This CXXMemberCallExpr business is necessary? I am not sure as I have not seen it widely used.

Kinda nice, but a simple pointer-to-member would have been sufficient and much more lightweight:

using CastCheck = void (CastValueChecker::*)(const CallExpr *,
                         DefinedOrUnknownSVal, CheckerContext &);

(not sure, i don't fully understand the performance implications of using std::function)

Please add an argument count check to your CallDescriptions.

Otherwise accessing argument 0 may result in a crash when we're analyzing code that isn't LLVM but defines a function with the same name which also has no arguments.

That's a fairly common source of crashes.

The assume operation is expensive. Let's avoid doing it twice:

State = State->assume(ParamDV, true);
if (!State)
  return;

Let's do ...getType()->getPointeeCXXRecordDecl()->getNameAsString(). It's shorter and more on point. (might need to check for null decl though).

This statement needs a predicate.

I suggest: Assuming dynamic cast from 'A' to 'B' succeeds.

true! We don't want a note about every random cast to bring in dozens of nested stack frames.

Just drop Invalidate. Situations where you actually notice the difference are extremely rare. In this case there's nothing to invalidate because there's no existing value for the call-expression.

Assuming dynamic cast from 'A' to 'B' fails.

Later when we add support for dynamic type tracking, we may as well add a "Knowing..." piece :)

It definitely needs different handling because this cannot ever be null.

If you haven't seen it widely used, it's probably not necessary; i too rarely see those.

Call.getArgSVal(0).

debug.ExprInspection is your friend!

I'd also call for making the tests more isolated. In this test you're hardcoding a fairly arbitrary and random execution path that the analyzer chose through your function. It's generally interesting what paths do we explore first, but that's not what the patch is about.

Here's an example of a test that i would have written:

void foo(Shape *S) {
  Circle *C = dyn_cast_or_null<Circle>(S);
  clang_analyzer_numTimesReached(); // expected-warning{{3}}
  if (S && C)
    clang_analyzer_eval(C == S); // expected-warning{{TRUE}}
  if (!S)
    clang_analyzer_eval(!C); // expected-warning{{TRUE}}
  if (S && !C)
    clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
}

(you might want to test notes separately)

Assuming null pointer is passed into cast o.o

It took me an hour to realize I have to push the class as the signature of the function to create a member-callback. I think it is not that lightweight, but it is modern. I believe it is made for that purpose when you could write Foo[13] or *(13 + P), where the latter creeps me out.

Thanks for the copy-pasteable code, I really enjoy to see what do you think exactly, but this is the first time when I would pick my idea. (I would had recommended that modern way in your patch just I thought it is not working with methods.)

Great idea, thanks!

"Model implementation of custom RTTIs."

Great! I recognize the need for such function now.

Ok then!

I suspect that this may crash if CD is an anonymous structure. So you should use getNameAsString() instead.

Use after free! QualType::getAsString() returns a temporary std::string. You're returning a StringRef that outlives the string it refers to. The solution is usually to return the std::string by value.

*summons @rnkovacs*

Generally, i'd rather bail out on this branch. If we're seeing a dyn_cast of something that isn't a class, we're already doing something wrong.

Nice!

I guess putting them into separate files would have been easier this time.

This checker only does modeling, but isn't hidden. Should we hide it?

I believe we want to put this checker as well as the return value checker into apiModeling.llvm.

This doesn't prevent the checkers from being generally useful for other packages: if we want to add support for other APIs, we'll simply reserve a different checker name for the same checker object (with internal flags to enable/disable particular API groups).

Dunno :)

I think we should hide the checkers that model core language functionality (including standard library functionality, as defining your own stuff in namespace std has undefined behavior in most cases, at least in c++) but we shouldn't hide checkers for specific user-made APIs because people may want to disable them simply because they have their own conflicting API.

Also, btw, the whole apiModeling package is currently hidden.

Let's mention RTTI here as well. Otherwise it sounds weird, as all actual casts are applied by ExprEngine.

And here.

No, it's not the same story. It's not "some valid situation that we don't support yet". It's "a normally impossible situation that indicates that we should not try to model this function because there's no reason for us to believe we know what it does".

(yay, i understood what you mean without a reference; that was hard^^)

You should still check if Cast->getType()->getPointeeCXXRecordDecl() returns null, otherwise you can crash.

But when it's null, you should immediately return false from your evalCall.

If we cannot obtain any of the CXXRecordDecls then we bail out. You are right about that feature, and I like it.