2. Receiver is 'super' from a class method (a.k.a 'super' is a
143 // class object).
144 // \code
145 // [super classMethod];
146 // \endcode
150 }
152 // 3. Receiver is 'super' from an instance method (a.k.a 'super' is an
153 // instance of a super class).
154 // \code
155 // [super instanceMethod];
156 // \encode
161 }
168 // Otherwise, let's try to get type information from our estimations of
169 // runtime types.
170 QualType InferredType;
177 }
178 }
183 }
185 // If receiver is a Class object, we want to figure out the type it
186 // represents.
188 // We actually might have some info on what type is contained in there.
192 // Types in Class objects can be ONLY Objective-C types
194 }
198 // Another way we can guess what is in Class object, is when it is a
199 // 'self' variable of the current class method.
201 // In this case, we should return the type of the enclosing class
202 // declaration.
208 }
209 }
210 }
212 // Unfortunately, it seems like we have no idea what that type is.
215 }
217 // We can end up here if we got some dynamic type info and the
218 // receiver is not one of the known Class objects.
222 }
224 // Any other type (like 'Class') is not really useful at this point.
226 }
234 MostSpecializedTypeArgsMapTy TyArgMap =
241 }
242 }
245 }
258 }
263 // C++11 [class.cdtor]p4: When a virtual function is called directly or
264 // indirectly from a constructor or from a destructor, including during
265 // the construction or destruction of the class's non-static data members,
266 // and the object to which the call applies is the object under
267 // construction or destruction, the function called is the final overrider
268 // in the constructor's or destructor's class and not one overriding it in
269 // a more-derived class.
274 // No additional type info necessary.
281 }
284 }
287 // C++11 [class.cdtor]p4 (see above)
301 }
302 }
306 // We can obtain perfect type info for return values from some calls.
309 // Get the returned value if it's a region.
322 // We assume that the type of the object returned by alloc and new are the
323 // pointer to the object of the class specified in the receiver of the
324 // message.
327 // Get the type of object that will get created.
333 QualType DynResTy =
335 // We used to assume that whatever type we got from inferring the
336 // type is actually precise (and it is not exactly correct).
337 // A big portion of the existing behavior depends on that assumption
338 // (e.g. certain inlining won't take place). For this reason, we don't
339 // use ObjTy.Precise flag here.
340 //
341 // TODO: We should mitigate this problem some time in the future
342 // and replace hardcoded 'false' with '!ObjTy.Precise'.
345 }
347 // Assume, the result of the init method has the same dynamic type as
348 // the receiver and propagate the dynamic type info.
355 }
356 }
357 }
359 }
362 // We may need to undo the effects of our pre-call check.
366 // No additional work necessary.
367 // Note: This will leave behind the actual type of the object for
368 // complete constructors, but arguably that's a good thing, since it
369 // means the dynamic type info will be correct even for objects
370 // constructed with operator new.
375 // We just finished a base constructor. Now we can use the subclass's
376 // type when resolving virtual calls.
379 // FIXME: In C++17 classes with non-virtual bases may be treated as
380 // aggregates, and in such case no top-frame constructor will be called.
381 // Figure out if we need to do anything in this case.
382 // FIXME: Instead of relying on the ParentMap, we should have the
383 // trigger-statement (InitListExpr in this case) available in this
384 // callback, ideally as part of CallEvent.
390 }
392 }
393 }
394 }
396 /// TODO: Handle explicit casts.
397 /// Handle C++ casts.
398 ///
399 /// Precondition: the cast is between ObjCObjectPointers.
402 // We only track type info for regions.
413 }
415 }
422 // We only track dynamic type info for regions.
429 }
431 // Return a better dynamic type if one can be derived from the cast.
432 // Compare the current dynamic type of the region and the new type to which we
433 // are casting. If the new type is lower in the inheritance hierarchy, pick it.
440 // Get the old and new types.
448 }
454 // Id the old type is 'id', the new one is more precise.
458 // Return new if it's a subclass of old.
465 }
470 // Checking if from and to are the same classes modulo specialization.
476 }
478 }
481 // If To has no super class and From and To aren't the same then
482 // To was not actually a descendent of From. In this case the best we can
483 // do is 'From'.
485 }
490 QualType SuperPtrOfToQual =
495 C);
496 else
499 }
501 /// A downcast may loose specialization information. E. g.:
502 /// MutableMap<T, U> : Map
503 /// The downcast to MutableMap looses the information about the types of the
504 /// Map (due to the type parameters are not being forwarded to Map), and in
505 /// general there is no way to recover that information from the
506 /// declaration. In order to have to most information, lets find the most
507 /// derived type that has all the type parameters forwarded.
508 ///
509 /// Get the a subclass of \p From (which has a lower bound \p To) that do not
510 /// loose information about type parameters. \p To has to be a subclass of
511 /// \p From. From has to be specialized.
516 }
518 /// Inputs:
519 /// \param StaticLowerBound Static lower bound for a symbol. The dynamic lower
520 /// bound might be the subclass of this type.
521 /// \param StaticUpperBound A static upper bound for a symbol.
522 /// \p StaticLowerBound expected to be the subclass of \p StaticUpperBound.
523 /// \param Current The type that was inferred for a symbol in a previous
524 /// context. Might be null when this is the first time that inference happens.
525 /// Precondition:
526 /// \p StaticLowerBound or \p StaticUpperBound is specialized. If \p Current
527 /// is not null, it is specialized.
528 /// Possible cases:
529 /// (1) The \p Current is null and \p StaticLowerBound <: \p StaticUpperBound
530 /// (2) \p StaticLowerBound <: \p Current <: \p StaticUpperBound
531 /// (3) \p Current <: \p StaticLowerBound <: \p StaticUpperBound
532 /// (4) \p StaticLowerBound <: \p StaticUpperBound <: \p Current
533 /// Effect:
534 /// Use getMostInformativeDerivedClass with the upper and lower bound of the
535 /// set {\p StaticLowerBound, \p Current, \p StaticUpperBound}. The computed
536 /// lower bound must be specialized. If the result differs from \p Current or
537 /// \p Current is null, store the result.
538 static bool
544 // TODO: The above 4 cases are not exhaustive. In particular, it is possible
545 // for Current to be incomparable with StaticLowerBound, StaticUpperBound,
546 // or both.
547 //
548 // For example, suppose Foo<T> and Bar<T> are unrelated types.
549 //
550 // Foo<T> *f = ...
551 // Bar<T> *b = ...
552 //
553 // id t1 = b;
554 // f = t1;
555 // id t2 = f; // StaticLowerBound is Foo<T>, Current is Bar<T>
556 //
557 // We should either constrain the callers of this function so that the stated
558 // preconditions hold (and assert it) or rewrite the function to expicitly
559 // handle the additional cases.
561 // Precondition
566 // Case (1)
571 }
572 // Upper bound is specialized.
577 }
579 // Case (3)
582 }
584 // Case (4)
586 // The type arguments might not be forwarded at any point of inheritance.
589 WithMostInfo =
595 }
597 // Case (2)
603 }
606 }
608 /// Type inference based on static type information that is available for the
609 /// cast and the tracked type information for the given symbol. When the tracked
610 /// symbol and the destination type of the cast are unrelated, report an error.
630 // This checker detects the subtyping relationships using the assignment
631 // rules. In order to be able to do this the kindofness must be stripped
632 // first. The checker treats every type as kindof type anyways: when the
633 // tracked type is the subtype of the static type it tries to look up the
634 // methods in the tracked type first.
650 // Treat explicit casts as an indication from the programmer that the
651 // Objective-C type system is not rich enough to express the needed
652 // invariant. In such cases, forget any existing information inferred
653 // about the type arguments. We don't assume the casted-to specialized
654 // type here because the invariant the programmer specifies in the cast
655 // may only hold at this particular program point and not later ones.
656 // We don't want a suppressing cast to require a cascade of casts down the
657 // line.
661 }
663 }
665 // Check which assignments are legal.
671 // The tracked type should be the sub or super class of the static destination
672 // type. When an (implicit) upcast or a downcast happens according to static
673 // types, and there is no subtyping relationship between the tracked and the
674 // static destination types, it indicates an error.
682 }
684 // Handle downcasts and upcasts.
691 // The id type is not a real bound. Eliminate it.
696 ASTCtxt)) {
698 }
699 }
708 }
711 // It is illegal to typedef parameterized types inside an interface. Therefore
712 // an Objective-C type can only be dependent on a type parameter when the type
713 // parameter structurally present in the type itself.
714 class IsObjCTypeParamDependentTypeVisitor
722 }
724 }
727 };
729 IsObjCTypeParamDependentTypeVisitor Visitor;
732 }
734 /// A method might not be available in the interface indicated by the static
735 /// type. However it might be available in the tracked type. In order to
736 /// properly substitute the type parameters we need the declaration context of
737 /// the method. The more specialized the enclosing class of the method is, the
738 /// more likely that the parameter substitution will be successful.
748 // Do this "devirtualization" on instance and class methods only. Trust the
749 // static type on super and super class calls.
752 // When the receiver type is id, Class, or some super class of the tracked
753 // type, look up the method in the tracked type, not in the receiver type.
754 // This way we preserve more information.
758 // The method might not be found.
763 }
764 }
766 // Fallback to statick method lookup when the one based on the tracked type
767 // failed.
769 }
771 /// Get the returned ObjCObjectPointerType by a method based on the tracked type
772 /// information, or null pointer when the returned type is not an
773 /// ObjCObjectPointerType.
779 // Is the return type declared as instance type?
783 // Check whether the result type depends on a type parameter.
791 }
793 /// When the receiver has a tracked type, use that type to validate the
794 /// argumments of the message expression and the return value.
807 // Get the type arguments from tracked type and substitute type arguments
808 // before do the semantic check.
815 // It is possible to call non-existent methods in Obj-C.
819 // If the method is declared on a class that has a non-invariant
820 // type parameter, don't warn about parameter mismatches after performing
821 // substitution. This prevents warning when the programmer has purposely
822 // casted the receiver to a super type or unspecialized type but the analyzer
823 // has a more precise tracked type than the programmer intends at the call
824 // site.
825 //
826 // For example, consider NSArray (which has a covariant type parameter)
827 // and NSMutableArray (a subclass of NSArray where the type parameter is
828 // invariant):
829 // NSMutableArray *a = [[NSMutableArray<NSString *> alloc] init;
830 //
831 // [a containsObject:number]; // Safe: -containsObject is defined on NSArray.
832 // NSArray<NSObject *> *other = [a arrayByAddingObject:number] // Safe
833 //
834 // [a addObject:number] // Unsafe: -addObject: is defined on NSMutableArray
835 //
848 }
852 // This case might happen when there is an unspecialized override of a
853 // specialized method.
867 // Check if it can be assigned
874 // Check if we have more concrete tracked type that is not a super type of
875 // the static argument type.
884 }
885 }
887 // Warn when argument is incompatible with the parameter.
889 ArgObjectPtrType)) {
894 }
895 }
896 }
898 /// This callback is used to infer the types for Class variables. This info is
899 /// used later to validate messages that sent to classes. Class variables are
900 /// initialized with by invoking the 'class' method on a class.
901 /// This method is also used to infer the type information for the return
902 /// types.
903 // TODO: right now it only tracks generic types. Extend this to track every
904 // type in the DynamicTypeMap and diagnose type errors!
916 // Here we try to propagate information on Class objects.
918 // We try to figure out the type from the receiver of the 'class' message.
924 // We want to consider only precise information on generics.
927 QualType ReceiverClassPointerType =
932 }
934 // Constrain the resulting class object to the inferred type.
940 }
941 }
944 // We try to figure out the type from the receiver of the 'superclass'
945 // message.
948 // Result type would be a super class of the receiver's type.
949 QualType ReceiversSuperClass =
952 // Check if it really had super class.
953 //
954 // TODO: we can probably pay closer attention to cases when the class
955 // object can be 'nil' as the result of such message.
957 // Constrain the resulting class object to the inferred type.
962 }
964 }
965 }
967 // Tracking for return types.
988 QualType ResultType =
990 // The static type is the same as the deduced type.
996 // When there is an entry available for the return symbol in DynamicTypeMap,
997 // the call was inlined, and the information in the DynamicTypeMap is should
998 // be precise.
1000 // TODO: we have duplicated information in DynamicTypeMap and
1001 // MostSpecializedTypeArgsMap. We should only store anything in the later if
1002 // the stored data differs from the one stored in the former.
1006 }
1013 // When the result is a specialized type and it is not tracked yet, track it
1014 // for the result symbol.
1018 }
1019 }
1043 }
1061 // Retrieve the associated statement.
1092 }
1094 // Generate the extra diagnostic.
1098 }
1100 /// Register checkers.
1105 }
1109 }
1113 }
1117 }