[analyzer] Fix null pointer deref in CastValueChecker

A crash was seen in CastValueChecker due to a null pointer dereference.

The fix uses QualType::getAsString to avoid the null dereference
when a CXXRecordDecl cannot be obtained. A small reproducer is added,
and cast value notes LITs are updated for the new debug messages.

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D127105

(cherry picked from commit c7fa4e8)

Author: vabridgers

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

@@ -108,7 +108,7 @@ static const NoteTag *getNoteTag(CheckerContext &C,
                                  bool CastSucceeds, bool IsKnownCast) {
   std::string CastToName =
       CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
-               : CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
+               : CastToTy.getAsString();
   Object = Object->IgnoreParenImpCasts();
 
   return C.getNoteTag(
@@ -163,9 +163,9 @@ static const NoteTag *getNoteTag(CheckerContext &C,
         bool First = true;
         for (QualType CastToTy: CastToTyVec) {
           std::string CastToName =
-            CastToTy->getAsCXXRecordDecl() ?
-            CastToTy->getAsCXXRecordDecl()->getNameAsString() :
-            CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
+              CastToTy->getAsCXXRecordDecl()
+                  ? CastToTy->getAsCXXRecordDecl()->getNameAsString()
+                  : CastToTy.getAsString();
           Out << ' ' << ((CastToTyVec.size() == 1) ? "not" :
                          (First ? "neither" : "nor")) << " a '" << CastToName
               << '\'';

clang/test/Analysis/cast-value-notes.cpp

@@ -23,7 +23,7 @@ using namespace clang;
 
 void evalReferences(const Shape &S) {
   const auto &C = dyn_cast<Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}}
   // expected-note@-2 {{Dereference of null pointer}}
   // expected-warning@-3 {{Dereference of null pointer}}
 }
@@ -33,25 +33,25 @@ void evalNonNullParamNonNullReturnReference(const Shape &S) {
   // expected-note@-1 {{'C' initialized here}}
 
   if (!dyn_cast_or_null<Circle>(C)) {
-    // expected-note@-1 {{'C' is a 'Circle'}}
+    // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Triangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Rectangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Hexagon>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
@@ -87,29 +87,29 @@ void evalNonNullParamNonNullReturnReference(const Shape &S) {
 
 void evalNonNullParamNonNullReturn(const Shape *S) {
   const auto *C = cast<Circle>(S);
-  // expected-note@-1 {{'S' is a 'Circle'}}
+  // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
   // expected-note@-2 {{'C' initialized here}}
 
   if (!dyn_cast_or_null<Circle>(C)) {
-    // expected-note@-1 {{'C' is a 'Circle'}}
+    // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Triangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Rectangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Hexagon>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
@@ -145,10 +145,10 @@ void evalNonNullParamNonNullReturn(const Shape *S) {
 
 void evalNonNullParamNullReturn(const Shape *S) {
   const auto *C = dyn_cast_or_null<Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
 
   if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
-    // expected-note@-1 {{Assuming 'S' is a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
     // expected-note@-2 {{'T' initialized here}}
     // expected-note@-3 {{'T' is non-null}}
     // expected-note@-4 {{Taking true branch}}
@@ -172,7 +172,7 @@ void evalNullParamNullReturn(const Shape *S) {
 
 void evalZeroParamNonNullReturnPointer(const Shape *S) {
   const auto *C = S->castAs<Circle>();
-  // expected-note@-1 {{'S' is a 'Circle'}}
+  // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
   // expected-note@-2 {{'C' initialized here}}
 
   (void)(1 / !C);
@@ -193,12 +193,12 @@ void evalZeroParamNonNullReturn(const Shape &S) {
 
 void evalZeroParamNullReturn(const Shape *S) {
   const auto &C = S->getAs<Circle>();
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
   // expected-note@-2 {{Storing null pointer value}}
   // expected-note@-3 {{'C' initialized here}}
 
   if (!dyn_cast_or_null<Triangle>(S)) {
-    // expected-note@-1 {{Assuming 'S' is a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
@@ -213,3 +213,32 @@ void evalZeroParamNullReturn(const Shape *S) {
   // expected-note@-1 {{Division by zero}}
   // expected-warning@-2 {{Division by zero}}
 }
+
+// don't crash
+// CastValueChecker was using QualType()->getPointeeCXXRecordDecl(), in
+// getNoteTag which evaluated to nullptr, then crashed when attempting to
+// deref an invocation to getNameAsString(). The fix is to use
+// QualType().getAsString().
+//
+// Example:
+// std::string CastToName =
+//       CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
+//                : CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
+// Changed to:
+// std::string CastToName =
+//       CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
+//                : CastToTy.getAsString();
+namespace llvm {
+template <typename, typename a> void isa(a &);
+template <typename> class PointerUnion {
+public:
+  template <typename T> T *getAs() {
+    (void)isa<int>(*this);
+    return nullptr;
+  }
+};
+class LLVMContext {
+  PointerUnion<LLVMContext> c;
+  void d() { c.getAs<int>(); }
+};
+} // namespace llvm

clang/test/Analysis/cast-value-state-dump.cpp

@@ -18,12 +18,12 @@ using namespace clang;
 
 void evalNonNullParamNonNullReturn(const Shape *S) {
   const auto *C = dyn_cast_or_null<Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is a 'const class clang::Circle *'}}
   // expected-note@-2 {{'C' initialized here}}
 
   // FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'.
   if (dyn_cast_or_null<Square>(S)) {
-    // expected-note@-1 {{Assuming 'S' is not a 'Square'}}
+    // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Square *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }