/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/OSObjectCStyleCast.cpp

Source (jump to first uncovered line)
//===- OSObjectCStyleCast.cpp ------------------------------------*- C++ -*-==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines OSObjectCStyleCast checker, which checks for C-style casts
// of OSObjects. Such casts almost always indicate a code smell,
// as an explicit static or dynamic cast should be used instead.
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "llvm/Support/Debug.h"

using namespace clang;
using namespace ento;
using namespace ast_matchers;

namespace {
static constexpr const char *const WarnAtNode = "WarnAtNode";
static constexpr const char *const WarnRecordDecl = "WarnRecordDecl";

class OSObjectCStyleCastChecker : public Checker<check::ASTCodeBody> {
public:
  void checkASTCodeBody(const Decl *D, AnalysisManager &AM,
                        BugReporter &BR) const;
};
} // namespace

namespace clang {
namespace ast_matchers {
AST_MATCHER_P(StringLiteral, mentionsBoundType, std::string, BindingID) {
  return Builder->removeBindings([this, &Node](const BoundNodesMap &Nodes) {
    const auto &BN = Nodes.getNode(this->BindingID);
    if (const auto *ND = BN.get<NamedDecl>()) {
      return ND->getName() != Node.getString();
    }
    return true;
  });
}
} // end namespace ast_matchers
} // end namespace clang

static void emitDiagnostics(const BoundNodes &Nodes,
                            BugReporter &BR,
                            AnalysisDeclContext *ADC,
                            const OSObjectCStyleCastChecker *Checker) {
  const auto *CE = Nodes.getNodeAs<CastExpr>(WarnAtNode);
  const CXXRecordDecl *RD = Nodes.getNodeAs<CXXRecordDecl>(WarnRecordDecl);
  assert(CE && RD);

  std::string Diagnostics;
  llvm::raw_string_ostream OS(Diagnostics);
  OS << "C-style cast of an OSObject is prone to type confusion attacks; "
     << "use 'OSRequiredCast' if the object is definitely of type '"
     << RD->getNameAsString() << "', or 'OSDynamicCast' followed by "
     << "a null check if unsure",

  BR.EmitBasicReport(
    ADC->getDecl(),
    Checker,
    /*Name=*/"OSObject C-Style Cast",
    categories::SecurityError,
    OS.str(),
    PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), ADC),
    CE->getSourceRange());
}

static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM) {
  return hasType(pointerType(pointee(hasDeclaration(DeclM))));
}

void OSObjectCStyleCastChecker::checkASTCodeBody(const Decl *D,
                                                 AnalysisManager &AM,
                                                 BugReporter &BR) const {

  AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);

  auto DynamicCastM = callExpr(callee(functionDecl(hasName("safeMetaCast"))));
  // 'allocClassWithName' allocates an object with the given type.
  // The type is actually provided as a string argument (type's name).
  // This makes the following pattern possible:
  //
  // Foo *object = (Foo *)allocClassWithName("Foo");
  //
  // While OSRequiredCast can be used here, it is still not a useful warning.
  auto AllocClassWithNameM = callExpr(
      callee(functionDecl(hasName("allocClassWithName"))),
      // Here we want to make sure that the string argument matches the
      // type in the cast expression.
      hasArgument(0, stringLiteral(mentionsBoundType(WarnRecordDecl))));

  auto OSObjTypeM =
      hasTypePointingTo(cxxRecordDecl(isDerivedFrom("OSMetaClassBase")));
  auto OSObjSubclassM = hasTypePointingTo(
      cxxRecordDecl(isDerivedFrom("OSObject")).bind(WarnRecordDecl));

  auto CastM =
      cStyleCastExpr(
          allOf(OSObjSubclassM,
                hasSourceExpression(
                    allOf(OSObjTypeM,
                          unless(anyOf(DynamicCastM, AllocClassWithNameM))))))
          .bind(WarnAtNode);

  auto Matches =
      match(stmt(forEachDescendant(CastM)), *D->getBody(), AM.getASTContext());
  for (BoundNodes Match : Matches)
    emitDiagnostics(Match, BR, ADC, this);
}

void ento::registerOSObjectCStyleCast(CheckerManager &Mgr) {
  Mgr.registerChecker<OSObjectCStyleCastChecker>();
}

bool ento::shouldRegisterOSObjectCStyleCast(const CheckerManager &mgr) {
  return true;
}

Line	Count	Source (jump to first uncovered line)
1		//===- OSObjectCStyleCast.cpp ------------------------------------- C++ --==//
2		//
3		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4		// See https://llvm.org/LICENSE.txt for license information.
5		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6		//
7		//===----------------------------------------------------------------------===//
8		//
9		// This file defines OSObjectCStyleCast checker, which checks for C-style casts
10		// of OSObjects. Such casts almost always indicate a code smell,
11		// as an explicit static or dynamic cast should be used instead.
12		//===----------------------------------------------------------------------===//
13
14		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15		#include "clang/ASTMatchers/ASTMatchFinder.h"
16		#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
17		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18		#include "clang/StaticAnalyzer/Core/Checker.h"
19		#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
20		#include "llvm/Support/Debug.h"
21
22		using namespace clang;
23		using namespace ento;
24		using namespace ast_matchers;
25
26		namespace {
27		static constexpr const char *const WarnAtNode = "WarnAtNode";
28		static constexpr const char *const WarnRecordDecl = "WarnRecordDecl";
29
30		class OSObjectCStyleCastChecker : public Checker<check::ASTCodeBody> {
31		public:
32		void checkASTCodeBody(const Decl *D, AnalysisManager &AM,
33		BugReporter &BR) const;
34		};
35		} // namespace
36
37		namespace clang {
38		namespace ast_matchers {
39	2	AST_MATCHER_P(StringLiteral, mentionsBoundType, std::string, BindingID) {
40	2	return Builder->removeBindings([this, &Node](const BoundNodesMap &Nodes) {
41	2	const auto &BN = Nodes.getNode(this->BindingID);
42	2	if (const auto *ND = BN.get<NamedDecl>()) {
43	2	return ND->getName() != Node.getString();
44	2	}
45	0	return true;
46	2	});
47	2	}
48		} // end namespace ast_matchers
49		} // end namespace clang
50
51		static void emitDiagnostics(const BoundNodes &Nodes,
52		BugReporter &BR,
53		AnalysisDeclContext *ADC,
54	2	const OSObjectCStyleCastChecker *Checker) {
55	2	const auto *CE = Nodes.getNodeAs<CastExpr>(WarnAtNode);
56	2	const CXXRecordDecl *RD = Nodes.getNodeAs<CXXRecordDecl>(WarnRecordDecl);
57	2	assert(CE && RD);
58
59	2	std::string Diagnostics;
60	2	llvm::raw_string_ostream OS(Diagnostics);
61	2	OS << "C-style cast of an OSObject is prone to type confusion attacks; "
62	2	<< "use 'OSRequiredCast' if the object is definitely of type '"
63	2	<< RD->getNameAsString() << "', or 'OSDynamicCast' followed by "
64	2	<< "a null check if unsure",
65
66	2	BR.EmitBasicReport(
67	2	ADC->getDecl(),
68	2	Checker,
69	2	/Name=/"OSObject C-Style Cast",
70	2	categories::SecurityError,
71	2	OS.str(),
72	2	PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), ADC),
73	2	CE->getSourceRange());
74	2	}
75
76	22	static decltype(auto) hasTypePointingTo(DeclarationMatcher DeclM) {
77	22	return hasType(pointerType(pointee(hasDeclaration(DeclM))));
78	22	}
79
80		void OSObjectCStyleCastChecker::checkASTCodeBody(const Decl *D,
81		AnalysisManager &AM,
82	11	BugReporter &BR) const {
83
84	11	AnalysisDeclContext *ADC = AM.getAnalysisDeclContext(D);
85
86	11	auto DynamicCastM = callExpr(callee(functionDecl(hasName("safeMetaCast"))));
87		// 'allocClassWithName' allocates an object with the given type.
88		// The type is actually provided as a string argument (type's name).
89		// This makes the following pattern possible:
90		//
91		// Foo object = (Foo )allocClassWithName("Foo");
92		//
93		// While OSRequiredCast can be used here, it is still not a useful warning.
94	11	auto AllocClassWithNameM = callExpr(
95	11	callee(functionDecl(hasName("allocClassWithName"))),
96		// Here we want to make sure that the string argument matches the
97		// type in the cast expression.
98	11	hasArgument(0, stringLiteral(mentionsBoundType(WarnRecordDecl))));
99
100	11	auto OSObjTypeM =
101	11	hasTypePointingTo(cxxRecordDecl(isDerivedFrom("OSMetaClassBase")));
102	11	auto OSObjSubclassM = hasTypePointingTo(
103	11	cxxRecordDecl(isDerivedFrom("OSObject")).bind(WarnRecordDecl));
104
105	11	auto CastM =
106	11	cStyleCastExpr(
107	11	allOf(OSObjSubclassM,
108	11	hasSourceExpression(
109	11	allOf(OSObjTypeM,
110	11	unless(anyOf(DynamicCastM, AllocClassWithNameM))))))
111	11	.bind(WarnAtNode);
112
113	11	auto Matches =
114	11	match(stmt(forEachDescendant(CastM)), *D->getBody(), AM.getASTContext());
115	11	for (BoundNodes Match : Matches)
116	2	emitDiagnostics(Match, BR, ADC, this);
117	11	}
118
119	1	void ento::registerOSObjectCStyleCast(CheckerManager &Mgr) {
120	1	Mgr.registerChecker<OSObjectCStyleCastChecker>();
121	1	}
122
123	2	bool ento::shouldRegisterOSObjectCStyleCast(const CheckerManager &mgr) {
124	2	return true;
125	2	}

Coverage Report

Created: 2023-09-30 09:22