/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp

Source (jump to first uncovered line)
//=== CastToStructChecker.cpp ----------------------------------*- C++ -*--===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This files defines CastToStructChecker, a builtin checker that checks for
// cast from non-struct pointer to struct pointer and widening struct data cast.
// This check corresponds to CWE-588.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/RecursiveASTVisitor.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;
using namespace ento;

namespace {
class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
  BugReporter &BR;
  const CheckerBase *Checker;
  AnalysisDeclContext *AC;

public:
  explicit CastToStructVisitor(BugReporter &B, const CheckerBase *Checker,
                               AnalysisDeclContext *A)
      : BR(B), Checker(Checker), AC(A) {}
  bool VisitCastExpr(const CastExpr *CE);
};
}

bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
  const Expr *E = CE->getSubExpr();
  ASTContext &Ctx = AC->getASTContext();
  QualType OrigTy = Ctx.getCanonicalType(E->getType());
  QualType ToTy = Ctx.getCanonicalType(CE->getType());

  const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
  const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());

  if (!ToPTy || !OrigPTy3.89k)
    return true;

  QualType OrigPointeeTy = OrigPTy->getPointeeType();
  QualType ToPointeeTy = ToPTy->getPointeeType();

  if (!ToPointeeTy->isStructureOrClassType())
    return true;

  // We allow cast from void*.
  if (OrigPointeeTy->isVoidType())
    return true;

  // Now the cast-to-type is struct pointer, the original type is not void*.
  if (!OrigPointeeTy->isRecordType()) {
    SourceRange Sr[1] = {CE->getSourceRange()};
    PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
    BR.EmitBasicReport(
        AC->getDecl(), Checker, "Cast from non-struct type to struct type",
        categories::LogicError, "Casting a non-structure type to a structure "
                                "type and accessing a field can lead to memory "
                                "access errors or data corruption.",
        Loc, Sr);
  } else {
    // Don't warn when size of data is unknown.
    const auto *U = dyn_cast<UnaryOperator>(E);
    if (!U || U->getOpcode() != UO_AddrOf30)
      return true;

    // Don't warn for references
    const ValueDecl *VD = nullptr;
    if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
      VD = SE->getDecl();
    else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr()))
      VD = SE->getMemberDecl();
    if (!VD || VD->getType()->isReferenceType()25)
      return true;

    if (ToPointeeTy->isIncompleteType() ||
        OrigPointeeTy->isIncompleteType()21)
      return true;

    // Warn when there is widening cast.
    unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
    unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
    if (ToWidth <= OrigWidth)
      return true;

    PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
    BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
                       categories::LogicError,
                       "Casting data to a larger structure type and accessing "
                       "a field can lead to memory access errors or data "
                       "corruption.",
                       Loc, CE->getSourceRange());
  }

  return true;
}

namespace {
class CastToStructChecker : public Checker<check::ASTCodeBody> {
public:
  void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
                        BugReporter &BR) const {
    CastToStructVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D));
    Visitor.TraverseDecl(const_cast<Decl *>(D));
  }
};
} // end anonymous namespace

void ento::registerCastToStructChecker(CheckerManager &mgr) {
  mgr.registerChecker<CastToStructChecker>();
}

bool ento::shouldRegisterCastToStructChecker(const CheckerManager &mgr) {
  return true;
}

Line	Count	Source (jump to first uncovered line)
1		//=== CastToStructChecker.cpp ----------------------------------- C++ ---===//
2		//
3		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4		// See https://llvm.org/LICENSE.txt for license information.
5		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6		//
7		//===----------------------------------------------------------------------===//
8		//
9		// This files defines CastToStructChecker, a builtin checker that checks for
10		// cast from non-struct pointer to struct pointer and widening struct data cast.
11		// This check corresponds to CWE-588.
12		//
13		//===----------------------------------------------------------------------===//
14
15		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16		#include "clang/AST/RecursiveASTVisitor.h"
17		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18		#include "clang/StaticAnalyzer/Core/Checker.h"
19		#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
21
22		using namespace clang;
23		using namespace ento;
24
25		namespace {
26		class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
27		BugReporter &BR;
28		const CheckerBase *Checker;
29		AnalysisDeclContext *AC;
30
31		public:
32		explicit CastToStructVisitor(BugReporter &B, const CheckerBase *Checker,
33		AnalysisDeclContext *A)
34	1.36k	: BR(B), Checker(Checker), AC(A) {}
35		bool VisitCastExpr(const CastExpr *CE);
36		};
37		}
38
39	7.75k	bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
40	7.75k	const Expr *E = CE->getSubExpr();
41	7.75k	ASTContext &Ctx = AC->getASTContext();
42	7.75k	QualType OrigTy = Ctx.getCanonicalType(E->getType());
43	7.75k	QualType ToTy = Ctx.getCanonicalType(CE->getType());
44
45	7.75k	const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
46	7.75k	const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
47
48	7.75k	if (!ToPTy \|\| !OrigPTy3.89k )
49	6.08k	return true;
50
51	1.67k	QualType OrigPointeeTy = OrigPTy->getPointeeType();
52	1.67k	QualType ToPointeeTy = ToPTy->getPointeeType();
53
54	1.67k	if (!ToPointeeTy->isStructureOrClassType())
55	1.31k	return true;
56
57		// We allow cast from void*.
58	355	if (OrigPointeeTy->isVoidType())
59	24	return true;
60
61		// Now the cast-to-type is struct pointer, the original type is not void*.
62	331	if (!OrigPointeeTy->isRecordType()) {
63	10	SourceRange Sr[1] = {CE->getSourceRange()};
64	10	PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
65	10	BR.EmitBasicReport(
66	10	AC->getDecl(), Checker, "Cast from non-struct type to struct type",
67	10	categories::LogicError, "Casting a non-structure type to a structure "
68	10	"type and accessing a field can lead to memory "
69	10	"access errors or data corruption.",
70	10	Loc, Sr);
71	321	} else {
72		// Don't warn when size of data is unknown.
73	321	const auto *U = dyn_cast<UnaryOperator>(E);
74	321	if (!U \|\| U->getOpcode() != UO_AddrOf30 )
75	293	return true;
76
77		// Don't warn for references
78	28	const ValueDecl *VD = nullptr;
79	28	if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
80	25	VD = SE->getDecl();
81	3	else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr()))
82	0	VD = SE->getMemberDecl();
83	28	if (!VD \|\| VD->getType()->isReferenceType()25 )
84	6	return true;
85
86	22	if (ToPointeeTy->isIncompleteType() \|\|
87	22	OrigPointeeTy->isIncompleteType()21 )
88	2	return true;
89
90		// Warn when there is widening cast.
91	20	unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
92	20	unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
93	20	if (ToWidth <= OrigWidth)
94	14	return true;
95
96	6	PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
97	6	BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
98	6	categories::LogicError,
99	6	"Casting data to a larger structure type and accessing "
100	6	"a field can lead to memory access errors or data "
101	6	"corruption.",
102	6	Loc, CE->getSourceRange());
103	6	}
104
105	16	return true;
106	331	}
107
108		namespace {
109		class CastToStructChecker : public Checker<check::ASTCodeBody> {
110		public:
111		void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
112	1.36k	BugReporter &BR) const {
113	1.36k	CastToStructVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D));
114	1.36k	Visitor.TraverseDecl(const_cast<Decl *>(D));
115	1.36k	}
116		};
117		} // end anonymous namespace
118
119	80	void ento::registerCastToStructChecker(CheckerManager &mgr) {
120	80	mgr.registerChecker<CastToStructChecker>();
121	80	}
122
123	160	bool ento::shouldRegisterCastToStructChecker(const CheckerManager &mgr) {
124	160	return true;
125	160	}

Coverage Report

Created: 2023-09-30 09:22