[analyzer] Use the static type for a virtual call if the dynamic type is worse.

reinterpret_cast does not provide any of the usual type information that
static_cast or dynamic_cast provide -- only the new type. This can get us
in a situation where the dynamic type info for an object is actually a
superclass of the static type, which does not match what CodeGen does at all.
In these cases, just fall back to the static type as the best possible type
for devirtualization.

Should fix the crashes on our internal buildbot.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163644 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/StaticAnalyzer/Core/CallEvent.cpp b/lib/StaticAnalyzer/Core/CallEvent.cpp
index 09ba21173ba5404ff53f37beb0ba6835f41a814b..0f71a76842e01b863d1a34d4863463deb14e7725 100644 (file)
--- a/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ b/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -433,14 +433,21 @@ RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
   if (!RD || !RD->hasDefinition())
     return RuntimeDefinition();
 
-  // Find the decl for this method in that class.
-  const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true);
+  const CXXMethodDecl *Result;
+  if (MD->getParent()->isDerivedFrom(RD)) {
+    // If our static type info is better than our dynamic type info, don't
+    // bother doing a search. Just use the static method.
+    Result = MD;
+  } else {
+    // Otherwise, find the decl for the method in the dynamic class.
+    Result = MD->getCorrespondingMethodInClass(RD, true);
+  }
+
   if (!Result) {
     // We might not even get the original statically-resolved method due to
     // some particularly nasty casting (e.g. casts to sister classes).
     // However, we should at least be able to search up and down our own class
     // hierarchy, and some real bugs have been caught by checking this.
-    assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo");
     assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method");
     return RuntimeDefinition();
   }

diff --git a/test/Analysis/inlining/dyn-dispatch-bifurcate.cpp b/test/Analysis/inlining/dyn-dispatch-bifurcate.cpp
index fa473aebce324f7cbf069d7ff201caf3699c2b85..12dad79433948becd01b9a3dba157cc40f2628d7 100644 (file)
--- a/test/Analysis/inlining/dyn-dispatch-bifurcate.cpp
+++ b/test/Analysis/inlining/dyn-dispatch-bifurcate.cpp
@@ -15,3 +15,19 @@ void testKnown() {
   A a;
   clang_analyzer_eval(a.get() == 0); // expected-warning{{TRUE}}
 }
+
+
+namespace ReinterpretDisruptsDynamicTypeInfo {
+  class Parent {};
+
+  class Child : public Parent {
+  public:
+    virtual int foo() { return 42; }
+  };
+
+  void test(Parent *a) {
+    Child *b = reinterpret_cast<Child *>(a);
+    if (!b) return;
+    clang_analyzer_eval(b->foo() == 42); // expected-warning{{TRUE}} expected-warning{{UNKNOWN}}
+  }
+}