首頁 探索 說明
註冊 登入
FangSoftSoft
/
clang
2
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: 04291a7c76
分支列表 標籤列表
clang
/
lib
/
StaticAnalyzer
/
Checkers
/
CastToStructChecker.cpp

CastToStructChecker.cpp 2.5 KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. //=== CastToStructChecker.cpp - Fixed address usage checker ----*- C++ -*--===//
    2. 

  2. //
    3. 

  3. //                     The LLVM Compiler Infrastructure
    4. 

  4. //
    5. 

  5. // This file is distributed under the University of Illinois Open Source
    6. 

  6. // License. See LICENSE.TXT for details.
    7. 

  7. //
    8. 

  8. //===----------------------------------------------------------------------===//
    9. 

  9. //
    10. 

  10. // This files defines CastToStructChecker, a builtin checker that checks for
    11. 

  11. // cast from non-struct pointer to struct pointer.
    12. 

  12. // This check corresponds to CWE-588.
    13. 

  13. //
    14. 

  14. //===----------------------------------------------------------------------===//
    15. 

  15. 

  16. #include "clang/StaticAnalyzer/BugReporter/BugType.h"
    17. 

  17. #include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
    18. 

  18. #include "InternalChecks.h"
    19. 

  19. 

  20. using namespace clang;
    21. 

  21. using namespace ento;
    22. 

  22. 

  23. namespace {
    24. 

  24. class CastToStructChecker 
    25. 

  25.   : public CheckerVisitor<CastToStructChecker> {
    26. 

  26.   BuiltinBug *BT;
    27. 

  27. public:
    28. 

  28.   CastToStructChecker() : BT(0) {}
    29. 

  29.   static void *getTag();
    30. 

  30.   void PreVisitCastExpr(CheckerContext &C, const CastExpr *B);
    31. 

  31. };
    32. 

  32. }
    33. 

  33. 

  34. void *CastToStructChecker::getTag() {
    35. 

  35.   static int x;
    36. 

  36.   return &x;
    37. 

  37. }
    38. 

  38. 

  39. void CastToStructChecker::PreVisitCastExpr(CheckerContext &C,
    40. 

  40.                                            const CastExpr *CE) {
    41. 

  41.   const Expr *E = CE->getSubExpr();
    42. 

  42.   ASTContext &Ctx = C.getASTContext();
    43. 

  43.   QualType OrigTy = Ctx.getCanonicalType(E->getType());
    44. 

  44.   QualType ToTy = Ctx.getCanonicalType(CE->getType());
    45. 

  45. 

  46.   const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
    47. 

  47.   const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
    48. 

  48. 

  49.   if (!ToPTy || !OrigPTy)
    50. 

  50.     return;
    51. 

  51. 

  52.   QualType OrigPointeeTy = OrigPTy->getPointeeType();
    53. 

  53.   QualType ToPointeeTy = ToPTy->getPointeeType();
    54. 

  54. 

  55.   if (!ToPointeeTy->isStructureOrClassType())
    56. 

  56.     return;
    57. 

  57. 

  58.   // We allow cast from void*.
    59. 

  59.   if (OrigPointeeTy->isVoidType())
    60. 

  60.     return;
    61. 

  61. 

  62.   // Now the cast-to-type is struct pointer, the original type is not void*.
    63. 

  63.   if (!OrigPointeeTy->isRecordType()) {
    64. 

  64.     if (ExplodedNode *N = C.generateNode()) {
    65. 

  65.       if (!BT)
    66. 

  66.         BT = new BuiltinBug("Cast from non-struct type to struct type",
    67. 

  67.                             "Casting a non-structure type to a structure type "
    68. 

  68.                             "and accessing a field can lead to memory access "
    69. 

  69.                             "errors or data corruption.");
    70. 

  70.       RangedBugReport *R = new RangedBugReport(*BT,BT->getDescription(), N);
    71. 

  71.       R->addRange(CE->getSourceRange());
    72. 

  72.       C.EmitReport(R);
    73. 

  73.     }
    74. 

  74.   }
    75. 

  75. }
    76. 

  76. 

  77. void ento::RegisterCastToStructChecker(ExprEngine &Eng) {
    78. 

  78.   Eng.registerCheck(new CastToStructChecker());
    79. 

  79. }
    80.