void StringLiteralWithEmbeddedNulCheck::registerMatchers(MatchFinder *Finder) {
// Match a string that contains embedded NUL character. Extra-checks are
// applied in |check| to find incorectly escaped characters.
Finder->addMatcher(stringLiteral(containsNul()).bind("strlit"), this);
// The remaining checks only apply to C++.
if (!getLangOpts().CPlusPlus)
return;
const auto StrLitWithNul =
ignoringParenImpCasts(stringLiteral(containsNul()).bind("truncated"));
// Match string constructor.
const auto StringConstructorExpr = expr(anyOf(
cxxConstructExpr(argumentCountIs(1),
hasDeclaration(cxxMethodDecl(hasName("basic_string")))),
// If present, the second argument is the alloc object which must not
// be present explicitly.
cxxConstructExpr(argumentCountIs(2),
hasDeclaration(cxxMethodDecl(hasName("basic_string"))),
hasArgument(1, cxxDefaultArgExpr()))));
// Detect passing a suspicious string literal to a string constructor.
// example: std::string str = "abc\0def";
Finder->addMatcher(
cxxConstructExpr(StringConstructorExpr, hasArgument(0, StrLitWithNul)),
this);
// Detect passing a suspicious string literal through an overloaded operator.
Finder->addMatcher(cxxOperatorCallExpr(hasAnyArgument(StrLitWithNul)), this);
}
void InaccurateEraseCheck::registerMatchers(MatchFinder *Finder) {
// Only register the matchers for C++; the functionality currently does not
// provide any benefit to other languages, despite being benign.
if (!getLangOpts().CPlusPlus)
return;
const auto EndCall =
callExpr(
callee(functionDecl(hasAnyName("remove", "remove_if", "unique"))),
hasArgument(
1,
anyOf(cxxConstructExpr(has(ignoringImplicit(
cxxMemberCallExpr(callee(cxxMethodDecl(hasName("end"))))
.bind("end")))),
anything())))
.bind("alg");
const auto DeclInStd = type(hasUnqualifiedDesugaredType(
tagType(hasDeclaration(decl(isInStdNamespace())))));
Finder->addMatcher(
cxxMemberCallExpr(
on(anyOf(hasType(DeclInStd), hasType(pointsTo(DeclInStd)))),
callee(cxxMethodDecl(hasName("erase"))), argumentCountIs(1),
hasArgument(0, has(ignoringImplicit(
anyOf(EndCall, has(ignoringImplicit(EndCall)))))),
unless(isInTemplateInstantiation()))
.bind("erase"),
this);
}
void InaccurateEraseCheck::registerMatchers(MatchFinder *Finder) {
// Only register the matchers for C++; the functionality currently does not
// provide any benefit to other languages, despite being benign.
if (!getLangOpts().CPlusPlus)
return;
const auto CheckForEndCall = hasArgument(
1, anyOf(cxxConstructExpr(has(ignoringParenImpCasts(
cxxMemberCallExpr(callee(cxxMethodDecl(hasName("end"))))
.bind("InaccEndCall")))),
anything()));
Finder->addMatcher(
cxxMemberCallExpr(
on(hasType(namedDecl(matchesName("^::std::")))),
callee(cxxMethodDecl(hasName("erase"))), argumentCountIs(1),
hasArgument(0, has(ignoringParenImpCasts(
callExpr(callee(functionDecl(matchesName(
"^::std::(remove(_if)?|unique)$"))),
CheckForEndCall)
.bind("InaccAlgCall")))),
unless(isInTemplateInstantiation()))
.bind("InaccErase"),
this);
}
void StrCatAppendCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
const auto StrCat = functionDecl(hasName("::absl::StrCat"));
// The arguments of absl::StrCat are implicitly converted to AlphaNum. This
// matches to the arguments because of that behavior.
const auto AlphaNum = IgnoringTemporaries(cxxConstructExpr(
argumentCountIs(1), hasType(cxxRecordDecl(hasName("::absl::AlphaNum"))),
hasArgument(0, ignoringImpCasts(declRefExpr(to(equalsBoundNode("LHS")),
expr().bind("Arg0"))))));
const auto HasAnotherReferenceToLhs =
callExpr(hasAnyArgument(expr(hasDescendant(declRefExpr(
to(equalsBoundNode("LHS")), unless(equalsBoundNode("Arg0")))))));
// Now look for calls to operator= with an object on the LHS and a call to
// StrCat on the RHS. The first argument of the StrCat call should be the same
// as the LHS. Ignore calls from template instantiations.
Finder->addMatcher(
cxxOperatorCallExpr(
unless(isInTemplateInstantiation()), hasOverloadedOperatorName("="),
hasArgument(0, declRefExpr(to(decl().bind("LHS")))),
hasArgument(1, IgnoringTemporaries(
callExpr(callee(StrCat), hasArgument(0, AlphaNum),
unless(HasAnotherReferenceToLhs))
.bind("Call"))))
.bind("Op"),
this);
}
void MakeSmartPtrCheck::registerMatchers(ast_matchers::MatchFinder *Finder) {
if (!isLanguageVersionSupported(getLangOpts()))
return;
// Calling make_smart_ptr from within a member function of a type with a
// private or protected constructor would be ill-formed.
auto CanCallCtor = unless(has(ignoringImpCasts(
cxxConstructExpr(hasDeclaration(decl(unless(isPublic())))))));
Finder->addMatcher(
cxxBindTemporaryExpr(has(ignoringParenImpCasts(
cxxConstructExpr(
hasType(getSmartPointerTypeMatcher()), argumentCountIs(1),
hasArgument(0,
cxxNewExpr(hasType(pointsTo(qualType(hasCanonicalType(
equalsBoundNode(PointerType))))),
CanCallCtor)
.bind(NewExpression)),
unless(isInTemplateInstantiation()))
.bind(ConstructorCall)))),
this);
Finder->addMatcher(
cxxMemberCallExpr(
thisPointerType(getSmartPointerTypeMatcher()),
callee(cxxMethodDecl(hasName("reset"))),
hasArgument(0, cxxNewExpr(CanCallCtor).bind(NewExpression)),
unless(isInTemplateInstantiation()))
.bind(ResetCall),
this);
}
/// \brief Creates a matcher that finds the \c std::auto_ptr copy-ctor and
/// assign-operator expressions.
///
/// \c AutoPtrOwnershipTransferId is assigned to the argument of the expression,
/// this is the part that has to be wrapped by \c std::move().
///
/// \code
/// std::auto_ptr<int> i, j;
/// i = j;
/// ~~~~^
/// \endcode
StatementMatcher makeTransferOwnershipExprMatcher() {
return anyOf(
cxxOperatorCallExpr(allOf(hasOverloadedOperatorName("="),
callee(cxxMethodDecl(ofClass(AutoPtrDecl))),
hasArgument(1, MovableArgumentMatcher))),
cxxConstructExpr(allOf(hasType(AutoPtrType), argumentCountIs(1),
hasArgument(0, MovableArgumentMatcher))));
}
void FasterStringFindCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
const auto SingleChar =
expr(ignoringParenCasts(stringLiteral(hasSize(1)).bind("literal")));
const auto StringFindFunctions =
anyOf(hasName("find"), hasName("rfind"), hasName("find_first_of"),
hasName("find_first_not_of"), hasName("find_last_of"),
hasName("find_last_not_of"));
llvm::Optional<ast_matchers::internal::Matcher<NamedDecl>> IsStringClass;
for (const auto &ClassName : StringLikeClasses) {
const auto HasName = hasName(ClassName);
IsStringClass = IsStringClass ? anyOf(*IsStringClass, HasName) : HasName;
}
if (IsStringClass) {
Finder->addMatcher(
cxxMemberCallExpr(
callee(functionDecl(StringFindFunctions).bind("func")),
anyOf(argumentCountIs(1), argumentCountIs(2)),
hasArgument(0, SingleChar),
on(expr(hasType(recordDecl(*IsStringClass)),
unless(hasSubstitutedType())))),
this);
}
}
void FoldInitTypeCheck::registerMatchers(MatchFinder *Finder) {
// We match functions of interest and bind the iterator and init value types.
// Note: Right now we check only builtin types.
const auto BuiltinTypeWithId = [](const char *ID) {
return hasCanonicalType(builtinType().bind(ID));
};
const auto IteratorWithValueType = [&BuiltinTypeWithId](const char *ID) {
return anyOf(
// Pointer types.
pointsTo(BuiltinTypeWithId(ID)),
// Iterator types.
recordType(hasDeclaration(has(typedefNameDecl(
hasName("value_type"), hasType(BuiltinTypeWithId(ID)))))));
};
const auto IteratorParam = parmVarDecl(
hasType(hasCanonicalType(IteratorWithValueType("IterValueType"))));
const auto Iterator2Param = parmVarDecl(
hasType(hasCanonicalType(IteratorWithValueType("Iter2ValueType"))));
const auto InitParam = parmVarDecl(hasType(BuiltinTypeWithId("InitType")));
// std::accumulate, std::reduce.
Finder->addMatcher(
callExpr(callee(functionDecl(
hasAnyName("::std::accumulate", "::std::reduce"),
hasParameter(0, IteratorParam), hasParameter(2, InitParam))),
argumentCountIs(3))
.bind("Call"),
this);
// std::inner_product.
Finder->addMatcher(
callExpr(callee(functionDecl(hasName("::std::inner_product"),
hasParameter(0, IteratorParam),
hasParameter(2, Iterator2Param),
hasParameter(3, InitParam))),
argumentCountIs(4))
.bind("Call"),
this);
// std::reduce with a policy.
Finder->addMatcher(
callExpr(callee(functionDecl(hasName("::std::reduce"),
hasParameter(1, IteratorParam),
hasParameter(3, InitParam))),
argumentCountIs(4))
.bind("Call"),
this);
// std::inner_product with a policy.
Finder->addMatcher(
callExpr(callee(functionDecl(hasName("::std::inner_product"),
hasParameter(1, IteratorParam),
hasParameter(3, Iterator2Param),
hasParameter(4, InitParam))),
argumentCountIs(5))
.bind("Call"),
this);
}
void
MemsetZeroLengthCheck::registerMatchers(ast_matchers::MatchFinder *Finder) {
// Look for memset(x, y, 0) as those is most likely an argument swap.
// TODO: Also handle other standard functions that suffer from the same
// problem, e.g. memchr.
Finder->addMatcher(
callExpr(callee(functionDecl(hasName("::memset"))), argumentCountIs(3),
unless(isInTemplateInstantiation())).bind("decl"),
this);
}
void FasterStringFindCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
const auto SingleChar =
expr(ignoringParenCasts(stringLiteral(hasSize(1)).bind("literal")));
const auto StringFindFunctions =
hasAnyName("find", "rfind", "find_first_of", "find_first_not_of",
"find_last_of", "find_last_not_of");
Finder->addMatcher(
cxxMemberCallExpr(
callee(functionDecl(StringFindFunctions).bind("func")),
anyOf(argumentCountIs(1), argumentCountIs(2)),
hasArgument(0, SingleChar),
on(expr(
hasType(hasUnqualifiedDesugaredType(recordType(hasDeclaration(
recordDecl(hasAnyName(SmallVector<StringRef, 4>(
StringLikeClasses.begin(), StringLikeClasses.end()))))))),
unless(hasSubstitutedType())))),
this);
}
void UnconventionalAssignOperatorCheck::registerMatchers(
ast_matchers::MatchFinder *Finder) {
// Only register the matchers for C++; the functionality currently does not
// provide any benefit to other languages, despite being benign.
if (!getLangOpts().CPlusPlus)
return;
const auto HasGoodReturnType = cxxMethodDecl(returns(lValueReferenceType(
pointee(unless(isConstQualified()),
anyOf(autoType(), hasDeclaration(equalsBoundNode("class")))))));
const auto IsSelf = qualType(
anyOf(hasDeclaration(equalsBoundNode("class")),
referenceType(pointee(hasDeclaration(equalsBoundNode("class"))))));
const auto IsAssign =
cxxMethodDecl(unless(anyOf(isDeleted(), isPrivate(), isImplicit())),
hasName("operator="), ofClass(recordDecl().bind("class")))
.bind("method");
const auto IsSelfAssign =
cxxMethodDecl(IsAssign, hasParameter(0, parmVarDecl(hasType(IsSelf))))
.bind("method");
Finder->addMatcher(
cxxMethodDecl(IsAssign, unless(HasGoodReturnType)).bind("ReturnType"),
this);
const auto BadSelf = referenceType(
anyOf(lValueReferenceType(pointee(unless(isConstQualified()))),
rValueReferenceType(pointee(isConstQualified()))));
Finder->addMatcher(
cxxMethodDecl(IsSelfAssign,
hasParameter(0, parmVarDecl(hasType(BadSelf))))
.bind("ArgumentType"),
this);
Finder->addMatcher(
cxxMethodDecl(IsSelfAssign, anyOf(isConst(), isVirtual())).bind("cv"),
this);
const auto IsBadReturnStatement = returnStmt(unless(has(ignoringParenImpCasts(
anyOf(unaryOperator(hasOperatorName("*"), hasUnaryOperand(cxxThisExpr())),
cxxOperatorCallExpr(argumentCountIs(1),
callee(unresolvedLookupExpr()),
hasArgument(0, cxxThisExpr())))))));
const auto IsGoodAssign = cxxMethodDecl(IsAssign, HasGoodReturnType);
Finder->addMatcher(returnStmt(IsBadReturnStatement, forFunction(IsGoodAssign))
.bind("returnStmt"),
this);
}
void ReplaceAutoPtrCheck::registerMatchers(MatchFinder *Finder) {
// Only register the matchers for C++; the functionality currently does not
// provide any benefit to other languages, despite being benign.
if (!getLangOpts().CPlusPlus)
return;
auto AutoPtrDecl = recordDecl(hasName("auto_ptr"), isFromStdNamespace());
auto AutoPtrType = qualType(hasDeclaration(AutoPtrDecl));
// std::auto_ptr<int> a;
// ^~~~~~~~~~~~~
//
// typedef std::auto_ptr<int> int_ptr_t;
// ^~~~~~~~~~~~~
//
// std::auto_ptr<int> fn(std::auto_ptr<int>);
// ^~~~~~~~~~~~~ ^~~~~~~~~~~~~
Finder->addMatcher(typeLoc(loc(qualType(AutoPtrType,
// Skip elaboratedType() as the named
// type will match soon thereafter.
unless(elaboratedType()))))
.bind(AutoPtrTokenId),
this);
// using std::auto_ptr;
// ^~~~~~~~~~~~~~~~~~~
Finder->addMatcher(usingDecl(hasAnyUsingShadowDecl(hasTargetDecl(allOf(
hasName("auto_ptr"), isFromStdNamespace()))))
.bind(AutoPtrTokenId),
this);
// Find ownership transfers via copy construction and assignment.
// AutoPtrOwnershipTransferId is bound to the the part that has to be wrapped
// into std::move().
// std::auto_ptr<int> i, j;
// i = j;
// ~~~~^
auto MovableArgumentMatcher =
expr(isLValue(), hasType(AutoPtrType)).bind(AutoPtrOwnershipTransferId);
Finder->addMatcher(
cxxOperatorCallExpr(hasOverloadedOperatorName("="),
callee(cxxMethodDecl(ofClass(AutoPtrDecl))),
hasArgument(1, MovableArgumentMatcher)),
this);
Finder->addMatcher(cxxConstructExpr(hasType(AutoPtrType), argumentCountIs(1),
hasArgument(0, MovableArgumentMatcher)),
this);
}
void CommandProcessorCheck::registerMatchers(MatchFinder *Finder) {
Finder->addMatcher(
callExpr(
callee(functionDecl(anyOf(hasName("::system"), hasName("::popen"),
hasName("::_popen")))
.bind("func")),
// Do not diagnose when the call expression passes a null pointer
// constant to system(); that only checks for the presence of a
// command processor, which is not a security risk by itself.
unless(callExpr(callee(functionDecl(hasName("::system"))),
argumentCountIs(1),
hasArgument(0, nullPointerConstant()))))
.bind("expr"),
this);
}
void UseToStringCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
Finder->addMatcher(
callExpr(
hasDeclaration(functionDecl(
returns(hasDeclaration(classTemplateSpecializationDecl(
hasName("std::basic_string"),
hasTemplateArgument(0,
templateArgument().bind("char_type"))))),
hasName("boost::lexical_cast"),
hasParameter(0, hasType(qualType(has(substTemplateTypeParmType(
isStrictlyInteger()))))))),
argumentCountIs(1), unless(isInTemplateInstantiation()))
.bind("to_string"),
this);
}
void MoveConstArgCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
auto MoveCallMatcher =
callExpr(callee(functionDecl(hasName("::std::move"))), argumentCountIs(1),
unless(isInTemplateInstantiation()))
.bind("call-move");
Finder->addMatcher(MoveCallMatcher, this);
auto ConstParamMatcher = forEachArgumentWithParam(
MoveCallMatcher, parmVarDecl(hasType(references(isConstQualified()))));
Finder->addMatcher(callExpr(ConstParamMatcher).bind("receiving-expr"), this);
Finder->addMatcher(cxxConstructExpr(ConstParamMatcher).bind("receiving-expr"),
this);
}
void CanRunScriptChecker::registerMatchers(MatchFinder *AstMatcher) {
auto Refcounted = qualType(hasDeclaration(cxxRecordDecl(isRefCounted())));
auto InvalidArg =
// We want to find any expression,
ignoreTrivials(expr(
// which has a refcounted pointer type,
anyOf(
hasType(Refcounted),
hasType(pointsTo(Refcounted)),
hasType(references(Refcounted))
),
// and which is not this,
unless(cxxThisExpr()),
// and which is not a method call on a smart ptr,
unless(cxxMemberCallExpr(on(hasType(isSmartPtrToRefCounted())))),
// and which is not calling operator* on a smart ptr.
unless(
allOf(
cxxOperatorCallExpr(hasOverloadedOperatorName("*")),
callExpr(allOf(
hasAnyArgument(hasType(isSmartPtrToRefCounted())),
argumentCountIs(1)
))
)
),
// and which is not a parameter of the parent function,
unless(declRefExpr(to(parmVarDecl()))),
// and which is not a MOZ_KnownLive wrapped value.
unless(callExpr(callee(functionDecl(hasName("MOZ_KnownLive"))))),
expr().bind("invalidArg")));
auto OptionalInvalidExplicitArg = anyOf(
// We want to find any argument which is invalid.
hasAnyArgument(InvalidArg),
// This makes this matcher optional.
anything());
// Please note that the hasCanRunScriptAnnotation() matchers are not present
// directly in the cxxMemberCallExpr, callExpr and constructExpr matchers
// because we check that the corresponding functions can run script later in
// the checker code.
AstMatcher->addMatcher(
expr(
anyOf(
// We want to match a method call expression,
cxxMemberCallExpr(
// which optionally has an invalid arg,
OptionalInvalidExplicitArg,
// or which optionally has an invalid implicit this argument,
anyOf(
// which derefs into an invalid arg,
on(cxxOperatorCallExpr(
anyOf(hasAnyArgument(InvalidArg), anything()))),
// or is an invalid arg.
on(InvalidArg),
anything()),
expr().bind("callExpr")),
// or a regular call expression,
callExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("callExpr")),
// or a construct expression,
cxxConstructExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("constructExpr"))),
anyOf(
// We want to match the parent function.
forFunction(functionDecl().bind("nonCanRunScriptParentFunction")),
// ... optionally.
anything())),
this);
}
void UpgradeDurationConversionsCheck::registerMatchers(MatchFinder *Finder) {
if (!getLangOpts().CPlusPlus)
return;
// For the arithmetic calls, we match only the uses of the templated operators
// where the template parameter is not a built-in type. This means the
// instantiation makes use of an available user defined conversion to
// `int64_t`.
//
// The implementation of these templates will be updated to fail SFINAE for
// non-integral types. We match them to suggest an explicit cast.
// Match expressions like `a *= b` and `a /= b` where `a` has type
// `absl::Duration` and `b` is not of a built-in type.
Finder->addMatcher(
cxxOperatorCallExpr(
argumentCountIs(2),
hasArgument(
0, expr(hasType(cxxRecordDecl(hasName("::absl::Duration"))))),
hasArgument(1, expr().bind("arg")),
callee(functionDecl(
hasParent(functionTemplateDecl()),
unless(hasTemplateArgument(0, refersToType(builtinType()))),
hasAnyName("operator*=", "operator/=")))),
this);
// Match expressions like `a.operator*=(b)` and `a.operator/=(b)` where `a`
// has type `absl::Duration` and `b` is not of a built-in type.
Finder->addMatcher(
cxxMemberCallExpr(
callee(cxxMethodDecl(
ofClass(cxxRecordDecl(hasName("::absl::Duration"))),
hasParent(functionTemplateDecl()),
unless(hasTemplateArgument(0, refersToType(builtinType()))),
hasAnyName("operator*=", "operator/="))),
argumentCountIs(1), hasArgument(0, expr().bind("arg"))),
this);
// Match expressions like `a * b`, `a / b`, `operator*(a, b)`, and
// `operator/(a, b)` where `a` has type `absl::Duration` and `b` is not of a
// built-in type.
Finder->addMatcher(
callExpr(callee(functionDecl(
hasParent(functionTemplateDecl()),
unless(hasTemplateArgument(0, refersToType(builtinType()))),
hasAnyName("::absl::operator*", "::absl::operator/"))),
argumentCountIs(2),
hasArgument(0, expr(hasType(
cxxRecordDecl(hasName("::absl::Duration"))))),
hasArgument(1, expr().bind("arg"))),
this);
// Match expressions like `a * b` and `operator*(a, b)` where `a` is not of a
// built-in type and `b` has type `absl::Duration`.
Finder->addMatcher(
callExpr(callee(functionDecl(
hasParent(functionTemplateDecl()),
unless(hasTemplateArgument(0, refersToType(builtinType()))),
hasName("::absl::operator*"))),
argumentCountIs(2), hasArgument(0, expr().bind("arg")),
hasArgument(1, expr(hasType(cxxRecordDecl(
hasName("::absl::Duration")))))),
this);
// For the factory functions, we match only the non-templated overloads that
// take an `int64_t` parameter. Within these calls, we care about implicit
// casts through a user defined conversion to `int64_t`.
//
// The factory functions will be updated to be templated and SFINAE on whether
// the template parameter is an integral type. This complements the already
// existing templated overloads that only accept floating point types.
// Match calls like:
// `absl::Nanoseconds(x)`
// `absl::Microseconds(x)`
// `absl::Milliseconds(x)`
// `absl::Seconds(x)`
// `absl::Minutes(x)`
// `absl::Hours(x)`
// where `x` is not of a built-in type.
Finder->addMatcher(
implicitCastExpr(
anyOf(hasCastKind(CK_UserDefinedConversion),
has(implicitCastExpr(hasCastKind(CK_UserDefinedConversion)))),
hasParent(callExpr(
callee(functionDecl(DurationFactoryFunction(),
unless(hasParent(functionTemplateDecl())))),
hasArgument(0, expr().bind("arg"))))),
this);
}