[clang] [analyzer] Trust base to derived casts for dynamic types (PR #69057)

Balazs Benics via cfe-commits cfe-commits at lists.llvm.org
Mon Oct 16 09:10:37 PDT 2023


================
@@ -392,19 +393,26 @@ void DynamicTypePropagation::checkPostCall(const CallEvent &Call,
   }
 }
 
-/// TODO: Handle explicit casts.
-///       Handle C++ casts.
-///
-/// Precondition: the cast is between ObjCObjectPointers.
 ExplodedNode *DynamicTypePropagation::dynamicTypePropagationOnCasts(
     const CastExpr *CE, ProgramStateRef &State, CheckerContext &C) const {
   // We only track type info for regions.
   const MemRegion *ToR = C.getSVal(CE).getAsRegion();
   if (!ToR)
     return C.getPredecessor();
 
-  if (isa<ExplicitCastExpr>(CE))
+  if (CE->getCastKind() == CK_BaseToDerived) {
+    bool CastSucceeds = true;
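Review bot: the doc comment above dynamicTypePropagationOnCasts is deleted outright instead of being updated, so the function is left with no stated contract. The old "Precondition: the cast is between ObjCObjectPointers" no longer holds once the CK_BaseToDerived branch is taken, but a short replacement comment naming the cast kinds now handled would help the next reader. If explicit casts other than base-to-derived are still skipped below the new branch, that part of the TODO should stay.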
----------------
steakhal wrote:

Indeed, it would make sense.
It's not currently the behavior, and I think this [TODO comment](https://github.com/llvm/llvm-project/blob/main/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp#L11-L15) might relate to this subject.
```C++
// From CastValueChecker.cpp:
// TODO list:
// - It only allows one succesful cast between two types however in the wild
//   the object could be casted to multiple types.
// - It needs to check the most likely type information from the dynamic type
//   map to increase precision of dynamic casting.
```
I haven't looked at the details of the dynamic type tracking either, but it feels like my patch makes one baby step in the right direction. I added a test demonstrating the same issue using that checker to confirm that it also mishandles this case.

However, one important differentiating factor is that such mishandling could happen much more frequently after this patch; on the other hand, fixing this at a wider scope (including DynamicTypePropagation, CastValueChecker, and how they interact with call inlining) would be a considerable amount of work.
IDK. Maybe @haoNoQ has opinions, given he was probably there when both of these classes were developed.

https://github.com/llvm/llvm-project/pull/69057

