[
https://issues.apache.org/jira/browse/GROOVY-11983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Paul King updated GROOVY-11983:
-------------------------------
Description:
{{@CompileStatic}} unsoundly smart-casts a variable in the {{else}} branch when
the {{if}} condition has the shape {{cond && !(x instanceof Y)}}. The else
block is reached whenever {{cond}} is false (regardless of {{x}}'s type), but
STC narrows {{x}} to {{Y}} and codegen emits {{checkcast Y}}, throwing
{{ClassCastException}} at runtime.
h3. Reproducer
{code:groovy}
import groovy.transform.CompileStatic
abstract class Animal { String name; boolean tame }
class Cat extends Animal {}
@CompileStatic
class Tester {
static String describe(Animal a) {
if (a.tame && !(a instanceof Cat)) {
return "tame non-cat $a.name"
} else {
return "other $a.name" // <-- a smart-cast to Cat here
}
}
}
Animal mystery = new Animal() {{ name = 'x'; tame = false }}
Tester.describe(mystery) // ClassCastException: ... cannot be cast to Cat
{code}
{{javap}} of {{describe}} shows {{checkcast Cat}} on {{a}} in the else block
before {{getName()}}.
h3. Expected
The else branch should not narrow {{a}} to {{Cat}}: it is reached when
{{!a.tame || a instanceof Cat}}, so {{a}} is not guaranteed to be a {{Cat}}.
h3. Workarounds
* Replace {{!(x instanceof Y)}} with {{!Y.isAssignableFrom(x.getClass())}}
* Split the conditional so the {{!instanceof}} stands alone
h3. Root cause
{{StaticTypeCheckingVisitor.visitIfElse}} inverts captured tti entries with
{{tti.forEach(this::putNotInstanceOfTypeInfo)}}. The inversion is structurally
blind: a {{!instanceof}} entry contributed by one operand of {{&&}} is
unwrapped into the positive smart-cast bucket for the else branch, even though
the else does not imply that operand was false. Sound for a single-operand
boolean; unsound for compound conditions mixing {{&&}} with {{!instanceof}}.
Related: GROOVY-6429, GROOVY-8412, GROOVY-8523, GROOVY-9931, GROOVY-11864 (same
{{tti}} plumbing); GROOVY-7971 fixed the symmetric then-branch issue for {{||}}.
h3. Affects
Groovy 5.0.x and 6.0.0-SNAPSHOT (master). Not present in 4.0.x.
> STC: unsound smart-cast in else branch of if (cond && !(x instanceof Y))
> ------------------------------------------------------------------------
>
> Key: GROOVY-11983
> URL: https://issues.apache.org/jira/browse/GROOVY-11983
> Project: Groovy
> Issue Type: Bug
> Reporter: Paul King
> Assignee: Paul King
> Priority: Major
>
> {{@CompileStatic}} unsoundly smart-casts a variable in the {{else}} branch
> when the {{if}} condition has the shape {{cond && !(x instanceof Y)}}. The
> else block is reached whenever {{cond}} is false (regardless of {{x}}'s
> type), but STC narrows {{x}} to {{Y}} and codegen emits {{checkcast Y}},
> throwing {{ClassCastException}} at runtime.
> h3. Reproducer
> {code:groovy}
> import groovy.transform.CompileStatic
> abstract class Animal { String name; boolean tame }
> class Cat extends Animal {}
> @CompileStatic
> class Tester {
> static String describe(Animal a) {
> if (a.tame && !(a instanceof Cat)) {
> return "tame non-cat $a.name"
> } else {
> return "other $a.name" // <-- a smart-cast to Cat here
> }
> }
> }
> Animal mystery = new Animal() {{ name = 'x'; tame = false }}
> Tester.describe(mystery) // ClassCastException: ... cannot be cast to Cat
> {code}
> {{javap}} of {{describe}} shows {{checkcast Cat}} on {{a}} in the else block
> before {{getName()}}.
> h3. Expected
> The else branch should not narrow {{a}} to {{Cat}}: it is reached when
> {{!a.tame || a instanceof Cat}}, so {{a}} is not guaranteed to be a {{Cat}}.
> h3. Workarounds
> * Replace {{!(x instanceof Y)}} with {{!Y.isAssignableFrom(x.getClass())}}
> * Split the conditional so the {{!instanceof}} stands alone
> h3. Root cause
> {{StaticTypeCheckingVisitor.visitIfElse}} inverts captured tti entries with
> {{tti.forEach(this::putNotInstanceOfTypeInfo)}}. The inversion is
> structurally blind: a {{!instanceof}} entry contributed by one operand of
> {{&&}} is unwrapped into the positive smart-cast bucket for the else branch,
> even though the else does not imply that operand was false. Sound for a
> single-operand boolean; unsound for compound conditions mixing {{&&}} with
> {{!instanceof}}.
> Related: GROOVY-6429, GROOVY-8412, GROOVY-8523, GROOVY-9931, GROOVY-11864
> (same {{tti}} plumbing); GROOVY-7971 fixed the symmetric then-branch issue
> for {{||}}.
> h3. Affects
> Groovy 5.0.x and 6.0.0-SNAPSHOT (master). Not present in 4.0.x.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
