/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/OSObjectCStyleCast.cpp

Source
//===- OSObjectCStyleCast.cpp ------------------------------------*- C++ -*-==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines OSObjectCStyleCast checker, which checks for C-style casts
// of OSObjects. Such casts almost always indicate a code smell,
// as an explicit static or dynamic cast should be used instead.
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "llvm/Support/Debug.h"

using namespace clang;
using namespace ento;
using namespace ast_matchers;

namespace {
static constexpr const char *const WarnAtNode = "WarnAtNode";
static constexpr const char *const WarnRecordDecl = "WarnRecordDecl";

class OSObjectCStyleCastChecker : public Checker<check::ASTCodeBody> {
public:
  void checkASTCodeBody(const Decl *D, AnalysisManager &AM,
                        BugReporter &BR) const;
};
}

static void emitDiagnostics(const BoundNodes &Nodes,
                            BugReporter &BR,
                            AnalysisDeclContext *ADC,
                            const OSObjectCStyleCastChecker *Checker) {
  const auto *CE = Nodes.getNodeAs<CastExpr>(WarnAtNode);
  const CXXRecordDecl *RD = Nodes.getNodeAs<CXXRecordDecl>(WarnRecordDecl);
  assert(CE && RD);

  std::string Diagnostics;
  llvm::raw_string_ostream OS(Diagnostics);
  OS << "C-style cast of an OSObject is prone to type confusion attacks; "
     << "use 'OSRequiredCast' if the object is definitely of type '"
     << RD->getNameAsString() << "', or 'OSDynamicCast' followed by "
     << "a null check if unsure",

  BR.EmitBasicReport(
    ADC->getDecl(),
    Checker,
    /*Name=*/"OSObject C-Style Cast",
    categories::SecurityError,
    OS.str(),
    PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), ADC),
    CE->getSourceRange());
}

static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM) {
  return hasType(pointerType(pointee(hasDeclaration(DeclM))));
}

void OSObjectCStyleCastChecker::checkASTCodeBody(const Decl *D, AnalysisManager &AM,
                                                 BugReporter &BR) const {

  AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);

  auto DynamicCastM = callExpr(callee(functionDecl(hasName("safeMetaCast"))));

  auto OSObjTypeM = hasTypePointingTo(cxxRecordDecl(isDerivedFrom("OSMetaClassBase")));
  auto OSObjSubclassM = hasTypePointingTo(
    cxxRecordDecl(isDerivedFrom("OSObject")).bind(WarnRecordDecl));

  auto CastM = cStyleCastExpr(
          allOf(hasSourceExpression(allOf(OSObjTypeM, unless(DynamicCastM))),
          OSObjSubclassM)).bind(WarnAtNode);

  auto Matches = match(stmt(forEachDescendant(CastM)), *D->getBody(), AM.getASTContext());
  for (BoundNodes Match : Matches)
    emitDiagnostics(Match, BR, ADC, this);
}

void ento::registerOSObjectCStyleCast(CheckerManager &Mgr) {
  Mgr.registerChecker<OSObjectCStyleCastChecker>();
}

bool ento::shouldRegisterOSObjectCStyleCast(const CheckerManager &mgr) {
  return true;
}

Line	Count	Source
1		//===- OSObjectCStyleCast.cpp ------------------------------------- C++ --==//
2		//
3		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4		// See https://llvm.org/LICENSE.txt for license information.
5		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6		//
7		//===----------------------------------------------------------------------===//
8		//
9		// This file defines OSObjectCStyleCast checker, which checks for C-style casts
10		// of OSObjects. Such casts almost always indicate a code smell,
11		// as an explicit static or dynamic cast should be used instead.
12		//===----------------------------------------------------------------------===//
13
14		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15		#include "clang/ASTMatchers/ASTMatchFinder.h"
16		#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
17		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18		#include "clang/StaticAnalyzer/Core/Checker.h"
19		#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
20		#include "llvm/Support/Debug.h"
21
22		using namespace clang;
23		using namespace ento;
24		using namespace ast_matchers;
25
26		namespace {
27		static constexpr const char *const WarnAtNode = "WarnAtNode";
28		static constexpr const char *const WarnRecordDecl = "WarnRecordDecl";
29
30		class OSObjectCStyleCastChecker : public Checker<check::ASTCodeBody> {
31		public:
32		void checkASTCodeBody(const Decl *D, AnalysisManager &AM,
33		BugReporter &BR) const;
34		};
35		}
36
37		static void emitDiagnostics(const BoundNodes &Nodes,
38		BugReporter &BR,
39		AnalysisDeclContext *ADC,
40	1	const OSObjectCStyleCastChecker *Checker) {
41	1	const auto *CE = Nodes.getNodeAs<CastExpr>(WarnAtNode);
42	1	const CXXRecordDecl *RD = Nodes.getNodeAs<CXXRecordDecl>(WarnRecordDecl);
43	1	assert(CE && RD);
44
45	1	std::string Diagnostics;
46	1	llvm::raw_string_ostream OS(Diagnostics);
47	1	OS << "C-style cast of an OSObject is prone to type confusion attacks; "
48	1	<< "use 'OSRequiredCast' if the object is definitely of type '"
49	1	<< RD->getNameAsString() << "', or 'OSDynamicCast' followed by "
50	1	<< "a null check if unsure",
51
52	1	BR.EmitBasicReport(
53	1	ADC->getDecl(),
54	1	Checker,
55	1	/Name=/"OSObject C-Style Cast",
56	1	categories::SecurityError,
57	1	OS.str(),
58	1	PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), ADC),
59	1	CE->getSourceRange());
60	1	}
61
62	18	static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM) {
63	18	return hasType(pointerType(pointee(hasDeclaration(DeclM))));
64	18	}
65
66		void OSObjectCStyleCastChecker::checkASTCodeBody(const Decl *D, AnalysisManager &AM,
67	9	BugReporter &BR) const {
68
69	9	AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);
70
71	9	auto DynamicCastM = callExpr(callee(functionDecl(hasName("safeMetaCast"))));
72
73	9	auto OSObjTypeM = hasTypePointingTo(cxxRecordDecl(isDerivedFrom("OSMetaClassBase")));
74	9	auto OSObjSubclassM = hasTypePointingTo(
75	9	cxxRecordDecl(isDerivedFrom("OSObject")).bind(WarnRecordDecl));
76
77	9	auto CastM = cStyleCastExpr(
78	9	allOf(hasSourceExpression(allOf(OSObjTypeM, unless(DynamicCastM))),
79	9	OSObjSubclassM)).bind(WarnAtNode);
80
81	9	auto Matches = match(stmt(forEachDescendant(CastM)), *D->getBody(), AM.getASTContext());
82	9	for (BoundNodes Match : Matches)
83	1	emitDiagnostics(Match, BR, ADC, this);
84	9	}
85
86	1	void ento::registerOSObjectCStyleCast(CheckerManager &Mgr) {
87	1	Mgr.registerChecker<OSObjectCStyleCastChecker>();
88	1	}
89
90	2	bool ento::shouldRegisterOSObjectCStyleCast(const CheckerManager &mgr) {
91	2	return true;
92	2	}

Coverage Report

Created: 2021-01-16 07:00