doxygen/CastToStructChecker_8cpp_source.html

 //=== CastToStructChecker.cpp ----------------------------------*- C++ -*--===//
 //
 //                     The LLVM Compiler Infrastructure
 //
 // This file is distributed under the University of Illinois Open Source
 // License. See LICENSE.TXT for details.
 //
 //===----------------------------------------------------------------------===//
 //
 // This files defines CastToStructChecker, a builtin checker that checks for
 // cast from non-struct pointer to struct pointer and widening struct data cast.
 // This check corresponds to CWE-588.
 //
 //===----------------------------------------------------------------------===//

 #include "ClangSACheckers.h"
 #include "clang/AST/RecursiveASTVisitor.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

 using namespace clang;
 using namespace ento;

 namespace {
 class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
   BugReporter &BR;
   const CheckerBase *Checker;
   AnalysisDeclContext *AC;

 public:
   explicit CastToStructVisitor(BugReporter &B, const CheckerBase *Checker,
                                AnalysisDeclContext *A)
       : BR(B), Checker(Checker), AC(A) {}
   bool VisitCastExpr(const CastExpr *CE);
 };
 }

 bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
   const Expr *E = CE->getSubExpr();
   ASTContext &Ctx = AC->getASTContext();
   QualType OrigTy = Ctx.getCanonicalType(E->getType());
   QualType ToTy = Ctx.getCanonicalType(CE->getType());

   const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
   const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());

   if (!ToPTy || !OrigPTy)
     return true;

   QualType OrigPointeeTy = OrigPTy->getPointeeType();
   QualType ToPointeeTy = ToPTy->getPointeeType();

   if (!ToPointeeTy->isStructureOrClassType())
     return true;

   // We allow cast from void*.
   if (OrigPointeeTy->isVoidType())
     return true;

   // Now the cast-to-type is struct pointer, the original type is not void*.
   if (!OrigPointeeTy->isRecordType()) {
     SourceRange Sr[1] = {CE->getSourceRange()};
     PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
     BR.EmitBasicReport(
         AC->getDecl(), Checker, "Cast from non-struct type to struct type",
         categories::LogicError, "Casting a non-structure type to a structure "
                                 "type and accessing a field can lead to memory "
                                 "access errors or data corruption.",
         Loc, Sr);
   } else {
     // Don't warn when size of data is unknown.
     const auto *U = dyn_cast<UnaryOperator>(E);
     if (!U || U->getOpcode() != UO_AddrOf)
       return true;

     // Don't warn for references
     const ValueDecl *VD = nullptr;
     if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
       VD = SE->getDecl();
     else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr()))
       VD = SE->getMemberDecl();
     if (!VD || VD->getType()->isReferenceType())
       return true;

     if (ToPointeeTy->isIncompleteType() ||
         OrigPointeeTy->isIncompleteType())
       return true;

     // Warn when there is widening cast.
     unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
     unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
     if (ToWidth <= OrigWidth)
       return true;

     PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
     BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
                        categories::LogicError,
                        "Casting data to a larger structure type and accessing "
                        "a field can lead to memory access errors or data "
                        "corruption.",
                        Loc, CE->getSourceRange());
   }

   return true;
 }

 namespace {
 class CastToStructChecker : public Checker<check::ASTCodeBody> {
 public:
   void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
                         BugReporter &BR) const {
     CastToStructVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D));
     Visitor.TraverseDecl(const_cast<Decl *>(D));
   }
 };
 } // end anonymous namespace

 void ento::registerCastToStructChecker(CheckerManager &mgr) {
   mgr.registerChecker<CastToStructChecker>();
 }
ento

clang::PointerType
PointerType - C99 6.7.5.1 - Pointer Declarators.
Definition: Type.h:2533

clang::PointerType::getPointeeType
QualType getPointeeType() const
Definition: Type.h:2546

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:642

clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:497

clang::Type::isRecordType
bool isRecordType() const
Definition: Type.h:6343

clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:87

BugType.h

clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154

clang::AnalysisDeclContext
AnalysisDeclContext contains the context data for the function or method under analysis.
Definition: AnalysisDeclContext.h:70

Checker.h

clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:6282

CheckerManager.h

clang::CastExpr::getSubExpr
Expr * getSubExpr()
Definition: Expr.h:2855

clang::ento::categories::LogicError
const char *const LogicError
Definition: CommonBugCategories.cpp:16

clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:6046

clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition: Expr.h:2790

clang::RecursiveASTVisitor
A class that does preorder or postorder depth-first traversal on the entire Clang AST and visits each...
Definition: RecursiveASTVisitor.h:151

clang::ValueDecl
Represent the declaration of a variable (in which case it is an lvalue) a function (in which case it ...
Definition: Decl.h:636

clang::Expr
This represents one expression.
Definition: Expr.h:105

clang::Expr::getType
QualType getType() const
Definition: Expr.h:127

clang::UnaryOperator
UnaryOperator - This represents the unary-expression&#39;s (except sizeof and alignof), the postinc/postdec operators from postfix-expression, and various extensions.
Definition: Expr.h:1784

RecursiveASTVisitor.h

clang::Type::isStructureOrClassType
bool isStructureOrClassType() const
Definition: Type.cpp:453

clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:22

ClangSACheckers.h

clang::Type::isIncompleteType
bool isIncompleteType(NamedDecl **Def=nullptr) const
Types are partitioned into 3 broad categories (C99 6.2.5p1): object types, function types...
Definition: Type.cpp:2023

clang::ASTContext::getCanonicalType
CanQualType getCanonicalType(QualType T) const
Return the canonical (structural) type corresponding to the specified potentially non-canonical type ...
Definition: ASTContext.h:2259

clang::Type::isVoidType
bool isVoidType() const
Definition: Type.h:6497

clang::ASTContext::getTypeInfo
TypeInfo getTypeInfo(const Type *T) const
Get the size and alignment of the specified complete type in bits.
Definition: ASTContext.cpp:1676

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:268

clang::TypeInfo::Width
uint64_t Width
Definition: ASTContext.h:143

clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:647

clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:198

CheckerContext.h