Please, provide better description of the checker.

"was" -> "were"

Please, add some documentation on what this checker is trying to catch and how it works.

"type with specified params" -> "specialized type"?

Also, maybe we should move this above the GenericsBugVisitor declaration for greater visibility?

"two" -> "to"

Could you add a comment on what this does?
Is there a precondition on the arguments (To and From)? We seem to be walking up the hierarchy of To.
Is To always guaranteed to have a super class? What ensures that?

Move this after the check?

Could you explain more why are we skipping kindoff?
Is there a test case for this?
Let's add more __kindof tests.

Comment does not seem to match the code below.

Should the Map be specialized in this example?

We ignore the cast on the else branch (mismatched type)?

Simplify the code by using early returns.

Also, try to add comments with intuition on what cases are covered.

This will not get caught by the check below?

Shouldn't we strip more than id casts?

I'd prefer if these were copied directly from the headers, without modifications. Ex:
@interface NSMutableArray<ObjectType> : NSArray<ObjectType>

• (void)addObject:(ObjectType)anObject;

Add comment explaining that this callback is used to infer the types. Specifically, if a class method is called on a symbol, we use it to infer the type of the symbol.

Move State down, where it's used.

Clarify what you are doing here.

Split funding a tighter method definition into a subroutine.

Should checking for id, class and kindof be a helper method?

What if ASTCtxt.canAssignObjCInterfaces is false here? Shouldn't we warn?
Will we warn elsewhere? Let's make sure we have a test case. And add a comment.

Should we use the type on which this is defined and not the tracked type?

Why are we not checking other parameter types? Will those bugs get caught by casts? I guess yes..

Why isObjCTypeParamDependent is not used here?

Let's not shadow TrackedType.

This would be simplified if you pull out the negation; you essentially, list the cases where we do not warn on parameters:

1. arg can be assigned to (subtype of) param
2. covariant parameter types and param is a subtype of arg

This just returns the previous state.

If you want to create a node, you need to tag it; see the tags on leak reports.

We should not use TrackedType in the case lookup failed.
Can the TrackedType be less specialized that the return type?
Maybe rename as IsDeclaredAsInstanceType?

What are we doing here?
I prefer not to have any AST pattern matching.

This returns predecessor..

No, this case handles buggy implementations, when the type parameters are not forwarded. I reworded the comments to make this more clear.

You are right, I refactored the code.

We should. And we also should strip some sugar. I rewrote that function.

The tracked type might be the super class of the static type (for example when the super type is specialized but the subtype is not). We should not warn in that case. When the tracked type is not in subtyping relationship with the static type, there was a cast somewhere, and the checker issued the warning there. I already have testcase for these cases. I updated the names of the tests to reflect this.

The type arguments might be only available for the tracked type.

The analyzer does not visit template definitions, only the instantiations. I removed this redundant check.

The check there was overcomplicated. Passing a subtype of a parameter as argument should always be safe.

The lookup might fail when the tracked type is the super of the dynamic type (which might be the subtype of the static type). In some cases the tracked type might even end up be the super type of the static type (when that super type has more information about the type parameters.)

Right now in order to keep the state as low as possible, only generic types are tracked. If it is not a problem to have bigger state, a future improvement would be to track the dynamic type of every object, and utilize that info in this checker. Alternatively that could utilize the get/setDynamicTypeInfo API of ProgramState.

I added some additional methods for NSArray to do some additional testing, but I made the rest of the methods more similar to the ones in the actual header files.