[clang] [analyzer] Trust base to derived casts for dynamic types (PR #69057)

Artem Dergachev via cfe-commits cfe-commits at lists.llvm.org
Mon Oct 16 14:58:35 PDT 2023


================
@@ -392,19 +393,26 @@ void DynamicTypePropagation::checkPostCall(const CallEvent &Call,
   }
 }
 
-/// TODO: Handle explicit casts.
-///       Handle C++ casts.
-///
-/// Precondition: the cast is between ObjCObjectPointers.
 ExplodedNode *DynamicTypePropagation::dynamicTypePropagationOnCasts(
     const CastExpr *CE, ProgramStateRef &State, CheckerContext &C) const {
   // We only track type info for regions.
   const MemRegion *ToR = C.getSVal(CE).getAsRegion();
   if (!ToR)
     return C.getPredecessor();
 
-  if (isa<ExplicitCastExpr>(CE))
+  if (CE->getCastKind() == CK_BaseToDerived) {
+    bool CastSucceeds = true;
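Review bot: `bool CastSucceeds = true;` at the top of the new `CK_BaseToDerived` branch starts from the assumption that the cast succeeds, and the visible lines show no check of what is already known about `ToR` before that default is set. Consider consulting the recorded dynamic type for the region first and handling the known-to-fail case explicitly, so that a success is not recorded unconditionally. Separately, the removed `///` block was the only statement of this function's precondition (casts between ObjCObjectPointers); now that the `isa<ExplicitCastExpr>(CE)` check is replaced by a cast-kind test, add a replacement comment saying which cast kinds the function handles rather than leaving it undocumented.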
----------------
haoNoQ wrote:

Yeah looks like `setDynamicTypeAndCastInfo()` is a very low-level primitive that blindly sets the state to whatever you think it should be. Judging by CastValueChecker's `addCastTransition()`, the caller is supposed to fully figure out whether the cast succeeds, judging by the rest of the dynamic type map state, the static types in the AST and in regions, and the nature of the cast, and there's no reusable utility provided for that.

In our case this means that if we know the cast fails (e.g., the dynamic type is already incompatible, or a similar cast has failed on the same object previously), we should probably sink the analysis. (Ideally we'd emit a warning about it.) I'm not sure how urgent such improvement is, but it's quite likely that lack of support for failed casts may leave the cast maps in an inconsistent state which would produce more weird issues later in the analysis.

https://github.com/llvm/llvm-project/pull/69057

