doxygen/OSObjectCStyleCast_8cpp_source.html

//===- OSObjectCStyleCast.cpp ------------------------------------*- C++ -*-==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This file defines OSObjectCStyleCast checker, which checks for C-style casts

// of OSObjects. Such casts almost always indicate a code smell,

// as an explicit static or dynamic cast should be used instead.

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/ASTMatchers/ASTMatchFinder.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"

#include "llvm/Support/Debug.h"


using namespace clang;

using namespace ento;

using namespace ast_matchers;


namespace {

static constexpr const char *const WarnAtNode = "WarnAtNode";

static constexpr const char *const WarnRecordDecl = "WarnRecordDecl";


class OSObjectCStyleCastChecker : public Checker<check::ASTCodeBody> {

public:

  void checkASTCodeBody(const Decl *D, AnalysisManager &AM,

                        BugReporter &BR) const;

};

} // namespace


namespace clang {

namespace ast_matchers {

AST_MATCHER_P(StringLiteral, mentionsBoundType, std::string, BindingID) {

  return Builder->removeBindings([this, &Node](const BoundNodesMap &Nodes) {

    const auto &BN = Nodes.getNode(this->BindingID);

    if (const auto *ND = BN.get<NamedDecl>()) {

      return ND->getName() != Node.getString();

    }

    return true;

  });

}

} // end namespace ast_matchers

} // end namespace clang


static void emitDiagnostics(const BoundNodes &Nodes,

                            BugReporter &BR,

                            AnalysisDeclContext *ADC,

                            const OSObjectCStyleCastChecker *Checker) {

  const auto *CE = Nodes.getNodeAs<CastExpr>(WarnAtNode);

  const CXXRecordDecl *RD = Nodes.getNodeAs<CXXRecordDecl>(WarnRecordDecl);

  assert(CE && RD);


  std::string Diagnostics;

  llvm::raw_string_ostream OS(Diagnostics);

  OS << "C-style cast of an OSObject is prone to type confusion attacks; "

     << "use 'OSRequiredCast' if the object is definitely of type '"

     << RD->getNameAsString() << "', or 'OSDynamicCast' followed by "

     << "a null check if unsure",


  BR.EmitBasicReport(

    ADC->getDecl(),

    Checker,

    /*Name=*/"OSObject C-Style Cast",

    categories::SecurityError,

    OS.str(),

    PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), ADC),

    CE->getSourceRange());

}


static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM) {

  return hasType(pointerType(pointee(hasDeclaration(DeclM))));

}


void OSObjectCStyleCastChecker::checkASTCodeBody(const Decl *D,

                                                 AnalysisManager &AM,

                                                 BugReporter &BR) const {


  AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);


  auto DynamicCastM = callExpr(callee(functionDecl(hasName("safeMetaCast"))));

  // 'allocClassWithName' allocates an object with the given type.

  // The type is actually provided as a string argument (type's name).

  // This makes the following pattern possible:

  //

  // Foo *object = (Foo *)allocClassWithName("Foo");

  //

  // While OSRequiredCast can be used here, it is still not a useful warning.

  auto AllocClassWithNameM = callExpr(

      callee(functionDecl(hasName("allocClassWithName"))),

      // Here we want to make sure that the string argument matches the

      // type in the cast expression.

      hasArgument(0, stringLiteral(mentionsBoundType(WarnRecordDecl))));


  auto OSObjTypeM =

      hasTypePointingTo(cxxRecordDecl(isDerivedFrom("OSMetaClassBase")));

  auto OSObjSubclassM = hasTypePointingTo(

      cxxRecordDecl(isDerivedFrom("OSObject")).bind(WarnRecordDecl));


  auto CastM =

      cStyleCastExpr(

          allOf(OSObjSubclassM,

                hasSourceExpression(

                    allOf(OSObjTypeM,

                          unless(anyOf(DynamicCastM, AllocClassWithNameM))))))

          .bind(WarnAtNode);


  auto Matches =

      match(stmt(forEachDescendant(CastM)), *D->getBody(), AM.getASTContext());

  for (BoundNodes Match : Matches)

    emitDiagnostics(Match, BR, ADC, this);

}


void ento::registerOSObjectCStyleCast(CheckerManager &Mgr) {

  Mgr.registerChecker<OSObjectCStyleCastChecker>();

}


bool ento::shouldRegisterOSObjectCStyleCast(const CheckerManager &mgr) {

  return true;

}

Nodes
BoundNodesTreeBuilder Nodes
Definition: ASTMatchFinder.cpp:85

Node
DynTypedNode Node
Definition: ASTMatchFinder.cpp:70

ASTMatchFinder.h

AST_MATCHER_P
#define AST_MATCHER_P(Type, DefineMatcher, ParamType, Param)
AST_MATCHER_P(Type, DefineMatcher, ParamType, Param) { ... } defines a single-parameter function name...
Definition: ASTMatchersMacros.h:128

AnalysisManager.h

BugReporter.h

BugType.h

BuiltinCheckerRegistration.h

D
const Decl * D
Definition: CheckExprLifetime.cpp:200

Checker.h

hasTypePointingTo
static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM)
Definition: OSObjectCStyleCast.cpp:76

emitDiagnostics
static void emitDiagnostics(const BoundNodes &Nodes, BugReporter &BR, AnalysisDeclContext *ADC, const OSObjectCStyleCastChecker *Checker)
Definition: OSObjectCStyleCast.cpp:51

clang::AnalysisDeclContext
AnalysisDeclContext contains the context data for the function, method or block under analysis.
Definition: AnalysisDeclContext.h:72

clang::AnalysisDeclContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:106

clang::CXXRecordDecl
Represents a C++ struct/union/class.
Definition: DeclCXX.h:258

clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition: Expr.h:3498

clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:86

clang::Decl::getBody
virtual Stmt * getBody() const
getBody - If this Decl represents a declaration for a body of code, such as a function or method defi...
Definition: DeclBase.h:1077

clang::NamedDecl
This represents a decl that may have a name.
Definition: Decl.h:249

clang::StringLiteral
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1778

clang::ast_matchers::BoundNodes
Maps string IDs to AST nodes matched by parts of a matcher.
Definition: ASTMatchers.h:109

clang::ento::AnalysisManager
Definition: AnalysisManager.h:31

clang::ento::AnalysisManager::getASTContext
ASTContext & getASTContext() override
Definition: AnalysisManager.h:82

clang::ento::AnalysisManager::getAnalysisDeclContext
AnalysisDeclContext * getAnalysisDeclContext(const Decl *D)
Definition: AnalysisManager.h:121

clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:585

clang::ento::BugReporter::getSourceManager
const SourceManager & getSourceManager()
Definition: BugReporter.h:623

clang::ento::BugReporter::EmitBasicReport
void EmitBasicReport(const Decl *DeclWithIssue, const CheckerBase *Checker, StringRef BugName, StringRef BugCategory, StringRef BugStr, PathDiagnosticLocation Loc, ArrayRef< SourceRange > Ranges=std::nullopt, ArrayRef< FixItHint > Fixits=std::nullopt)
Definition: BugReporter.cpp:3362

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:512

clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:579

clang::ast_matchers::cStyleCastExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CStyleCastExpr > cStyleCastExpr
Matches a C-style cast expression.
Definition: ASTMatchersInternal.cpp:991

clang::ast_matchers::unless
const internal::VariadicOperatorMatcherFunc< 1, 1 > unless
Matches if the provided matcher does not match.
Definition: ASTMatchersInternal.cpp:1046

clang::ast_matchers::DeclarationMatcher
internal::Matcher< Decl > DeclarationMatcher
Types of matchers for the top-level classes in the AST class hierarchy.
Definition: ASTMatchers.h:143

clang::ast_matchers::stringLiteral
const internal::VariadicDynCastAllOfMatcher< Stmt, StringLiteral > stringLiteral
Matches string literals (also matches wide string literals).
Definition: ASTMatchersInternal.cpp:937

clang::ast_matchers::pointerType
const AstTypeMatcher< PointerType > pointerType
Matches pointer types, but does not match Objective-C object pointer types.
Definition: ASTMatchersInternal.cpp:1073

clang::ast_matchers::hasName
internal::Matcher< NamedDecl > hasName(StringRef Name)
Matches NamedDecl nodes that have the specified name.
Definition: ASTMatchers.h:3079

clang::ast_matchers::callExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CallExpr > callExpr
Matches call expressions.
Definition: ASTMatchersInternal.cpp:828

clang::ast_matchers::forEachDescendant
const internal::ArgumentAdaptingMatcherFunc< internal::ForEachDescendantMatcher > forEachDescendant
Matches AST nodes that have descendant AST nodes that match the provided matcher.
Definition: ASTMatchersInternal.cpp:1035

clang::ast_matchers::match
SmallVector< BoundNodes, 1 > match(MatcherT Matcher, const NodeT &Node, ASTContext &Context)
Returns the results of matching Matcher on Node.
Definition: ASTMatchFinder.h:313

clang::ast_matchers::allOf
const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> allOf
Matches if all given matchers match.
Definition: ASTMatchersInternal.cpp:1013

clang::ast_matchers::functionDecl
const internal::VariadicDynCastAllOfMatcher< Decl, FunctionDecl > functionDecl
Matches function declarations.
Definition: ASTMatchersInternal.cpp:817

clang::ast_matchers::cxxRecordDecl
const internal::VariadicDynCastAllOfMatcher< Decl, CXXRecordDecl > cxxRecordDecl
Matches C++ class declarations.
Definition: ASTMatchersInternal.cpp:755

clang::ast_matchers::hasDeclaration
internal::PolymorphicMatcher< internal::HasDeclarationMatcher, void(internal::HasDeclarationSupportedTypes), internal::Matcher< Decl > > hasDeclaration(const internal::Matcher< Decl > &InnerMatcher)
Matches a node if the declaration associated with that node matches the given matcher.
Definition: ASTMatchers.h:3653

clang::ast_matchers::stmt
const internal::VariadicAllOfMatcher< Stmt > stmt
Matches statements.
Definition: ASTMatchersInternal.cpp:821

clang::ast_matchers::anyOf
const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> anyOf
Matches if any of the given matchers matches.
Definition: ASTMatchersInternal.cpp:1010

clang::ento::categories::SecurityError
const char *const SecurityError
Definition: CommonBugCategories.cpp:25

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17