OSObjectCStyleCast.cpp Source File (original) (raw)

20#include "llvm/Support/Debug.h"

22using namespace clang;

23using namespace ento;

26namespace {

27static constexpr const char *const WarnAtNode = "WarnAtNode";

28static constexpr const char *const WarnRecordDecl = "WarnRecordDecl";

30class OSObjectCStyleCastChecker : public Checker check::ASTCodeBody {

31public:

32 void checkASTCodeBody(const Decl *D, AnalysisManager &AM,

33 BugReporter &BR) const;

34};

35}

40 return Builder->removeBindings([this, &Node](const BoundNodesMap &Nodes) {

41 const DynTypedNode &BN = Nodes.getNode(this->BindingID);

43 return ND->getName() != Node.getString();

44 }

45 return true;

46 });

47}

48}

49}

54 const OSObjectCStyleCastChecker *Checker) {

57 assert(CE && RD);

59 std::string Diagnostics;

60 llvm::raw_string_ostream OS(Diagnostics);

61 OS << "C-style cast of an OSObject is prone to type confusion attacks; "

62 << "use 'OSRequiredCast' if the object is definitely of type '"

63 << RD->getNameAsString() << "', or 'OSDynamicCast' followed by "

64 << "a null check if unsure",

69 "OSObject C-Style Cast",

71 Diagnostics,

73 CE->getSourceRange());

74}

80void OSObjectCStyleCastChecker::checkASTCodeBody(const Decl *D,

94 auto AllocClassWithNameM = callExpr(

98 hasArgument(0, stringLiteral(mentionsBoundType(WarnRecordDecl))));

100 auto OSObjTypeM =

103 cxxRecordDecl(isDerivedFrom("OSObject")).bind(WarnRecordDecl));

104

105 auto CastM =

107 allOf(OSObjSubclassM,

108 hasSourceExpression(

109 allOf(OSObjTypeM,

110 unless(anyOf(DynamicCastM, AllocClassWithNameM))))))

111 .bind(WarnAtNode);

112

113 auto Matches =

115 for (BoundNodes Match : Matches)

117}

118

119void ento::registerOSObjectCStyleCast(CheckerManager &Mgr) {

121}

122

123bool ento::shouldRegisterOSObjectCStyleCast(const CheckerManager &mgr) {

124 return true;

125}

#define AST_MATCHER_P(Type, DefineMatcher, ParamType, Param)

AST_MATCHER_P(Type, DefineMatcher, ParamType, Param) { ... } defines a single-parameter function name...

static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM)

Definition OSObjectCStyleCast.cpp:76

static void emitDiagnostics(const BoundNodes &Nodes, BugReporter &BR, AnalysisDeclContext *ADC, const OSObjectCStyleCastChecker *Checker)

Definition OSObjectCStyleCast.cpp:51

static void emitDiagnostics(BoundNodes &Match, const Decl *D, BugReporter &BR, AnalysisManager &AM, const ObjCAutoreleaseWriteChecker *Checker)

AnalysisDeclContext contains the context data for the function, method or block under analysis.

const Decl * getDecl() const

Represents a C++ struct/union/class.

CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...

Decl - This represents one declaration (or definition), e.g.

virtual Stmt * getBody() const

getBody - If this Decl represents a declaration for a body of code, such as a function or method defi...

A dynamically typed AST node container.

const T * get() const

Retrieve the stored node as type T.

This represents a decl that may have a name.

StringLiteral - This represents a string literal expression, e.g.

Maps string IDs to AST nodes matched by parts of a matcher.

const T * getNodeAs(StringRef ID) const

Returns the AST node bound to ID.

ASTContext & getASTContext() override

AnalysisDeclContext * getAnalysisDeclContext(const Decl *D)

BugReporter is a utility class for generating PathDiagnostics for analysis.

const SourceManager & getSourceManager()

void EmitBasicReport(const Decl *DeclWithIssue, const CheckerFrontend *Checker, StringRef BugName, StringRef BugCategory, StringRef BugStr, PathDiagnosticLocation Loc, ArrayRef< SourceRange > Ranges={}, ArrayRef< FixItHint > Fixits={})

CHECKER * registerChecker(AT &&...Args)

Simple checker classes that implement one frontend (i.e.

static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)

Create a location for the beginning of the declaration.

const internal::VariadicDynCastAllOfMatcher< Stmt, CStyleCastExpr > cStyleCastExpr

Matches a C-style cast expression.

const internal::VariadicOperatorMatcherFunc< 1, 1 > unless

Matches if the provided matcher does not match.

internal::Matcher< Decl > DeclarationMatcher

Types of matchers for the top-level classes in the AST class hierarchy.

const internal::VariadicDynCastAllOfMatcher< Stmt, StringLiteral > stringLiteral

Matches string literals (also matches wide string literals).

internal::Matcher< NamedDecl > hasName(StringRef Name)

Matches NamedDecl nodes that have the specified name.

const internal::VariadicDynCastAllOfMatcher< Stmt, CallExpr > callExpr

Matches call expressions.

const internal::ArgumentAdaptingMatcherFunc< internal::ForEachDescendantMatcher > forEachDescendant

Matches AST nodes that have descendant AST nodes that match the provided matcher.

SmallVector< BoundNodes, 1 > match(MatcherT Matcher, const NodeT &Node, ASTContext &Context)

Returns the results of matching Matcher on Node.

const AstTypeMatcher< PointerType > pointerType

const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> allOf

Matches if all given matchers match.

const internal::VariadicDynCastAllOfMatcher< Decl, FunctionDecl > functionDecl

Matches function declarations.

const internal::VariadicDynCastAllOfMatcher< Decl, CXXRecordDecl > cxxRecordDecl

Matches C++ class declarations.

internal::PolymorphicMatcher< internal::HasDeclarationMatcher, void(internal::HasDeclarationSupportedTypes), internal::Matcher< Decl > > hasDeclaration(const internal::Matcher< Decl > &InnerMatcher)

Matches a node if the declaration associated with that node matches the given matcher.

const internal::VariadicAllOfMatcher< Stmt > stmt

Matches statements.

const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> anyOf

Matches if any of the given matchers matches.

const char *const SecurityError

@ OS

Indicates that the tracking object is a descendant of a referenced-counted OSObject,...

The JSON file list parser is used to communicate input to InstallAPI.

@ Match

This is not an overload because the signature exactly matches an existing declaration.