void CanRunScriptChecker::registerMatchers(MatchFinder *AstMatcher) {
auto InvalidArg =
// We want to find any expression,
ignoreTrivials(expr(
// which has a refcounted pointer type,
hasType(pointerType(
pointee(hasDeclaration(cxxRecordDecl(isRefCounted()))))),
// and which is not this,
unless(cxxThisExpr()),
// and which is not a method call on a smart ptr,
unless(cxxMemberCallExpr(on(hasType(isSmartPtrToRefCounted())))),
// and which is not a parameter of the parent function,
unless(declRefExpr(to(parmVarDecl()))),
// and which is not a MOZ_KnownLive wrapped value.
unless(callExpr(callee(functionDecl(hasName("MOZ_KnownLive"))))),
expr().bind("invalidArg")));
auto OptionalInvalidExplicitArg = anyOf(
// We want to find any argument which is invalid.
hasAnyArgument(InvalidArg),
// This makes this matcher optional.
anything());
// Please not that the hasCanRunScriptAnnotation() matchers are not present
// directly in the cxxMemberCallExpr, callExpr and constructExpr matchers
// because we check that the corresponding functions can run script later in
// the checker code.
AstMatcher->addMatcher(
expr(
anyOf(
// We want to match a method call expression,
cxxMemberCallExpr(
// which optionally has an invalid arg,
OptionalInvalidExplicitArg,
// or which optionally has an invalid implicit this argument,
anyOf(
// which derefs into an invalid arg,
on(cxxOperatorCallExpr(
anyOf(hasAnyArgument(InvalidArg), anything()))),
// or is an invalid arg.
on(InvalidArg),
anything()),
expr().bind("callExpr")),
// or a regular call expression,
callExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("callExpr")),
// or a construct expression,
cxxConstructExpr(
// which optionally has an invalid arg.
OptionalInvalidExplicitArg, expr().bind("constructExpr"))),
anyOf(
// We want to match the parent function.
forFunction(functionDecl().bind("nonCanRunScriptParentFunction")),
// ... optionally.
anything())),
this);
}
void DanglingOnTemporaryChecker::registerMatchers(MatchFinder *AstMatcher) {
////////////////////////////////////////
// Quick annotation conflict checkers //
////////////////////////////////////////
AstMatcher->addMatcher(
// This is a matcher on a method declaration,
cxxMethodDecl(
// which is marked as no dangling on temporaries,
noDanglingOnTemporaries(),
// and which is && ref-qualified.
isRValueRefQualified(),
decl().bind("invalidMethodRefQualified")),
this);
AstMatcher->addMatcher(
// This is a matcher on a method declaration,
cxxMethodDecl(
// which is marked as no dangling on temporaries,
noDanglingOnTemporaries(),
// which returns a primitive type,
returns(builtinType()),
// and which doesn't return a pointer.
unless(returns(pointerType())),
decl().bind("invalidMethodPointer")),
this);
//////////////////
// Main checker //
//////////////////
auto hasParentCall =
hasParent(expr(anyOf(
cxxOperatorCallExpr(
// If we're in a lamda, we may have an operator call expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// constructor call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentOperatorCallExpr")),
callExpr(
// If we're in a lamda, we may have a call expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// function call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentCallExpr")),
objcMessageExpr(
// If we're in a lamda, we may have an objc message expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// function call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentObjCMessageExpr")),
cxxConstructExpr(
// If we're in a lamda, we may have a construct expression
// ancestor in the AST, but the temporary we're matching
// against is not going to have the same lifetime as the
// constructor call.
unless(has(expr(ignoreTrivials(lambdaExpr())))),
expr().bind("parentConstructExpr")))));
AstMatcher->addMatcher(
// This is a matcher on a method call,
cxxMemberCallExpr(
// which is in first party code,
isFirstParty(),
// and which is performed on a temporary,
on(allOf(
unless(hasType(pointerType())),
isTemporary(),
// but which is not `this`.
unless(cxxThisExpr()))),
// and which is marked as no dangling on temporaries.
callee(cxxMethodDecl(noDanglingOnTemporaries())),
expr().bind("memberCallExpr"),
// We optionally match a parent call expression or a parent construct
// expression because using a temporary inside a call is fine as long
// as the pointer doesn't escape the function call.
anyOf(
// This is the case where the call is the direct parent, so we
// know that the member call expression is the argument.
allOf(hasParentCall, expr().bind("parentCallArg")),
// This is the case where the call is not the direct parent, so we
// get its child to know in which argument tree we are.
hasAncestor(expr(
hasParentCall,
expr().bind("parentCallArg"))),
// To make it optional.
anything())),
this);
}
