doxygen/OSObjectCStyleCast_8cpp_source.html

//===- OSObjectCStyleCast.cpp ------------------------------------*- C++ -*-==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This file defines OSObjectCStyleCast checker, which checks for C-style casts

// of OSObjects. Such casts almost always indicate a code smell,

// as an explicit static or dynamic cast should be used instead.

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/ASTMatchers/ASTMatchFinder.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"

#include "llvm/Support/Debug.h"


using namespace clang;

using namespace ento;

using namespace ast_matchers;


namespace {

static constexpr const char *const WarnAtNode = "WarnAtNode";

static constexpr const char *const WarnRecordDecl = "WarnRecordDecl";


class OSObjectCStyleCastChecker : public Checker<check::ASTCodeBody> {

public:

  void checkASTCodeBody(const Decl *D, AnalysisManager &AM,

                        BugReporter &BR) const;

};

} // namespace


namespace clang {

namespace ast_matchers {


AST_MATCHER_P(StringLiteral, mentionsBoundType, std::string, BindingID) {

  return Builder->removeBindings([this, &Node](const BoundNodesMap &Nodes) {

    const DynTypedNode &BN = Nodes.getNode(this->BindingID);

    if (const auto *ND = BN.get<NamedDecl>()) {

      return ND->getName() != Node.getString();

    }

    return true;

  });

}


} // end namespace ast_matchers

} // end namespace clang


static void emitDiagnostics(const BoundNodes &Nodes,

                            BugReporter &BR,

                            AnalysisDeclContext *ADC,

                            const OSObjectCStyleCastChecker *Checker) {

  const auto *CE = Nodes.getNodeAs<CastExpr>(WarnAtNode);

  const CXXRecordDecl *RD = Nodes.getNodeAs<CXXRecordDecl>(WarnRecordDecl);

  assert(CE && RD);


  std::string Diagnostics;

  llvm::raw_string_ostream OS(Diagnostics);

  OS << "C-style cast of an OSObject is prone to type confusion attacks; "

     << "use 'OSRequiredCast' if the object is definitely of type '"

     << RD->getNameAsString() << "', or 'OSDynamicCast' followed by "

     << "a null check if unsure",


  BR.EmitBasicReport(

    ADC->getDecl(),

    Checker,

    /*Name=*/"OSObject C-Style Cast",

    categories::SecurityError,

    Diagnostics,

    PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), ADC),

    CE->getSourceRange());

}


static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM) {

  return hasType(pointerType(pointee(hasDeclaration(DeclM))));

}


void OSObjectCStyleCastChecker::checkASTCodeBody(const Decl *D,

                                                 AnalysisManager &AM,

                                                 BugReporter &BR) const {


  AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);


  auto DynamicCastM = callExpr(callee(functionDecl(hasName("safeMetaCast"))));

  // 'allocClassWithName' allocates an object with the given type.

  // The type is actually provided as a string argument (type's name).

  // This makes the following pattern possible:

  //

  // Foo *object = (Foo *)allocClassWithName("Foo");

  //

  // While OSRequiredCast can be used here, it is still not a useful warning.

  auto AllocClassWithNameM = callExpr(

      callee(functionDecl(hasName("allocClassWithName"))),

      // Here we want to make sure that the string argument matches the

      // type in the cast expression.

      hasArgument(0, stringLiteral(mentionsBoundType(WarnRecordDecl))));


  auto OSObjTypeM =

      hasTypePointingTo(cxxRecordDecl(isDerivedFrom("OSMetaClassBase")));

  auto OSObjSubclassM = hasTypePointingTo(

      cxxRecordDecl(isDerivedFrom("OSObject")).bind(WarnRecordDecl));


  auto CastM =

      cStyleCastExpr(

          allOf(OSObjSubclassM,

                hasSourceExpression(

                    allOf(OSObjTypeM,

                          unless(anyOf(DynamicCastM, AllocClassWithNameM))))))

          .bind(WarnAtNode);


  auto Matches =

      match(stmt(forEachDescendant(CastM)), *D->getBody(), AM.getASTContext());

  for (BoundNodes Match : Matches)

    emitDiagnostics(Match, BR, ADC, this);

}


void ento::registerOSObjectCStyleCast(CheckerManager &Mgr) {

  Mgr.registerChecker<OSObjectCStyleCastChecker>();

}


bool ento::shouldRegisterOSObjectCStyleCast(const CheckerManager &mgr) {

  return true;

}

ASTMatchFinder.h

AST_MATCHER_P
#define AST_MATCHER_P(Type, DefineMatcher, ParamType, Param)
AST_MATCHER_P(Type, DefineMatcher, ParamType, Param) { ... } defines a single-parameter function name...
Definition ASTMatchersMacros.h:130

AnalysisManager.h

BugReporter.h

BugType.h

BuiltinCheckerRegistration.h

hasTypePointingTo
static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM)
Definition OSObjectCStyleCast.cpp:76

emitDiagnostics
static void emitDiagnostics(const BoundNodes &Nodes, BugReporter &BR, AnalysisDeclContext *ADC, const OSObjectCStyleCastChecker *Checker)
Definition OSObjectCStyleCast.cpp:51

emitDiagnostics
static void emitDiagnostics(BoundNodes &Match, const Decl *D, BugReporter &BR, AnalysisManager &AM, const ObjCAutoreleaseWriteChecker *Checker)
Definition ObjCAutoreleaseWriteChecker.cpp:111

Checker.h

clang::AnalysisDeclContext
AnalysisDeclContext contains the context data for the function, method or block under analysis.
Definition AnalysisDeclContext.h:72

clang::AnalysisDeclContext::getDecl
const Decl * getDecl() const
Definition AnalysisDeclContext.h:106

clang::CXXRecordDecl
Represents a C++ struct/union/class.
Definition DeclCXX.h:258

clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition Expr.h:3610

clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition DeclBase.h:86

clang::Decl::getBody
virtual Stmt * getBody() const
getBody - If this Decl represents a declaration for a body of code, such as a function or method defi...
Definition DeclBase.h:1087

clang::DynTypedNode
A dynamically typed AST node container.
Definition ASTTypeTraits.h:257

clang::DynTypedNode::get
const T * get() const
Retrieve the stored node as type T.
Definition ASTTypeTraits.h:277

clang::NamedDecl
This represents a decl that may have a name.
Definition Decl.h:274

clang::StringLiteral
StringLiteral - This represents a string literal expression, e.g.
Definition Expr.h:1799

clang::ast_matchers::BoundNodes
Maps string IDs to AST nodes matched by parts of a matcher.
Definition ASTMatchers.h:111

clang::ast_matchers::BoundNodes::getNodeAs
const T * getNodeAs(StringRef ID) const
Returns the AST node bound to ID.
Definition ASTMatchers.h:118

clang::ento::AnalysisManager
Definition AnalysisManager.h:31

clang::ento::AnalysisManager::getASTContext
ASTContext & getASTContext() override
Definition AnalysisManager.h:82

clang::ento::AnalysisManager::getAnalysisDeclContext
AnalysisDeclContext * getAnalysisDeclContext(const Decl *D)
Definition AnalysisManager.h:122

clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition BugReporter.h:586

clang::ento::BugReporter::getSourceManager
const SourceManager & getSourceManager()
Definition BugReporter.h:625

clang::ento::BugReporter::EmitBasicReport
void EmitBasicReport(const Decl *DeclWithIssue, const CheckerFrontend *Checker, StringRef BugName, StringRef BugCategory, StringRef BugStr, PathDiagnosticLocation Loc, ArrayRef< SourceRange > Ranges={}, ArrayRef< FixItHint > Fixits={})
Definition BugReporter.cpp:3408

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&...Args)
Register a single-part checker (derived from Checker): construct its singleton instance,...
Definition CheckerManager.h:218

clang::ento::Checker
Simple checker classes that implement one frontend (i.e.
Definition Checker.h:553

clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition PathDiagnostic.cpp:575

clang::ast_matchers
Definition ASTMatchers.h:102

clang::ast_matchers::cStyleCastExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CStyleCastExpr > cStyleCastExpr
Matches a C-style cast expression.
Definition ASTMatchersInternal.cpp:1015

clang::ast_matchers::unless
const internal::VariadicOperatorMatcherFunc< 1, 1 > unless
Matches if the provided matcher does not match.
Definition ASTMatchersInternal.cpp:1070

clang::ast_matchers::DeclarationMatcher
internal::Matcher< Decl > DeclarationMatcher
Types of matchers for the top-level classes in the AST class hierarchy.
Definition ASTMatchers.h:145

clang::ast_matchers::stringLiteral
const internal::VariadicDynCastAllOfMatcher< Stmt, StringLiteral > stringLiteral
Matches string literals (also matches wide string literals).
Definition ASTMatchersInternal.cpp:959

clang::ast_matchers::hasName
internal::Matcher< NamedDecl > hasName(StringRef Name)
Matches NamedDecl nodes that have the specified name.
Definition ASTMatchers.h:3177

clang::ast_matchers::callExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CallExpr > callExpr
Matches call expressions.
Definition ASTMatchersInternal.cpp:848

clang::ast_matchers::forEachDescendant
const internal::ArgumentAdaptingMatcherFunc< internal::ForEachDescendantMatcher > forEachDescendant
Matches AST nodes that have descendant AST nodes that match the provided matcher.
Definition ASTMatchersInternal.cpp:1059

clang::ast_matchers::match
SmallVector< BoundNodes, 1 > match(MatcherT Matcher, const NodeT &Node, ASTContext &Context)
Returns the results of matching Matcher on Node.
Definition ASTMatchFinder.h:318

clang::ast_matchers::pointerType
const AstTypeMatcher< PointerType > pointerType
Definition ASTMatchersInternal.cpp:1097

clang::ast_matchers::allOf
const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> allOf
Matches if all given matchers match.
Definition ASTMatchersInternal.cpp:1037

clang::ast_matchers::functionDecl
const internal::VariadicDynCastAllOfMatcher< Decl, FunctionDecl > functionDecl
Matches function declarations.
Definition ASTMatchersInternal.cpp:837

clang::ast_matchers::cxxRecordDecl
const internal::VariadicDynCastAllOfMatcher< Decl, CXXRecordDecl > cxxRecordDecl
Matches C++ class declarations.
Definition ASTMatchersInternal.cpp:773

clang::ast_matchers::hasDeclaration
internal::PolymorphicMatcher< internal::HasDeclarationMatcher, void(internal::HasDeclarationSupportedTypes), internal::Matcher< Decl > > hasDeclaration(const internal::Matcher< Decl > &InnerMatcher)
Matches a node if the declaration associated with that node matches the given matcher.
Definition ASTMatchers.h:3774

clang::ast_matchers::stmt
const internal::VariadicAllOfMatcher< Stmt > stmt
Matches statements.
Definition ASTMatchersInternal.cpp:841

clang::ast_matchers::anyOf
const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> anyOf
Matches if any of the given matchers matches.
Definition ASTMatchersInternal.cpp:1034

clang::ento::categories::SecurityError
const char *const SecurityError
Definition CommonBugCategories.cpp:25

clang::ento
Definition CocoaConventions.h:23

clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...
Definition RetainSummaryManager.h:51

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition CalledOnceCheck.h:17

clang::OverloadKind::Match
@ Match
This is not an overload because the signature exactly matches an existing declaration.
Definition Sema.h:816