Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / f52f4f636f4fe572acde92d8a162a27f37367d05 / . / clang / lib / StaticAnalyzer / Checkers / CastToStructChecker.cpp
blob: 93665596be29896c636053cdb614c723949d8cf0 [file] [log] [blame]
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]1//=== CastToStructChecker.cpp ----------------------------------*- C++ -*--===//
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]2//
Chandler Carruth2946cd72019-01-19 08:50:56 +0000[diff] [blame]3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]6//
7//===----------------------------------------------------------------------===//
8//
9// This files defines CastToStructChecker, a builtin checker that checks for
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]10// cast from non-struct pointer to struct pointer and widening struct data cast.
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]11// This check corresponds to CWE-588.
12//
13//===----------------------------------------------------------------------===//
14
Kristof Umann76a21502018-12-15 16:23:51 +0000[diff] [blame]15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]16#include "clang/AST/RecursiveASTVisitor.h"
Chandler Carruth3a022472012-12-04 09:13:33 +0000[diff] [blame]17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]18#include "clang/StaticAnalyzer/Core/Checker.h"
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
Argyrios Kyrtzidisdff865d2011-02-23 01:05:36 +0000[diff] [blame]20#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]21
22using namespace clang;
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]23using namespace ento;
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]24
25namespace {
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]26class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
27 BugReporter &BR;
28 const CheckerBase *Checker;
29 AnalysisDeclContext *AC;
Argyrios Kyrtzidisdff865d2011-02-23 01:05:36 +0000[diff] [blame]30
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]31public:
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]32 explicit CastToStructVisitor(BugReporter &B, const CheckerBase *Checker,
33 AnalysisDeclContext *A)
34 : BR(B), Checker(Checker), AC(A) {}
35 bool VisitCastExpr(const CastExpr *CE);
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]36};
37}
38
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]39bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]40 const Expr *E = CE->getSubExpr();
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]41 ASTContext &Ctx = AC->getASTContext();
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]42 QualType OrigTy = Ctx.getCanonicalType(E->getType());
43 QualType ToTy = Ctx.getCanonicalType(CE->getType());
44
John McCall424cec92011-01-19 06:33:43 +0000[diff] [blame]45 const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
46 const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]47
48 if (!ToPTy || !OrigPTy)
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]49 return true;
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]50
51 QualType OrigPointeeTy = OrigPTy->getPointeeType();
52 QualType ToPointeeTy = ToPTy->getPointeeType();
53
Douglas Gregor8385a062010-04-26 21:31:17 +0000[diff] [blame]54 if (!ToPointeeTy->isStructureOrClassType())
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]55 return true;
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]56
57 // We allow cast from void*.
58 if (OrigPointeeTy->isVoidType())
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]59 return true;
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]60
61 // Now the cast-to-type is struct pointer, the original type is not void*.
62 if (!OrigPointeeTy->isRecordType()) {
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]63 SourceRange Sr[1] = {CE->getSourceRange()};
64 PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
65 BR.EmitBasicReport(
66 AC->getDecl(), Checker, "Cast from non-struct type to struct type",
67 categories::LogicError, "Casting a non-structure type to a structure "
68 "type and accessing a field can lead to memory "
69 "access errors or data corruption.",
70 Loc, Sr);
71 } else {
72 // Don't warn when size of data is unknown.
73 const auto *U = dyn_cast<UnaryOperator>(E);
74 if (!U || U->getOpcode() != UO_AddrOf)
75 return true;
76
77 // Don't warn for references
78 const ValueDecl *VD = nullptr;
79 if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
George Burgess IV00f70bd2018-03-01 05:43:23 +0000[diff] [blame]80 VD = SE->getDecl();
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]81 else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr()))
82 VD = SE->getMemberDecl();
83 if (!VD || VD->getType()->isReferenceType())
84 return true;
85
Daniel Marjamakicf715bd2017-03-07 19:20:48 +0000[diff] [blame]86 if (ToPointeeTy->isIncompleteType() ||
87 OrigPointeeTy->isIncompleteType())
88 return true;
89
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]90 // Warn when there is widening cast.
91 unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
92 unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
93 if (ToWidth <= OrigWidth)
94 return true;
95
96 PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
97 BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
98 categories::LogicError,
99 "Casting data to a larger structure type and accessing "
100 "a field can lead to memory access errors or data "
101 "corruption.",
102 Loc, CE->getSourceRange());
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]103 }
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]104
105 return true;
Zhongxing Xuf06c6842009-11-09 08:07:38 +0000[diff] [blame]106}
107
Daniel Marjamaki13264eb2016-09-26 15:17:18 +0000[diff] [blame]108namespace {
109class CastToStructChecker : public Checker<check::ASTCodeBody> {
110public:
111 void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
112 BugReporter &BR) const {
113 CastToStructVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D));
114 Visitor.TraverseDecl(const_cast<Decl *>(D));
115 }
116};
117} // end anonymous namespace
118
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]119void ento::registerCastToStructChecker(CheckerManager &mgr) {
Argyrios Kyrtzidisdff865d2011-02-23 01:05:36 +0000[diff] [blame]120 mgr.registerChecker<CastToStructChecker>();
Argyrios Kyrtzidis507ff532011-02-17 21:39:17 +0000[diff] [blame]121}
Kristof Umann058a7a42019-01-26 14:23:08 +0000[diff] [blame]122
123bool ento::shouldRegisterCastToStructChecker(const LangOptions &LO) {
124 return true;
125}