void StringLiteralWithEmbeddedNulCheck::registerMatchers(MatchFinder *Finder) {
// Match a string that contains embedded NUL character. Extra-checks are
// applied in |check| to find incorectly escaped characters.
Finder->addMatcher(stringLiteral(containsNul()).bind("strlit"), this);
// The remaining checks only apply to C++.
if (!getLangOpts().CPlusPlus)
return;
const auto StrLitWithNul =
ignoringParenImpCasts(stringLiteral(containsNul()).bind("truncated"));
// Match string constructor.
const auto StringConstructorExpr = expr(anyOf(
cxxConstructExpr(argumentCountIs(1),
hasDeclaration(cxxMethodDecl(hasName("basic_string")))),
// If present, the second argument is the alloc object which must not
// be present explicitly.
cxxConstructExpr(argumentCountIs(2),
hasDeclaration(cxxMethodDecl(hasName("basic_string"))),
hasArgument(1, cxxDefaultArgExpr()))));
// Detect passing a suspicious string literal to a string constructor.
// example: std::string str = "abc\0def";
Finder->addMatcher(
cxxConstructExpr(StringConstructorExpr, hasArgument(0, StrLitWithNul)),
this);
// Detect passing a suspicious string literal through an overloaded operator.
Finder->addMatcher(cxxOperatorCallExpr(hasAnyArgument(StrLitWithNul)), this);
}
void StrCatAppendCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
const auto StrCat = functionDecl(hasName("::absl::StrCat"));
// The arguments of absl::StrCat are implicitly converted to AlphaNum. This
// matches to the arguments because of that behavior.
const auto AlphaNum = IgnoringTemporaries(cxxConstructExpr(
argumentCountIs(1), hasType(cxxRecordDecl(hasName("::absl::AlphaNum"))),
hasArgument(0, ignoringImpCasts(declRefExpr(to(equalsBoundNode("LHS")),
expr().bind("Arg0"))))));
const auto HasAnotherReferenceToLhs =
callExpr(hasAnyArgument(expr(hasDescendant(declRefExpr(
to(equalsBoundNode("LHS")), unless(equalsBoundNode("Arg0")))))));
// Now look for calls to operator= with an object on the LHS and a call to
// StrCat on the RHS. The first argument of the StrCat call should be the same
// as the LHS. Ignore calls from template instantiations.
Finder->addMatcher(
cxxOperatorCallExpr(
unless(isInTemplateInstantiation()), hasOverloadedOperatorName("="),
hasArgument(0, declRefExpr(to(decl().bind("LHS")))),
hasArgument(1, IgnoringTemporaries(
callExpr(callee(StrCat), hasArgument(0, AlphaNum),
unless(HasAnotherReferenceToLhs))
.bind("Call"))))
.bind("Op"),
this);
}
void UseEmplaceCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus11)
return;
// FIXME: Bunch of functionality that could be easily added:
// + add handling of `push_front` for std::forward_list, std::list
// and std::deque.
// + add handling of `push` for std::stack, std::queue, std::priority_queue
// + add handling of `insert` for stl associative container, but be careful
// because this requires special treatment (it could cause performance
// regression)
// + match for emplace calls that should be replaced with insertion
// + match for make_pair calls.
auto callPushBack = cxxMemberCallExpr(
hasDeclaration(functionDecl(hasName("push_back"))),
on(hasType(cxxRecordDecl(hasAnyName("std::vector", "llvm::SmallVector",
"std::list", "std::deque")))));
// We can't replace push_backs of smart pointer because
// if emplacement fails (f.e. bad_alloc in vector) we will have leak of
// passed pointer because smart pointer won't be constructed
// (and destructed) as in push_back case.
auto isCtorOfSmartPtr = hasDeclaration(cxxConstructorDecl(
ofClass(hasAnyName("std::shared_ptr", "std::unique_ptr", "std::auto_ptr",
"std::weak_ptr"))));
// Bitfields binds only to consts and emplace_back take it by universal ref.
auto bitFieldAsArgument = hasAnyArgument(ignoringParenImpCasts(
memberExpr(hasDeclaration(fieldDecl(matchers::isBitfield())))));
// We could have leak of resource.
auto newExprAsArgument = hasAnyArgument(ignoringParenImpCasts(cxxNewExpr()));
auto constructingDerived =
hasParent(implicitCastExpr(hasCastKind(CastKind::CK_DerivedToBase)));
auto hasInitList = has(ignoringParenImpCasts(initListExpr()));
auto soughtConstructExpr =
cxxConstructExpr(
unless(anyOf(isCtorOfSmartPtr, hasInitList, bitFieldAsArgument,
newExprAsArgument, constructingDerived,
has(materializeTemporaryExpr(hasInitList)))))
.bind("ctor");
auto hasConstructExpr = has(ignoringParenImpCasts(soughtConstructExpr));
auto ctorAsArgument = materializeTemporaryExpr(
anyOf(hasConstructExpr, has(cxxFunctionalCastExpr(hasConstructExpr))));
Finder->addMatcher(
cxxMemberCallExpr(callPushBack, has(ctorAsArgument)).bind("call"), this);
}
void InefficientStringConcatenationCheck::registerMatchers(
MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
const auto BasicStringType =
hasType(qualType(hasUnqualifiedDesugaredType(recordType(
hasDeclaration(cxxRecordDecl(hasName("::std::basic_string")))))));
const auto BasicStringPlusOperator = cxxOperatorCallExpr(
hasOverloadedOperatorName("+"),
hasAnyArgument(ignoringImpCasts(declRefExpr(BasicStringType))));
const auto PlusOperator =
cxxOperatorCallExpr(
hasOverloadedOperatorName("+"),
hasAnyArgument(ignoringImpCasts(declRefExpr(BasicStringType))),
hasDescendant(BasicStringPlusOperator))
.bind("plusOperator");
const auto AssignOperator = cxxOperatorCallExpr(
hasOverloadedOperatorName("="),
hasArgument(0, declRefExpr(BasicStringType,
hasDeclaration(decl().bind("lhsStrT")))
.bind("lhsStr")),
hasArgument(1, stmt(hasDescendant(declRefExpr(
hasDeclaration(decl(equalsBoundNode("lhsStrT"))))))),
hasDescendant(BasicStringPlusOperator));
if (StrictMode) {
Finder->addMatcher(cxxOperatorCallExpr(anyOf(AssignOperator, PlusOperator)),
this);
} else {
Finder->addMatcher(
cxxOperatorCallExpr(anyOf(AssignOperator, PlusOperator),
hasAncestor(stmt(anyOf(cxxForRangeStmt(),
whileStmt(), forStmt())))),
this);
}
}
void MisplacedOperatorInStrlenInAllocCheck::registerMatchers(
MatchFinder *Finder) {
const auto StrLenFunc = functionDecl(anyOf(
hasName("::strlen"), hasName("::std::strlen"), hasName("::strnlen"),
hasName("::std::strnlen"), hasName("::strnlen_s"),
hasName("::std::strnlen_s"), hasName("::wcslen"),
hasName("::std::wcslen"), hasName("::wcsnlen"), hasName("::std::wcsnlen"),
hasName("::wcsnlen_s"), hasName("std::wcsnlen_s")));
const auto BadUse =
callExpr(callee(StrLenFunc),
hasAnyArgument(ignoringImpCasts(
binaryOperator(
hasOperatorName("+"),
hasRHS(ignoringParenImpCasts(integerLiteral(equals(1)))))
.bind("BinOp"))))
.bind("StrLen");
const auto BadArg = anyOf(
allOf(unless(binaryOperator(
hasOperatorName("+"), hasLHS(BadUse),
hasRHS(ignoringParenImpCasts(integerLiteral(equals(1)))))),
hasDescendant(BadUse)),
BadUse);
const auto Alloc0Func =
functionDecl(anyOf(hasName("::malloc"), hasName("std::malloc"),
hasName("::alloca"), hasName("std::alloca")));
const auto Alloc1Func =
functionDecl(anyOf(hasName("::calloc"), hasName("std::calloc"),
hasName("::realloc"), hasName("std::realloc")));
const auto Alloc0FuncPtr =
varDecl(hasType(isConstQualified()),
hasInitializer(ignoringParenImpCasts(
declRefExpr(hasDeclaration(Alloc0Func)))));
const auto Alloc1FuncPtr =
varDecl(hasType(isConstQualified()),
hasInitializer(ignoringParenImpCasts(
declRefExpr(hasDeclaration(Alloc1Func)))));
Finder->addMatcher(callExpr(callee(decl(anyOf(Alloc0Func, Alloc0FuncPtr))),
hasArgument(0, BadArg))
.bind("Alloc"),
this);
Finder->addMatcher(callExpr(callee(decl(anyOf(Alloc1Func, Alloc1FuncPtr))),
hasArgument(1, BadArg))
.bind("Alloc"),
this);
Finder->addMatcher(
cxxNewExpr(isArray(), hasArraySize(BadArg)).bind("Alloc"), this);
}
void MisplacedWideningCastCheck::registerMatchers(MatchFinder *Finder) {
const auto Calc =
expr(anyOf(binaryOperator(
anyOf(hasOperatorName("+"), hasOperatorName("-"),
hasOperatorName("*"), hasOperatorName("<<"))),
unaryOperator(hasOperatorName("~"))),
hasType(isInteger()))
.bind("Calc");
const auto ExplicitCast = explicitCastExpr(hasDestinationType(isInteger()),
has(ignoringParenImpCasts(Calc)));
const auto ImplicitCast =
implicitCastExpr(hasImplicitDestinationType(isInteger()),
has(ignoringParenImpCasts(Calc)));
const auto Cast = expr(anyOf(ExplicitCast, ImplicitCast)).bind("Cast");
Finder->addMatcher(varDecl(hasInitializer(Cast)), this);
Finder->addMatcher(returnStmt(hasReturnValue(Cast)), this);
Finder->addMatcher(callExpr(hasAnyArgument(Cast)), this);
Finder->addMatcher(binaryOperator(hasOperatorName("="), hasRHS(Cast)), this);
Finder->addMatcher(
binaryOperator(matchers::isComparisonOperator(), hasEitherOperand(Cast)),
this);
}
void UseEmplaceCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus11)
return;
// FIXME: Bunch of functionality that could be easily added:
// + add handling of `push_front` for std::forward_list, std::list
// and std::deque.
// + add handling of `push` for std::stack, std::queue, std::priority_queue
// + add handling of `insert` for stl associative container, but be careful
// because this requires special treatment (it could cause performance
// regression)
// + match for emplace calls that should be replaced with insertion
// + match for make_pair calls.
auto callPushBack = cxxMemberCallExpr(
hasDeclaration(functionDecl(hasName("push_back"))),
on(hasType(cxxRecordDecl(hasAnyName(SmallVector<StringRef, 5>(
ContainersWithPushBack.begin(), ContainersWithPushBack.end()))))));
// We can't replace push_backs of smart pointer because
// if emplacement fails (f.e. bad_alloc in vector) we will have leak of
// passed pointer because smart pointer won't be constructed
// (and destructed) as in push_back case.
auto isCtorOfSmartPtr = hasDeclaration(cxxConstructorDecl(ofClass(hasAnyName(
SmallVector<StringRef, 5>(SmartPointers.begin(), SmartPointers.end())))));
// Bitfields binds only to consts and emplace_back take it by universal ref.
auto bitFieldAsArgument = hasAnyArgument(
ignoringImplicit(memberExpr(hasDeclaration(fieldDecl(isBitField())))));
// Initializer list can't be passed to universal reference.
auto initializerListAsArgument = hasAnyArgument(
ignoringImplicit(cxxConstructExpr(isListInitialization())));
// We could have leak of resource.
auto newExprAsArgument = hasAnyArgument(ignoringImplicit(cxxNewExpr()));
// We would call another constructor.
auto constructingDerived =
hasParent(implicitCastExpr(hasCastKind(CastKind::CK_DerivedToBase)));
// emplace_back can't access private constructor.
auto isPrivateCtor = hasDeclaration(cxxConstructorDecl(isPrivate()));
auto hasInitList = has(ignoringImplicit(initListExpr()));
// FIXME: Discard 0/NULL (as nullptr), static inline const data members,
// overloaded functions and template names.
auto soughtConstructExpr =
cxxConstructExpr(
unless(anyOf(isCtorOfSmartPtr, hasInitList, bitFieldAsArgument,
initializerListAsArgument, newExprAsArgument,
constructingDerived, isPrivateCtor)))
.bind("ctor");
auto hasConstructExpr = has(ignoringImplicit(soughtConstructExpr));
auto ctorAsArgument = materializeTemporaryExpr(
anyOf(hasConstructExpr, has(cxxFunctionalCastExpr(hasConstructExpr))));
Finder->addMatcher(cxxMemberCallExpr(callPushBack, has(ctorAsArgument),
unless(isInTemplateInstantiation()))
.bind("call"),
this);
}
#include "ASTUtility.h"
//StatementMatcher callExprMatcher = callExpr().bind("callexpr");
StatementMatcher mallocMatcher = callExpr(callee(functionDecl(hasName("malloc")).bind("m"))).bind("mallocCall");
StatementMatcher freeMatcher = callExpr(callee(functionDecl(hasName("free")).bind("f"))).bind("freeCall");
StatementMatcher reallocMatcher = callExpr(callee(functionDecl(hasName("realloc")).bind("r"))).bind("reallocCall");
//memcpy arrayType non-builtin = pointer or user-defined
StatementMatcher memcpyAryMatcher = callExpr(
callee(functionDecl(hasName("memcpy")).bind("cpy")),
hasAnyArgument(ignoringImpCasts(declRefExpr(
to(declaratorDecl(hasType(arrayType(
unless(hasElementType(builtinType()))).bind("cpyParm")))))))
).bind("memcpyCall");
StatementMatcher memcpyPtrMatcher = callExpr(
callee(functionDecl(hasName("memcpy")).bind("cpy")),
hasAnyArgument(ignoringImpCasts(declRefExpr(
to(declaratorDecl(hasType(pointerType(
pointee(unless(builtinType()))).bind("cpyParmPtr")))))))
).bind("memcpyCall");
StatementMatcher memcmpAryMatcher = callExpr(
callee(functionDecl(hasName("memcmp")).bind("cmp")),
hasAnyArgument(ignoringImpCasts(declRefExpr(
to(declaratorDecl(hasType(arrayType(
unless(hasElementType(builtinType()))).bind("cmpParm")))))))
).bind("memcmpCall");
StatementMatcher memcmpPtrMatcher = callExpr(
callee(functionDecl(hasName("memcmp")).bind("cmp")),
hasAnyArgument(ignoringImpCasts(declRefExpr(
void CanRunScriptChecker::registerMatchers(MatchFinder *AstMatcher) {
auto InvalidArg =
// We want to find any expression,
ignoreTrivials(expr(
// which has a refcounted pointer type,
hasType(pointerType(
pointee(hasDeclaration(cxxRecordDecl(isRefCounted()))))),
// and which is not this,
unless(cxxThisExpr()),
// and which is not a method call on a smart ptr,
unless(cxxMemberCallExpr(on(hasType(isSmartPtrToRefCounted())))),
// and which is not a parameter of the parent function,
unless(declRefExpr(to(parmVarDecl()))),
// and which is not a MOZ_KnownLive wrapped value.
unless(callExpr(callee(functionDecl(hasName("MOZ_KnownLive"))))),
expr().bind("invalidArg")));
auto OptionalInvalidExplicitArg = anyOf(
// We want to find any argument which is invalid.
hasAnyArgument(InvalidArg),
// This makes this matcher optional.
anything());
// Please not that the hasCanRunScriptAnnotation() matchers are not present
// directly in the cxxMemberCallExpr, callExpr and constructExpr matchers
// because we check that the corresponding functions can run script later in
// the checker code.
AstMatcher->addMatcher(
expr(
anyOf(
// We want to match a method call expression,
cxxMemberCallExpr(
// which optionally has an invalid arg,
OptionalInvalidExplicitArg,
// or which optionally has an invalid implicit this argument,
anyOf(
// which derefs into an invalid arg,
on(cxxOperatorCallExpr(
anyOf(hasAnyArgument(InvalidArg), anything()))),
// or is an invalid arg.
on(InvalidArg),
anything()),
expr().bind("callExpr")),
// or a regular call expression,
callExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("callExpr")),
// or a construct expression,
cxxConstructExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("constructExpr"))),
anyOf(
// We want to match the parent function.
forFunction(functionDecl().bind("nonCanRunScriptParentFunction")),
// ... optionally.
anything())),
this);
}