[analyzer] Handle dynamic_casts that turn out to be upcasts.

This can occur with multiple inheritance, which jumps from one parent to
the other, and with virtual inheritance, since virtual base regions always
wrap the actual object and can't be nested within other base regions.

This also exposed some incorrect logic for multiple inheritance: even if B
is known not to derive from C, D might still derive from both of them.

llvm-svn: 161798

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

@@ -17,6 +17,7 @@
 #include "clang/AST/CharUnits.h"
 #include "clang/AST/DeclCXX.h"
 #include "clang/AST/ExprCXX.h"
+#include "clang/AST/CXXInheritance.h"
 #include "clang/Analysis/Analyses/LiveVariables.h"
 #include "clang/Analysis/AnalysisContext.h"
 #include "clang/Basic/TargetInfo.h"
@@ -960,19 +961,16 @@ SVal RegionStoreManager::evalDynamicCast(SVal base, QualType derivedType,
     if (!derivedType->isVoidType()) {
       // Static upcasts are marked as DerivedToBase casts by Sema, so this will
       // only happen when multiple or virtual inheritance is involved.
-      // FIXME: We should build the correct stack of CXXBaseObjectRegions here,
+      CXXBasePaths Paths(/*FindAmbiguities=*/false, /*RecordPaths=*/true,
-      // instead of just punting.
+                         /*DetectVirtual=*/false);
-      if (SRDecl->isDerivedFrom(DerivedDecl))
+      if (SRDecl->isDerivedFrom(DerivedDecl, Paths)) {
-        return UnknownVal();
+        SVal Result = loc::MemRegionVal(TSR);
-
+        const CXXBasePath &Path = *Paths.begin();
-      // If super region is not a parent of derived class, the cast definitely
+        for (CXXBasePath::const_iterator I = Path.begin(), E = Path.end();
-      // fails.
+             I != E; ++I) {
-      // FIXME: This and the above test each require walking the entire
+          Result = evalDerivedToBase(Result, I->Base->getType());
-      // inheritance hierarchy, and this will happen for each
+        }
-      // CXXBaseObjectRegion wrapper. We should probably be combining the two.
+        return Result;
-      if (DerivedDecl->isProvablyNotDerivedFrom(SRDecl)) {
-        Failed = true;
-        return UnknownVal();
       }
     }
 

clang/test/Analysis/derived-to-base.cpp

@@ -85,3 +85,53 @@ namespace VirtualBaseClasses {
     clang_analyzer_eval(d.getX() == 42); // expected-warning{{TRUE}}
   }
 }
+
+
+namespace DynamicVirtualUpcast {
+  class A {
+  public:
+    virtual ~A();
+  };
+
+  class B : virtual public A {};
+  class C : virtual public B {};
+  class D : virtual public C {};
+
+  bool testCast(A *a) {
+    return dynamic_cast<B*>(a) && dynamic_cast<C*>(a);
+  }
+
+  void test() {
+    D d;
+    clang_analyzer_eval(testCast(&d)); // expected-warning{{TRUE}}
+  }
+}
+
+namespace DynamicMultipleInheritanceUpcast {
+  class B {
+  public:
+    virtual ~B();
+  };
+  class C {
+  public:
+    virtual ~C();
+  };
+  class D : public B, public C {};
+
+  bool testCast(B *a) {
+    return dynamic_cast<C*>(a);
+  }
+
+  void test() {
+    D d;
+    clang_analyzer_eval(testCast(&d)); // expected-warning{{TRUE}}
+  }
+
+
+  class DV : virtual public B, virtual public C {};
+
+  void testVirtual() {
+    DV d;
+    clang_analyzer_eval(testCast(&d)); // expected-warning{{TRUE}}
+  }
+}