void UnconventionalAssignOperatorCheck::registerMatchers(
ast_matchers::MatchFinder *Finder) {
// Only register the matchers for C++; the functionality currently does not
// provide any benefit to other languages, despite being benign.
if (!getLangOpts().CPlusPlus)
return;
const auto HasGoodReturnType = cxxMethodDecl(returns(lValueReferenceType(
pointee(unless(isConstQualified()),
anyOf(autoType(), hasDeclaration(equalsBoundNode("class")))))));
const auto IsSelf = qualType(
anyOf(hasDeclaration(equalsBoundNode("class")),
referenceType(pointee(hasDeclaration(equalsBoundNode("class"))))));
const auto IsAssign =
cxxMethodDecl(unless(anyOf(isDeleted(), isPrivate(), isImplicit())),
hasName("operator="), ofClass(recordDecl().bind("class")))
.bind("method");
const auto IsSelfAssign =
cxxMethodDecl(IsAssign, hasParameter(0, parmVarDecl(hasType(IsSelf))))
.bind("method");
Finder->addMatcher(
cxxMethodDecl(IsAssign, unless(HasGoodReturnType)).bind("ReturnType"),
this);
const auto BadSelf = referenceType(
anyOf(lValueReferenceType(pointee(unless(isConstQualified()))),
rValueReferenceType(pointee(isConstQualified()))));
Finder->addMatcher(
cxxMethodDecl(IsSelfAssign,
hasParameter(0, parmVarDecl(hasType(BadSelf))))
.bind("ArgumentType"),
this);
Finder->addMatcher(
cxxMethodDecl(IsSelfAssign, anyOf(isConst(), isVirtual())).bind("cv"),
this);
const auto IsBadReturnStatement = returnStmt(unless(has(ignoringParenImpCasts(
anyOf(unaryOperator(hasOperatorName("*"), hasUnaryOperand(cxxThisExpr())),
cxxOperatorCallExpr(argumentCountIs(1),
callee(unresolvedLookupExpr()),
hasArgument(0, cxxThisExpr())))))));
const auto IsGoodAssign = cxxMethodDecl(IsAssign, HasGoodReturnType);
Finder->addMatcher(returnStmt(IsBadReturnStatement, forFunction(IsGoodAssign))
.bind("returnStmt"),
this);
}
void ParentVirtualCallCheck::registerMatchers(MatchFinder *Finder) {
Finder->addMatcher(
cxxMemberCallExpr(
callee(memberExpr(hasDescendant(implicitCastExpr(
hasImplicitDestinationType(pointsTo(
type(anything()).bind("castToType"))),
hasSourceExpression(cxxThisExpr(hasType(
type(anything()).bind("thisType")))))))
.bind("member")),
callee(cxxMethodDecl(isVirtual()))),
this);
}
void ProperlySeededRandomGeneratorCheck::registerMatchers(MatchFinder *Finder) {
auto RandomGeneratorEngineDecl = cxxRecordDecl(hasAnyName(
"::std::linear_congruential_engine", "::std::mersenne_twister_engine",
"::std::subtract_with_carry_engine", "::std::discard_block_engine",
"::std::independent_bits_engine", "::std::shuffle_order_engine"));
auto RandomGeneratorEngineTypeMatcher = hasType(hasUnqualifiedDesugaredType(
recordType(hasDeclaration(RandomGeneratorEngineDecl))));
// std::mt19937 engine;
// engine.seed();
// ^
// engine.seed(1);
// ^
// const int x = 1;
// engine.seed(x);
// ^
Finder->addMatcher(
cxxMemberCallExpr(
has(memberExpr(has(declRefExpr(RandomGeneratorEngineTypeMatcher)),
member(hasName("seed")),
unless(hasDescendant(cxxThisExpr())))))
.bind("seed"),
this);
// std::mt19937 engine;
// ^
// std::mt19937 engine(1);
// ^
// const int x = 1;
// std::mt19937 engine(x);
// ^
Finder->addMatcher(
cxxConstructExpr(RandomGeneratorEngineTypeMatcher).bind("ctor"), this);
// srand();
// ^
// const int x = 1;
// srand(x);
// ^
Finder->addMatcher(
callExpr(callee(functionDecl(hasAnyName("::srand", "::std::srand"))))
.bind("srand"),
this);
}
void CanRunScriptChecker::registerMatchers(MatchFinder *AstMatcher) {
auto InvalidArg =
// We want to find any expression,
ignoreTrivials(expr(
// which has a refcounted pointer type,
hasType(pointerType(
pointee(hasDeclaration(cxxRecordDecl(isRefCounted()))))),
// and which is not this,
unless(cxxThisExpr()),
// and which is not a method call on a smart ptr,
unless(cxxMemberCallExpr(on(hasType(isSmartPtrToRefCounted())))),
// and which is not a parameter of the parent function,
unless(declRefExpr(to(parmVarDecl()))),
// and which is not a MOZ_KnownLive wrapped value.
unless(callExpr(callee(functionDecl(hasName("MOZ_KnownLive"))))),
expr().bind("invalidArg")));
auto OptionalInvalidExplicitArg = anyOf(
// We want to find any argument which is invalid.
hasAnyArgument(InvalidArg),
// This makes this matcher optional.
anything());
// Please not that the hasCanRunScriptAnnotation() matchers are not present
// directly in the cxxMemberCallExpr, callExpr and constructExpr matchers
// because we check that the corresponding functions can run script later in
// the checker code.
AstMatcher->addMatcher(
expr(
anyOf(
// We want to match a method call expression,
cxxMemberCallExpr(
// which optionally has an invalid arg,
OptionalInvalidExplicitArg,
// or which optionally has an invalid implicit this argument,
anyOf(
// which derefs into an invalid arg,
on(cxxOperatorCallExpr(
anyOf(hasAnyArgument(InvalidArg), anything()))),
// or is an invalid arg.
on(InvalidArg),
anything()),
expr().bind("callExpr")),
// or a regular call expression,
callExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("callExpr")),
// or a construct expression,
cxxConstructExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("constructExpr"))),
anyOf(
// We want to match the parent function.
forFunction(functionDecl().bind("nonCanRunScriptParentFunction")),
// ... optionally.
anything())),
this);
}
void DanglingOnTemporaryChecker::registerMatchers(MatchFinder *AstMatcher) {
////////////////////////////////////////
// Quick annotation conflict checkers //
////////////////////////////////////////
AstMatcher->addMatcher(
// This is a matcher on a method declaration,
cxxMethodDecl(
// which is marked as no dangling on temporaries,
noDanglingOnTemporaries(),
// and which is && ref-qualified.
isRValueRefQualified(),
decl().bind("invalidMethodRefQualified")),
this);
AstMatcher->addMatcher(
// This is a matcher on a method declaration,
cxxMethodDecl(
// which is marked as no dangling on temporaries,
noDanglingOnTemporaries(),
// which returns a primitive type,
returns(builtinType()),
// and which doesn't return a pointer.
unless(returns(pointerType())),
decl().bind("invalidMethodPointer")),
this);
//////////////////
// Main checker //
//////////////////
auto hasParentCall =
hasParent(expr(anyOf(
cxxOperatorCallExpr(
// If we're in a lamda, we may have an operator call expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// constructor call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentOperatorCallExpr")),
callExpr(
// If we're in a lamda, we may have a call expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// function call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentCallExpr")),
objcMessageExpr(
// If we're in a lamda, we may have an objc message expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// function call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentObjCMessageExpr")),
cxxConstructExpr(
// If we're in a lamda, we may have a construct expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// constructor call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentConstructExpr")))));
AstMatcher->addMatcher(
// This is a matcher on a method call,
cxxMemberCallExpr(
// which is in first party code,
isFirstParty(),
// and which is performed on a temporary,
on(allOf(
unless(hasType(pointerType())),
isTemporary(),
// but which is not `this`.
unless(cxxThisExpr()))),
// and which is marked as no dangling on temporaries.
callee(cxxMethodDecl(noDanglingOnTemporaries())),
expr().bind("memberCallExpr"),
// We optionally match a parent call expression or a parent construct
// expression because using a temporary inside a call is fine as long
// as the pointer doesn't escape the function call.
anyOf(
// This is the case where the call is the direct parent, so we
// know that the member call expression is the argument.
allOf(hasParentCall, expr().bind("parentCallArg")),
// This is the case where the call is not the direct parent, so we
// get its child to know in which argument tree we are.
hasAncestor(expr(
hasParentCall,
expr().bind("parentCallArg"))),
// To make it optional.
anything())),
this);
}
