[clang] [analyzer] Trust base to derived casts for dynamic types (PR #69057)

Tom Ritter via cfe-commits cfe-commits at lists.llvm.org
Fri Dec 1 20:56:21 PST 2023


tomrittervg wrote:

This sounds crazy, but I think I found a bug in this patchset.  I applied it on top of the 17.0.2 tag, and then ran the whole analysis on mozilla-central.  I got segfaults on about 4000 executions, all with the same stack trace:

```
1.	<eof> parser at end of file
2.	While analyzing stack: 
	#0 Calling mozilla::FailureLatch::SetFailureFrom(const FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:151:5
	#1 Calling mozilla::baseprofiler::ChunkedJSONWriteFunc::ChangeFailureLatchAndForwardState(FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:465:12
	#2 Calling mozilla::baseprofiler::SpliceableChunkedJSONWriter::ChangeFailureLatchAndForwardState(FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:570:5
	#3 Calling mozilla::baseprofiler::UniqueJSONStrings::ChangeFailureLatchAndForwardState(FailureLatch &)
3.	/home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/FailureLatch.h:65:36: Error evaluating statement
4.	/home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/FailureLatch.h:65:36: Error evaluating statement
 #0 0x00007f9378f09cb8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x2782cb8)
 #1 0x00007f9378f09813 llvm::sys::CleanupOnSignal(unsigned long) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x2782813)
 #2 0x00007f9378ea11fe (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) CrashRecoveryContext.cpp:0:0
 #3 0x00007f9378ea13ae CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
 #4 0x00007f937626c520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #5 0x00007f937da6ed08 clang::ento::CXXInstanceCall::getRuntimeDefinition() const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f09d08)
 #6 0x00007f937da6f038 clang::ento::CXXMemberCall::getRuntimeDefinition() const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f0a038)
 #7 0x00007f937daa9796 clang::ento::ExprEngine::defaultEvalCall(clang::ento::NodeBuilder&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&, clang::ento::EvalCallOptions const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f44796)
 #8 0x00007f937da776ea clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, clang::ento::EvalCallOptions const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f126ea)
 #9 0x00007f937daa7c64 clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f42c64)
#10 0x00007f937daa7a67 clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f42a67)
#11 0x00007f937da8d503 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f28503)
#12 0x00007f937da8abec clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f25bec)
#13 0x00007f937da8a9bd clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f259bd)
#14 0x00007f937da7bb7c clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f16b7c)
#15 0x00007f937da7ae62 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f15e62)
#16 0x00007f937dcf3206 (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) AnalysisConsumer.cpp:0:0
#17 0x00007f937dce8e5d (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) AnalysisConsumer.cpp:0:0
#18 0x00007f937d8e19d1 clang::MultiplexConsumer::HandleTranslationUnit(clang::ASTContext&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2d7c9d1)
#19 0x00007f937c420920 clang::ParseAST(clang::Sema&, bool, bool) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18bb920)
#20 0x00007f937c43431c clang::FrontendAction::Execute() (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18cf31c)
#21 0x00007f937c433e51 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18cee51)
#22 0x00007f937d902e8d clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2d9de8d)
#23 0x0000560e18adb1fe cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0x121fe)
#24 0x0000560e18ad418e ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) driver.cpp:0:0
#25 0x00007f937d542299 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::$_0>(long) Job.cpp:0:0
#26 0x00007f9378ea1197 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x271a197)
#27 0x00007f937c42455e clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x18bf55e)
#28 0x00007f937c3edca4 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x1888ca4)
#29 0x00007f937c3ed398 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x1888398)
#30 0x0000560e18ad7da2 clang_main(int, char**, llvm::ToolContext const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0xeda2)
#31 0x0000560e18ad4d9e main (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0xbd9e)
#32 0x00007f9376253d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#33 0x00007f9376253e40 call_init ./csu/../csu/libc-start.c:128:20
#34 0x00007f9376253e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#35 0x0000560e18ad95d3 _start (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17+0x105d3)

```

I took the smallest file, minimized it, and came up with this reproduction, which, admittedly, seems crazy to me.  (What does `ObjCGenerics` have to do with anything - and yet, it seems to be one of a certain combination that causes the crash...)

```
# 5 "/home/tom/Documents/moz/staticanalysis/mozillaunified/objdir/dist/include/mozilla/FailureLatch.h"
class a {
public:
  virtual char b();
};
class c {};
class C {
protected:
  c &d();
};
class e : public c, a {
public:
  void f() { b(); }
};
class g : C {
  void h() { i().f(); }
  e &i() { return static_cast<e &>(d()); }
};
```
And the command:
```
#!/bin/sh


"/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/clang-17" \
"-cc1" \
"-triple" \
"x86_64-unknown-linux-gnu" \
"-analyze" \
"-w" \
"-analyzer-checker=osx.cocoa.ObjCGenerics" \
"-x" \
"c++" \
"ProfileJSONWriter-991aed.cpp"

# Several other checker tests did not cause the error, but osx.cocoa.ObjCGenerics did.
# Although on the unminified command, removing that one check did not resolve the issue.
# So maybe it's more like certain checks cause a traversal in a way that causes the
# crash, and this is one of them...?
```

Again, this is these 4 patches, put atop 17.0.2 (6009708b4367171ccdbf4b5905cb6a803753fe18).   You can even download the compiler [here](https://treeherder.mozilla.org/jobs?repo=try&revision=da8a9bbfe932fb7f0ed0744728b9bf7b342f4f97&selectedTaskRun=b5i9WgpvTNiEuhIYdqN3eQ.0) (in the Artifacts tab of the clang-17 job). [This shows the patch additions](https://hg.mozilla.org/try/rev/ecb5169d852befe0954ef7c45dc39177515a9155). If I run it using 17.0.2 without the patches, it does not fail.

https://github.com/llvm/llvm-project/pull/69057
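The reproducer above hinges on two things the analyzer has to get right when it starts trusting base-to-derived casts: a `c&` handed out by `C::d()` is only an `e` if the underlying object really is one, and inside an `e` the `c` sub-object and the `a` sub-object live at different addresses, so calling the virtual `b()` requires the right sub-object. The following stand-alone program is an added example, not code from the PR or from the post; the names `Iface`, `Plain`, `Derived`, `Other`, `Holder` and the `tag` check are assumptions chosen to mirror the reproducer's class layout.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>

// Added example: class layout mirroring the minimized reproducer. `Plain` is
// the non-polymorphic base (like `c`), `Iface` the polymorphic one (like `a`),
// and `Derived` (like `e`) inherits from both in the same order.
struct Iface {
  virtual ~Iface() = default;
  virtual char b() const = 0;
};

struct Plain {          // like `c`: no vtable, so dynamic_cast cannot start here
  int tag = 0;
};

struct Derived : Plain, Iface {   // like `e`
  static constexpr int kTag = 0x4465;   // constructed marker, not an ABI value
  Derived() { tag = kTag; }
  char b() const override { return 'e'; }
};

struct Other : Plain {};          // a Plain that is *not* a Derived

// Like `C::d()`: exposes only a Plain&, hiding the object's dynamic type.
struct Holder {
  Derived d;
  Other o;
  Plain &d_sub(bool derived) {
    return derived ? static_cast<Plain &>(d) : static_cast<Plain &>(o);
  }
};

// Distance between the two base sub-objects of one Derived. It is non-zero on
// every ABI because both bases are non-empty, which is why "points at the
// Plain part" and "points at the Iface part" are different memory regions.
std::ptrdiff_t base_subobject_distance() {
  Derived d;
  const char *plain = reinterpret_cast<const char *>(static_cast<Plain *>(&d));
  const char *iface = reinterpret_cast<const char *>(static_cast<Iface *>(&d));
  return iface - plain;
}

// static_cast from a base pointer adjusts back to the complete object;
// reinterpret_cast does not. Returns how many of the two bases reinterpret_cast
// gets wrong (at least 1, since both cannot sit at offset 0), or -1 if
// static_cast ever produced the wrong address.
int count_reinterpret_mismatches() {
  Derived d;
  Plain *p = &d;   // implicit derived-to-base conversions
  Iface *i = &d;
  if (&static_cast<Derived &>(*p) != &d || &static_cast<Derived &>(*i) != &d)
    return -1;
  int wrong = 0;
  if (reinterpret_cast<Derived *>(p) != &d) ++wrong;
  if (reinterpret_cast<Derived *>(i) != &d) ++wrong;
  return wrong;
}

// A downcast from Plain& is only sound when the object really is a Derived.
// Plain carries no vtable, so the program itself must hold the evidence (here
// a constructed tag). Returns b()'s result for a genuine Derived, '?' otherwise.
char call_b_through_plain(Plain &p) {
  if (p.tag != Derived::kTag) return '?';   // refuse the unverified downcast
  return static_cast<Derived &>(p).b();
}

// Convenience wrapper: build a Holder and go through the hidden-type accessor.
char demo_call(bool want_derived) {
  Holder h;
  return call_b_through_plain(h.d_sub(want_derived));
}

int main() {
  std::cout << "sub-object distance: " << base_subobject_distance() << "\n"
            << "reinterpret_cast mismatches: " << count_reinterpret_mismatches() << "\n"
            << "genuine Derived -> " << demo_call(true) << "\n"
            << "Other -> " << demo_call(false) << "\n";
  return 0;
}
```

The tag check stands in for whatever invariant makes the real `static_cast<e &>(d())` valid in the Mozilla code; the analyzer, once it trusts the cast, has to model both that invariant and the sub-object adjustment, and the crash in `CXXInstanceCall::getRuntimeDefinition()` is what happens when the two disagree.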